Comments (6)
If the subscriber has an HTTPS callback, the callback's secret-ness doesn't matter. Also, if there is an HTTPS callback, the secret is useless.
The secret was introduced only because it was an elegant mechanism for subscribers who didn't want to use HTTPS.
If we're ok to force everyone to use HTTPS, then, we can get rid of the secret.
Dammit! Wrong GitHub account... but the previous comment was from me!
"If the subscriber has an HTTPS callback, the callback's secret-ness doesn't matter."
I don't think that's the case. If the point of a shared secret is to prevent third parties from pushing false data to the callback at distribution time, then using HTTPS is a moot point.
However, you could require client-side certificates, in which case the subscriber can validate that the incoming HTTP POST is coming from someone at the hub organization. But that's really hard with a lot of Web servers, and it's probably setting the bar too high.
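The shared secret this comment refers to is the one behind the X-Hub-Signature header: the hub HMACs the distributed body with the subscriber's hub.secret, and the subscriber recomputes the HMAC before trusting the content. As an added illustration (not code from this thread or from the PubSubHubbub project), here are both sides in Python with constructed sample values; the secret, feed body and function names are assumptions:

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Digest methods a subscriber is willing to accept. PuSH 0.4 specified sha1;
# later WebSub drafts added the SHA-2 family, so both are handled here.
SUPPORTED_METHODS = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Constructed sample values for the demonstration (not from the thread).
SUBSCRIBER_SECRET = b"example-hub.secret-value"
FEED_BODY = b'<?xml version="1.0"?><feed><entry><title>hello</title></entry></feed>'


def hub_sign(secret: bytes, body: bytes, method: str = "sha1") -> str:
    """Hub side: X-Hub-Signature value for a content distribution POST,
    i.e. method=hex(HMAC(secret, body))."""
    digest = hmac.new(secret, body, SUPPORTED_METHODS[method]).hexdigest()
    return f"{method}={digest}"


def subscriber_verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Subscriber side: True only if the header is well-formed, names a
    supported method and its digest matches the body under our secret."""
    if not header or "=" not in header:
        return False
    method, _, supplied = header.partition("=")
    digest_fn = SUPPORTED_METHODS.get(method.lower())
    if digest_fn is None:
        return False
    expected = hmac.new(secret, body, digest_fn).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, supplied.lower())


def handle_distribution(secret: bytes, body: bytes, headers: dict) -> Tuple[int, bool]:
    """Subscriber's handling of a distribution POST. Returns (status, accepted).
    The spec has the subscriber answer 2xx either way and locally discard
    content whose signature is missing or wrong."""
    accepted = subscriber_verify(secret, body, headers.get("X-Hub-Signature"))
    return 200, accepted
```

Without the secret, anyone who learns the callback URL can POST a body that passes this check only by guessing the HMAC, which is the property the thread is weighing against HTTPS.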
If you have HTTPS, then the callback URL is protected all the way, so there is no way one could guess it and use it to post false data.
In this context, the callback itself is secret enough that it can be considered a shared secret between the 2 entities.
"If you have HTTPS, then the callback URL is protected all the way, so there is no way one could guess it and use it to post false data."
Only if you use a unique callback per hub (I think you should use a unique callback per subscription, but I need to convince myself that that's the case).
If you use the same callback for multiple hubs, then it's not a secret any more.
Even if you're not using a unique callback actually. It's only known by the hub and the subscriber... They would be the only ones to know that it's not unique.