auth: use fixed jwt-secret when hosting on 127.0.0.1 #302
Conversation
lightclient
force-pushed
the
fixed-jwt
branch
from
b8ff196
to
3551ada
Compare
|
This is supported in Nimbus as of v22.3 for anyone that wants to test it on the execution side. |
|
Are you sure that browsers do not allow setting the Web pages can set headers in requests made by JS, but certain headers are forbidden when they have low-level meaning or when they are part of the security framework of the web platform: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name |
|
@fjl my wording was a little confusing, but browsers strip So a random website trying to call |
|
As discussed, I think stripping does not occur, and websites can in fact set this header. In general, the security of our mechanism should probably not lean into the browser's security model too much. |
That's not how In interpret the proposition. BUT: the proposition is that 'anyone who can send data to localhost to address the api'. And a typical way that could be exploited, would be if a victim accesses a malicious webpage, and that webpage manages to trigger the browser to interact with the protected api. And the question is if such an attack is possible. And the answer is that it should not be possible, due to the regulations for the ability of webpages for setting arbitrary headers. So basically, in order to evaluate this possible attack, we must consider the browser security model. |
|
Yes, if we are specifically concerned about browser-based attacks, we could rely on the defenses implemented by browsers. But it's still a fine line to walk, because relying on these also means we will be affected by any breach of cross-origin request prevention. What I was trying to say is, best if we don't rely on that at all. I think #297 is a better alternative. |
|
Late to the party, but it is not uncommon to have App A bound to 127.0.0.1 and then a reverse proxy server bound to 0.0.0.0 which blindly forwards all requests to App A. I like the idea behind this proposal, but I think in reality listening only to 127.0.0.1 is not sufficient to be sure outside requests won't make it to the server. |
This is quite nuts though as far as setups go and requires explicit action not unlike jwt itself - we're trying to protect "default"/simple setups from fishy web sites, not users that go out of their way to open their host to the world. The JWT file remains one of the top contenders for broken setups in terms of user support - it is not a "free security feature" but rather a poorly understood (by users) and complex mechanism - in these discussions, it's important remembering this is not at all free in terms of how much (economic) damage it is actively causing in terms of user support, downtime due to setup problems, higher barrier of entry etc. If we want home staking, UX research in this area would be much welcome. |
|
The default CORS policy in EL clients prevents requests from browsers and I think this provides enough of a protection for the concerns raised here, but there are some reasonable ways to improve the security. We can derive the default JWT value from system-specific pieces of information that are easy to obtain from system software, but not accessible from browsers. Some examples would include the MAC address of the first network interface, the first CPU serial number, etc. |
This is a replacement of ideas in #297 and #300.
--
Currently, if a user wanted to casually run an EL and CL on the same host without the aid of any virtualization, it is required that the user specify the
--jwt-secretflag for at least one client. Example:I think this is both an unnecessary and confusing behavior for users. Ideally, the user should be able to, in any order, bring up an EL and CL and have them communicate by default.
The preferred behavior would be:
This PR requires that when a user i) starts a client without specifying
jwt-secretand ii) binds the Engine API to127.0.0.1, the client will used the defaultjwt-secretvalue. This alleviates the need for the user or the clients to be aware of ajwt-secretbeing generated in the background.Because sockets bound to
127.0.0.1are not accessible outside the localhost and webpages are unable to set arbitrary HTTP headers, this provides a similar level of security as the file-basedjwt-secretdoes. (h/t @arnetheduck, @holiman)