But if the server is allowed to vary X, it can basically act like different serv... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

echoangle 81 days ago | parent | context | favorite | on: Privacy Pass Authentication for Kagi Search

But if the server is allowed to vary X, it can basically act like different servers to each client, and can then when given a token check for which server would have been valid. The solution I got from the other replies is to make sure that the server uses the same X for everyone by verifying it as a client.

faeranne 81 days ago [–]

It appears that the public side of X is sent as the first part of the handshake, without any login info yet, and can be verified as part of B, thus a varying X would be easy to detect... I think.

Join us for AI Startup School this June 16-17 in San Francisco!
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact