[crazy][spam][crazy][spam] [thread for further deliberations regarding akash certs]
Undescribed Horrific Abuse, One Victim & Survivor of Many
gmkarl at gmail.com
Thu Jul 20 16:29:24 PDT 2023
I'm trying to write a small akash client.
While discerning part of the protocol, I posted the three-post
https://lists.cpunks.org/pipermail/cypherpunks/2023-July/115544.html
which describes a potential vulnerability where a mitm can fake
servers. I have not tested it, and am using a compromised system that
often indicates mutated web content. I opened an issue for it.
Curiously, I also looked up certs the other way around -- server
validating client. I don't see this being done either, but have looked
at it less in depth.
This second option would be very serious as any old person could log
into anybody's server, and hence it's pretty unlikely that I'm seeing
it correctly, and one could infer from that the first vulnerability
may be nonexistent too.
But it's possible they're there!
The usual way to check a vulnerability is to try to exploit it. It's
very hard for me to spend time pursuing tasks, so I have not done this
at this time.
More information about the cypherpunks
mailing list