[zanata-bugs] [Bug 1213630] Webhook header needs to include cryptographic signature in header for identification.

bugzilla at redhat.com bugzilla at redhat.com
Thu Jul 9 01:34:14 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1213630

Sean Flanigan <sflaniga at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |camunoz at redhat.com,
                   |                            |sflaniga at redhat.com
              Flags|                            |needinfo?(rbean at redhat.com)



--- Comment #4 from Sean Flanigan <sflaniga at redhat.com> ---
Since our header doesn't have any historical baggage yet, rather than duplicate
GitHub's header exactly, I suggest we make it a little stronger, and very
similar to Trello.

According to the GitHub docs, use of the GitHub header may be vulnerable to a
timing attack if the webhook receiver fails to use a constant-time string
comparison.  Also, I think it may be vulnerable to another attack, if the same
secret is used for multiple webhook URLs (replaying a webhook for one URL
against the other).

The Trello header uses a double HMAC (to defeat the timing attack), plus the
hash includes both the body and the URL (to defeat the replay attack).

Trello docs and sample implementation:
https://trello.com/docs/gettingstarted/webhooks.html#triggering-webhooks

The timing attack:
http://web.archive.org/web/20141016010907/https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx

There are implementations which go further (including some of the HTTP headers
in the hash), but I don't want to add too much to the complexity.


Instead of "X-Zanata-Signature" (what sort of signature?), I suggest the header
name "X-Zanata-Webhook".

I don't think we clarified this before, but I recommend we use Base64 (like
Trello), not hexadecimal (like GitHub).

Ralph, would you say including the URL in the hash will make signature
verification too complex at the receiver's end?

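The scheme this comment proposes (MAC over body plus target URL, Base64 output, double-HMAC comparison at the receiver, header name X-Zanata-Webhook), written out as an added example; it is not code from the bug, Trello or the Zanata project. The hash function (SHA-256), the secret, the payload and the URLs are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac

# Header name proposed in the comment; the SHA-256 choice is an assumption.
HEADER_NAME = "X-Zanata-Webhook"


def sign_webhook(secret: bytes, body: bytes, url: str) -> str:
    """Sender side: Base64 of HMAC(secret, body || url).

    Binding the URL into the MAC means a payload captured for one webhook
    URL does not verify when replayed against another URL that shares the
    same secret, which is the replay concern raised in the comment.
    """
    mac = hmac.new(secret, body + url.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_webhook(secret: bytes, body: bytes, url: str, header_value: str) -> bool:
    """Receiver side: recompute the signature and compare via double HMAC.

    Both the received and the expected MAC are HMAC'd again with the secret
    before comparison, so an ordinary early-exit byte compare of the outer
    values leaks nothing about the expected inner value (the double-HMAC
    trick cited in the comment). hmac.compare_digest is the standard-library
    constant-time alternative if a double HMAC is considered too much.
    """
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # malformed header: reject without further work
    expected = base64.b64decode(sign_webhook(secret, body, url))
    outer_received = hmac.new(secret, received, hashlib.sha256).digest()
    outer_expected = hmac.new(secret, expected, hashlib.sha256).digest()
    return outer_received == outer_expected


def demo() -> dict:
    """Constructed inputs: a genuine delivery, a cross-URL replay, a tamper."""
    secret = b"constructed-shared-secret"
    body = b'{"event":"constructed-example","project":"demo"}'
    url_a = "https://receiver.example/hooks/a"
    url_b = "https://receiver.example/hooks/b"  # same secret, different URL
    sig = sign_webhook(secret, body, url_a)
    return {
        "genuine": verify_webhook(secret, body, url_a, sig),
        "replayed_to_other_url": verify_webhook(secret, body, url_b, sig),
        "tampered_body": verify_webhook(secret, body + b" ", url_a, sig),
        "garbage_header": verify_webhook(secret, body, url_a, "not base64!"),
    }
```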