Hacker News new | ask | show | jobs
by sreekanth850 296 days ago
Instead of suggesting paseto, auth0 blog clearly says how to mitigate the vulnerability by using kid and specifically mentioning which algorithm during validation. I think most of the implementation do this way.
1 comments
some_furry 296 days ago
The auth0 blog recommends an incomplete mitigation.

The correct fix is to never trust the header for which algorithm you're using.

https://infosec.exchange/@sophieschmieg/115132001021790785

link