What is a "valid time window"? Acceptable difference in Date headers? #32
Comments
Yes! I think 30s is the most common answer, iirc that's what Mastodon does, but I don't know many details yet, or which additional timestamps things to compare, etc. Definitely good fodder for this report.
I think Mastodon does it differently. They do:

```ruby
CLOCK_SKEW_MARGIN = 1.hour
...
return false if created_time.present? && created_time > Time.now.utc + CLOCK_SKEW_MARGIN
```

To me, that looks like they're comparing the Date in the header, and seeing whether it is over one hour different to the time on the receiving server. They don't compare the signature to the published date at all.
Ah, thanks for the sleuthing! I saw something about their sig handling and a 30s window recently, but either I misread it or it must have been wrong.
Here's the language I ended up using:
Personally, I don't really think the exact window here is a big deal. It's hard to imagine an attack based on replaying or otherwise misrepresenting the exact time someone sent a given activity, if they otherwise did send it legitimately in that approximate time window. I'm open to feedback though.
I'm slightly confused about the purpose of the Date header in validating signatures.
7.2.4 of https://datatracker.ietf.org/doc/rfc9421/ says:
What is a valid time window? How much skew should be acceptable?
I've set my software to reject anything beyond a ±30 second difference. Is that a sensible limit? Should I also look at the difference between the date in the signature and the date I received the request?
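The check the question describes, written out as an added example (this is not Mastodon's code and not code from the report this issue belongs to). It assumes the Date header is an RFC 7231 IMF-fixdate, that a signature `created` parameter, when present, is a Unix timestamp as in RFC 9421, and it uses the ±30 second limit from the question as its default with the one-hour margin from the Mastodon snippet quoted above as an alternative. It enforces a symmetric window (both stale and future-dated requests are rejected) and, when a `created` value is supplied, checks it against the time of receipt as well, which is the second check the question asks about. The clock is injectable so the function can be exercised offline.

```ruby
require 'time'

# Assumed windows (seconds). DEFAULT_SKEW is the ±30s limit from the question;
# MASTODON_STYLE_SKEW is the one-hour CLOCK_SKEW_MARGIN quoted in the thread.
DEFAULT_SKEW = 30
MASTODON_STYLE_SKEW = 3600

# Validates request freshness. Returns [ok, reason].
#   date_header: value of the HTTP Date header (IMF-fixdate string)
#   sig_created: optional `created` parameter of the signature (Unix seconds)
#   now:         receiving server's clock (UTC); injected for testing
#   skew:        maximum tolerated difference in seconds, in either direction
def check_request_time(date_header:, sig_created: nil, now: Time.now.utc, skew: DEFAULT_SKEW)
  return [false, 'missing Date header'] if date_header.nil? || date_header.empty?

  begin
    date = Time.httpdate(date_header) # e.g. "Sun, 06 Nov 1994 08:49:37 GMT"
  rescue ArgumentError
    return [false, 'unparseable Date header']
  end

  # Symmetric window: a Date far in the past (stale/replayed) and a Date far in
  # the future (misconfigured or forged clock) are both rejected.
  delta = (now - date).abs
  return [false, "Date header differs from receipt time by #{delta.round}s (limit #{skew}s)"] if delta > skew

  unless sig_created.nil?
    begin
      created = Time.at(Integer(sig_created)).utc
    rescue ArgumentError, TypeError
      return [false, 'unparseable signature created parameter']
    end
    # Same window applied to the signature's own timestamp versus receipt time.
    return [false, 'signature created in the future relative to receipt'] if created > now + skew
    return [false, 'signature older than the allowed window'] if now - created > skew
  end

  [true, 'ok']
end

# Constructed sample request header, not captured from a real server.
SAMPLE_DATE = 'Mon, 01 Jan 2024 12:00:00 GMT'
if __FILE__ == $PROGRAM_NAME
  p check_request_time(date_header: SAMPLE_DATE, now: Time.utc(2024, 1, 1, 12, 0, 10))
  p check_request_time(date_header: SAMPLE_DATE, now: Time.utc(2024, 1, 1, 13, 30, 0))
end
```

Because the window is applied in both directions, a request whose Date is 45 seconds old fails under the 30 second default but passes under the one-hour margin; the same function covers either policy by changing `skew`.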