undefined | Better HN

0 pointstptacek8y ago0 comments

No. The reason to sign requests is the same as the reason to support OAuth: so that the owner of the account can sign a request and give it to someone else to execute --- delegated authentication. Signed requests are finer-grained than OAuth is, but OAuth is much simpler and is the industry standard at this point. Don't do either thing until you absolutely need it, but then, start with OAuth.

Signed requests have burned a bunch of applications, more than have been burned by OAuth.

0 comments

hundt8y ago

Thanks for the response!

My thinking was that you might sign requests so that a request that was intercepted or inadvertently logged would not contain sufficient credentials to authorize arbitrary other requests for the indefinite future. It sounds like you do not consider that a significant enough issue to justify the complexity involved.

dboreham8y ago

Good point: Credentials must not be logged. The easiest way to achieve this is to use HTTP basic auth for the token because web server infrastructure already knows not to log that, or a header OAuth2 style.

tptacekOP8y ago

No. You need to be securely using TLS anyways. Signed requests are hard to get right (Google "canonicalization vulnerabilities"). That's not a good tradeoff.

dboreham8y ago

Signed requests were also invented when the transport connection was in the clear: if the request were not signed then it could be modified in transit by an attacker. These days all sessions are encrypted (SSL/TLS) and so this concern doesn't exist (or doesn't exist if you trust the transport).

tptacekOP8y ago

The AWS API runs over TLS, and uses signed requests.

dboreham8y ago

Perhaps because it was originally designed for use without TLS? Request signing was pretty much ubiquitous 10 years ago.

2 more replies

j / k navigate · click thread line to collapse

0 pointstptacek8y ago0 comments

Signed requests have burned a bunch of applications, more than have been burned by OAuth.

0 comments

hundt8y ago

Thanks for the response!

dboreham8y ago

tptacekOP8y ago

No. You need to be securely using TLS anyways. Signed requests are hard to get right (Google "canonicalization vulnerabilities"). That's not a good tradeoff.

dboreham8y ago

tptacekOP8y ago

The AWS API runs over TLS, and uses signed requests.

dboreham8y ago

Perhaps because it was originally designed for use without TLS? Request signing was pretty much ubiquitous 10 years ago.

2 more replies

j / k navigate · click thread line to collapse