[zanata-bugs] [Bug 1213630] Webhook header needs to include cryptographic signature in header for identification.
bugzilla at redhat.com
Thu Jul 9 01:34:14 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1213630
Sean Flanigan <sflaniga at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |camunoz at redhat.com,
| |sflaniga at redhat.com
Flags| |needinfo?(rbean at redhat.com)
--- Comment #4 from Sean Flanigan <sflaniga at redhat.com> ---
Since our header doesn't have any historical baggage yet, rather than duplicate
GitHub's header exactly, I suggest we make it a little stronger, and very
similar to Trello.
According to the GitHub docs, use of the GitHub header may be vulnerable to a
timing attack if the webhook receiver fails to use a constant-time string
comparison. Also, I think it may be vulnerable to another attack, if the same
secret is used for multiple webhook URLs (replaying a webhook for one URL
against the other).
The Trello header uses a double HMAC (to defeat the timing attack), plus the
hash includes both the body and the URL (to defeat the replay attack).
Trello docs and sample implementation:
https://trello.com/docs/gettingstarted/webhooks.html#triggering-webhooks
The timing attack:
http://web.archive.org/web/20141016010907/https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx
There are implementations which go further (including some of the HTTP headers
in the hash), but I don't want to add too much to the complexity.
Instead of "X-Zanata-Signature" (what sort of signature?), I suggest the header
name "X-Zanata-Webhook".
I don't think we clarified this before, but I recommend we use Base64 (like
Trello), not hexadecimal (like GitHub).
Ralph, would you say including the URL in the hash will make signature
verification too complex at the receiver's end?
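The scheme the comment proposes, written out as a receiver-side check. This is an added example, not Zanata's code or Trello's sample implementation: it assumes HMAC-SHA256 over body followed by URL, a Base64-encoded digest in an `X-Zanata-Webhook` header, and a constructed secret, body and pair of URLs. The second HMAC under a fresh random key is the iSEC "double HMAC" trick from the comment: both digests are re-keyed before the `==`, so the byte-by-byte timing of the comparison no longer tells an attacker anything about the expected value. Binding the URL into the MAC is what makes the replay case below fail.

```python
import base64
import hashlib
import hmac
import os

HEADER_NAME = "X-Zanata-Webhook"  # header name proposed in the comment


def sign(secret: bytes, body: bytes, url: str) -> str:
    """Sender side: Base64(HMAC-SHA256(secret, body || callback URL)).

    Assumed layout: the body bytes are followed by the UTF-8 URL. Including the
    URL ties the signature to one receiver, so a webhook captured for URL A
    does not verify when replayed against URL B under the same secret.
    """
    mac = hmac.new(secret, body + url.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def double_hmac_equal(expected: bytes, received: bytes) -> bool:
    """Constant-time-safe equality via a second HMAC under a fresh random key.

    A plain `==` on MACs short-circuits at the first differing byte, which leaks
    how many leading bytes of the guess were right. Re-hashing both sides with
    an unpredictable key means the compared values are unrelated to what the
    attacker sent, so that leak carries no usable information.
    """
    key = os.urandom(32)
    a = hmac.new(key, expected, hashlib.sha256).digest()
    b = hmac.new(key, received, hashlib.sha256).digest()
    return a == b


def verify(secret: bytes, body: bytes, url: str, header_value: str) -> bool:
    """Receiver side: recompute the MAC for (body, this URL) and compare safely."""
    try:
        received = base64.b64decode(header_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError: reject garbage headers
        return False
    expected = hmac.new(secret, body + url.encode("utf-8"), hashlib.sha256).digest()
    return double_hmac_equal(expected, received)


def demo() -> dict:
    """Run the scheme over constructed sample data and report each outcome."""
    secret = b"constructed-shared-secret"           # constructed, not a real secret
    body = b'{"event":"constructed-sample"}'        # constructed payload
    url_a = "https://receiver.example/hooks/a"      # constructed callback URLs
    url_b = "https://receiver.example/hooks/b"

    header = sign(secret, body, url_a)
    return {
        "genuine delivery to A": verify(secret, body, url_a, header),
        "same payload replayed to B": verify(secret, body, url_b, header),
        "tampered body": verify(secret, body + b" ", url_a, header),
        "wrong secret": verify(b"other-secret", body, url_a, header),
        "malformed header": verify(secret, body, url_a, "not*base64"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In current Python the standard library also provides `hmac.compare_digest`, which gives the same protection in one call; the double-HMAC form is kept here because it is what the comment and the linked iSEC post describe, and it works in any language whose HMAC library lacks a constant-time compare. Note that the receiver must compare against the URL it was actually called on (scheme, host, path and query as the sender saw them), so a proxy that rewrites the URL will break verification unless the original is recovered.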