1. 45

    1. 15

      I really feel like that by now this should be well known and none of the currently in-use libraries should accept alg=none tokens without additional flags being set (yes_i_really_want_no_security=true or something)

      However the real issue is, of course, the spec which allowed this in the first place even though it makes zeros sense aside of making unit tests a tiny bit easier to write. But the cost is not worth the gains. At. All.