search

ehloonion / onionmx

Onion delivery, so delicious
197 stars 26 forks source link

Verify the projects map.yml file #26

Open tnias opened 5 years ago

tnias commented 5 years ago

I did not find a policy on how to get a domain added or removed from the project's map.yml file. It seems like a nice possibility for MitM attacks.

I propose to require prove of ownership by the non-onion domain owner. This can be done simply by requiring the presents of a SRV record pointing to the provided onion domain.

In #25 I created a simple script to check for the SRV records. This or something similar could be used for regular checking of currently present records and those to be added.

taggart commented 1 year ago

Agreed this is a problem, and maybe a good reason to not keep the map at all but move to using SRV only. If the map is kept, verifying the SRV record (maybe with DNSSEC too?) seems like a good idea.