mint_token lacks encryption/auth and is forgeable

[cyberspace61]

Hi team,

I noticed that the current mint_token implementation is unencrypted and unauthenticated. This makes the tokens easily forgeable by attackers and exposes client IPs in plaintext.

Due to these security risks, this feature essentially cannot be enabled in real-world production environments (such as Cloudflare's own live websites).

Could you share your considerations regarding this design? Are there plans to provide a secure, production-ready implementation in the future?

Thanks!

[LPardue]

Hi,

The example servers in this project are not intended to be used in production environments; no performance, security or reliability guarantees are provided, per https://github.com/cloudflare/quiche?tab=readme-ov-file#disclaimers-and-notes

Furthermore, the example mint_token functions include this reinforcing text:

/// Note that this function is only an example and doesn't do any cryptographic
/// authenticate of the token. *It should not be used in production system*.

Production server need to implement their own schemes for Retry token.

Finally, security-related matters should be reported in line with the policy at https://github.com/cloudflare/quiche/security/policy