Comment by vbezhenar

Comment by vbezhenar 6 days ago

Theoretically TCP packets have checksums, however it's fairly weak. So for HTTP, additional checksums make sense. Although I'm not sure, if there are any internal AWS S3 deployments working over HTTP and why would they complicate their protocol for everyone to help such a niche use case.

I'm sure that they have reasons for this whole request signature scheme over traditional "Authorization: Bearer $token" header, but I never understood it.

easton 6 days ago

AWS has a video about it somewhere, but in general, it’s because S3 was designed in a world where not all browsers/clients had HTTPS and it was a reasonably expensive operation to do the encryption (like, IE6 world). SigV4 (and its predecessors) are cheap and easy once you understand the code.

https://youtube.com/watch?v=tPr1AgGkvc4, about 10 minutes in I think.

Reply View 0 replies

formerly_proven 6 days ago

Because a bearer token is a bearer token to do any request, while a pre-signed request allows you to hand out the capability to perform _only that specific request_.

Reply View 1 reply

degamad 6 days ago

Bearer tokens have a defined scope, which could be used to limit functionality in a similar way to pre-signed requests.
However, the s3 pre-signed requests functionality was launched in 2011, but the Bearer token RFC 6750 wasn't standardised until 2012...

Reply View | 0 replies