Authenticate the Zebra RPC port. #4575
-
This post has some other approaches: https://www.gabriel.urdhr.fr/2021/06/02/dns-rebinding-explained/#mitigations I like "Checking the Host header" for its simplicity, but we need to make sure it's robust enough.
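One way to make the Host-header check from that post robust, written as an added example for this thread and not Zebra's own code (std only, no HTTP framework). It assumes a hypothetical listener address `127.0.0.1:8232` and a `check_host_header` function that the real RPC server would call before dispatching a request. The point it shows: a rebinding attacker can change what `rebind.attacker.example` resolves to, but the browser still sends that name verbatim in `Host`, so refusing every value that is not literally this listener (loopback IP or `localhost`, with the right port) closes the hole. The parser also covers the cases that tend to break naive checks: bracketed IPv6, case and trailing dot in names, look-alike names such as `localhost.attacker.example`, and a missing or mismatched port.

```rust
// Added example: a Host-header check for an RPC listener on localhost,
// as a DNS-rebinding mitigation. Not Zebra code; written for this thread.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// Outcome of validating an incoming `Host` header against the listener.
#[derive(Debug, PartialEq, Eq)]
pub enum HostCheck {
    Allowed,
    /// HTTP/1.1 requires `Host`; a request without one is refused.
    Missing,
    Rejected(String),
}

#[derive(Debug, PartialEq, Eq)]
enum HostName {
    Ip(IpAddr),
    Name(String),
}

/// Strict port parse: digits only, must fit in a u16.
fn parse_port(s: &str) -> Option<u16> {
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    s.parse().ok()
}

/// Split a raw `Host` value into a normalised host and an optional port.
/// Returns None for anything that is not a clean `host[:port]`.
fn parse_host(raw: &str) -> Option<(HostName, Option<u16>)> {
    let raw = raw.trim();
    // Bracketed IPv6 literal, e.g. `[::1]:8232`.
    if let Some(rest) = raw.strip_prefix('[') {
        let close = rest.find(']')?;
        let ip: Ipv6Addr = rest[..close].parse().ok()?;
        let tail = &rest[close + 1..];
        let port = if tail.is_empty() { None } else { Some(parse_port(tail.strip_prefix(':')?)?) };
        return Some((HostName::Ip(IpAddr::V6(ip)), port));
    }
    let (host, port) = match raw.rsplit_once(':') {
        Some((h, p)) => (h, Some(parse_port(p)?)),
        None => (raw, None),
    };
    // An unbracketed IPv6 literal or an empty host is ambiguous: refuse it.
    if host.is_empty() || host.contains(':') {
        return None;
    }
    if let Ok(v4) = host.parse::<Ipv4Addr>() {
        return Some((HostName::Ip(IpAddr::V4(v4)), port));
    }
    // DNS names are case-insensitive and may carry a trailing dot; anything
    // outside letters, digits, hyphen and dot is refused.
    let name = host.to_ascii_lowercase();
    let name = name.trim_end_matches('.');
    if name.is_empty() || !name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'.') {
        return None;
    }
    Some((HostName::Name(name.to_string()), port))
}

/// Decide whether a request carrying `header` may reach the RPC server
/// bound to `listen`. A rebinding attacker controls what their name resolves
/// to, not the `Host` value the browser sends, which stays the attacker's
/// domain; anything that is not literally this listener is refused.
pub fn check_host_header(header: Option<&str>, listen: SocketAddr) -> HostCheck {
    let raw = match header {
        Some(h) => h,
        None => return HostCheck::Missing,
    };
    let (host, port) = match parse_host(raw) {
        Some(parsed) => parsed,
        None => return HostCheck::Rejected(format!("unparseable Host {:?}", raw)),
    };
    // Browsers omit the port only for the scheme default (80 for http).
    let port = port.unwrap_or(80);
    if port != listen.port() {
        return HostCheck::Rejected(format!("port {} is not the listener port {}", port, listen.port()));
    }
    let ok = match &host {
        HostName::Ip(ip) => *ip == listen.ip() || (listen.ip().is_loopback() && ip.is_loopback()),
        // `localhost` is the only name accepted, and only for a loopback listener;
        // `localhost.attacker.example` is a different name and fails here.
        HostName::Name(n) => n.as_str() == "localhost" && listen.ip().is_loopback(),
    };
    if ok {
        HostCheck::Allowed
    } else {
        HostCheck::Rejected(format!("{:?} is not this listener", host))
    }
}

fn main() {
    // Assumed listener address for the example; the real one comes from config.
    let listen: SocketAddr = "127.0.0.1:8232".parse().unwrap();
    for h in [Some("localhost:8232"), Some("rebind.attacker.example:8232"), Some("localhost"), None] {
        println!("{:?} -> {:?}", h, check_host_header(h, listen));
    }
}
```

The check is deliberately an allowlist rather than a denylist of attacker patterns: a listener on a non-loopback address accepts only its own exact IP, and names other than `localhost` are never accepted, so the server never depends on what a name resolves to at request time. If the RPC port is ever exposed beyond loopback, the same function needs the concrete bound address passed in, and an `Origin`/`Referer` policy or real authentication on top.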
-
Currently, the RPC port doesn't have access to any secrets, so it is low risk. But it does let users submit transactions (and blocks with the We might want to document that RPCs are unauthenticated, and say they should be run bound to localhost on a dedicated machine or VM.
-
closing this in favour of #8153
-
We noted that having the RPC port unauthenticated can lead to some problems. We will want to take some action; however, we are not sure which option will be best. There are several, for example:
Opening the discussion to share ideas and more details.