
312 points campuscodi | 2 comments
wcoenen No.43375039
Isn't the simpler conclusion here that one should look for the signature where it is supposed to be? Instead of using an excessively general XPath like "//ds:Signature" that might find any signature in any unexpected location...
replies(2): >>43375138 #>>43375746 #
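A concrete version of the point above, as an added example (my own Python, not code from the thread or from any library it discusses): a constructed Response in which a document-wide lookup lands on a signature placed in Extensions, while a lookup anchored to the element being verified, and cross-checked against that element's ID via the Reference URI, returns only the signature that actually covers it. The sample XML and helper names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not a real IdP response): the Assertion carries its own
# signature, but a second <ds:Signature> sits in Extensions, where none belongs.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <samlp:Extensions>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_somewhere_else"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </samlp:Extensions>
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>BBBB</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

def signature_target(sig):
    """URI of the signature's Reference, or None if there is no such signature."""
    ref = sig.find("./ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    return ref.get("URI") if ref is not None else None

def find_signature_anywhere(root):
    """Over-general lookup, ElementTree's form of //ds:Signature: first match, anywhere."""
    return root.find(".//ds:Signature", NS)

def find_signature_for(element):
    """Strict lookup: exactly one ds:Signature as a direct child of the element
    being verified, whose Reference URI points back at that element's own ID."""
    sigs = element.findall("./ds:Signature", NS)
    if len(sigs) != 1 or signature_target(sigs[0]) != "#" + element.get("ID", ""):
        return None
    return sigs[0]

def compare_lookups(xml_text):
    """(target of the loose lookup, target of the strict lookup on the Assertion)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("./saml:Assertion", NS)
    return (signature_target(find_signature_anywhere(root)),
            signature_target(find_signature_for(assertion)))
```

The loose lookup reports the Extensions signature, which verifies nothing about the Assertion; the strict lookup reports "#_a1", and would return None if the Assertion had no signature, more than one, or one whose Reference pointed elsewhere.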
Muromec No.43375138
Hot take, but for me the conclusion always was -- get a big stick and use it to prevent web developers from touching anything near your security sensitive code. Starting from design, protocols and data formats of it. The set of habits and design considerations simply doesn't match day to day practice of the usual web development. It's often the opposite of what you need to write normal code.
replies(1): >>43375758 #
1. TZubiri No.43375758
I don't think it's fair to blame the skill of web developers (although if they use javascript and leftpaddings they have it coming).

The nature of web software is 100 times riskier than anything else because of the risk profiles and 100% connectivity.

replies(1): >>43377058 #
2. chairmansteve No.43377058
Anyone who thinks a publicly accessible web site is secure is insane.