XRPLF / xrpl-dev-portal

Source code for xrpl.org including developer documentation
https://xrpl.org

Possible security concern in Use Payment Channels tutorial #1854

Open DennisDawson opened 1 year ago

DennisDawson commented 1 year ago

[@ledhed2222] We were looking at the docs for payment channels. The tutorial recommends using channel_authorize here. I don’t think it should, since it represents a serious security issue unless the sender of the payment controls their own rippled node. The tutorial instead should recommend using the libraries/SDKs to sign the payment. In xrpl.js this is the authorizeChannel method.

intelliot commented 1 year ago

On the other hand, if someone is willing to run their own rippled node, I'm strongly in favor!

Even without using channel_authorize, there are still other risks to using third-party rippled servers. It's always possible (even if exceedingly unlikely) that they will lie to you or deceive you in some way.
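
The concern raised in the first comment, as an added example that is not part of the thread and is not xrpl.js or rippled code: a payment channel claim is signed inside the local process, so no secret is ever sent to a server, and only the resulting signature needs to be shared. It assumes an Ed25519 channel key and uses a throwaway key pair from Node's crypto module rather than an XRPL seed; the function names and the sample channel ID are constructed for illustration.

```javascript
// Added example: sign a payment channel claim locally with Node's built-in
// crypto module, so the private key never leaves this process.
const nodeCrypto = require('node:crypto');

// Prefix that marks the signed bytes as a payment channel claim: "CLM\0".
const CLAIM_PREFIX = Buffer.from('434C4D00', 'hex');

// Bytes covered by a claim signature:
// prefix || 32-byte channel ID || amount in drops as a 64-bit big-endian integer.
function encodeClaim(channelIdHex, drops) {
  if (!/^[0-9A-Fa-f]{64}$/.test(channelIdHex)) {
    throw new Error('channel ID must be 64 hex characters');
  }
  if (!/^(0|[1-9][0-9]*)$/.test(drops)) {
    throw new Error('drops must be a decimal integer string');
  }
  const amount = BigInt(drops);
  if (amount > 0xFFFFFFFFFFFFFFFFn) throw new Error('amount does not fit in 64 bits');
  const amountBytes = Buffer.alloc(8);
  amountBytes.writeBigUInt64BE(amount);
  return Buffer.concat([CLAIM_PREFIX, Buffer.from(channelIdHex, 'hex'), amountBytes]);
}

// Sign locally. Ed25519 signs the message bytes directly (algorithm = null).
function signClaim(privateKey, channelIdHex, drops) {
  const sig = nodeCrypto.sign(null, encodeClaim(channelIdHex, drops), privateKey);
  return sig.toString('hex').toUpperCase();
}

// What the payee does before accepting a claim: check it against the public key.
function verifyClaim(publicKey, channelIdHex, drops, signatureHex) {
  const sig = Buffer.from(signatureHex, 'hex');
  return nodeCrypto.verify(null, encodeClaim(channelIdHex, drops), publicKey, sig);
}

// Constructed sample values (throwaway key, made-up channel ID).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const SAMPLE_CHANNEL = 'AB'.repeat(32);
const sampleSig = signClaim(privateKey, SAMPLE_CHANNEL, '1000000');

console.log('claim signature:', sampleSig);
console.log('valid for 1000000 drops:',
  verifyClaim(publicKey, SAMPLE_CHANNEL, '1000000', sampleSig));
console.log('valid for 2000000 drops:',
  verifyClaim(publicKey, SAMPLE_CHANNEL, '2000000', sampleSig));
```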