Daemonic Dispatches: AWS signature version 1 is insecure

  • Francis · 1 year ago
    It's very nice to see both act reasonably and rationally in action. It's the kind of situation that should be held as an example. =)
  • curi · 1 year ago
    Thanks for posting this!
  • Dan_Mayer · 1 year ago
    Very cool, good find. I will be checking to make sure all our endpoints are HTTPS.
  • Chris · 10 months ago
    What about multiple keys? How do they sort foo=bar&foo=blaggy?
  • cperciva · 10 months ago
    I don't think that's ever specified; but there are no AWS requests for which it's valid to specify the same parameter twice.
  • guest · 7 months ago
    Besides using SSL, I thought Amazon (like Google) had a timestamp added as part of the request, and hence it could be misused only in the next 15 minutes (assuming, in the rare case, someone got hold of the request).
    http://docs.amazonwebservices.com/AWSFWS/latest...
    It's better or easier to use than client-side certs anyway (and as secure as it is if the "request" is changing).