You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, the URI is the only WAMP metadata that is included and checked under the signature.
The design question is: is that signature scope (uri/args/kwargs) enough?
Are there other things besides uri/args/kwargs a receiving client would expect to be untampered under end-to-end encryption (by being part of the stuff that goes into signature)?
Essentially, everything not under the scope of the signature must be treated "untrusted" by the receiving peer. Any intermediary WAMP router between the sending and the receiving peer might have tampered with stuff not under the signature.
Implementation wise the main thing to check is: is the URI contained within the bytes under the signature (still) the same as the URI in the WAMP message envelope? If not, someone tampered with the URI, and this should be treated as "fatal".
The text was updated successfully, but these errors were encountered: