Protect the Zebra RPC endpoint #8864
Comments
blocking #8830
For reference we discussed this in the past, but any of the proposed approaches look good.
Note that even in those cases we might need authentication, due to DNS rebinding attacks.
Thanks for the reference, I knew we had discussed this earlier. I agree we might need authentication when the endpoint is localhost or private network, so I think Auth should be ON by default but there should be a way to turn it OFF if the user wants it.
I'd suggest using a This could be a good read, from the Ethereum JSON-RPC APIs: And the Rust Ethereum implementation:
I suggest staying away from JWT because it's full of pitfalls. I think doing something similar to zcashd is enough (a random password or token), see https://fly.io/blog/api-tokens-a-tedious-survey/ ("Simply Random Tokens" and JWT sections)
The Zebra RPC endpoint is currently unencrypted and accessible by anyone who knows the address and port. While the current recommendation is to restrict access to localhost or a trusted local network, there are cases where the endpoint needs to be open to the internet in production environments.
Implement one of the following authentication methods:
We could implement just one of these methods or explore alternative solutions.
Authentication should be enabled by default but turning it off should be an option for testing purposes and setups where the endpoint is restricted to localhost or a private network.
Encryption of RPC traffic (for example using TLS) is not part of this ticket but might be considered in the future.
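The pieces the thread asks for (a zcashd-style random token checked in constant time, a Host-header check against DNS rebinding, and authentication on by default with an opt-out) fit together as in the following example. It is added here for illustration and is not Zebra's code; `RpcAuthConfig`, `authorize`, the field names and the port `8232` in the sample headers are assumptions, and `generate_token` reads `/dev/urandom`, so it assumes a Unix host.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// RPC authentication settings (hypothetical struct, not Zebra's config).
/// `enabled` is true by default; operators who bind the endpoint to localhost
/// or a private network can switch it off, as the issue proposes.
#[derive(Debug, Clone)]
pub struct RpcAuthConfig {
    pub enabled: bool,
    /// Random bearer token, zcashd-style.
    pub token: String,
    /// Host-header names the endpoint answers for.
    pub allowed_hosts: Vec<String>,
}

/// Reasons a request is refused.
#[derive(Debug, PartialEq)]
pub enum AuthError {
    MissingHost,
    HostNotAllowed,
    MissingToken,
    BadToken,
}

/// 32 random bytes from /dev/urandom, rendered as 64 hex characters.
/// Assumes a Unix host; a real build would use the OS CSPRNG through a crate.
pub fn generate_token() -> std::io::Result<String> {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Default: auth on, fresh random token, only loopback names accepted.
pub fn default_config() -> std::io::Result<RpcAuthConfig> {
    Ok(RpcAuthConfig {
        enabled: true,
        token: generate_token()?,
        allowed_hosts: vec!["127.0.0.1".into(), "localhost".into(), "[::1]".into()],
    })
}

/// Constant-time byte comparison: OR-accumulate the XOR of every byte pair so the
/// running time does not reveal where the first mismatch is. A length mismatch
/// returns early, which leaks only the length, not any token bytes.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Strip the port from a Host header value, keeping bracketed IPv6 literals intact.
pub fn host_name(host: &str) -> &str {
    if let Some(end) = host.find(']') {
        return &host[..=end];
    }
    host.split(':').next().unwrap_or(host)
}

/// Build a lowercase-keyed header map from (name, value) pairs (constructed input).
pub fn headers(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_ascii_lowercase(), v.to_string())).collect()
}

/// Decide whether a request may reach the RPC handlers.
/// 1. The Host header must name this endpoint. A DNS-rebinding page makes the
///    browser send the attacker's hostname in Host, so this check rejects it even
///    when token auth has been switched off for a localhost-only deployment.
/// 2. If auth is enabled, `Authorization: Bearer <token>` must match in constant time.
pub fn authorize(cfg: &RpcAuthConfig, headers: &HashMap<String, String>) -> Result<(), AuthError> {
    let host = headers.get("host").ok_or(AuthError::MissingHost)?;
    let name = host_name(host);
    if !cfg.allowed_hosts.iter().any(|h| h.as_str() == name) {
        return Err(AuthError::HostNotAllowed);
    }
    if !cfg.enabled {
        return Ok(());
    }
    let auth = headers.get("authorization").ok_or(AuthError::MissingToken)?;
    let presented = auth.strip_prefix("Bearer ").ok_or(AuthError::MissingToken)?;
    if ct_eq(presented.as_bytes(), cfg.token.as_bytes()) {
        Ok(())
    } else {
        Err(AuthError::BadToken)
    }
}

fn main() -> std::io::Result<()> {
    let cfg = default_config()?;
    let bearer = format!("Bearer {}", cfg.token);
    // Constructed sample requests; 8232 is an assumed RPC port.
    let good = headers(&[("Host", "127.0.0.1:8232"), ("Authorization", bearer.as_str())]);
    println!("loopback + correct token: {:?}", authorize(&cfg, &good));
    let rebound = headers(&[("Host", "attacker.example:8232"), ("Authorization", bearer.as_str())]);
    println!("rebound host, correct token: {:?}", authorize(&cfg, &rebound));
    Ok(())
}
```

The Host check runs before the `enabled` flag is consulted on purpose: disabling token auth for a localhost-only setup is the exact situation the DNS-rebinding remark in the thread is about, so that check should not be tied to the auth toggle.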