security - Advantages of Hash Verification of Parameters and Content over TLS -

-


security - Advantages of Hash Verification of Parameters and Content over TLS -

when researching approaches securing web services, found application hashes portions of url in add-on utilizing tls. found specification proposes verify body of request producing hash , verifying content server side (specification follows):

final: oauth request body hash

in specification, mentions:

nonce checking , utilize of https can mitigate risk, may not available in environments. when nonce checking , https used, signing request body provides additional layer of defense.

looking @ oauth 2.0 specification, seems though have deemed these steps unnecessary when application configured/coded, instead relying on tls provide security features, of which, believe, includes tamper proofing. while there has been criticism specification people former lead author, has been said (by same person) when implemented, secure.

is there real benefit these hashing procedures? there known attacks compromise web service utilizes nonce , tls verify validity?

as far can tell quick read of documentation (i don't know much oauth), confusing purpose of hash. inclusion of hash meant extend signature covering other parts of request body:

the oauth core specification provides body integrity checking application/x-www-form-urlencoded request bodies. other types of request bodies left unsigned.

note including hash in url not provide additional security. instead, include in part signed:

set oauth_body_hash parameter obtained value.

sign request per [oauth core 1.0] section 9. oauth_body_hash parameter must included in signature base of operations string other request parameters.

thus, statement "even when nonce checking , https used, signing request body provides additional layer of defense." refers practice of signing url parameters (among other stuff) via rsa (or "signing" via hmac) , authenticating body via included hash. if url parameters not signed (the "plaintext" method used), not gain additional security including hash of body.

security ssl hash

Comments

Post a Comment

Popular posts from this blog

java - How to set log4j.defaultInitOverride property to false in jboss server 6 -

-
java - How to set log4j.defaultInitOverride property to false in jboss server 6 - how set log4j property false in jboss. not using log4j in application still property has set true. the reason, why trying set property false is, suspecting property overrides java.util.logging.logger configuration provided application. might because of this, log file not getting generated. boot.log infomation below: 02:46:10,495 debug [serverinfo] log4j.defaultinitoverride: true 02:46:10,496 debug [serverinfo] org.jboss.deployers.spi.deployer.matchers.nameignoremechanism: org.jboss.deployers.spi.deployer.helpers.dummynameignoremechanism 02:46:10,496 debug [serverinfo] org.jboss.logging.logger.pluginclass: org.jboss.logging.logmanager.loggerpluginimpl i have found in boot.log in jboss. in 1 of blog, developers told me that, log4j.defaultinitoverride property should set false avoid override of java.util.logging.logger. comment same if wrong. java logging jboss log4j
Read more

c - GStreamer 1.0 1.4.5 RTSP Example Server sends 503 Service unavailable -

-
c - GStreamer 1.0 1.4.5 RTSP Example Server sends 503 Service unavailable - i'm trying create rtsp server based on gstreamer 1.0 1.4.5 plugin. source code of illustration taken here. with_tls , with_auth flags not enabled. i'm compiling using visual studio 2013 community edition. project building , running successfully. when i'm trying play video using vlc on address rtsp://127.0.0.1:8554/test says can't open mrl. recorded traffic (using rawcap) of communication between compiled server , vlc player following: request: options rtsp://127.0.0.1:8554/test rtsp/1.0 cseq: 2 user-agent: libvlc/2.2.0 (live555 streaming media v2014.07.25) response: rtsp/1.0 200 ok cseq: 2 public: options, describe, get_parameter, pause, play, setup, set_parameter, teardown server: gstreamer rtsp server date: thu, 09 apr 2015 03:35:30 gmt request: describe rtsp://127.0.0.1:8554/test rtsp/1.0 cseq: 3 user-agent: libvlc/2.2.0 (live555 streaming media v2014.07.25) accept: applicat...
Read more

Using ajax with sonata admin list view pagination -

-
Using ajax with sonata admin list view pagination - i'm using sonata admin in project. in list view sonata refresh page when clik sec list pagination. that's default behavior of sonata.is there way utilize ajax phone call list view pagination !!! same question when using sortable list view. thanks. this possible, have overwrite of basic functionality of sonata admin bundle. tested symfony 2.6.6 sonata admin-bundle dev-master (4f23e1a30e49681bf8ebdbbae549848784be7699) 1. edit bundles services.yml you have implement own crudcontroller , new list template. tell in services.yml sonata.admin.youradmin: class: your\bundle\admin\youradmin tags: - { name: sonata.admin, manager_type: orm, group: "groupname", label: "grouplabel" } arguments: - ~ - your\bundle\entity\entityclass - yourbundle:yournewcrud # <- add together crud class here calls: ...
Read more