undefined | Better HN

0 pointshinkley3y ago0 comments

I guess we'll find out if they have learned anything since the XML Signature specification. That was an adventure, trying to find a subset that actually did what it said it did.

0 comments

2 comments · 1 top-level

bawolff3y ago· 1 in thread

XMLSignature is one of the worst security standards i have ever read.

Do we sign the bytes of the document? No, we canonicalize it first? How do we canonicalize? Multiple ways. Do all documents with the same canonicalization have the same DOM? No. Which part of the document do we sign? Up to you.

Its a wonder there aren't more major saml breaches.

hinkleyOP3y ago

The biggest problem is that getElementByID doesn’t fucking work.

And then if you sign sibling documents, you essentially have most of the same problems you have with ensuring a zip file doesn’t have a malicious payload, because file cannonicalization is fraught with issues.

It took me a couple pages of don’ts to nail it down, and I missed a big one that I didn’t see until pretty late in the project.

j / k navigate · click thread line to collapse