2024-02-11 03:43:31

arcanicanis on Nostr: Did you know: when you verify the signature on a digest, you should probably verify ...

Did you know: when you verify the signature on a digest, you should probably verify that the presented content (that the digest is supposedly of) actually hashes to the same value as the signed digest?

I’m just increasingly disgusted that it seems like the majority of developers are just collectively drugged, high, intoxicated, or some combination thereof, because I don’t understand how I keep stumbling into these things when I’m not even trying to pentest anything. Worse is that this is in a library that people are just blindly importing and trusting.
Author Public Key
npub1pmt6lj9sff80t4fvzn75d3j7g5kk9jjs537keafg0mfgykndymms5wd4ts
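
The check described in the post, as an added example that is not from the post or from the library it refers to. The `Message` envelope, the function names and the sample content are hypothetical, with Ed25519 and SHA-256 chosen only for illustration: a verifier that checks the signature on the presented digest alone is shown beside one that first recomputes the digest from the content.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Message is a hypothetical envelope: content, a claimed digest of that
// content, and a signature made over the digest (not over the content).
type Message struct {
	Content, Digest, Sig []byte
}

// sign hashes the content and signs the resulting digest.
func sign(priv ed25519.PrivateKey, content []byte) Message {
	d := sha256.Sum256(content)
	return Message{content, d[:], ed25519.Sign(priv, d[:])}
}

// verifyNaive checks only that the signature matches the presented digest.
// It never looks at Content, so any content can ride along with a valid pair.
func verifyNaive(pub ed25519.PublicKey, m Message) bool {
	return ed25519.Verify(pub, m.Digest, m.Sig)
}

// verifyBound recomputes the digest from the presented content and rejects
// the message unless it equals the signed digest, then checks the signature.
func verifyBound(pub ed25519.PublicKey, m Message) bool {
	d := sha256.Sum256(m.Content)
	if !bytes.Equal(d[:], m.Digest) {
		return false
	}
	return ed25519.Verify(pub, m.Digest, m.Sig)
}

// demo returns: naive result on altered content, bound result on altered
// content, bound result on the genuine message. Sample content is constructed.
func demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	good := sign(priv, []byte(`{"amount": 10}`))
	altered := good // same digest and signature, different content
	altered.Content = []byte(`{"amount": 10000}`)
	return verifyNaive(pub, altered), verifyBound(pub, altered), verifyBound(pub, good)
}

func main() { fmt.Println(demo()) }
```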