Add RSA-256 to crypto + a Tutorial
TODO: Verify for RSA keys and update the docs.
Deploy Preview for elastic-ritchie-8f47f9 ready!
| Name | Link |
|---|---|
| Latest commit | c68fb58c3c4290dbe2d8d949041cd4f137daadd9 |
| Latest deploy log | https://app.netlify.com/projects/elastic-ritchie-8f47f9/deploys/687ddb5c0948fe0008366190 |
| Deploy Preview | https://deploy-preview-1339--elastic-ritchie-8f47f9.netlify.app |
RSA 256???? You can crack that on your iphone....
LOL, That's what Google uses for Firebase Auth JWT and one of the three signing things in the RFC's. You don't know half the headache of needing to integrate a Gerbil web app with OAuth and SAML and Micro$oft Entra ID and Authentik and Google and all the other insecure and buggy things a large corporation's IT department requires for security checklists.
Sigh, it gets even worse than this! :) Let's give away our private key to Cloudflare so it can say that sending SQL in a POST is insecure ... when it should never see it :(
there's got to be a mistake somewhere.... can you look around? I can't possibly imagine they would use something with so few bits of security.
Not entirely sure what you mean as it's not meant for encryption but signature validation.
Here are some outlines: https://auth0.com/blog/rs256-vs-hs256-whats-the-difference/
And here's the tutorial which uses both my own Google verified pkey that works with openssl, node.js, and now gerbil, along with the HMAC from the RFC.
https://deploy-preview-1339--elastic-ritchie-8f47f9.netlify.app/tutorials/crypto.html
Cracking it does not matter; a signature is not encrypting anything, it's for verifying. Nothing is encrypted (base64url is not crypt lol), just signed.
those web people.... so it is used as a fancy HMAC scheme.
Yeah, kind of. Only it has a public key to verify where HMAC cannot. I think the "idea" is that because they've gotten rid of https being secure because you now give away the private key to a service Web Application Firewall you need more security. So, if you have a public key you can check the signature that can only be signed with the private key.
Because there are now many services involved for authentication (MFA = Mutha F'n Accident) and you cannot share a (useless) certificate the JWT is a way to be more secure by ... heh, more keys to open doors! :)
What a messed up industry lol.