cryptography

How (not) to Sign a JSON Object

TLDR: The post discusses signing JSON objects, emphasizing symmetric signing (HMAC) over asymmetric signatures. It outlines the steps to sign JSON, the problems with in-band signing, and approaches such as canonicalization, drawing on examples from the AWS signature versions and Flickr's API vulnerabilities. Its recommendations favour external (detached) signatures, enforcing TLS, and recognizing how hard canonicalization of JSON is to get right.

https://www.latacora.com/blog/2019/07/24/how-not-to/

Hell Is Overconfident Developers Writing Encryption Code

Overconfident developers often build their own cryptography, leading to systemic security flaws. Writing crypto code can deepen understanding, but deploying it without expert review is dangerous. Many developers mistakenly believe that using standard libraries, such as those in Node.js or OpenSSL, means they are not "rolling their own" when they are still introducing risk through how they combine the primitives. Misconceptions about the breadth of cryptographic practice lead to repeated mistakes, and few reliable tools exist that developers can use safely. The problem persists despite efforts to provide better guidance and tooling, leaving a frustrating situation for security experts.

https://soatok.blog/2025/01/31/hell-is-overconfident-developers-writing-encryption-code/