Comments (4)
For anyone curious, I managed to get this library working with ruby 2.2 aptible#1.
My next concern is the security impact of using webauthn-ruby v1.3.0: can we use this version of the library or are there security implications we should be concerned about?
Thanks!
from webauthn-ruby.
Gem 1.3.0 is really old; I can't vouch for its security. Skimming the changelog, you're at least missing out on signature counter verification (1.17.0) and if you need attestation support, this is incomplete and what's there is not correctly implemented.
If you must backport gems, why not spend that effort on 2.1.0 which was the latest version to support Ruby 2.3?
Thanks for the tip, much appreciated. I managed to get 2.1.0 to work -- at least for signing. The only issue is I had to rip out openssl 2.0. What is the primary motivation for including that gem instead of using what was built into the ruby version?
Nice that you got it to work. The motivation in 1560d73 was consistency of the OpenSSL gem used across Ruby versions for ease of development against Ruby 2.3, 2.4, and 2.5 at the time (2.6 to be released later that year). This was after Ruby started gemifying the standard library.
Assuming we can close this issue now. Best of luck with the eventual upgrade.