babka/activitycolander
2
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Optional parameter for HTTP Signatures if key changes #15

New issue
Closed
opened 2022-09-15 15:40:43 +00:00 by emacsen · 2 comments
emacsen commented 2022-09-15 15:40:43 +00:00 (Migrated from gitlab.com)
Copy link

There are two possibilities for an actor's public key changing.

The first is that there's been a change by the server. The other is that there's been an attack and a malicious party has decided to take over.

An example of the second case would be if there was DNS poisoning, redirecting clients (such as ActivityColander) to a malicious site where the new public key is.

Therefore, there should be an optional parameter to the check that does not do a key lookup if the check fails, eg HTTP_SIGNATURE_VERIFICATION_FETCH should could be a binary value, 1 for true (default) and 0 for false.

There are two possibilities for an actor's public key changing. The first is that there's been a change by the server. The other is that there's been an attack and a malicious party has decided to take over. An example of the second case would be if there was DNS poisoning, redirecting clients (such as ActivityColander) to a malicious site where the new public key is. Therefore, there should be an optional parameter to the check that does not do a key lookup if the check fails, eg `HTTP_SIGNATURE_VERIFICATION_FETCH` should could be a binary value, 1 for true (default) and 0 for false.
emacsen commented 2022-10-18 18:50:37 +00:00 (Migrated from gitlab.com)
Copy link

@CSDUMMI pls update this issue

@CSDUMMI pls update this issue
CSDUMMI commented 2023-03-01 12:19:08 +00:00 (Migrated from gitlab.com)
Copy link

The HttpSignatureCheck now has a no_refetch = false option.

If a signature verification failed and this option is false, a fetch of the public key will take place.

The HttpSignatureCheck now has a `no_refetch = false` option. If a signature verification failed and this option is false, a fetch of the public key will take place.
CSDUMMI (Migrated from gitlab.com) closed this issue 2023-03-01 12:19:09 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feat-absolute-thresholds
AdminAPI
SqrlCheck
nodeinfo-check
rename-local-config
ExampleConfig
25-basic-statistics-tracking
Configuration
SubscriptionsDomainCheck
29-circular-dependency-vs-a-single-root-config-lua-file
services
nginx-native-setup
integrated-tests
23-unicode-support
simple_keyword_check
v0.8.1
v0.8.0
v0.7.0
v0.6.3
0.6.1
Labels
Clear labels   
Critical Bug

A serious bug that effects functionality

  
Documentation

Documentation related issues

  
Feature

A "nice to have"

  
Small bug

A bug that does not effect functionality (typo, etc.)

  
tests
No labels
Critical Bug
Documentation
Feature
Small bug
tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
babka/activitycolander#15
No description provided.