The client used to connect to the gateway is posting the credentials to the login endpoint without verifying the self-signed TLS cert presented by the gateway. It’s possible to spin up a web service and steal this info with some manipulation of the container network. The client will happily talk to any HTTPS server without checking the cert against a bundle.
I actually don’t know what you can do with such info, but it feels wrong. And checking the thumbprint feels like cheap insurance to guard against this.
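The thumbprint check proposed in this issue, sketched as an added example (not the project's client code): the client completes the TLS handshake, compares the SHA-256 of the gateway's DER certificate to a pinned value, and refuses to send the login request on a mismatch. The function names, the `PinMismatch` exception and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the peer certificate does not match the pinned thumbprint."""


def normalize_thumbprint(value: str) -> bytes:
    """Accept 'AA:BB:..', 'aabb..' or 'AA BB ..' and return the raw digest."""
    cleaned = value.replace(":", "").replace(" ", "").lower()
    digest = bytes.fromhex(cleaned)  # ValueError on non-hex input
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 thumbprint (32 bytes)")
    return digest


def cert_matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare SHA-256(DER certificate) to the pinned thumbprint."""
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, normalize_thumbprint(pinned))


def open_pinned(host: str, port: int, pinned: str,
                timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect, check the pin, and only then hand the socket to the caller."""
    # Chain validation is off because the gateway cert is self-signed;
    # the thumbprint comparison below replaces it as the identity check.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
    if not der or not cert_matches_pin(der, pinned):
        tls.close()  # nothing has been sent at the application layer yet
        raise PinMismatch(f"certificate from {host}:{port} does not match pin")
    return tls  # the login request may now be written to this socket
```

The pinned value has to reach the client out of band (for example, written into its configuration when the gateway generates the certificate), otherwise the check only pins whatever server answered first.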