
[SECURITY] Insecure Token Communication #1

Open
iwr-redmond opened this issue Dec 27, 2024 · 3 comments

Comments

@iwr-redmond

The TOKEN_TM_URL defined in token_utils.rs is currently reached using insecure http instead of encrypted https. This means that identifiable user information including mobile phone number is transmitted in plain text and can be easily intercepted for purposes including identity theft.

Notably, any defense mechanisms that have been implemented are prone to circumvention when SSL is not implemented (Karlström, 2015, p23).
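One defensive check for the problem the issue raises, as an added example that is not code from this project: refuse to contact the token endpoint unless its URL scheme is `https`, so a plain-`http` value can never reach the network. The constant `TOKEN_TM_URL`, its placeholder value, and the functions `require_https` and `token_endpoint` are assumptions for illustration, not names from `token_utils.rs`.

```rust
// Added example (not the project's own code). Enforces TLS-only transport
// for the token endpoint so identifiable data such as a phone number is
// never sent in cleartext, regardless of what the request body contains.

/// Hypothetical stand-in for the constant in token_utils.rs; the value is a
/// constructed placeholder, not the project's real endpoint.
pub const TOKEN_TM_URL: &str = "https://token.example.invalid/api";

#[derive(Debug, PartialEq)]
pub enum EndpointError {
    /// `http://` or any other non-TLS scheme is rejected outright.
    InsecureScheme(String),
    /// The configured value is not an absolute URL at all.
    Malformed(String),
}

/// Returns the URL unchanged if its scheme is `https`, otherwise an error.
/// The scheme comparison is case-insensitive (RFC 3986 schemes are) and
/// surrounding whitespace is trimmed so a sloppy config value cannot slip past.
pub fn require_https(url: &str) -> Result<&str, EndpointError> {
    let trimmed = url.trim();
    let (scheme, rest) = match trimmed.split_once("://") {
        Some(parts) => parts,
        None => return Err(EndpointError::Malformed(trimmed.to_string())),
    };
    if scheme.is_empty() || rest.is_empty() {
        return Err(EndpointError::Malformed(trimmed.to_string()));
    }
    if scheme.eq_ignore_ascii_case("https") {
        Ok(trimmed)
    } else {
        Err(EndpointError::InsecureScheme(scheme.to_ascii_lowercase()))
    }
}

/// Gate every use of the endpoint through the check, so callers cannot
/// bypass it by reading the constant directly.
pub fn token_endpoint() -> Result<&'static str, EndpointError> {
    require_https(TOKEN_TM_URL)
}

fn main() {
    match token_endpoint() {
        Ok(url) => println!("token endpoint accepted: {url}"),
        Err(e) => eprintln!("refusing to use token endpoint: {e:?}"),
    }
}
```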

@metercai
Owner

The request body of the API is encrypted ciphertext, so using either HTTP or HTTPS ensures security.

@iwr-redmond
Author

Isn't the payload decrypted upstream to allow the DID to be authenticated? If so, the communication remains fundamentally insecure.

@metercai
Owner

> Isn't the payload decrypted upstream to allow the DID to be authenticated? If so, the communication remains fundamentally insecure.

DID is self validating and does not require upstream verification. Upstream provides additional third-party proof for traceability purposes.
