Make strict signing the default #179

Closed
vyzo opened this issue May 2, 2019 · 19 comments · Fixed by #180
@vyzo
Collaborator

vyzo commented May 2, 2019

We have had message signing for a little while now, and the signature is critical in preventing cache poisoning attacks.

I suggest it is time to make strict signing the default.

cc @Stebalien @whyrusleeping

@vyzo vyzo self-assigned this May 2, 2019
@yusefnapora
Contributor

This seems like a sensible default to me, and it seems like it would be the least surprising behavior as a new user.

@Stebalien
Member

It's been long enough.

@ghost ghost added the in progress label May 2, 2019
@ghost ghost removed the in progress label May 2, 2019
@lidel
Member

lidel commented May 2, 2019

cc @alanshaw @vasco-santos are we doing this in JS land?

@Stebalien
Member

Dammit! I'm sorry, I completely didn't consider that. @vyzo let's back out of this for now.

@Stebalien Stebalien reopened this May 2, 2019
@vyzo
Collaborator Author

vyzo commented May 2, 2019

ugh, you want to revert? We can just delay making default in ipfs.
Besides, let's apply some (friendly) pressure on the js folks to implement it, it's really crucial.

@Stebalien
Member

I just don't want to break libp2p interop. Let's see what the js people think.

@raulk
Member

raulk commented May 2, 2019

Unless we plan a gomod release really soon, we should be having some slack for js-libp2p to catch up.

@vyzo
Collaborator Author

vyzo commented May 2, 2019

I've tagged a release and propagated to p2pd, but other than that it's up to the individual users to upgrade.
For instance, go-ipfs hasn't been updated yet.

Regardless, I really think this should be high priority for the js folks, we've been living with a DoS vector for too long.

@vyzo
Collaborator Author

vyzo commented May 2, 2019

Plus it's pretty simple to implement!

@alanshaw
Member

alanshaw commented May 3, 2019

@jacobheun / @vasco-santos do you have bandwidth to implement it before the end of this quarter?

I’d rather not unnecessarily add pressure before IPFS Camp but if it can be done easily then it would be good to get in.

@jacobheun

We can implement it but something will likely have to drop for one of us, it wasn't on our radar for Q2. Now that we have libp2p/interop with pubsub tests, it should help speed up the release of this.

Default signing would probably be an ideal thing to roll out in tandem with moving pubsub out of experimental configuration.

@raulk
Member

raulk commented May 3, 2019

@jacobheun let's implement this in js-libp2p-pubsub in two steps:

  1. sign outgoing messages -- this will reinstate interop -- urgent -- should be easy.
  2. validate signature of incoming messages.

If we do step 1 quickly, we can keep this patch merged. If it takes any longer than a few hours, we can't live with broken interop too long, and we'll have to revert this patch, re-release (sigh), and integrate the reversal upstream.
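
Added example, not part of the thread and not the project's code: the two steps above sketched in Go, showing why a strict receiver drops traffic from a peer that has not yet implemented step 1. The `Message` layout, the `payload` encoding and its prefix, the use of an Ed25519 public key as the sender identity, and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Message is a simplified, hypothetical pubsub message (the real one is protobuf).
type Message struct {
	From      ed25519.PublicKey // stand-in for the sender's peer ID
	Seqno     uint64
	Data, Sig []byte
}

var ErrUnsigned = errors.New("unsigned message rejected by strict signing")
var ErrBadSig = errors.New("signature does not verify against sender key")

// payload is the byte string the signature covers; the prefix is an assumed domain tag.
func payload(m Message) []byte {
	return []byte(fmt.Sprintf("pubsub-example:%x|%d|%x", m.From, m.Seqno, m.Data))
}

// Sign is step 1: attach a signature to an outgoing message.
func Sign(m *Message, priv ed25519.PrivateKey) { m.Sig = ed25519.Sign(priv, payload(*m)) }

// Validate is step 2. Non-strict mode admits unsigned messages; a present signature must verify.
func Validate(m Message, strict bool) error {
	switch {
	case len(m.Sig) == 0 && strict:
		return ErrUnsigned
	case len(m.Sig) == 0:
		return nil
	case len(m.From) != ed25519.PublicKeySize || !ed25519.Verify(m.From, payload(m), m.Sig):
		return ErrBadSig
	}
	return nil
}

// Outcomes validates constructed messages: unsigned/lax, unsigned/strict, signed/strict, tampered/strict.
func Outcomes() [4]error {
	pub, priv, _ := ed25519.GenerateKey(nil)
	unsigned := Message{From: pub, Seqno: 1, Data: []byte("hello")}
	signed := unsigned
	Sign(&signed, priv)
	tampered := signed
	tampered.Data = []byte("HELLO") // changed after signing
	return [4]error{Validate(unsigned, false), Validate(unsigned, true), Validate(signed, true), Validate(tampered, true)}
}
func main() { fmt.Println(Outcomes()) }
```

The second outcome is the interop break discussed in this thread: a sender that does not sign is rejected by a strict receiver until step 1 ships on its side.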

@vyzo
Collaborator Author

vyzo commented May 3, 2019

there isn't such urgency as to "fix in a few hours", it can take a couple of days because it hasn't bubbled up in the interop suite.
Btw, we are still interoperable as we can disable strict message signing with an option.

@raulk
Member

raulk commented May 3, 2019

Yeah, I meant a few hours of effort, not as in a few hours from now, should've clarified. As long as we can get outbound signing implemented by Monday, I'm fine.

Also, posting a quick heads-up in the users forum would be great: https://discuss.libp2p.io/c/users ;-)

@jacobheun

  1. sign outgoing messages -- this will reinstate interop -- urgent -- should be easy.
  2. validate signature of incoming messages.

I'll start working on these, should be able to get 1 tested against interop on Monday.

@jacobheun

Signing work is done and passing in interop, it just needs final review and release.

I'll look at adding validation this week.

@jacobheun

Signing is released and I cut a new patch release of js-libp2p, any new installs of the latest js-ipfs will also get the change.

@Stebalien
Member

@vyzo this is done, right?

@vyzo
Collaborator Author

vyzo commented Jun 12, 2019

Yeah, this looks pretty done. I guess we can close.
