raiden-network / raiden

Disable nonlocal rpc-endpoint connections without tls #2094

Closed err508 closed 5 years ago

err508 commented 6 years ago

We should protect raiden users from connecting to ill-configured/misconfigured remote ethereum nodes by allowing only TLS connections for nonlocal endpoints.

ulope commented 6 years ago

IMO there are legitimate use cases for non-local connections that are not easily able to be fitted with a (valid) certificate. The most common one would be a local node hosted on a dedicated machine in a private / company network (possibly with no public hostname).

Also since we only submit locally signed tx I don't see a big security risk of allowing non-tls connections.

LefterisJP commented 6 years ago

@err508 Before starting work on something, first make sure we are aligned, that we want that something implemented and that it should be included in our current milestone. (referring to the assignment).

That said, I agree with Ulo: there are legitimate cases to allow for nonlocal non-TLS connections, so I don't see this as something that should be enforced on our side in any way.

err508 commented 6 years ago

@ulope the use case you described would be feasible with a self-signed certificate. IMO it's worth the effort; a compromised ethereum node with several raiden nodes connected to it is a dedicated attack vector. The client is not only relying on signed tx, but also on events (i.e. partner deposits) which could be tampered with/faked.

@LefterisJP I'll not start to work on an issue without milestone assignment; I self-assigned as I already worked on a related issue.

ulope commented 6 years ago

A self-signed cert will not help in any way with the scenario you describe.

Since self-signed certs are by definition not valid, anyone can replace the node (e.g. via DNS spoofing, ARP poisoning and probably ten different other ways) with a compromised one that equally serves a self-signed cert.

The only thing self-signed certs improve over not using TLS is transport encryption, but for our use case that doesn't matter since all the data is public on the blockchain anyway.

err508 commented 6 years ago

A node would have to add a security exception for the self-signed cert, otherwise it wouldn't be accepted by the OS, no? At least this is how it works with cert pinning in browsers right now.

ulope commented 6 years ago

Ok if you want to go that far then yes, that would help. Although implementing that would probably be quite a bit of work.
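
The policy from the issue title combined with the pinning idea from the exchange above, as an added example that is not part of the thread or of Raiden's code. The names `is_local`, `endpoint_allowed`, `matches_pin` and `connect_pinned` are hypothetical, and treating only loopback literals and `localhost` as local is an assumption.

```python
import hashlib
import hmac
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def is_local(host: str) -> bool:
    """Loopback literals and the name 'localhost' count as local (assumption)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as nonlocal


def endpoint_allowed(url: str) -> bool:
    """Policy from the issue title: nonlocal endpoints must use TLS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.scheme == "https" or is_local(parts.hostname)


def matches_pin(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the SHA-256 of the DER certificate with the pinned value."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower().replace(":", ""))


def connect_pinned(host: str, port: int, pinned_sha256_hex: str) -> ssl.SSLSocket:
    """Open a TLS socket to a node with a self-signed cert and enforce the pin."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # CA validation is replaced by the pin check
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    cert_der = sock.getpeercert(binary_form=True)
    if cert_der is None or not matches_pin(cert_der, pinned_sha256_hex):
        sock.close()  # a swapped-in node serving a different self-signed cert ends here
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return sock
```

The pin has to be obtained from the node operator out of band; a fingerprint learned over the same unauthenticated connection gives no protection against a replaced node.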

hackaugusto commented 5 years ago

duplicate: https://github.com/raiden-network/raiden/issues/446