Join token can be (re)used for a DoS attack (minogrpc) #218
Labels: bug (Something isn't working), mod/mino/grpc (About the Mino/grpc module), wontfix (This will not be worked on)
When a new node (J) joins the blockchain, say by joining an existing node (X), it provides its own address (A) and certificate (C) to the node X, and authenticates with a joining token (T).
Node X doesn't validate whether the new node is effectively reachable at the address A; it is thus possible for J to submit an invalid (or malicious) certificate C for an address A matching that of existing nodes. This new certificate then gets broadcast by the node X to all other joined nodes (and promptly accepted by them).
Thus, node J can effectively carry out a denial-of-service attack against any existing (joined) node by replacing its certificate.
If node J also gains control of the network, this can lead to a MITM attack.
Furthermore, joining tokens can be reused multiple times, which entails that this attack can be carried out against multiple nodes at once.
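
The checks whose absence the report describes, written from node X's side as an added example that is not part of the original issue or the project's code: the token is single-use, an address that already has a certificate cannot be rebound, and the address must present the submitted certificate on a dial-back. `JoinGuard`, `Join` and `Probe` are hypothetical names, and the addresses and certificate bytes are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
)

// JoinGuard is a hypothetical stand-in for node X's join handler state.
type JoinGuard struct {
	mu     sync.Mutex
	tokens map[string]bool   // outstanding single-use join tokens (T)
	certs  map[string][]byte // address (A) -> certificate (C) already trusted
	// Probe models a dial-back: X connects to addr and reports whether the
	// peer there presents cert. Assumed hook, not an API of the project.
	Probe func(addr string, cert []byte) bool
}

var (
	ErrToken    = errors.New("join: unknown or already used token")
	ErrConflict = errors.New("join: address already bound to another certificate")
	ErrProbe    = errors.New("join: address does not present this certificate")
)

// Join returns nil only when all three checks pass; X would broadcast the
// certificate to the other nodes only in that case.
func (g *JoinGuard) Join(token, addr string, cert []byte) error {
	g.mu.Lock() // held across Probe for brevity; real code would not block here
	defer g.mu.Unlock()
	if !g.tokens[token] {
		return ErrToken
	}
	delete(g.tokens, token) // burn on first use, even if the join then fails
	if old, ok := g.certs[addr]; ok && !bytes.Equal(old, cert) {
		return ErrConflict
	}
	if g.Probe == nil || !g.Probe(addr, cert) {
		return ErrProbe
	}
	g.certs[addr] = append([]byte(nil), cert...)
	return nil
}

func main() { // constructed data: one token, one node already joined
	g := &JoinGuard{tokens: map[string]bool{"T": true},
		certs: map[string][]byte{"10.0.0.2:2000": []byte("cert-of-existing-node")},
		Probe: func(string, []byte) bool { return true }}
	fmt.Println(g.Join("T", "10.0.0.2:2000", []byte("other-cert"))) // conflict
	fmt.Println(g.Join("T", "10.0.0.9:2000", []byte("cert-J")))     // token used
}
```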