
[bug]: price oracle TLS/SSL certificate validation missing

Open ZZiigguurraatt opened this issue 1 year ago • 2 comments

The price oracle client inside tapd does not seem to do SSL certificate validation of the price oracle server. This is a security issue, as we have no confidence that the price oracle we are talking to is the one we think we are talking to.

We should have the following choices:

  1. Root CAs to trust (in addition to or instead of the operating system root CA list)
  2. Trust operating system root CA list (yes or no)
  3. Require certificate checking
  4. Don't require certificate checking
  5. Pin to a specific certificate (either signed by a CA or self signed)

ZZiigguurraatt, Jan 07 '25 21:01

The issue is how we create the server dial opts in oracle.go: https://github.com/lightninglabs/taproot-assets/blob/8719b4035391bf2fda2430c5bd07907b4d638824/rfq/oracle.go#L124-L135

This should inherit dialInsecure from the earlier context.

Roasbeef, Jan 10 '25 17:01

In addition to not verifying the signatures, I don't think tapd is currently verifying certificate expiry time either.

ZZiigguurraatt, Feb 18 '25 17:02
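Choice 5 from the issue (pinning to a specific certificate) combined with the expiry check raised in the last comment, as an added example using only the Go standard library. It is not tapd's code: `verifyPinned`, `pinnedTLSConfig`, `constructedCert` and the `oracle.example` name are hypothetical, and the certificate is throwaway sample data generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyPinned accepts the leaf only if its SHA-256 matches pin and now is within its validity window.
func verifyPinned(rawCerts [][]byte, pin [32]byte, now time.Time) error {
	if len(rawCerts) == 0 || sha256.Sum256(rawCerts[0]) != pin {
		return errors.New("oracle certificate does not match pin")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("pinned oracle certificate is expired or not yet valid")
	}
	return nil
}

// pinnedTLSConfig (hypothetical): InsecureSkipVerify disables only the default verifier; the callback still runs.
func pinnedTLSConfig(pin [32]byte) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			return verifyPinned(raw, pin, time.Now())
		}}
}

// constructedCert returns DER for a throwaway self-signed cert (constructed sample data).
func constructedCert(notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"oracle.example"}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	der := constructedCert(time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	fmt.Println(verifyPinned([][]byte{der}, sha256.Sum256(der), time.Now())) // expired: rejected
}
```

With gRPC, a config like this would reach the dial options through `credentials.NewTLS(cfg)` from `google.golang.org/grpc/credentials`.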