2

When I add my IP to announce-addr on core-lightning, I thought about this connection requiring a TLS certificate, but you cannot obtain those with IPs alone; you would need an actual domain. Which made me think: does Bitcoin Lightning even require or benefit from a certificate? Or are other nodes connecting to mine over the clearnet not interested in my node being my node, instead of a man-in-the-middle node?

1 Answer

3

Lightning network connections do not use TLS or certificates at all, as far as I know (note that this may be different for other types of connections, like RPC).

To explain why, let us look at how they are used in the HTTPS setting. There, a browser makes a connection to a website server. To encrypt the connection, the server hands the browser its public key. To convince the browser that this public key is indeed the one belonging to the hostname it tries to connect to, it also hands a certificate that was created by an authority the browser trusts, which says "public key X is owned by site Y. Signed, Z".

Back to Lightning. When you create a connection between your node and another, you specify the peer public key directly (PUBKEY@HOSTNAME syntax). There is no need for a trusted third party to attest to the correctness of that public key, because it is the user's responsibility to configure the public key correctly.

1
  • Oh, interesting! Thanks a lot for this detailed explanation! Commented 19 hours ago
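
An added example, not part of the original answer or of core-lightning's code: a sketch of the trust model described in the answer, where the public key in the PUBKEY@HOSTNAME string is the only trust anchor and a peer presenting any other key is rejected. The function names and sample keys are assumptions made for illustration, and the transport handshake in which the peer proves its key is not implemented here.

```python
import hmac

P = 2**256 - 2**32 - 977   # secp256k1 field prime; curve is y^2 = x^3 + 7
DEFAULT_PORT = 9735        # conventional Lightning peer-to-peer port
# Constructed sample keys (the curve generator G and 2G), not real nodes.
KEY_A = "02" + "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
KEY_B = "02" + "c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5"


def is_valid_node_id(raw: bytes) -> bool:
    """True if raw is a 33-byte compressed point that lies on secp256k1."""
    if len(raw) != 33 or raw[0] not in (2, 3):
        return False
    x = int.from_bytes(raw[1:], "big")
    if x >= P:
        return False
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)   # candidate square root (P % 4 == 3)
    return y * y % P == y_sq         # only holds if x has a matching y


def parse_peer(addr: str):
    """Split PUBKEY@HOST[:PORT] into (node_id_bytes, host, port)."""
    key_hex, sep, hostport = addr.partition("@")
    if not sep:
        raise ValueError("expected PUBKEY@HOST[:PORT]")
    node_id = bytes.fromhex(key_hex)          # ValueError if not hex
    if not is_valid_node_id(node_id):
        raise ValueError("not a compressed secp256k1 public key")
    if hostport.startswith("["):              # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("missing host")
    return node_id, host, int(port) if port else DEFAULT_PORT


def is_expected_peer(configured: bytes, proven: bytes) -> bool:
    """Pin check: the key the peer proved must equal the configured key."""
    return hmac.compare_digest(configured, proven)


if __name__ == "__main__":
    pinned, host, port = parse_peer(KEY_A + "@203.0.113.5")
    print(host, port, is_expected_peer(pinned, bytes.fromhex(KEY_A)))
    print("other key accepted:", is_expected_peer(pinned, bytes.fromhex(KEY_B)))
```

The hostname or IP only tells the node where to dial; a mistyped or substituted key in the connection string is the failure this model cannot catch, which is why the key has to come from a source the operator trusts.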
