
In general, implementing non-cryptographically-secure protocols is easier than implementing cryptographically secure tools; there are many ways to set up something insecurely.

I recently set up libsodium for a client running Node.js on the server, and could work on this for you as well; if you want to send me an email, I can send you my rates.




What's your value proposition? Auth0 works for me, has a free tier, and my users' data is not anything so private. On the server side I only accept the HMAC-SHA256 algorithm, negating your biggest concern about JWT. Perhaps, as you claim in your article, that "is not JWT". I'm ok with that. How would your services save me money or increase my profit? I would be far more interested in a freemium SaaS alternative to Auth0 that fixes the concerns with JWT than I would be in paying an individual consultant (who might or might not be a crypto / auth expert - hard for me to verify) and who could be hit by a bus.


I don't know, you asked about how this could be done, and I could build it for you.

My value proposition is I've shipped a lot of useful things for companies, and found security vulnerabilities, and those skills are in demand these days, I guess.

You can read more here: https://burke.services


Well, what I asked for was an article showing how to do it in many languages and platforms. What I got was an offer to hire a high priced consultant. This is one of the reasons JWT and Auth0 are winning. I would love to do things the right™ way, and I appreciated your article. But there is a lot more the crypto community (or someone) needs to offer to make the alternatives to JWT just as attractive as JWT.


If you liked his article, as I did, what are we actually debating at this point? If all you're pointing out is that a single blog post hasn't solved the problem of JWT being promoted as a safe crypto standard when it isn't, well, everyone agrees on that already. Nobody has claimed this blog post to be more than it is: a good blog post.


Are we debating? I was trying to find a viable alternative to JWT that isn't "hire me at an expensive hourly rate". I think that's a pretty reasonable goal after reading yet another "don't use JWT" article, of which I've seen dozens in the past few years.



