Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include the host name inside signed replies #24

Open
daveschaefer opened this issue Sep 14, 2013 · 1 comment
Open

Include the host name inside signed replies #24

daveschaefer opened this issue Sep 14, 2013 · 1 comment
Labels
security bug

Comments

@daveschaefer
Copy link
Collaborator

Currently the notary reply does not contain the host name. We should include it so clients can verify that the fingerprint returned is indeed for the host they expected.

Using SSL to encrypt the reply would also protect against attacks, but we should include it in the reply just in case.
@danwent
Copy link
Owner

danwent commented Sep 14, 2013

Dave, the signature on the reply include the service_id, which includes the hostname + port, so there is no risk of the reply being for a different host and still being accepted by the client.

See: https://github.com/danwent/Perspectives-Server/blob/master/client/client_common.py#L67

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@danwent @daveschaefer