Showing posts from June, 2016

The Unspoken Vulnerability of JWTs

JSON Web Tokens (JWTs) are the new thing. Blog after blog and book after book tell you how to generate them and use them to authorize access to web services. But there is one little detail that everyone is leaving out: it is much harder to secure a server that generates JWTs than a server that generates session IDs. This is because the JWT signing key must be protected, whereas there is little need to secure session IDs, and session IDs are easily secured by hashing, anyway. As a consequence, the push to use JWTs for local authentication is making sites more vulnerable. Here you might dismiss me as a random loon for questioning the JWT love, but I do have years of experience professionally evaluating systems to assess and document their security. I've performed IV&Vs for NSA, evaluated NetWare's file system for a TNI Class C2 rating, and developed a reputation for being able to quickly identify security flaws in large software systems. Mind you, that was COMPUSEC, not