Dialer.Dial takes remote peerID but does not confirm that it is the peer that it connected to #137
Labels
exp/expert: Having worked on the specific codebase is important
help wanted: Seeking public contribution on this issue
kind/bug: A bug in existing code (including security flaws)
It potentially exposes libp2p users to a MitM attack if the check isn't done manually after the Dial. We do it in go-libp2p-swarm code, but if someone uses Dial directly it might be a problem.
It currently isn't done as the secio handshake is done lazily on first usage.
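The manual check after Dial that the issue refers to, as an added example that is not code from go-libp2p or from the issue author. `PeerID`, `IDFromKey`, `Conn`, `VerifyPeer` and `NewPeer` are hypothetical names, and the peer ID is simplified here to the SHA-256 hash of an Ed25519 public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrPeerMismatch = errors.New("authenticated peer is not the requested peer")
type PeerID string // simplified stand-in for a libp2p peer ID: hex SHA-256 of the key

func IDFromKey(pub ed25519.PublicKey) PeerID {
	return PeerID(fmt.Sprintf("%x", sha256.Sum256(pub)))
}

// Conn is a hypothetical dialed connection on which no handshake has run yet.
type Conn struct {
	pub  ed25519.PublicKey   // key presented by whoever answered the dial
	sign func([]byte) []byte // that endpoint signing our challenge
}

// VerifyPeer is the manual check after Dial: run the handshake now, then compare IDs.
func (c *Conn) VerifyPeer(want PeerID) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(c.pub, nonce, c.sign(nonce)) { // proves key possession only
		return errors.New("handshake: bad signature")
	}
	if got := IDFromKey(c.pub); got != want { // the comparison Dial does not make
		return fmt.Errorf("%w: want %s, got %s", ErrPeerMismatch, want, got)
	}
	return nil
}

// NewPeer returns a constructed peer's ID and a connection to it, standing in for Dial.
func NewPeer() (PeerID, *Conn) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(m []byte) []byte { return ed25519.Sign(priv, m) }
	return IDFromKey(pub), &Conn{pub: pub, sign: sign}
}

func main() {
	want, _ := NewPeer()
	_, other := NewPeer() // a different endpoint answers the dial
	fmt.Println(other.VerifyPeer(want))
}
```

A caller that gets `ErrPeerMismatch` should close the connection before any application data is written to it.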