What is a "valid time window"? Acceptable difference in Date headers? #32
Comments
|
Yes! I think 30s is the most common answer, iirc that's what Mastodon does, but I don't know many details yet, or which additional timestamps things to compare, etc. Definitely good fodder for this report. |
|
I think Mastodon does it differently. They do: CLOCK_SKEW_MARGIN = 1.hour
...
return false if created_time.present? && created_time > Time.now.utc + CLOCK_SKEW_MARGINTo me, that looks like they're comparing the Date in the header, and seeing whether it is over one hour different to the time on the receiving server. They don't compare the signature to the published date at all. |
|
Ah, thanks for the sleuthing! I saw something about their sig handling and a 30s window recently, but either I misread it or it must have been wrong. |
|
Here's the language I ended up using:
Personally, I don't really think the exact window here is a big deal. It's hard to imagine an attack based on replaying or otherwise misrepresenting the exact time someone sent a given activity, if they otherwise did send it legitimately in that approximate time window. I'm open to feedback though. |
I'm slightly confused about the purpose of the Date header in validating signatures.
7.2.4 of https://datatracker.ietf.org/doc/rfc9421/ says:
What is a valid time window? How much skew should be acceptable?
I've set my software to reject anything beyond a ±30 second difference. Is that a sensible limit? Should I also look at the difference between the date in the signature and the date I received the request?
The text was updated successfully, but these errors were encountered: