[bisq-network/bisq] Minimal api (#3001)

battleofwizards notifications at github.com
Tue Sep 3 19:36:14 UTC 2019


@blabno good news!

Fortunately, my take regarding authorization for money moving was **overly generic** and **not applicable** in this specific context. Very sorry for that!

To make the replay attack concern irrelevant, these must be true:

* TLS must be used. TLS does protect against replay attacks under certain assumptions.
* The HTTP(S) client must **not** auto-repeat requests. If it does, TLS won't help and replay attacks are [still possible](https://blog.valverde.me/2015/12/07/bad-life-advice/#.XDpHS1wzZPY), although they get sophisticated.

Despite TLS-level protections against replay attacks, money-moving protocols tend to do request signing. This is partly for historical reasons (legacy SSL did not have this property) and partly to have a second layer of security. However, this is far from mandatory in the context of modern TLS.

I believe it is enough to document TLS necessity.

-- 
https://github.com/bisq-network/bisq/pull/3001#issuecomment-527606860
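
Added example, not part of the original message and not Bisq code: a sketch of the request-signing "second layer" the comment mentions, where the server accepts each signed request at most once, so a request repeated by the client or on the wire is rejected. The header names, the 30-second window and the single shared HMAC key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30  # seconds a signed request stays acceptable (assumed policy)


def _mac(key, method, path, body, ts, nonce):
    # Hash the body so the signed string has a fixed, line-based layout.
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, path, ts, nonce, body_hash]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(key, method, path, body, now=None):
    """Client side: return the headers that authenticate one request."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)  # fresh per request, never reused
    sig = _mac(key, method, path, body, ts, nonce)
    # Header names are hypothetical, chosen for this example.
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: accept each signed request at most once."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while inside the window

    def check(self, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        ts, nonce = headers["X-Timestamp"], headers["X-Nonce"]
        expected = _mac(self.key, method, path, body, ts, nonce)
        # Constant-time comparison; runs first so later fields are trusted.
        if not hmac.compare_digest(expected, headers["X-Signature"]):
            return "bad-signature"
        if abs(now - int(ts)) > MAX_SKEW:
            return "stale"
        # Forget nonces whose timestamp could no longer pass the skew check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = int(ts)
        return "ok"
```

The nonce cache only has to remember entries for the length of the timestamp window, because anything older is already rejected as stale.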