Security: Cascade TCP mode has no TLS — plaintext credentials on network #77

New issue

Open

opened 2026-05-11 13:48:50 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:48:50 +00:00

Owner

Severity: High

Location

crates/hero_aibroker_server/src/main.rs — TCP accept loop; crates/hero_aibroker_lib/src/providers/ai_broker_mother.rs

Finding

When --address and --port are provided, the broker exposes a combined REST+RPC listener over plain TCP with no TLS option. Cascade mother brokers connect via plaintext HTTP:

let base_url = format!("http://{}:{}/v1", cfg.address, cfg.port);

Attack Scenario

API keys, request content, and billing data transmitted in cleartext
Network sniffing captures all traffic between cascade brokers
MITM attacks can inject/modify requests

Recommendation

Add TLS support via rustls or native-tls
At minimum: support mutual TLS for broker-to-broker communication
Document that TCP mode requires network-level encryption (VPN, WireGuard)

## Severity: High ## Location `crates/hero_aibroker_server/src/main.rs` — TCP accept loop; `crates/hero_aibroker_lib/src/providers/ai_broker_mother.rs` ## Finding When `--address` and `--port` are provided, the broker exposes a combined REST+RPC listener over plain TCP with no TLS option. Cascade mother brokers connect via plaintext HTTP: ```rust let base_url = format!("http://{}:{}/v1", cfg.address, cfg.port); ``` ## Attack Scenario - API keys, request content, and billing data transmitted in cleartext - Network sniffing captures all traffic between cascade brokers - MITM attacks can inject/modify requests ## Recommendation - Add TLS support via `rustls` or `native-tls` - At minimum: support mutual TLS for broker-to-broker communication - Document that TCP mode requires network-level encryption (VPN, WireGuard)