Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem: insecure RPCs are subject to MITM attacks #86

Merged
merged 1 commit into from
Jun 4, 2018
Merged

Problem: insecure RPCs are subject to MITM attacks #86

merged 1 commit into from
Jun 4, 2018

Conversation

yrashk
Copy link
Contributor

@yrashk yrashk commented May 24, 2018

Solution: by default, disallow use of non-TLS RPC endpoints

For testing, there's an escape hatch of a command line
argument --allow-insecure-rpc-endpoints (purposefully
long) that will reduce the severity of using a non-TLS
RPC endpoint to a warning in a log file.

It was not made to be a configuration file option to reduce
the risk of this option slipping into a production configuration
file by mistake.

Closes #79

@ghost ghost assigned yrashk May 24, 2018
@ghost ghost added the in progress label May 24, 2018
akolotov
akolotov reviewed May 26, 2018
View reviewed changes
Copy link
Contributor

@akolotov akolotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update README.md with description of new command line parameter.

@yrashk
Copy link
Contributor Author

yrashk commented May 28, 2018

Done

akolotov
akolotov approved these changes May 29, 2018
View reviewed changes
Copy link
Contributor

@akolotov akolotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. But in order to minimize number of changes in the next version of bridge, the merge needs to be done as soon as the tag for the commit for #93 is published as a new release.

@yrashk
Problem: insecure RPCs are subject to MITM attacks
18802df 
Solution: by default, disallow use of non-TLS RPC endpoints

For testing, there's an escape hatch of a command line
argument `--allow-insecure-rpc-endpoints` (purposefully
long) that will reduce the severity of using a non-TLS
RPC endpoint to a warning in a log file.

It was not made to be a configuration file option to reduce
the risk of this option slipping into a production configuration
file by mistake.

Closes omni#79
@yrashk yrashk merged commit 0968c6f into omni:master Jun 4, 2018
@ghost ghost removed the in progress label Jun 4, 2018
noot pushed a commit to noot/poa-bridge that referenced this pull request Jul 18, 2018
@snd
Merge pull request omni#86 from paritytech/snd-issue85-erc20
6a40abf 
omni#85 (ERC20 for ForeignBridge) and more
noot pushed a commit to noot/poa-bridge that referenced this pull request Jul 18, 2018
@yrashk
Merge pull request omni#86 from yrashk/force-tls
a4c5571 
Problem: insecure RPCs are subject to MITM attacks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akolotov akolotov akolotov approved these changes

Assignees

@yrashk yrashk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yrashk @akolotov