Skip to content
This repository has been archived by the owner on Feb 26, 2021. It is now read-only.

cryptoChallenge allows server to trick client into signing arbitrary messages #57

Open
tyler-smith opened this issue Aug 7, 2018 · 1 comment

Comments

@tyler-smith
Copy link

The scheme used to authenticate that the client owns a given peerid is to give them a random nonce to sign, but there is no way for the client to know that what they're signing is actually random data versus data they don't want to sign. For example, a hash of a message they didn't write.

A better scheme is for the server to encrypt the nonce, then have the client decrypt it and send back a hash of the nonce. The hash is important to prevent the server from tricking the client into decrypting arbitrary ciphertexts.

@mkg20001
Copy link
Member

mkg20001 commented Jan 8, 2019

Addressed with #70, please review

alanshaw pushed a commit to ipfs/js-ipfs that referenced this issue Feb 7, 2020
[`libp2p-websocket-star`](libp2p/js-libp2p-websocket-star#57) has a security vulnerability and was not converted in the refactor. This PR removes the `libp2p-websocket-star` information until libp2p/js-libp2p-stardust#14 lands and we can recommend using it instead.

refs #2600
alanshaw pushed a commit to ipfs/js-ipfs that referenced this issue Feb 7, 2020
[`libp2p-websocket-star`](libp2p/js-libp2p-websocket-star#57) has a security vulnerability and was not converted in the refactor. This PR removes the `libp2p-websocket-star` information until libp2p/js-libp2p-stardust#14 lands and we can recommend using it instead.

refs #2600
alanshaw pushed a commit to ipfs/js-ipfs that referenced this issue Feb 7, 2020
[`libp2p-websocket-star`](libp2p/js-libp2p-websocket-star#57) has a security vulnerability and was not converted in the refactor. This PR removes the `libp2p-websocket-star` information until libp2p/js-libp2p-stardust#14 lands and we can recommend using it instead.

refs #2600
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants