undefined | Better HN

0 pointsGroxx5y ago0 comments

Which they also point out may be insufficient:

>By Mattermost’s estimates this new API will not be a reasonable solution for most use cases currently affected by the vulnerabilities. Parsing and resolving namespaces is an essential requirement for correctly implementing SAML, and even considering only a limited set of real-world SAML messages without strict namespacing requirements would be unlikely to allow for a secure implementation.

0 comments

tptacek5y ago

Yes: people shouldn't be using encoding/xml to implement SAML, at all. The library was already functionally problematic for SAML, because it doesn't fully implement namespaces. Nor does it implement `xml-exc-c14n`. For the IdP I wrote last year, I just wrote my own XML; it's not that big a deal.

Software security people have understood for a long time that XMLDSIG is sketchy, and that implementations often need to be "bug-compatible" to interoperate safely. SAML is an XMLDSIG protocol. I feel bad for putting it this way, but I think that reasonably skilled security engineers should be alarmed if their platform's standard XML library easily allows you to implement something that claims to be DSIG.

jka5y ago

Meta-question: are software standards generally becoming more security-friendly over time?

tptacek5y ago

No, but software itself is, because of designs like WireGuard (which aren't formal standards) and software like libsodium and signify.

j / k navigate · click thread line to collapse

0 pointsGroxx5y ago0 comments

Which they also point out may be insufficient:

0 comments

tptacek5y ago

jka5y ago

Meta-question: are software standards generally becoming more security-friendly over time?

tptacek5y ago

No, but software itself is, because of designs like WireGuard (which aren't formal standards) and software like libsodium and signify.

j / k navigate · click thread line to collapse