undefined | Better HN

0 pointswoah12y ago0 comments

What's the advantage of using your hand-rolled hashing scheme instead of just https?

0 comments

There's not really any advantage as far as I know. In fact, as I stated in my explanation, using HTTPS is more full-proof. So why wouldn't you do that instead?! That's the point.

If I had to think of an advantage though, it'd be for the sake of any developer who needs to design their first API, and is inspired by yours. If you just used #2 then with plain-text authentication, and a developer copies your API without using SSL, then they'll have a horrible security problem. If you used #1 as well, then they'll still have an okay API, it just won't be suitable for use by packaged/distributed client apps.

In fact, this is purely conjecture, but that could be what happened here in the case of criticker. Who knows?

rblatz12y ago

You could just run fiddler on windows and trust the fiddler certificate. This would allow it to MITM the https session.

icebraining12y ago

Not if they pin the certificate.

j / k navigate · click thread line to collapse