undefined | Better HN

0 pointsdamncabbage13y ago0 comments

Could you elaborate on this, please? I can't find much on the topic.

Edit: The Filepicker.io email seems to indicate a PKI-style solution, but I can only sort of guess at the implementation.

0 comments

3 comments · 1 top-level

adatta0213y ago· 2 in thread

Sure - check out http://aws.amazon.com/articles/1434

What you're interested in is:

"signature" - "A signature value that authorizes the form and proves that only you could have created it. This value is calculated by signing the Base64-encoded policy document with your AWS Secret Key, a process that I will demonstrate below."

gliese133713y ago

I may be missing something, but it seems to me that's still vulnerable to interception. The policy document can limit the kinds of things that can be uploaded, but an attacker could still intercept that form on the way to or from the user and replace the intended user's data with anything else that happened to fit the policy.

I suppose that's solved by serving the form over https. Perhaps that's just what I was missing.

adatta0213y ago

HTTPs would work but also if you scroll down a bit and look at the policy JSON (http://pastie.org/private/tkr7iyqzqrezmmqazbfijw), it has an "expiration" field which would mitigate the type of attack outlined in the parent post since after a period of time the signature would no longer be valid.

j / k navigate · click thread line to collapse