Added constant time comparison of JWT signatures.
A vulnerability in our JWT implementation allows an unauthenticated remote attacker to execute timing attacks. This patch removes the vulnerability by adding a constant time comparison of hashes, where the whole message is visited during the comparison instead of returning at the first failure. https://codahale.com/a-lesson-in-timing-attacks/
Review: https://reviews.apache.org/r/67357
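As an added illustration of the fix the commit message describes (example code written for this page, not the project's patch), the early-return comparison is shown beside a constant-time one; the `visited` counter and the sample signatures are constructed for demonstration and would not appear in production code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-return comparison: the pattern the commit replaces. Returns 1 if equal.
 * *visited receives how many bytes were examined; it stops at the first mismatch,
 * so the run time depends on how long the attacker's guess matches the real MAC. */
static int compare_early_return(const uint8_t *a, const uint8_t *b, size_t n, size_t *visited) {
    *visited = 0;
    for (size_t i = 0; i < n; i++) {
        (*visited)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time comparison: OR together the XOR of every byte pair and decide only
 * at the end, so every byte is visited regardless of where the first difference is. */
static int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *visited) {
    volatile uint8_t diff = 0; /* volatile: discourage the compiler from short-circuiting */
    *visited = 0;
    for (size_t i = 0; i < n; i++) {
        (*visited)++;
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

/* Hypothetical wrapper for signature strings. A length mismatch may return early:
 * the expected length is fixed by the MAC algorithm and is not secret. */
static int signatures_equal(const char *expected, const char *actual) {
    size_t n = strlen(expected);
    if (n != strlen(actual)) return 0;
    size_t visited;
    return compare_constant_time((const uint8_t *)expected, (const uint8_t *)actual, n, &visited);
}

int main(void) {
    /* Constructed sample: a "real" signature and a guess that matches only its first 2 bytes */
    const uint8_t real[8]  = {0x4a, 0x1f, 0x9c, 0x03, 0x77, 0xe2, 0x5b, 0x10};
    const uint8_t guess[8] = {0x4a, 0x1f, 0x00, 0x03, 0x77, 0xe2, 0x5b, 0x10};
    size_t v_early, v_const;
    compare_early_return(real, guess, sizeof real, &v_early);
    compare_constant_time(real, guess, sizeof real, &v_const);
    printf("early-return visited %zu bytes, constant-time visited %zu bytes\n", v_early, v_const);
    return 0;
}
```

The early-return version's visited count grows with each correctly guessed prefix byte, which is exactly the signal a timing attack measures; the constant-time version's count is always the full length.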