[crazy?] completely neutered self-signed certificate verification administering akash hosting providers?
Undescribed Horrific Abuse, One Victim & Survivor of Many
gmkarl at gmail.com
Wed Jul 19 21:37:14 PDT 2023
https://github.com/akash-network/support/issues/109
Clients Do Not Authenticate Provider Certificates #109
xloem opened this issue now
**Describe the bug**
The [current client peer certificate verification
code](https://github.com/akash-network/provider/blob/44c85af39a56a43830efbdcbe7a2fd83c1d9776b/gateway/rest/client.go#L290L355)
completely ignores the on-chain certificate and public key data,
allowing a network adversary to provide a false certificate to any
client.
**To Reproduce**
Note: I have not tested this, but it looks like you could generate a
certificate with matching owner address and serial number to any
active one on-chain, and offer it to a client in a
machine-in-the-middle attack, and it would be accepted because the
certificate is not sufficiently verified. All communications could be
logged, and fake responses provided.
**Expected behavior**
It looks like the code should retrieve the certificate and public key
fields from the QueryCertificatesResponse object and compare them with
the data from the network
[here](https://github.com/akash-network/provider/blob/44c85af39a56a43830efbdcbe7a2fd83c1d9776b/gateway/rest/client.go#L320L337).
**Additional context**
I'm a crazy old software developer and I [spammed a mailing list about
this issue](https://lists.cpunks.org/pipermail/cypherpunks/2023-July/115544.html).
More information about the cypherpunks
mailing list