Comments (2)
Thank you @BSI-TF-CWA. The current behaviour (as of 1.2.1 of cwa verification server) is that a response padding is generated but finally not added to the payload. In future versions it will be added if the fake header flag exists, i.e. the behaviour is client controlled. This is a requirement to ensure client backward compatibility.
from cwa-verification-server.
I agree with @ascheibal, we will have "old versions" of the app in the wild and "new versions". New versions will send the header and support the plausible deniability feature, however older versions do not support the feature and do not send the header. The old versions will always be susceptible to traffic analysis. For the new versions, we have to make sure that the header is always sent.
We cannot rely on all users to update their apps immediately, so for compatibility reasons the verification server must accept requests without the fake header for a considerable period of time.
from cwa-verification-server.
Related Issues (20)
- Provide fake header on Int HOT 1
- Implement Plausible Deniability (aka Fake Requests)
- Update Documents for PSA 1.2 HOT 4
- feat: accessing vault directly instead of OpenShift secrets HOT 1
- bug: cwa-fake-header-workaround
- FakeRequestService uses fakeTanDelay for all fake endpoint requests HOT 1
- bug: remove additional logging after verification server split
- fix: Update updated_at upon tan creation HOT 2
- Steps for a correct setup HOT 5
- [BSI][20210416] Insufficient SSL/TLS Configuration HOT 2
- Add timestamp to test result
- Add DCC Endpoints to Verification Server HOT 1
- fix: remove unnecessary env-parameters from application-cloud.yml
- A way to get the Test Status from QR-Code Data but without the App? HOT 1
- Lombok version upgrade required HOT 2
- bug: possible multiple entries with same hashed_guid
- Issue when starting the application locally HOT 1
- Question on issue HOT 1
- A certificate verification issue in JwtService class HOT 1