harden(authbridge): pin SNI to the resolved IP to close the HTTPS allowlist spoof #514

Description

@huang195

From the AuthBridge roadmap (Deep Dive → Next Steps · Hardening / Security).

Current behavior: HTTPS egress is allowlisted by SNI host name (blind tunnel — the proxy matches the name, not the content or destination).

Risk: SNI is client-controllable and decoupled from the actual destination IP — a client can present an allowlisted SNI while connecting elsewhere (domain-fronting-style bypass of the egress allowlist).

Proposed fix: pin/verify the SNI against the resolved destination IP (and/or enforce the connection target), rejecting mismatches.
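
One way to implement the proposed check, as an added example (not AuthBridge code and not from the issue author). `Policy`, `Check`, `samplePolicy` and the sample host name and addresses are assumptions made for illustration, and `Resolve` stands in for whatever trusted resolver the proxy uses.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

var ErrNotAllowlisted = errors.New("SNI not on egress allowlist")
var ErrSNIMismatch = errors.New("destination IP not among addresses resolved for SNI")

// Policy is hypothetical; Resolve stands in for the proxy's own trusted DNS lookup.
type Policy struct {
	Allow   map[string]bool
	Resolve func(host string) ([]netip.Addr, error)
}

// Check admits a tunnel only if the SNI is allowlisted and dst is an address the proxy itself resolves for it.
func (p Policy) Check(sni, dst string) error {
	host := strings.ToLower(strings.TrimSuffix(sni, ".")) // normalize case and trailing dot
	if !p.Allow[host] {
		return fmt.Errorf("%w: %q", ErrNotAllowlisted, sni)
	}
	target, err := netip.ParseAddr(dst)
	if err != nil {
		return fmt.Errorf("bad destination %q: %w", dst, err)
	}
	addrs, err := p.Resolve(host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err) // fail closed on lookup errors
	}
	for _, a := range addrs {
		if a.Unmap() == target.Unmap() { // treat ::ffff:a.b.c.d as a.b.c.d
			return nil
		}
	}
	return fmt.Errorf("%w: sni=%q dst=%s", ErrSNIMismatch, host, target)
}

func samplePolicy() Policy {
	ips := []netip.Addr{netip.MustParseAddr("192.0.2.10"), netip.MustParseAddr("192.0.2.11")} // constructed (RFC 5737)
	return Policy{map[string]bool{"api.example.com": true},
		func(string) ([]netip.Addr, error) { return ips, nil }}
}

func main() {
	p := samplePolicy()
	fmt.Println(p.Check("api.example.com", "192.0.2.10"), p.Check("api.example.com", "203.0.113.66"))
}
```

DNS answers for one name can differ between resolvers and over time, so a strict match can reject legitimate connections. Having the proxy dial an address it resolved itself is the "enforce the connection target" variant named in the proposed fix.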

Labels: enhancement

Status: New/ToDo