Addressing security concerns about Casa Node
Update: Casa Node software is no longer maintained; we recommend looking at other build-your-own node projects.
Recently we’ve heard concerns about two purported undisclosed security vulnerabilities in our Casa Node 1 product.
To be absolutely clear – there are NO known undisclosed vulnerabilities with Casa Node at this time.
- Both concerns are known issues that are a result of intentional design decisions.
- There is no need to remove funds from your Casa Node.
- You should always be careful with any Lightning node. Lightning is still #reckless.
- For the highest level of security, we recommend our Keymaster product, which uses an entirely different security model and software stack.
At Casa, we take all security concerns seriously and want to clarify some misconceptions about these concerns. We want you to better understand the concerns being raised in order for you to make an informed decision regarding what level of risk they represent for your particular situation.
When using my Casa Node at home, I see my browser is using HTTP instead of HTTPS - why? Isn’t HTTP insecure?
HTTP connections are unencrypted, while HTTPS connections use TLS/SSL encryption using signed certificates. It’s definitely more secure to use an encrypted HTTPS connection, which is why HTTPS is the default security standard for internet browser connections on the open web.
However, for INTERNAL or home network connections, there are certificate and browser challenges that currently make HTTPS impractical at best, and dangerous at worst. Using a self-signed certificate can actually create a false sense of security.
We specifically chose not to create this false sense of security, and instead to share the realities of home network security with our customers.
We advise Casa Node customers to secure their home networks as much as possible, such that they can still easily access their node on their home network via HTTP while maintaining reasonably secure connectivity.
We highly recommend using Tor for even greater security and privacy.
Further background on TLS/SSL certificates - and why they’re a challenge for home network connections:
HTTPS connections require signed certificates. When you connect to a public internet site, your web browser negotiates a secure connection by verifying that site’s certificate is properly signed by a CA (Certificate Authority). These certificates include the public internet IP address and/or DNS name of the site, and are used to verify that you’re actually connecting to the destination you think you are.
For private internet sites (internal / home networks) - it’s impossible for a CA to verify the individual IP address and/or DNS name - because they’re not publicly accessible. In these cases, the only way to use HTTPS is with a “self-signed” certificate - where you generate the certificate yourself, and no CA verification is performed.
Unfortunately, modern web browsers throw VERY loud warnings when attempting to connect via HTTPS using self-signed certificates.
When a user sees these warnings, their only choices are to stop completely, or proceed against the (very explicit) warnings being shown to them. This is terrible user experience.
This is an unfortunate reality of the state of TLS/SSL in browsers, and is not unique to Casa’s products in any way. (Note that this is also why most home network routers take the same approach of using HTTP to access the device’s admin page, instead of HTTPS.)
Given this, we decided to take a practical approach and NOT advise users to undergo the certificate challenges of HTTPS over private home connections, and to rely instead on the security of their network - and the additional security of using Tor for full encryption without these certificate challenges.
I heard that my Casa Node has a default password, does that mean others can get into it?
No. This is also false.
By default, Casa Node is not remotely accessible because SSH remote access is disabled. A keyboard and monitor must be plugged into the Casa Node in order to access the command line with the default username and password.
- By default, we leave SSH remote access disabled on the node. During support calls we occasionally ask customers to enable SSH, which requires physically plugging in a monitor and keyboard to the node and typing commands - by default, you can’t access the node via SSH at all.
- We NEVER ask customers to enable SSH access over public internet connections, only from within the person’s internal home network.
- An advanced user could attempt to enable SSH on their Casa Node, but this is NOT advised.
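One way to confirm, from another machine on the same home network, that a node is still in the default state described above (no SSH listener). This is an added example, not Casa's code; TCP port 22 as the SSH port and the function names `probe_ssh` and `audit` are assumptions.

```python
import socket
import sys


def probe_ssh(host: str, port: int = 22, timeout: float = 2.0) -> dict:
    """Connect to host:port and report whether an SSH daemon answers.

    An SSH server sends its identification string ("SSH-2.0-...") before
    anything else, so reading the first line tells sshd apart from some
    other service that happens to use the port.
    """
    result = {"host": host, "port": port, "state": "closed", "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            result["state"] = "open"  # something accepted the connection
            conn.settimeout(timeout)
            try:
                data = conn.recv(255)
            except socket.timeout:
                data = b""  # listener is silent: not an SSH greeting
            line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
            if line.startswith("SSH-"):
                result["state"] = "ssh"
                result["banner"] = line
    except OSError:
        # Refused, timed out or unreachable: no listener visible from here.
        pass
    return result


def audit(hosts, port: int = 22) -> list:
    """Return a finding for every host that deviates from 'SSH disabled'."""
    findings = []
    for host in hosts:
        result = probe_ssh(host, port)
        if result["state"] != "closed":
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Usage: python check_ssh.py <node-address> [<node-address> ...]
    for finding in audit(sys.argv[1:]):
        print(finding)
```

An empty result means no listener was reachable from the machine running the check; it says nothing about reachability from other network segments.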
We’ve made design decisions with the Casa Node that prioritize ease of use, while preserving appropriate levels of security.
Again – there are no known undisclosed vulnerabilities at this time.
Also note that the Casa Node product is designed with a very different security model than Keymaster. We’ve always said it’s more secure to keep the majority of your funds in a multisig cold storage solution like our Keymaster product.
Keeping a large amount of funds on ANY lightning node device (from Casa or from any other manufacturer) is risky at this stage of the protocol’s growth. Usage of Lightning is still considered #reckless.
Finally, at Casa we take security concerns very seriously. If you believe you’ve discovered a security issue with ANY of our products, we welcome your input via email at email@example.com and ask that you work with us towards a potential responsible security disclosure.