State of the Nat^W Misfin

I have just learned about something that I find truly bizarre.

Advanced Misfin servers may perform CA validation in addition to TOFU. In this scheme, upon receiving a message from a sender with an unrecognized host, the Misfin server may perform a single blank request to the sender's host, and store its certificate. That stored certificate can then be used to verify the certificates of senders purporting to be from that host.

I'm baffled as to why this is not a _required_ feature.

I've just generated cert foo@localhost, and I noticed I can send misfin messages to a known public misfin instance, without any issues.

I'm not sure which particular software the instance runs, but this seems like an encouragement to spam.

I tend to believe people are actually good, but I also think there's this ancient trait present that manifests itself under the "because I can" approach. Imo design should not encourage such things.

Posted in: s/misfin

⛄️ gim

2025-09-09 · 8 months ago

4 Comments ↓

🚀 stack · 2025-09-09 at 13:20:

You mean that TOFU should be in both directions? Yes.

⛄️ gim [OP] · 2025-09-09 at 19:04:

Not that; it irritates me that I can create a cert with any hostname and just throw msgs.

I would expect the server to at least friggin check if the host that signed the sender's cert actually has the same pub key as is in the cert itself.

*edit*:

So at minimum I can spoof basically any host, in worst case, I can completely spoof sender. In general this makes me question the idea of using certs for this purpose at all...

I think I might do some longer write up.

🚀 stack · 2025-09-09 at 20:23:

All self-signed certs are good for is making sure that repeat connections are with the _same_ party. Assuming anything else is not good.

What's in the certificate or in the message is just words that someone types in.

⛄️ gim [OP] · 2025-09-09 at 20:49:

I think I just had bad luck with the mentioned public instance.

I looked at the estampa misfin server just a few minutes ago, and this one actually gets the cert from the host set inside the sender's cert and uses that to verify the sender's cert (good/sane).

Still, that functionality should be a requirement, and not an optional feature.
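
The check described in the quoted spec text and in the last comment (verify a sender's certificate against the certificate stored for the host it names), as an added Go example that is not part of the thread and not code from any Misfin server. Certificates are constructed in-process rather than fetched over the network; `mkCert`, `verifySender`, `example.test` and carrying the host in the certificate's DNS SAN are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate; self-signed when parent is nil.
func mkCert(cn, host string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, signer = tpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifySender accepts sender only if the stored hostCert names its host and signed it.
func verifySender(sender, hostCert *x509.Certificate) error {
	if len(sender.DNSNames) == 0 || hostCert.VerifyHostname(sender.DNSNames[0]) != nil {
		return fmt.Errorf("sender's host does not match the stored host certificate")
	}
	if err := hostCert.CheckSignature(sender.SignatureAlgorithm, sender.RawTBSCertificate, sender.Signature); err != nil {
		return fmt.Errorf("sender cert not signed by host key: %w", err)
	}
	return nil
}

func main() {
	host, hostKey := mkCert("example.test", "example.test", nil, nil)
	alice, _ := mkCert("alice", "example.test", host, hostKey)
	forged, _ := mkCert("alice", "example.test", nil, nil) // self-made, same claimed host
	fmt.Println(verifySender(alice, host), "|", verifySender(forged, host))
}
```

The signature is checked directly against the host's public key, so the result does not depend on whether the host certificate is marked as a CA.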