-
m-relay
<concepcion:unredacted.org>
youtu.be/5xi0ukN49bs
<jhendrix:imagisphe.re> There are remote nodes with HTTP on xmr.ditatompel. Does this mean those nodes are not using TLS by default? There is a comment about Cuprate in issue 7078 from May 2, 2023, stating that TLS 1.3 will be enforced, but does that mean it is not in the current codebase? My concern is that if remote nodes are not connected over TLS, then traffic is transmitted in plaintext, allowing IS<clipped message>
<jhendrix:imagisphe.re> Ps to listen to it without running a single node. There is a comment in issue 3402 stating that "Default is SSL autodetection, clients and servers can switch to mandatory." Wouldn't it be better to enforce TLS usage via consensus rules?
<syntheticbird:monero.social> Could you clarify which connections you are talking about?
<syntheticbird:monero.social> > There are remote nodes with HTTP
<syntheticbird:monero.social> Indicates you are talking about Wallet RPC, which uses the HTTP protocol
<syntheticbird:monero.social> > There is a comment about Cuprate in issue 7078 from May 2, 2023, stating that TLS 1.3 will be enforced
<syntheticbird:monero.social> This issue is related to P2P, which does not use HTTP but TCP sockets and the Levin protocol
<ofrnxmr:xmr.mx> Just means that the person who submitted them did so with an http prefix
<ofrnxmr:xmr.mx> Rpc ssl uses self-signed certs, regenerated at each node startup. Also to note is that wallets (aside from cli) don't allow cert pinning. This is all to say that replacing the certs or mitm'ing the connection should be easy
<ofrnxmr:xmr.mx> enforcing tls would likely break a lot of nodes that have domain names and don't have static certs against the domain
<ofrnxmr:xmr.mx> If he's talking about autodetect, he's talking about rpc. P2p has no tls at all
<ofrnxmr:xmr.mx> Unless tls is strictly disabled in the node, all ip address nodes will use tls if the wallet specifies that the connection is https.
<ofrnxmr:xmr.mx> Some wallets attempt to use https automatically (feather), some require the user to check an ssl toggle or type https, and some don't support https at all.
<ofrnxmr:xmr.mx> --rpc-ssl=autodetect flag means that the node will use https if a client attempts to connect over https. enabled and disabled args will make it strictly force tls only, or disallow tls entirely
<monero.arbo:matrix.org> Stack wallet does cert pinning <3
<ofrnxmr:xmr.mx> stack doesn't pin
<ofrnxmr:xmr.mx> It's _never_ warned me when a self signed cert changed. It has given a popup about ca signed certs that haven't changed though lol
<monero.arbo:matrix.org> this screen is absurdly misleading if it's not pinning the cert
<syntheticbird:monero.social> ig you guys can open an issue on stack wallet repo
<ofrnxmr:xmr.mx> Is this on a CA signed node?
<monero.arbo:matrix.org> true. just always been kinda wild to me how unsupported cert pinning is among xmr wallets
<monero.arbo:matrix.org> nah ofrn this is my node with a fixed self signed cert
<monero.arbo:matrix.org> now I feel like I should change the cert and test it tho
<jhendrix:imagisphe.re> I meant P2P. Correct me if I am wrong, but when running a node, the end user will have encryption by default only if the remote P2P node supports it. If it doesn't, the traffic is transmitted in plaintext. This is why I asked whether it would be better to enforce communication over TLS 1.3 and make P2P encryption mandatory.
<ofrnxmr:xmr.mx> No, p2p has no encryption