movementlabsxyz / movement

The Movement Network is a Move-based L2 on Ethereum.
Apache License 2.0

Insecure HTTP communication in full node's API #493

Open SA124 opened 2 weeks ago

SA124 commented 2 weeks ago

Severity: [LOW] Insecure HTTP communication in full node's API
Auditor: Halborn

The API of the Suzuka full node currently supports both HTTP and HTTPS protocols. When transactions and other data are transmitted over HTTP, the data is vulnerable to interception and modification by malicious actors within the network. While intercepted data can be spied upon, the primary concern is the potential for modification. Such modifications would not allow the creation of valid fake transactions on behalf of the victim; instead, they would cause the transaction to fail. Although this prevents attackers from forging transactions, the ability to disrupt transactions by tampering with their contents can still lead to operational inefficiencies and potential denial-of-service (DoS) conditions. To maintain secure and reliable node communications, it is recommended to enforce the use of HTTPS, ensuring that all data transmitted to and from the node is encrypted and protected against tampering.

mzabaluev commented 1 week ago

Duplicate of #414.

This can be important for mom-and-pop deployments, but in the cloud infrastructure we assume a trusted private network and the responsibility of the HTTP load balancer to enforce HTTPS and deploy TLS certificates.

mzabaluev commented 1 week ago

Perhaps it's better to keep it as a low priority backlog issue.

l-monninger commented 5 days ago

I would mark this as a usability issue honestly, for said mom-and-pop deployments.

mzabaluev commented 5 days ago

> I would mark this as a usability issue honestly, for said mom-and-pop deployments.

It will be a usability issue once we actually have built-in TLS support in the node. Right now, the mom and the pop have no other options than to deploy the node in a private network and front it to the public with an ingress proxy that can handle TLS.
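A check an operator can run against the kind of deployment discussed in this thread (node on a private network, TLS-terminating proxy in front), given here as an added example that is not part of the issue or of the Movement code base: it sends one cleartext request to a listener and classifies the answer. The stub listeners, the host name `node.example` and the path `/v1` are constructed for the demo.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def classify_plain_http(host, port, path="/", timeout=3.0):
    """Send one cleartext GET and report how the listener answers it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
    except (ConnectionRefusedError, socket.timeout):
        return "closed"            # nothing accepts cleartext on this port
    except (http.client.HTTPException, OSError):
        return "not-http"          # e.g. a TLS-only listener dropped the request
    finally:
        conn.close()
    if 300 <= status < 400 and urlsplit(location).scheme == "https":
        return "https-redirect"    # proxy pushes clients over to TLS
    if 200 <= status < 300:
        return "cleartext-served"  # API data can be read and modified in transit
    return "cleartext-other"       # speaks HTTP but did not serve this path


def start_stub(status, headers=()):
    """Constructed local stand-in for a node or proxy listener (demo only)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            for name, value in headers:
                self.send_header(name, value)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    stubs = {"direct node port": start_stub(200),
             "ingress proxy :80": start_stub(301, [("Location", "https://node.example/v1")])}
    for name, srv in stubs.items():
        print(name, "->", classify_plain_http("127.0.0.1", srv.server_address[1]))
```

A result of `https-redirect` still means the first request crossed the network unencrypted, so clients should be configured with `https://` URLs from the start.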