> It's not "JWT is broken". The cryptography is fine. The tymondesigns/jwt-auth package is fine. The concept of using JWT as your app's session is what's broken.
If only that was true. JWT came with a lot of questionable cryptographic choices. It went hard on fine-grained cryptographic agility like it was 1995 all over again. It started with the wrong suite of outdated ciphers like RSA and no good security requirements and implementation guides, and even the notorious "none" algorithm. The end result is a string of CVEs that affected a wide swath of JWT libraries.
JWT has many other ill-conceived features such as embedded JWK, token-declared URLs and the complex mess that is JWE (which you'll need if you want encryption). This complexity, useless features (the "none" algorithm), together with picking algorithms that are hard to implement correctly[1] and not setting any kind of security requirements made vulnerable libraries spread like wildfire, and introduced at least 5 different classes of vulnerabilities[2].
The craziest thing is that the easiest vulnerability to abuse (the "none" algorithm) is required by the JWT RFC, if you read it too literally:
> Of the signature and MAC algorithms specified in JSON Web Algorithms [JWA], only HMAC SHA-256 ("HS256") and "none" MUST be implemented by conforming JWT implementations.
Now, the RFC writers obviously meant that conforming JWT libraries should support "none" if explicitly requested, but did not mean that the libraries have to accept the "none" algorithm by default. In fact, it's clearly stated:
> An Unsecured JWS uses the "alg" value "none" and is formatted identically to other JWSs [...]
> Implementations that support Unsecured JWSs MUST NOT accept such objects as valid unless the application specifies that it is acceptable for a specific object to not be integrity protected. Implementations MUST NOT accept Unsecured JWSs by default. In order to mitigate downgrade attacks, applications MUST NOT signal acceptance of Unsecured JWSs at a global level, and SHOULD signal acceptance on a per-object basis
Or in another section:
> Unsecured JWSs (JWSs that use the "alg" value "none") provide no integrity protection. Thus, they must only be used in contexts in which the payload is secured by means other than a digital signature or MAC value, or they need not be secured.
Unfortunately, the JWA spec is huge and complex because it needs to define many useful, secure and totally not bonkers algorithms like PBES2-HS256+A128KW and RSAES-PKCS1-v1_5, and the very important(?) reasons for storing the coefficients for RSA. So I guess the end result is that almost nobody ever read the JWA RFC, and somehow half of the first crop of JWT libraries let anyone strip the signature, change "alg" to "none" in the header and freely manipulate the token. Good times.
So yes, stateless tokens are a bad tradeoff for many (if not most) web applications. But even if they weren't, there are many formats that would do much better than JWT[3]. If you end up going with JWT, it's really better to thoroughly review your library, and stick to safer algorithms that don't result in a 5kb token (I'm looking at you RSA). Ed25519 is now supported by a decent amount of libraries.
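As an added illustration of the "none"/algorithm-pinning point in the comment above (example code written for this page, not taken from the comment, the RFC, or any JWT library), here is a stdlib-only HS256 verifier that pins the algorithm the application expects and rejects unsecured tokens, placed beside the header-trusting pattern the comment describes. The secret key, the claims and all function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads the key from a secret store.
SECRET = b"demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore the padding that JWT's base64url encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS with HS256 over header.payload."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened form: the application pins the algorithm; the token header
    is only checked for agreement, never used to choose the verification."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(b64url_decode(h_b64))
    alg = header.get("alg")
    # "none" is refused unconditionally, and so is any alg other than the pinned one.
    if alg == "none" or alg != expected_alg:
        raise ValueError(f"rejected alg {alg!r}; application expects {expected_alg!r}")
    if expected_alg != "HS256":
        raise ValueError("this example only implements HS256")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak via timing.
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def verify_trusting_header(token: str, key: bytes) -> dict:
    """The bug class the comment describes: the library lets the token's own
    header decide how it is verified, so alg "none" means "no verification"."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p_b64))  # signature never looked at
    if header.get("alg") == "HS256":
        sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(sig, b64url_decode(s_b64)):
            return json.loads(b64url_decode(p_b64))
        raise ValueError("bad signature")
    raise ValueError("unsupported alg")


def strip_to_none(token: str) -> str:
    """Build the unsecured variant of a token (alg rewritten to "none", empty
    signature) so the two verifiers can be compared on it."""
    h_b64, p_b64, _ = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    header["alg"] = "none"
    return _compact(header) + "." + p_b64 + "."


def is_rejected_strict(token: str, key: bytes) -> bool:
    """True when the pinned-algorithm verifier refuses the token."""
    try:
        verify_strict(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice"}, SECRET)
    print("strict accepts genuine token:", verify_strict(tok, SECRET))
    unsecured = strip_to_none(tok)
    print("header-trusting verifier accepts alg=none:", verify_trusting_header(unsecured, SECRET))
    print("strict rejects alg=none:", is_rejected_strict(unsecured, SECRET))
```

The design point is the allowlist: the caller names the one algorithm it issued tokens with, and anything else in the header, "none" included, is a hard failure before any key material is touched. Mainstream libraries expose the same idea, for example PyJWT's `jwt.decode(token, key, algorithms=["HS256"])`, and reviewing a library for exactly this behaviour is the "thoroughly review your library" step the comment recommends.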
OP mentions backward compatibility and popular YAML libraries as the reason why the "Norway problem" is still an issue, but I'm a little bit doubtful about this explanation.
It's been 10 years, if not more, since I've seen YAML configuration files using "yes/no" or "on/off". Even back in the day, these alternative boolean values were never extremely popular: the community more or less settled on true/false.
The libraries issue is real, but my issue is with the word "popular". These are libraries that used to be very popular, and kinda stuck on as the default, even though most of them are semi-abandoned and (at least in my opinion) shouldn't really be used by any new project.
PyYAML's last major release was in 2021, and it's only seen security fixes since then. Even the last major release in 2021 was only a major release because Python 2.7 support was removed. Before that there were some API changes in 5.1 released in 2019 (only because the PyYAML defaults have been ridiculously insecure and everyone has been complaining about this for years), and between 2008 and 2019 there were barely any worthwhile changes. tl;dr: PyYAML has been in maintenance mode since 2008.
Libyaml (which PyYAML is based on) hasn't seen a new release since 2020, and while it introduced some YAML 1.2 support, the development pace on this library has been glacial since 2009. Between 2009 and 2020, the project had 3 commits touching actual code per year on average, and since then the number went down to 1 commit on average.
It's a sad state that both libyaml and PyYAML are part of the official YAML project, but haven't budged forward in supporting YAML 1.2. There is something to be said about open-source projects being feature complete and requiring only light maintenance, but if they don't support the latest major YAML spec version that was released all the way back in 2009, I don't think we can call them feature-complete.
There are newer libraries out there for all these languages that support 1.2, are better maintained and often offer better and safer APIs, like libfyaml for C, yaml-cpp for C++, ruamel for Python and goccy/yaml for Go (not the same as the original go-yaml, does support most of YAML 1.2, but has strangely chosen to keep the "Norway booleans").
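To make the "Norway problem" in the comment above concrete, here is an added example (written for this page, not code from PyYAML, ruamel or any library named above) that resolves plain scalars under the YAML 1.1 boolean rules as PyYAML's resolver implements them, and under the YAML 1.2 core schema, then flags the keys of a flat `key: value` document whose meaning depends on which schema the parser uses. The mini document parser is deliberately simplified (flat mappings only, simplified integer rule); the sample config is constructed.

```python
import re

# YAML 1.1 boolean forms as matched by PyYAML's implicit resolver. The YAML 1.1
# type definition additionally allows the single letters y/Y/n/N, which PyYAML omits.
YAML11_BOOL = re.compile(
    r"^(?:yes|Yes|YES|no|No|NO|true|True|TRUE|false|False|FALSE|on|On|ON|off|Off|OFF)$"
)
YAML11_TRUE = {"yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}

# YAML 1.2 core schema: only true/false spellings are booleans.
YAML12_BOOL = re.compile(r"^(?:true|True|TRUE|false|False|FALSE)$")
YAML12_TRUE = {"true", "True", "TRUE"}

# Simplified decimal integer rule (YAML 1.1 also has octal, hex, sexagesimal and underscores).
INT_RE = re.compile(r"[-+]?(?:0|[1-9][0-9]*)")


def resolve_plain(text: str, version: str):
    """Resolve an unquoted (plain) scalar to None, bool, int or str."""
    if version == "1.1":
        bool_re, trues = YAML11_BOOL, YAML11_TRUE
    elif version == "1.2":
        bool_re, trues = YAML12_BOOL, YAML12_TRUE
    else:
        raise ValueError(f"unsupported YAML version {version!r}")
    if text in ("", "~", "null", "Null", "NULL"):
        return None
    if bool_re.match(text):
        return text in trues
    if INT_RE.fullmatch(text):
        return int(text)
    return text


def parse_flat_mapping(doc: str, version: str) -> dict:
    """Parse a flat 'key: value' document; quoted values are always strings."""
    out = {}
    for line in doc.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            out[key.strip()] = raw[1:-1]  # quoting is the portable fix
        else:
            out[key.strip()] = resolve_plain(raw, version)
    return out


def schema_sensitive_keys(doc: str) -> list:
    """Keys whose value differs between a YAML 1.1 and a YAML 1.2 parser."""
    v11 = parse_flat_mapping(doc, "1.1")
    v12 = parse_flat_mapping(doc, "1.2")
    return [k for k in v11 if v11[k] != v12[k] or type(v11[k]) is not type(v12[k])]


# Constructed sample config: ISO country codes next to a feature flag.
COUNTRIES = """
# constructed example
office_1: NO
office_2: SE
office_3: "NO"
enabled: yes
"""

if __name__ == "__main__":
    print("YAML 1.1:", parse_flat_mapping(COUNTRIES, "1.1"))
    print("YAML 1.2:", parse_flat_mapping(COUNTRIES, "1.2"))
    print("schema-sensitive keys:", schema_sensitive_keys(COUNTRIES))
```

Run against the sample, `office_1: NO` becomes `False` under the 1.1 rules and the string `"NO"` under 1.2, while the quoted `office_3` is `"NO"` in both; `enabled: yes` flips the other way (boolean in 1.1, plain string in 1.2). `schema_sensitive_keys` is the check worth running over existing configs before switching libraries, since a value that silently changes type on upgrade is exactly the kind of bug that only shows up in production.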
LDAP might have won over DAP, but it's still heavily based on the X.500-family of standards. Unlike SMTP (which is a completely different standard), LDAP is strongly based on DAP and other X.500 family standards.
Besides LDAP and X.509, you've got old standards that were very successful for a while. I'm perhaps a little bit too young for this, but I vaguely remember X.25 practically dominated large-scale networking, and for a while inter-network TCP/IP was often run over X.25. X.25 eventually disappeared because it was replaced by newer technology, but it didn't lose to any contemporary standard.
And if you're looking for new technology, CTAP (X.1278) is a part of the WebAuthn standard, which does seem to be winning.
I'm pretty sure there are other X-standards common in the telco industry, but even if we just look at the software industry, some ITU-T standards won out. This is not to say they weren't complex or that we didn't have simpler alternatives, but sometimes the complex standards do win out. The "worse is better" story is not always true.
The OP article is definitely wrong about this:
> “Of all the things OSI has produced, one could point to X.400 as being the most successful,
There are many OSI standards that are more successful than X.400, by the sheer virtue of X.400 being an objective failure. But even putting that aside, there are X-family standards that are truly successful and ubiquitous. X.500 and X.509 are strong contenders, but the real winner is ASN.1 (the X.680/690 family, originally X.208/X.209).
ASN.1 is everywhere: It's obviously present in other ITU-T based standards like LDAP, X.509, CTAP and X.400, but it's been widely adopted outside of ITU-T in the cryptography world. PKCS standards (used for RSA, DSA, ECDSA, DH and ECDH key storage and signatures), Kerberos, S/MIME, TLS. It's also common in some common non-cryptographic protocols like SNMP and EMV (chip and pin and contactless payment for credit cards). Even if you're using JOSE or COSE or SSH (which are not based on ASN.1), ASN.1-based PKCS standards are often still used for storing the keys. And this is completely ignoring all the telco standards. ASN.1 is everywhere.
Unlike many other developed countries, foreign employees working in cleaning and maintenance are still a minority. This is gradually changing, but I believe the main issue is that young people are completely uninterested in this kind of work. Most people working in these industries in Japan are old rather than foreign. The average is probably over 50+, and there are quite a few people working past retirement.
And this makes the entire application server and Servlet model the wrong abstraction. Microprofile simplifies things, but in the end I feel Java EE is just pushing the wrong abstractions here. Cloud native microservices are meant to be small, and receive their "cloud native dependency injection" through standard Unix interfaces like environment variables, standard input and output, command line arguments and sometimes files. Cloud native apps are close in spirit to twelve-factor applications (which is a stricter rendition of that).
Jakarta EE, even with its latest updates, comes from a different world. Standardized library API with interchangeable implementations that are injected by the application server. But wait! We flip the script by embedding the application server inside a fat JAR and shipping everything in a single docker/OCI container. A lot of the stuff that used to happen in the application server (load balancing, shared connection pooling, configuration, service discovery, service bus) happens now at the cloud infrastructure level.
You can still use a MicroProfile-based framework, and Quarkus (which is based on MicroProfile) is very popular nowadays, but once you went along with a certain framework, you're not very likely to replace it. Standardization was the selling point of Java EE in the past, but in the microservice world when you're only betting a smallish microservice on Framework X, people are not so concerned about putting all their eggs in one basket anymore.
I remember all the excitement about Spring Cloud... But that was back in 2017.
I never thought of Spring (or Spring Boot) as good technology, but even for the right audience Spring boot is as exciting as React is exciting for frontend developers or C is exciting for kernel developers. It's a pretty established technology that was new and cool at one point and has just become commonplace and boring for better or worse (I would argue worse, but that's just me).
You probably had a CoE (Certificate of Eligibility to Reside in Japan, 在留資格認定証明書). This piece of paper needs to be taken to your local embassy or consulate and be converted to a visa there, which then gets stamped on your passport.
But Japan is working quite differently from other countries here, so you're probably not the first person to be confused, although I don't think any country issues a long-term visa that is not stamped on your passport.
Oh, yes. Windows 10 had big issues on arrival. But this is also selective amnesia. The Windows 8 UI was nearly unusable on release. Windows Vista was so legendarily broken on release, that even after it became stable, the majority of technical users refused to give up Windows XP and went straight to Windows 7. And even Windows XP that everybody fondly remembers was quite a mess when it came out. Most home users migrated from the Windows 9x line of Windows, so they probably didn't notice the instability so much, but a lot of power users who were already on Windows 2000 held up until SP2 came out. And let's not even talk about Windows ME.
The only major Windows version release that wasn't just a point upgrade that was stable in the last century was Windows 7 and even then some people would argue this was just a point upgrade for Windows Vista.
I'm sure that Microsoft greatly reducing their dedicated QA engineers in 2014 had at least some lasting impact on quality, but I don't think we can blame it on bad releases or bungled Patch Tuesdays without better evidence. Windows 10 is not good proof for that, considering Vista had 10 times as many issues with fully staffed QA teams in the building.
It also doesn't matter. It doesn't feel like it, but Win11 released almost 5 years ago (October 5, 2021) and there's already rumors of a Win12 in the near future.
We're way past the "release issues" phase and into the "it's pure incompetence" phase.
Oh wow, I hadn't even paid any attention to that. To me Windows 11 was released on October 1, 2024, when the LTSC version came out, which is roughly when I upgraded my gaming PC to the said LTSC build from the previous Windows 10 LTSC build.
> Windows Vista was so legendarily broken on release, that even after it became stable
Vista is different. Vista was _not_ bad. In fact, it was pretty good. The design decisions Microsoft made with Vista were the right thing to do.
Most of the brokenness that happened on Vista's release was broken/unsigned drivers (Vista required WHQL driver signing), and UAC issues. Vista also significantly changed the behavior of Session 0 (no interaction allowed), which broke a lot of older apps.
Vista SP2 and the launch version of 7 were nearly identical, except 7 got a facelift too.
Of course, the "Vista Capable" stickers on hardware that couldn't really run it didn't help either.
But all things considered - Vista was not bad. We remember it as bad for all the wrong reasons. But that was (mostly) not Microsoft's fault. Vista _did_ break a lot of software and drivers - but for very good reasons.
Vista was good by the time it was finished. It was terrible at launch. I bought some PCs with early versions of Vista pre-installed for an office. We ended up upgrading them to XP so that we could actually use them.
Yeah. I challenge the idea that Vista was terrible but 7 was peak. 7 was Vista with a caught-up ecosystem and a faded-away "I'm a mac, I'm a PC" campaign
I have this vague memory of people being shown a rebranded Vista and being told it was a preview of the next version of Windows, and the response was mostly positive about how much better than Vista it was. It was just Vista without bad reviews dragging it down.
Every version of Windows released was an unusable piece of garbage, back to the beginning. MS put it out, it was crap, but somehow managed to convince users that they needed to have it, patched it until it was marginally usable, then, when users were used to it, forced them to move on to the next.
> The only major Windows version release that wasn't just a point upgrade that was stable in the last century was Window 7 and even then some people would argue this was just a point upgrade for Windows Vista.
IIRC Windows 7 internally was 6.1, because drivers written for Vista were compatible with both.
Windows 8 was an insane product decision to force one platform's UI to be friendly to another (make desktop more like tablet). Mac is doing this now by unifying their UIs across platforms to be more AR friendly.
Speaking of XP. Windows XP SP2 is really when people liked XP. By the time SP2 and SP3 were common, hardware had caught up, drivers were mature, and the ecosystem had adapted. That retroactively smooths over how rough the early years actually were.
Same thing with Vista. By the time Windows 7 came out, Vista was finally mature and usable, but had accumulated so much bad publicity from the early days, that what was probably supposed to be Vista SP3 got rebranded to Windows 7.
It's a very superficial "truth", in the "I don't really understand the problem" kind of way. This is visible when you compare to something like ME. Vista introduced a lot of things under the hood that have radically changed Windows and were essential for follow-up versions but perhaps too ambitious in one go. That came with a cost, teething issues, and user accommodation issues. ME introduced squat in the grand scheme of things. It was a coat of paint on a crappy dead-end framework, with nothing real to redeem it. If these are the same thing to you then your opinion is just a very wide brush.
Vista's real issue was that while foundational for what came after, people don't just need a strong foundation or a good engine, most barely understand any of the innards of a computer. They need a whole package and they understand "slow" or "needs faster computer" or "your old devices don't work anymore". But that's far from trash. The name Vista just didn't get to carry on like almost every other "trash" launch edition of Windows.
And something I need to point out to everyone who insists on walking on the nostalgia lane, Windows XP was considered trash at launch, from UI, to performance, to stability, to compatibility. And Windows 7 was Vista SP2 or 3. Windows 10 (or maybe Windows 8 SP2 or 3?) was also trash at launch and now people hang on to it for dear life.
It delivered a terrible user experience. The interface was ugly, with a messy mix of old and new UI elements, ugly icons, and constant UAC interruptions. On top of that, the minimum RAM requirements were wrong, so it was often sold on underpowered PCs, which made everything painfully slow.
Everything you said was perfectly applicable (and then some!) to Windows XP, Windows 7, or Windows 10 at launch or across their lifecycle. Let me shake all those hearsay based revelations you think you had.
Windows XP's GUI was considered a circus and childish [1] and the OS had a huge number of compatibility and security issues before SP3. The messy mix of elements is still being cleaned up 15 years later in Windows 11 and you can still find bits from every other version scattered around [2]. UAC was just the same in Windows 7.
Hardware requirements for XP were astronomical compared to previous versions. Realistic RAM requirements [3] for XP were 6-8 times higher than Win 98/SE (16-24MB) and 4 times those of Windows 2000 (32MB). For CPU, Windows 98 ran on 66MHz 486 while XP crawled on Pentium 233MHz as a bare minimum. Windows 98 used ~200MB of disk space while XP needed 1.5GB.
Windows 7 again more than quadrupled all those requirements to 1/2GB of RAM, 1GHz CPU, and 16-20GB disk space.
But yeah, you keep hanging on to those stories you heard about Vista (and don't get me wrong, it wasn't good, but you have no idea why or how every other edition stacked up).
I’ve been using Windows since version 3.0, so I know what I’m talking about.
Vista peaked at around 25% market share and then declined. The lowest peak of any major Windows release. Compare that with Windows XP at 88%, Windows 7 at 61%, or Windows 10 at 82%. Why do you think that is? Because Vista was great and people just didn’t understand it?
Windows XP was already perfectly usable by SP1, not SP3. The UI was childish looking, but you could easily make it look and behave like Windows 2000 very easily.
Vista, on the other hand, was bad at launch and never really recovered. I very clearly remember going to friends’ and family members’ homes to upgrade them from Vista to Windows 7, and the difference was night and day.
Your arguments don't show it and if you have to tell me you know what you're talking about, you don't. It's tiresome to keep shooting down your cherry picked arguments.
> Vista peaked at around 25% market share and then declined.
Then IE was the absolute best browser of all times with its 95+% peak. And Windows Phone which was considered at the time a very good mobile OS barely reached low single digit usage. If you don't know how to put context around a number you'll keep having this kind of "revelation".
You're also comparing the usage of an OS which was rebranded after 2.5 years, with the peak reached years later by OSes that kept their name for longer. After 2.5-3 years XP had ~40% and Win7 ~45%, better but far from the peak numbers you wave. If MS kept the Vista name Win7 might as well have been Vista SP2/3, and people would have upgraded just like they always did. But between the bad image and antitrust lawsuits based on promises MS made linked to the Vista name, they rebranded.
When XP was launched users had no accessible modern OS alternative, XP only had to compete with its own shortfalls. When Vista was launched it had to compete not only with an established and mature XP with already 75% of the market but soon after also with the expectation of the hyped successor. Windows 7 also had to compete with an even more mature and polished XP which is why it never reached the same peaks as XP or 10. Only Windows 10 had a shot at similar heights because by then XP was outdated and retired... And because MS forced people to upgrade against their will, which I'm sure you also remembered when you were typing the numbers.
> Windows XP was already perfectly usable by SP1, not SP3
And less than usable until then, which is anyway a low bar. You were complaining of the interface, the messy mix of old and new UI elements, minimum requirements, these were never fixed. XP's security was a dumpster fire and was partially fixed much later. Plain XP was not good, most of the target Win9x users had no chance of upgrading without buying beefy new computers, GUI was seen as ugly and inconsistent, compatibility was poor (that old HW that only had W9x drivers?), security was theater. Exactly what you complained about Vista. Usable, but still bad.
Just like XP, Vista became usable with SP1, and subsequently even good with "SP Win7".
You remember Vista against a mature XP, some cherry picked moments in time. And if your earlier comments tell me anything, you don't remember early XP at all. You remember fondly Windows 10 from yesterday, not Windows 10 from 2015 when everyone was shooting at it for the "built in keylogger spying on you", forced updates, advertising in the desktop, ugly interface made for touchscreens, etc. Reached 80% usage anyway, which you'll present as proof that people loved all that in some future conversation when you'll brag that you were using computers since transistors were made of wood.
All Windows OSes improve with time, so that point is moot.
> You're also comparing the usage of an OS which was rebranded after 2.5 years, with the peak reached years later by OSes that kept their name for longer. After 2.5-3 years XP had ~40% and Win7 ~45%, better but far from the peak numbers you wave. If MS kept the Vista name Win7 might as well have been Vista SP2/3, and people would have upgraded just like they always did. But between the bad image and antitrust lawsuits based on promises MS made linked to the Vista name, they rebranded.
With that line of reasoning, it's very hard to have a productive discussion. By that logic, one could just as well say that Windows 10 is simply "Windows Vista SP15".
If Vista had really been as successful and great as you claim, why didn't Microsoft just keep iterating on it? Why didn't they continue releasing service packs instead of effectively replacing it? If it was "great", that would have been the obvious path.
And again, the numbers support my argument, not yours. Vista remains the least adopted and least liked Windows version by market share. By far.
Stop going around in circles kwanbix, you made your arguments for Vista being "trash", I showed you (with links and numbers) they apply to OSes regarded as the best ever. Unless you plan to address that directly you're just trying and failing to save face. Trust me you're not saving face by insisting on "revelations" you learned from hearsay, in a forum where most people have vastly more experience than you.
> By that logic, one could just as well say that Windows 10 is simply "Windows Vista SP15".
It was an important but small incremental refinement on Vista [0], nothing like the transition between any other two major Windows editions (maybe 8.1 to 10, also to launder the branding). They even kept the Vista name here and there [1]. Tech outlets called it:
>> Windows 7 was ultimately just a more polished and refined version of Windows Vista — with lots of great new features, but with the same core [2]
That sounds a lot like an SP. Don't even wonder how/why MS just happened to have a fully baked OS in their pocket a mere couple of years after launching Vista?
> If Vista had really been as successful and great as you claim
Reading comprehension failure on your part. I said "Vista was far from trash" (tell me you think "not trash"=="great") and "all of your arguments applied to almost every other Windows edition". Both of these are true.
> why didn't Microsoft just keep iterating on it?
More reading comprehension failure. Literally explained in my previous comment that the Vista brand was tarnished, it was easier and safer to just change it. And just as important, MS made commitments about which old hardware the Vista OS would run on but didn't in reality. This brought class action lawsuits. Changing the name stopped future lawsuits related to those promises.
> the numbers support my argument, not yours
What numbers? Your stats comparing OSes at very different points in their lifecycle? Or the kernel version numbers between Vista and 7? And how does XP having more peak market share than Vista make Vista "trash"? Let me show you how to lie with numbers and not say anything, kwanbix style.
>> Windows XP is trash because it only peaked at 250M users while Windows 11 already has 1bn [3].
>> Windows 10 is trash because Windows 11 grew unforced to 1bn users even faster than the "forced upgrade" Windows 10 [3].
>> Windows 11 is trash because it only reached 55% market share compared to 82% for Windows 10.
>> Every other Windows is trash because Windows 10 peaked at 1.5bn users, more than any other.
Enough educating you, it's a failing of mine to think everyone can be helped. Have fun with the numbers and try not to bluescreen reading them.
SGML was designed for documents, and it can be written by hand (or by a machine). HTML (another descendant of SGML) is in fact written by hand regularly. When you're using SGML descendants for what they were meant for (documents) they're pretty good for this purpose. Writing documents — not configuration files, not serialized data, not code — by hand.
XML can still be used as a very powerful generic document markup language, that is more restricted (and thus easier to parse) than SGML. The problems started when people started using XML for other things, especially for configuration files, data interchange and even for programming language.
So I don't think GP is wrong. The authors of the original XML spec probably envisioned people writing this by hand. But XML is very bad for writing by hand the things that it eventually got used for.
> JSON has no such mechanism built into the format. Yes, JSON Schema exists, but it is an afterthought, a third-party addition that never achieved universal adoption.
This really seems like it's written by someone who _did not_ use XML back in the day. XSD is no more built-in than JSON Schema is. XSD was first-party (it was promoted by W3C), but it was never a "built-in" component of XML, and there were alternative schema formats. You can perfectly write XML without XSD and back in the heyday of XML in the 2000s, most XML documents did not have XSD.
Nowadays most of the remaining XML usages in production rely heavily on XSD, but that's a bit of a survivorship bias. The projects that used ad-hoc XML as configuration files, simple document files or as an interchange format either died out, converted to another format or eventually adopted XSD. Since almost no new projects are choosing XML nowadays, you don't get an influx of new projects that skip the schema part to ship faster, like you get with JSON. When new developers encounter XML, they are generally interacting with long-established systems that have XSD schemas.
This situation is purely incidental. If you want to get the same result with JSON, you can just use JSON Schema. But if we somehow magically convince everybody on the planet to ditch JSON and return to XML (please not), we'll get the same situation we have had with JSON, only worse. We'll just get to where we were in the early 2000s, and no, this wasn't good.
[1] https://neilmadden.blog/2022/04/19/psychic-signatures-in-jav...
[2] https://pentesterlab.com/blog/jwt-vulnerabilities-attacks-gu...
[3] https://fly.io/blog/api-tokens-a-tedious-survey/