Also just by accident I found a very minor “security issue”. I don’t see, how golioth wants to handle such issues.
The issue itself is pretty simple, if you use a wrong PSK identity, you get an alert with internal error. There are two point to mention:
- that the wrong error code
- according some research a while ago, the current common approach for a wrong PSK identity is to handle that as wrong “MAC” and with that, it results in a timeout of the handshake. The reason behind that is to make it harder for attackers. I personally don’t agree on that “common approach”, because that identity is sent in plain and so this protection doesn’t help, but too frequently you get asked about such things in audits and then it’s easier to comply with it.