Cryptographer hate for JWT
==========================

What some cryptographers and other security professionals say about JWT

--------------------------------------------------------------------------------

> I hate JWT
>
> Sophie, indistinguishable from random noise @SchmiegSophie@twitter.com, 7/8/2021 [L1]

> If alg=none was the only issue with this abomination of a standard, I could
> ignore it, and work around it. But the way this standard is used, it's
> almost impossible to build a secure JWT library
>
> Sophie, indistinguishable from random noise @SchmiegSophie@twitter.com, 7/8/2021 [L2]

> This vulnerability is a trifecta of things I hate:
>
> - JWT
> - Ruby OpenSSL extension
> - AES-GCM (great performance but so brittle)
>
> Expect years and years and years and years of ongoing JWT related
> vulnerabilities, with people continuing to claim "this isn't a problem with
> JWT!"
>
> Tony "Abolish ICE" Arcieri 🦀🌹 @bascule@twitter.com, 7/6/2018 [L3]

> JWT is so bad that I find myself wondering what I was doing when it was
> being created and if I could have done something to stop it. Also, note that
> this HN thread is full of developers just now learning that JWTs only do
> signing. Except it can also do encryption. 🤷‍♂️
>
> [I1: Photo included with tweet]
>
> Filippo Valsorda @FiloSottile@twitter.com, 9/1/2020 [L4]

> One of the most damning observations about JWT is that, whenever you
> introduce someone to a new way that you can shoot yourself in the foot, they
> automatically assume you're talking about some old way that you can shoot
> yourself in the foot.
>
> Scott Arciszewski @CiPHPerCoder@twitter.com, 8/25/2021 [L5] (archived [L6])

> This isn't an isolated incident. Every time someone talks about why JWT is
> bad, someone engages in a congruent fashion. "Blame the libraries, or the
> defaults. Don't blame the standard!" "The attack you're describing sounds
> like an old attack which was an implementation's fault"
>
> Scott Arciszewski @CiPHPerCoder@twitter.com, 8/25/2021 [L7]

> Thomas H. Ptacek
>
> The issue with JWT in particular is that it doesn't bring anything to the
> table, but comes with a whole lot of terrifying complexity. Worse, you as a
> developer won't see that complexity: JWT looks like a simple token with a
> magic cryptographically-protected bag-of-attributes interface. The problems
> are all behind the scenes.
>
> For most applications, the technical problems JWT solves are not especially
> complicated.
>
> But there's a reason crypto people hate the JWT/JOSE/JWE standards. You should
> avoid them. They're in the news again because someone noticed that one of the
> public key constructions (ECDHE-ES) is terribly insecure. I think it's
> literally the case that no cryptographer bothered to point this out before
> because they all assumed people knew JWT was a tire fire.
>
> From a comment [L8] (archived [L9]) on 🍊 site.

--------------------------------------------------------------------------------

[L1]: https://twitter.com/SchmiegSophie/status/1413248130225631232
[L2]: https://twitter.com/SchmiegSophie/status/1413248896227155968
[L3]: https://twitter.com/bascule/status/1015053995058925568
[L4]: https://twitter.com/FiloSottile/status/1300946068411121665
[L5]: https://twitter.com/CiPHPerCoder/status/1430484692764135425
[L6]: https://archive.ph/EktNL
[L7]: https://twitter.com/CiPHPerCoder/status/1430484706110459905
[L8]: https://news.ycombinator.com/item?id=13866883
[L9]: https://archive.ph/dlVNa
[I1]: https://c.cdyn.dev/am5HcAXV
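Sophie's alg=none remark and Ptacek's "magic bag-of-attributes interface" describe the same failure mode: a verifier that lets the token's own header choose how it is verified. The Python below is an added example, not code from anyone quoted above; it pins the algorithm on the verifying side and rejects unsigned, tampered, mis-keyed and expired tokens. The key, claims and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads this from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWS segments carry no '=' padding; reject it instead of guessing.
    if not text or "=" in text:
        raise ValueError("bad base64url segment")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS signed with HMAC-SHA256."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: float) -> dict:
    """Verify with the algorithm fixed by the verifier, never by the header.
    Raises ValueError on any failure; returns the claims only on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # The header is parsed only to confirm it matches what we already expect.
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # covers "none" and every other alg
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    # Claims are decoded only after the signature has been checked.
    claims = json.loads(b64url_decode(body))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims

def accepts(token: str, key: bytes, now: float) -> bool:
    """Boolean wrapper for tests and logging; the caller still uses verify_hs256."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False
```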