HackerTrans
トップ新着トレンドコメント過去質問紹介求人

SnowflakeOnIce

no profile record

投稿

TruffleHog now detects public-key JWTs and verifies them for liveness

trufflesecurity.com
2 ポイント·投稿者 SnowflakeOnIce·7 か月前·0 コメント

コメント

SnowflakeOnIce
·26 日前·議論
Logout functionality is not the only use case for token invalidation. Another significant one is to revoke a token that has been exposed, like inadvertently pushed to GitHub. In that case you want to invalidate the token to a avoid unauthorized access to your service.

With vanilla JWTs, you have no way to do this! But then if you add revocation checking on top (which people do), your JWTs are no longer stateless.
SnowflakeOnIce
·2 か月前·議論
Your general point here is reasonable. But to provide some domain knowledge context: secrets are leaked _very_ often!

In public data (source code on GitHub, etc.) you can expect a prevalence somewhere in the range of 0.5-2.5 live secrets per gigabyte of content. Now yes, there are more than 8 billion people on earth now and the murder prevalence is a lot higher than 0.5-2.5 per billion. But there are _far_ more bytes of public content than there are people on earth, so in absolute terms, there are far more leaked secrets than murders.

If you look at other types of data (like internal Git forges), the prevalence is much higher.

I think you could indeed retire with $1 per leaked secret!
SnowflakeOnIce
·昨年·議論
https://en.m.wikipedia.org/wiki/Simultaneous_localization_an...
SnowflakeOnIce
·6 年前·議論
The latency on the touch bat is terrible. Perhaps 1/2 second to update when you switch apps, for example!