cdhowie / cheese-trackers

Enhanced async multiworld tracker for Archipelago
https://cheesetrackers.theincrediblewheelofchee.se/

Support other AP servers #1

Closed cdhowie closed 5 months ago

cdhowie commented 5 months ago

Add support for a whitelisted set of alternate AP servers such as the AP beta server.

CoreParadox commented 5 months ago

Is there a reason for this to be a whitelist instead of any AP server since it's possible to self-host AP?

cdhowie commented 5 months ago

@CoreParadox Yes. Asking CT to open a tracker results in a GET request to the provided URL. Allowing any URL to be provided creates a security vulnerability that allows an attacker to use the CT server to send GET requests to any desired URL. GET requests are supposed to be idempotent but there is no requirement for them to be. Even idempotent GET requests might cause significant load (e.g. an inefficiently-implemented search endpoint) and so this would allow CT to be used as a proxy for a denial of service attack.
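The exact-match allowlist check that the reply above argues for, as an added example that is not the project's code: the language, the `ALLOWED_AP_HOSTS` table and its hostnames are assumptions, and the rejection cases exercised are the usual ways a supplied URL ends up pointing somewhere other than it appears to.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for illustration; the real set of permitted AP
# servers is not given in the issue and would be project configuration.
ALLOWED_AP_HOSTS = {
    "ap.example.org": {443},       # hypothetical main server
    "beta.ap.example.org": {443},  # hypothetical beta server
}


class RejectedTrackerUrl(ValueError):
    """Raised when a user-supplied tracker URL is not on the allowlist."""


def validate_tracker_url(raw: str) -> str:
    """Return a normalized URL if it points at an allowlisted AP server.

    Checks are deliberately exact-match: https only, no userinfo, host
    looked up verbatim (no suffix matching), and only the expected port.
    Anything else is rejected so the server never issues a GET to an
    arbitrary destination chosen by the requester.
    """
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise RejectedTrackerUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://allowed-host@other-host/" parses to host other-host.
        raise RejectedTrackerUrl("userinfo not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_AP_HOSTS:
        raise RejectedTrackerUrl(f"host not allowlisted: {host!r}")
    port = parts.port if parts.port is not None else 443  # may raise ValueError
    if port not in ALLOWED_AP_HOSTS[host]:
        raise RejectedTrackerUrl(f"port not allowed: {port}")
    # Rebuild from parsed components so the raw string itself is never fetched;
    # the fragment is dropped and an empty path becomes "/".
    netloc = host if port == 443 else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def is_allowed(raw: str) -> bool:
    """Boolean form of the check; malformed ports raise ValueError from urllib."""
    try:
        validate_tracker_url(raw)
        return True
    except ValueError:  # RejectedTrackerUrl is a ValueError subclass
        return False
```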