DEV Community

Discussion on: Everybody hates CSRF

Martin Häusler

Sometimes I'm not sure what's worse - a CSRF attack or the convoluted mess of a protocol that is CORS with its preflight OPTIONS calls and allow-origin headers - good grief. Oh the hours wasted...

JWTs are signed, that means you can be (reasonably) certain that nobody tinkered with their content. However, they are not encrypted (just base64 encoded), so they do NOT ensure that a third party attacker can't read their content and steal information this way. If you use JWT for authentication, set a suitable time-to-live. In combination with HTTPS/SSL that should guard you against most basic attacks. I'm not a security expert though.

Fernando

I think it's great to openly talk about these topics, and especially in approachable ways for non-security experts, like myself too. If we're going to disable security checks it's important to understand the consequences/risks. It makes you second-guess yourself when it's everyone but you that wants these checks in place 😅

JWTs are signed, that means you can be (reasonably) certain that nobody tinkered with their content.

💯

However, they are not encrypted (just base64 encoded), so they do NOT ensure that a third party attacker can't read their content and steal information this way.

True that they're not encrypted, but the JWT travels through the HTTPS request so I think I'm comfortable with that. I believe the choice of using POST for the callback by the teams at Apple was for a reason (not "just because"). I just don't know enough about the vulnerabilities in these protocols to explain why.

rhymes

I just don't know enough about the vulnerabilities in these protocols to explain why.

If only they wrote documentation about it :-P