Simon Willison’s Weblog

Don’t Hash Secrets. A well written explanation from 2008 of why you must use hmac instead of raw SHA-1 when hashing against a secret. # 24th January 2010, 1:30 pm

Timing attack in Google Keyczar library. An issue I also need to fix in the proposed Django signing code. If you’re comparing two strings in crypto (e.g. seeing if the provided signature matches the expected signature) you need to use a timing independent string comparison function or you risk leaking information. This kind of thing is exactly why I want an audited signing module in Django rather than leaving developers to figure it out on their own. # 4th January 2010, 3:23 pm

Adding signing (and signed cookies) to Django core. I’ve been increasing my participation in Django recently—here’s my proposal for adding signing and signed cookies to Django, which I’d personally like to see ship as part of Django 1.2. # 24th September 2009, 7:31 pm

Browser Uploads to S3 using HTML POST Forms. I didn’t know you could do this: create a regular HTML form that gives people permission to upload direct to your own S3 bucket, using a signed JSON policy statement in a hidden form field to prevent third parties from abusing your S3 account. # 27th June 2008, 12:11 pm

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. # 2nd October 2007, 1:14 am