On Sun, Apr 26, 2020 at 9:53 PM James Bennett <ubernost...@gmail.com> wrote:
> On Sun, Apr 26, 2020 at 8:46 AM Adam Johnson <m...@adamj.eu> wrote:
>
> The short summary is: JWT is over-complex, puts too much power in the
> attacker's hands, has too many configuration knobs, and makes poor
> cryptographic choices. This is why we see vulnerabilities in JWT
> libraries and JWT-using systems again and again and again.
>
> And even if you get every single bit of it right, in the ideal perfect
> world with the ideal perfect implementation, the payoff is you've put
> in a ton of work to get something that already existed: signed
> cookies, for the use case of session identification, or any of several
> better token or token-like systems -- everything from PASETO to just
> timestamped HMAC'd values -- for the use case of inter-service
> communication.
>

Thank you very much for this write-up. The mention of PASETO was particularly helpful to me. I was aware of the big all-library issue due to algorithm negotiation and public/symmetric forgery, but not the others you mentioned.

For my use case, I need a signed payload that is server-verified and client-readable. It sounds like PASETO is what you might recommend that I use, instead of JWTs, IIUC. Would you think that the motivation that started this thread might be well served with having that as PASETO, or would it be better in your estimation to avoid either JWT or PASETO in Django at this time? I can imagine that Django using PASETO could give it a signal boost, but of course if there were discovered some design flaw there, it would also entrench it more as well as making it a security issue that Django has to address.

Either way, I really appreciate you taking the time to let us hear your thoughts.

Ryan

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CABpHFHTTYkQ3FsK4LOj%2B_kc-ZMyicdBSFTqFd1e370EnFHoPXA%40mail.gmail.com.
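As an added illustration of the "timestamped HMAC'd values" alternative mentioned above, and of the client-readable, server-verified payload Ryan asks for, here is a minimal stdlib Python token format. This is example code written for this page, not code from the thread or from Django (Django's own `django.core.signing.TimestampSigner` is the production equivalent); the key is a constructed sample.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes, now: Optional[int] = None) -> str:
    """Build '<b64 JSON>.<unix ts>.<b64 HMAC-SHA256>'.

    The payload is only base64-encoded, so the client can read it; the MAC
    covers payload and timestamp together, so neither can change unnoticed.
    There is no algorithm field: the server picks the algorithm, not the token.
    """
    ts = str(int(time.time()) if now is None else now)
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, f"{body}.{ts}".encode(), hashlib.sha256).digest()
    return f"{body}.{ts}.{_b64(tag)}"


def verify(token: str, key: bytes, max_age: int, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the MAC is valid and the token is at most max_age
    seconds old (relative to now); otherwise None. The MAC is checked first, in
    constant time, before anything in the token is trusted or parsed."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    body, ts, tag = parts
    expected = hmac.new(key, f"{body}.{ts}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        age = (int(time.time()) if now is None else now) - int(ts)
        if age < 0 or age > max_age:  # reject future-dated and expired tokens
            return None
        return json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON (both subclass ValueError)
        return None


if __name__ == "__main__":
    key = b"constructed-demo-key-replace-with-a-random-secret"  # constructed sample
    tok = sign({"user": 42}, key, now=1000)
    print(tok, verify(tok, key, max_age=60, now=1030))
```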