Auto merge of #3890 - zebambam:add_dns_rebinding_warnings_security_3841, r=mdr0id
Added documentation warnings about DNS rebinding attacks, issue #3841 For AMQP and ZMQP.
commit
6391741d1f
14
doc/amqp.md
|
@ -40,6 +40,20 @@ In order to run the example Python client scripts in contrib/ one must
|
|||
also install *python-qpid-proton*, though this is not necessary for
|
||||
daemon operation.
|
||||
|
||||
## Security WARNING
|
||||
|
||||
Enabling this feature even on the loopback interface only (e.g. binding
|
||||
it to localhost or 127.0.0.1) will still expose it to the wilds of the
|
||||
Internet, because of an attack vector called DNS rebinding. DNS
|
||||
rebinding allows an attacker located remotely on the Internet to trick
|
||||
applications that you're running on the same computer as Zcashd to
|
||||
contact your supposedly localhost-only AMQP port, then, depending on the
|
||||
program they may be able to attempt to attack it.
|
||||
|
||||
Do not enable this feature unless you are sure that you know what you
|
||||
are doing, and that you have a strong reason for thinking that you are
|
||||
not vulnerable to this type of attack.
|
||||
|
||||
## Enabling
|
||||
|
||||
By default, the AMQP feature is automatically compiled in if the
|
||||
|
|
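Review bot: The last sentence of the first warning paragraph, "then, depending on the program they may be able to attempt to attack it", has unclear referents: "the program" could be the tricked local application or the daemon, and "they" could be the attacker or the applications. Suggest splitting the sentence after "AMQP port" and naming the actor and the target explicitly, with a comma after the introductory clause. The second paragraph also asks for "a strong reason for thinking that you are not vulnerable" without saying what the reader should check; a pointer to issue #3841 or one sentence on what to verify would make the warning actionable.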
18
doc/zmq.md
|
@ -1,8 +1,8 @@
|
|||
# Block and Transaction Broadcasting With ZeroMQ
|
||||
|
||||
[ZeroMQ](http://zeromq.org/) is a lightweight wrapper around TCP
|
||||
connections, inter-process communication, and shared-memory,
|
||||
providing various message-oriented semantics such as publish/subscribe,
|
||||
connections, inter-process communication, and shared-memory, providing
|
||||
various message-oriented semantics such as publish/subscribe,
|
||||
request/reply, and push/pull.
|
||||
|
||||
The Zcash daemon can be configured to act as a trusted "border
|
||||
|
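Review bot: The re-wrap of the opening paragraph ("connections, inter-process communication, and shared-memory, providing") changes only line breaks and is unrelated to the DNS rebinding warning. Suggest dropping it from this change or moving it to a separate formatting commit so the security documentation change stays easy to review and to backport.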
@ -42,6 +42,20 @@ In order to run the example Python client scripts in contrib/ one must
|
|||
also install *python-zmq*, though this is not necessary for daemon
|
||||
operation.
|
||||
|
||||
## Security WARNING
|
||||
|
||||
Enabling this feature even on the loopback interface only (e.g. binding
|
||||
it to localhost or 127.0.0.1) will still expose it to the wilds of the
|
||||
Internet, because of an attack vector called DNS rebinding. DNS
|
||||
rebinding allows an attacker located remotely on the Internet to trick
|
||||
applications that you're running on the same computer as Zcashd to
|
||||
contact your supposedly localhost-only ZMQ port, then, depending on the
|
||||
program they may be able to attempt to attack it.
|
||||
|
||||
Do not enable this feature unless you are sure that you know what you
|
||||
are doing, and that you have a strong reason for thinking that you are
|
||||
not vulnerable to this type of attack.
|
||||
|
||||
## Enabling
|
||||
|
||||
By default, the ZeroMQ feature is automatically compiled in if the
|
||||
|
|
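Review bot: The first sentence of the new section says binding to loopback "will still expose it to the wilds of the Internet", which is stronger than the mechanism the next sentence describes, where an attacker has to trick an application running on the same computer. Suggest wording such as "can still expose it to attackers on the Internet" so the claim matches the stated precondition. The section is also a verbatim copy of the one added to doc/amqp.md with only "AMQP" changed to "ZMQ"; consider a single shared security note linked from both files so the two copies cannot drift. Minor: "Zcashd" here versus "The Zcash daemon" earlier in the same file; pick one form.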