09:18:31 https://youtu.be/5xi0ukN49bs
10:54:20 There are remote nodes with HTTP on xmr.ditatompel. Does this mean those nodes are not using TLS by default? There is a comment about Cuprate in issue 7078 from May 2, 2023, stating that TLS 1.3 will be enforced, but does that mean it is not in the current codebase? My concern is that if remote nodes are not connected over TLS, then traffic is transmitted in plaintext, allowing ISPs to listen to it without running a single node. There is a comment in issue 3402 stating that "Default is SSL autodetection, clients and servers can switch to mandatory." Wouldn't it be better to enforce TLS usage via consensus rules?
10:55:58 Could you clarify which connections you are talking about?
10:55:58 > There are remote nodes with HTTP
10:56:00 Indicates you are talking about Wallet RPC, which uses the HTTP protocol
10:56:02 > There is a comment about Cuprate in issue 7078 from May 2, 2023, stating that TLS 1.3 will be enforced
10:56:04 This issue is related to P2P, which does not use HTTP but TCP sockets and the Levin protocol
10:56:06 Just means that the person who submitted them did so with an http prefix
10:58:08 RPC SSL uses self-signed certs, regenerated at each node startup. Also to note is that wallets (aside from CLI) don't allow cert pinning. This is all to say that replacing the certs or MITMing the connection should be easy
10:59:31 Enforcing TLS would likely break a lot of nodes that have domain names and don't have static certs against the domain
11:00:27 If he's talking about autodetect, he's talking about RPC. P2P has no TLS at all
11:04:41 Unless TLS is strictly disabled in the node, all IP address nodes will use TLS if the wallet specifies that the connection is https.
11:09:11 Some wallets attempt to use https automatically (Feather), some require the user to check an SSL toggle or type https, and some don't support https at all.
11:09:12 The --rpc-ssl=autodetect flag means that the node will use https if a client attempts to connect over https. The enabled and disabled args will make it strictly force TLS only, or disallow TLS entirely
11:50:09 Stack wallet does cert pinning <3
11:52:10 Stack doesn't pin
11:52:54 It's _never_ warned me when a self-signed cert changed. It has given a popup about CA-signed certs that haven't changed though lol
11:56:54 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/KCIfvWiaXuIKWVBZWjxuMPgH
11:57:07 This screen is absurdly misleading if it's not pinning the cert
11:59:24 ig you guys can open an issue on the Stack wallet repo
12:05:07 Is this on a CA-signed node?
12:08:03 True. Just always been kinda wild to me how unsupported cert pinning is among XMR wallets
12:08:04 nah ofrn this is my node with a fixed self-signed cert
12:10:50 Now I feel like I should change the cert and test it tho
12:29:41 I meant P2P. Correct me if I am wrong, but when running a node, the end user will have encryption by default only if the remote P2P node supports it. If it doesn't, the traffic is transmitted in plaintext. This is why I asked whether it would be better to enforce communication over TLS 1.3 and make P2P encryption mandatory.
12:32:11 No, P2P has no encryption
12:32:45 https://github.com/monero-project/monero/pull/8996