andyleap / go-ssb

GNU General Public License v3.0

hash / key deviation #14

Closed cryptix closed 6 years ago

cryptix commented 6 years ago

The fixed order in which the fields of a message are parsed and verified does not work. This is also explained in the protocol guide.

It leads to invalid signatures (false negatives) and changed hashes of messages. This means replying to other threads and posting messages that JS clients can't respond to.

I wrote more about it and a saner approach to this problem on this thread on ssb: %M/qtHwvL1qgbQNZUowOnggGXAtgKuagjQMHGgreuETE=.sha256 (gateway viewer link)
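
Added illustration of the failure mode described in this issue; this is not part of cryptix's comment and not go-ssb's own code. It takes a constructed message (placeholder IDs and a placeholder signature, not real SSB data), shows that re-encoding it through a Go map imposes a fixed (sorted) key order and therefore changes the bytes and the sha256 hash, and contrasts that with a token-level parse that keeps the author's field order so the hash survives and the `signature` field can be stripped for verification without touching the rest. The two-space layout used by `encodeOrdered` is an assumption about the input; the exact SSB canonical form (JS `JSON.stringify(msg, null, 2)` and its encoding quirks) is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Constructed sample message (placeholder IDs and signature, not real SSB
// data). The author emitted the fields in exactly this order, and the hash
// and signature seen on the network were computed over these bytes.
const original = `{
  "previous": "%abc.sha256",
  "author": "@xyz.ed25519",
  "sequence": 2,
  "timestamp": 1500000000000,
  "hash": "sha256",
  "content": {
    "type": "post",
    "text": "hello <world>"
  },
  "signature": "placeholder.sig.ed25519"
}`

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// fixedOrderReencode is the approach the issue reports as broken: decode into
// a map and re-encode. encoding/json sorts map keys, so the output no longer
// matches the bytes the author hashed and signed (it also escapes '<').
func fixedOrderReencode(raw []byte) ([]byte, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return json.MarshalIndent(m, "", "  ")
}

// field is one top-level key/value pair; the value keeps its raw input bytes,
// so nested objects are not re-encoded either.
type field struct {
	Key   string
	Value json.RawMessage
}

// parseOrdered walks the top-level object token by token, preserving the
// order in which keys appeared in the input.
func parseOrdered(raw []byte) ([]field, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	tok, err := dec.Token()
	if err != nil {
		return nil, err
	}
	if tok != json.Delim('{') {
		return nil, fmt.Errorf("expected object, got %v", tok)
	}
	var fields []field
	for dec.More() {
		tok, err := dec.Token()
		if err != nil {
			return nil, err
		}
		key, ok := tok.(string)
		if !ok {
			return nil, fmt.Errorf("expected key, got %v", tok)
		}
		var val json.RawMessage
		if err := dec.Decode(&val); err != nil {
			return nil, err
		}
		fields = append(fields, field{key, val})
	}
	if _, err := dec.Token(); err != nil { // consume the closing '}'
		return nil, err
	}
	return fields, nil
}

// encodeOrdered writes the fields back in parsed order with two-space indent
// (assumed layout of the input; keys are assumed plain ASCII, so %q is valid JSON).
func encodeOrdered(fields []field) []byte {
	var buf bytes.Buffer
	buf.WriteString("{\n")
	for i, f := range fields {
		fmt.Fprintf(&buf, "  %q: %s", f.Key, f.Value)
		if i < len(fields)-1 {
			buf.WriteString(",")
		}
		buf.WriteString("\n")
	}
	buf.WriteString("}")
	return buf.Bytes()
}

// roundTrip parses and re-encodes without reordering; the result must equal
// the input for the message hash to match.
func roundTrip(raw []byte) ([]byte, error) {
	fields, err := parseOrdered(raw)
	if err != nil {
		return nil, err
	}
	return encodeOrdered(fields), nil
}

// signedBytes drops only the "signature" field, leaving the remaining fields
// in their original order: these are the bytes a verifier must check against.
func signedBytes(raw []byte) ([]byte, error) {
	fields, err := parseOrdered(raw)
	if err != nil {
		return nil, err
	}
	var kept []field
	for _, f := range fields {
		if f.Key != "signature" {
			kept = append(kept, f)
		}
	}
	return encodeOrdered(kept), nil
}

func main() {
	orig := []byte(original)
	fixed, err := fixedOrderReencode(orig)
	if err != nil {
		panic(err)
	}
	kept, err := roundTrip(orig)
	if err != nil {
		panic(err)
	}
	fmt.Println("original hash:   ", hashHex(orig))
	fmt.Println("fixed-order hash:", hashHex(fixed), "(deviates)")
	fmt.Println("ordered hash:    ", hashHex(kept), "(matches)")
	signed, err := signedBytes(orig)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes to verify the signature over:\n%s\n", signed)
}
```

The practical rule this demonstrates: never hash or verify bytes your own encoder produced from a decoded message; hash the bytes as received, and when a field has to be removed for verification, remove it from the original field sequence rather than rebuilding the object.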

andyleap commented 6 years ago

Yeap, known about that for a long time now, and frankly, I don't give a shit. SSB needs to get its act together and stop violating best practices for cryptographic message signing...