View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002677 | GNUnet | transport service | public | 2012-11-30 17:13 | 2024-05-03 14:01 |
| Reporter | Matthias Wachs | Assigned To | Matthias Wachs | ||
| Priority | high | Severity | feature | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.10.0 | ||||
| Summary | 0002677: HTTPs should enable validation check to prevent MITM attacks | ||||
| Description | To prevent MITM attacks the server should send the expected hostname or include it in the certificate. The client should verify the certificate and sent a response containing "I validated you as server with hostname x.y.z" If the server receives the response with the correct hostname it responds otherwise it disconnects | ||||
| Tags | No tags attached. | ||||
| related to | 0002910 | closed | Matthias Wachs | Add a option field to transport addresses |
|
|
We also should add a few bits to the other transport addresses to support things like the SilentKnock feature. Maybe it is time for a generic "options" word to be added everywhere to all addresses, so we can be backwards-compatible in the future? |
|
|
Implemented in: tcp udp http(s) client / server |
|
|
Implemented: Servers sets option to verify certificate in address, client extracts option and tells curl to verify certificate. But there is no way to interact with curl while verifying the certificate: Connection fails if connection cannot be verified |
|
|
That sounds fine, if validation is on and cert fails to validate, connections should fail IMO. So is this 'fixed'? |
|
|
I think note 7197 can be misunderstood: The option to verify is included in the address, not the certificate itself. So an attacker can create a valid certificate for the hostname the server uses. |
|
|
Implementation as described above fixes the problem |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-11-30 17:13 | Matthias Wachs | New Issue | |
| 2012-11-30 17:13 | Matthias Wachs | Status | new => assigned |
| 2012-11-30 17:13 | Matthias Wachs | Assigned To | => Matthias Wachs |
| 2012-11-30 17:20 | Matthias Wachs | Description Updated | |
| 2012-12-22 16:19 | Christian Grothoff | Product Version | => Git master |
| 2012-12-22 16:19 | Christian Grothoff | Target Version | => 0.10.0 |
| 2013-03-18 15:00 | Christian Grothoff | Priority | normal => high |
| 2013-06-25 12:17 | Christian Grothoff | Note Added: 0007169 | |
| 2013-06-26 10:02 | Matthias Wachs | Relationship added | related to 0002910 |
| 2013-06-27 17:02 | Matthias Wachs | Note Added: 0007195 | |
| 2013-06-28 10:44 | Matthias Wachs | Note Added: 0007197 | |
| 2013-07-10 23:50 | Christian Grothoff | Note Added: 0007228 | |
| 2013-07-11 08:42 | Matthias Wachs | Note Added: 0007234 | |
| 2013-07-11 18:00 | Matthias Wachs | Note Added: 0007237 | |
| 2013-07-11 18:00 | Matthias Wachs | Status | assigned => resolved |
| 2013-07-11 18:00 | Matthias Wachs | Resolution | open => fixed |
| 2013-12-24 20:54 | Christian Grothoff | Status | resolved => closed |
| 2024-05-03 14:01 | Christian Grothoff | Category | HTTP transport => transport service |
