From the AuthBridge roadmap (Deep Dive → Next Steps · Hardening / Security).
Current behavior: HTTPS egress is allowlisted by SNI host name (blind tunnel — the proxy matches the name, not the content or destination).
Risk: the SNI is chosen by the client and is not tied to the IP the tunnel is opened to. A client can send a ClientHello naming an allowlisted host while the CONNECT target is somewhere else entirely; the proxy passes the allowlist check and then forwards bytes to the unrelated destination (a domain-fronting-style bypass of the egress allowlist).
Proposed fix: resolve the SNI host name on the proxy side and require the tunnel's destination IP to be one of the addresses returned (and/or require the CONNECT target name to equal the SNI), rejecting any mismatch.
Caveat: the IP comparison is only as strong as the proxy's own resolution; if the allowlisted host shares its address with other tenants (CDN, anycast), the check admits those too, so also compare the CONNECT target name with the SNI whenever a name rather than an IP literal is presented.
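The bypass and the proposed check, as an added example that is not AuthBridge's own code. It builds a minimal ClientHello carrying an SNI extension (constructed sample input), extracts the SNI the way a blind CONNECT proxy would, and contrasts the current name-only policy with a pinned policy that also requires the tunnel target to be an address the proxy itself resolved for that name. The allowlist, the `RESOLVED` table standing in for the proxy's DNS resolution, and all function names are assumptions for illustration.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Assumed policy inputs (not from the project): the egress allowlist and a
# stand-in for the proxy's own DNS resolution of each allowlisted name.
ALLOWLIST = {"api.example.com"}
RESOLVED = {"api.example.com": {"203.0.113.10", "203.0.113.11"}}


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record with a server_name extension."""
    host = sni.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03" + bytes(32)          # client_version + random
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                    # compression: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Pull the host_name out of a ClientHello record; None if absent or malformed."""
    try:
        if record[0] != 0x16:                                    # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                        # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                             # skip version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos + 2 > len(body):
            return None                                          # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def allow_by_sni_only(client_hello: bytes) -> Tuple[bool, str]:
    """Current behaviour: the name is matched, the tunnel destination is never looked at."""
    sni = parse_sni(client_hello)
    if sni is None:
        return False, "no SNI in ClientHello"
    return sni in ALLOWLIST, f"sni={sni}"


def allow_pinned(connect_target: str, client_hello: bytes) -> Tuple[bool, str]:
    """Proposed fix: SNI must be allowlisted AND the CONNECT target must agree with it."""
    sni = parse_sni(client_hello)
    if sni is None or sni not in ALLOWLIST:
        return False, f"sni not allowlisted: {sni!r}"
    try:
        target_ip = ipaddress.ip_address(connect_target)
    except ValueError:
        # CONNECT carried a host name: the proxy resolves it itself, so require name equality.
        if connect_target.lower().rstrip(".") != sni.lower().rstrip("."):
            return False, f"CONNECT host {connect_target} != sni {sni}"
        return True, f"sni={sni} matches CONNECT host"
    # CONNECT carried an IP literal: it must be one the proxy resolved for the SNI name.
    if target_ip not in {ipaddress.ip_address(a) for a in RESOLVED.get(sni, ())}:
        return False, f"{target_ip} is not a resolved address of {sni} (SNI/destination mismatch)"
    return True, f"sni={sni} pinned to {target_ip}"


def demo() -> Tuple[bool, bool, bool]:
    """(legitimate pinned, bypass under name-only policy, same bypass under pinned policy)."""
    hello = build_client_hello("api.example.com")
    legit = allow_pinned("203.0.113.10", hello)[0]
    bypass_old = allow_by_sni_only(hello)[0]           # True: destination never checked
    bypass_new = allow_pinned("198.51.100.77", hello)[0]  # False: unrelated IP rejected
    return legit, bypass_old, bypass_new


if __name__ == "__main__":
    print(demo())
```

The name-only policy returns the same verdict whatever address the CONNECT request names, which is exactly the gap in the roadmap item; the pinned policy refuses the tunnel unless the target is an address the proxy resolved for the SNI host (or, for a name-based CONNECT, the same name).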