This repository was archived by the owner on Feb 20, 2026. It is now read-only.
When sending encrypted secrets to the application, right now the CLI just fetches the public key from the tproxy.
phala-cloud-cli/src/tee/phala-cloud.ts, line 230 in 312b15d
This opens up a "Rogue Certificate" man-in-the-middle attack where a CA (or the owner of the tproxy domain) issues a malicious certificate. This could be used to steal the encrypted secrets. Basically the problem is introducing a reliance on the TLS PKI system in a core component that didn't need it.
One way to fix this is by passing the encryption key itself as a parameter or env var for the CLI.
Another way is to get a reference value for the "public key fingerprint" of the tproxy TLS certificate. The CLI could then extract the public key from the certificate and check it against the fingerprint. For python like this CLI it could be patched just by using some custom https session into axios.post.
https://stackoverflow.com/questions/16903528/how-to-get-response-ssl-certificate-from-requests-in-python/52072170#52072170
I think the best place to get the reference values will ultimately be the on-chain KMS, but I'm less clear on a next step (include a light client in this CLI too?)