Nostr Archives
Lez, 50d ago
Can you elaborate on the replay attack vector you mention in the README which affects the BUD-01 auth spec? What's the risk / scope of the attack? Can you provide an example? Since `created_at` is part of the auth event, in my opinion it's easy to limit its scope on the server side to almost irrelevant by checking if the event is in the near past. Or would it break the functionality somehow?

Replies (1)

Pip the WoT guy, 49d ago
Example of the replay attack.

- Alice wants to change her blossom server from Server 1 to Server 2
- Alice mirrors all blobs to Server 2
- Alice then sends a DELETE for all her blobs on Server 1
- Server 1 is malicious and replays all the DELETEs (with all the Auth events) to Server 2
- Result is a complete data loss

The Auth scheme is being reworked by @266815e0…6cd408a5 and I so it will be fixed
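A toy model of the scenario above, added here as an example (not code from the thread or from any Blossom implementation): it shows why the `created_at` freshness check proposed in the question only bounds the replay window rather than preventing the replay, since Server 1 can forward the DELETE auth event to Server 2 within seconds. The event shape (kind value, `t`/`x` tags) and the stubbed signature check are assumptions for illustration.

```python
AUTH_KIND = 24242  # assumed kind value for the illustration, not taken from the spec text

def make_delete_auth(pubkey: str, blob_sha256: str, created_at: int) -> dict:
    """Alice's client builds one auth event authorising DELETE of one blob."""
    return {
        "kind": AUTH_KIND,
        "pubkey": pubkey,
        "created_at": created_at,
        "tags": [["t", "delete"], ["x", blob_sha256]],
        "sig": "<valid-signature-placeholder>",  # stands in for a real Schnorr signature
    }

def signature_valid(event: dict) -> bool:
    # Stub for signature verification. The replayed event is byte-identical to the
    # original, so a real verifier accepts it too: the signature binds the blob hash
    # and verb, but nothing in this event says which server it was meant for.
    return event.get("sig") == "<valid-signature-placeholder>"

class BlossomServer:
    """Minimal server: blobs per pubkey, DELETE gated by a created_at freshness window."""
    def __init__(self, max_age_seconds: int):
        self.max_age = max_age_seconds
        self.blobs: dict = {}  # pubkey -> set of blob hashes

    def store(self, pubkey: str, blob_sha256: str) -> None:
        self.blobs.setdefault(pubkey, set()).add(blob_sha256)

    def handle_delete(self, event: dict, blob_sha256: str, now: int) -> bool:
        """Return True if the DELETE was accepted and the blob removed."""
        tags = {t[0]: t[1] for t in event["tags"]}
        if event["kind"] != AUTH_KIND or not signature_valid(event):
            return False
        if tags.get("t") != "delete" or tags.get("x") != blob_sha256:
            return False
        if not (now - self.max_age <= event["created_at"] <= now):
            return False  # stale or future-dated: the freshness check catches this case
        self.blobs.get(event["pubkey"], set()).discard(blob_sha256)
        return True

def blob_survives_replay(replay_delay_seconds: int, window_seconds: int = 60) -> bool:
    """Alice deletes on Server 1; Server 1 replays her auth event to Server 2 after a delay.
    Returns True if Alice's mirrored blob is still on Server 2 afterwards."""
    alice, blob, t0 = "alice-pubkey", "cafe" * 16, 1_700_000_000  # constructed sample values
    server1, server2 = BlossomServer(window_seconds), BlossomServer(window_seconds)
    server1.store(alice, blob)
    server2.store(alice, blob)                        # Alice has mirrored the blob
    auth = make_delete_auth(alice, blob, t0)
    server1.handle_delete(auth, blob, now=t0)         # legitimate DELETE on Server 1
    server2.handle_delete(auth, blob, now=t0 + replay_delay_seconds)  # the replay
    return blob in server2.blobs.get(alice, set())
```

With a 60-second window the replay two seconds later still wipes the mirrored blob; only a replay delayed past the window is rejected, so the check shrinks the attack window without closing it.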