On 2/19/14 1:23 PM, Chris Karlof wrote:
There are a couple reasons why Hawk is (arguably) better than bearer tokens, particularly over HTTP connections. All our requests are over HTTPS, so using Hawk is a bit of a belt-and-suspenders situation for us.
[...]
2) *Dramatically scale back the replay protection of Hawk.* Hawk allows a time window of 1 min by default. I propose we change that to something big. A day, a week, a month, a year. Turn the knob until we stop seeing problems.
It's worth noting that if the client clock is too far out of whack, SSL probably won't be working either because the client thinks the cert has either expired, or is not yet valid (depending on the direction of the slew).
There is data about this, somewhere. I know I've seen a chart showing a distribution of grossly incorrect system clocks, but I can't recall if it was from our own data sources, or from some third party's analysis. A couple minutes of Googling didn't turn up anything obvious.
Justin

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev

