Instead of suggesting paseto, auth0 blog clearly says how to mitigate the vulnerability by using kid and specifically mentioning which algorithm during validation. I think most of the implementation do this way.

The auth0 blog recommends an incomplete mitigation.

The correct fix is to never trust the header for which algorithm you're using.

https://infosec.exchange/@sophieschmieg/115132001021790785

Aside: this was very informational for me, thanks!

> You should really consider not using JWT for new designs that don't a priori need to interop with JWT.

If you're trying to make the argument that because they can be insecure, we should not use JWTs. Thats not really a great argument for most people. JWTs provide a lot of value, and the idea of having some secure, validatable, and no network required check for authentication, or transporting information. Is too valuable for businesses. So we all use JWTs, they are a decent standard.

At the very least you should propose an alternative that people use besides JWTs if you're going to vaugly hand wave about the scary security issues of 2021 firebase, and 2020 Npm packages reported by Auth0.

> At the very least you should propose an alternative that people use besides JWTs

PASETO: https://paseto.io

I thought this was common knowledge on HN?

> if you're going to vaugly hand wave about the scary security issues of 2021 firebase, and 2020 Npm packages reported by Auth0.

These are issues caused by the JWT standard.

https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...

> I thought this was common knowledge on HN?

Just as an aside but I would never say this, this is why people hate security teams. I'm a security 'expert' with 15+ years in the industry including speaking at DEFCON, Blackhat, and all that.

I had no idea about these issues and have never heard of PASETO until now! I'm actually a few months in into my startup and we are using JWT for a lot of stuff so this is very relevant. Thanks for sharing! But if I can't keep up with everything then devs who don't do this all day simply cannot.

Okay fair. I just see it come up in every thread about JWT security, so I felt like I would be Captain Obvious for calling it out.

it's not common knowledge in hn because 99pct here is stuck with jwt, which only exist to sell auth SaaS subscriptions to people coding on nodejs, were the middle ware to habdle auth cannot talk to a database. it's crazy.

The JWT standard is known to be full of nonsense. Acting like this is some non-issue is hilariously disconnected from reality.