|
|
|
|
|
|
by aidenn0
3838 days ago
|
|
|
A quick 30s scan of the webhooks docs looks like that is correct; if you used e.g. 12345 as your secret, you would be susceptible to a dictionary attack from anybody who was able to record a message, on the order of 10s of billions of keys per second can be tested with a multi-GPU setup. I suspect that the web hooks typically run over TLS, so recording the plaintext of a request would be a challenge in and of itself. |
|
|
As a general rule though, HMAC is used with randomly generated secrets. I don't know why GitHub doesn't just tell you the secret.
Amazon's implementation is much more correct.