Config service security

[ederuiter]

When working on our integration with the config-service I was debugging some issues we had with the new signer field, and while looking at some wireshark logs, I noticed some request/response data was clearly readable and thus not encrypted.

I assumed by using grpc everything was encrypted using ssl/tls, but it turns out this is not the case.
Sure all requests are signed, and authenticated .. but if someone manages to intercept traffic to/from the config service api's, nothing prevents them from replaying the api calls.

Most (not all!) endpoints seem to have a timestamp field in their requests; but it seems there is no logic present to prevent replay attacks.

In my opinion the current situation is not secure enough for our customers needs and I would strongly suggest to add another ssl/tls enabled grpc endpoint. This way existing users of the api could continue to use the insecure grpc endpoint and the newer clients can use the secure grpc endpoint.

[jeffgrunewald]

What endpoint are you using? The unsecured endpoint is only intended for gateways to request region params since they aren’t guaranteed to support tls. All of my interactions with the config service’s other rpcs are done over https

[jeffgrunewald]

using grpc does not however guarantee tls; grpc supports secure connections but like http 1.1 it doesn’t require them

[ederuiter]

What I did was using the helium-config-service-cli application (compiled from the latest commit) and capture this traffic with wireshark.
For example a ./helium-config-service-cli route list will display the server url + route id as plain text in the wireshark output.

For our own client we use the same endpoint as found in the helium-config-service-cli source code: mainnet-config.helium.io:6080 (see https://github.com/helium/helium-config-service-cli/blob/1cd741eb47d61a13695190193c02865038450f8e/src/cmds/mod.rs#L36)
That endpoint did not accept https when I tried it.

If there is a https endpoint I would be happy to use it.

[jeffgrunewald]

looks like there isn't a public-facing endpoint that supports tls yet and the one i've done all the testing and operating against is not publicly accessible. we've requested one get provisioned and i'll update this issue and that default in the cli once it's created

[jeffgrunewald]

@ederuiter thanks again for calling this one to our attention as an earlier integrator. Do us a favor and give the URL in this PR helium/helium-config-service-cli#52 a try and make sure it works for you as well (just tested myself and seems to be all in order).

[ederuiter]

Yes that works. I have updated our package + deployed the new version and it successfully adds/removes euis to/from our route when a device is activated/de-activated on our side.
Thanks for the quick response!

[jeffgrunewald]

glad to hear it

[ujals]

hello @ederuiter I have my own chirpstack and Helium network server hosted in it, I want to automatically add and remove devices in the chirpstack , and not add device through the helium cli every time, I think your solution is aligned with what I want , But I need some guidance, Is there any other platform that we can connect like discord?