docs(overlay): add URL of blog post and clarify wording

[ckeshava]

There appears to be a mistake in the wording of the Overlay README file. I believe the private key is used to sign the fingerprint and the public key is used to verify the authenticity of the signature. This is a change to that effect.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Tests (You added tests for code that already exists, or your new feature included in this PR)
• Documentation Updates
• Release

[ckeshava]

I'd like to ask a question, since we are looking into the Overlay corner of the codebase.

Why did we choose the xor operation to compare the local and remote data (data received from the peer)?

rippled/src/ripple/overlay/impl/Handshake.cpp

Line 164 in aded4a7

auto const result = (*cookie1 ^ *cookie2);

In order to prevent Man-in-the-middle attacks, we are including a "Session-Signature" field in the response. (

rippled/src/ripple/overlay/README.md

Line 346 in aded4a7

That fingerprint, which is never shared over the wire (since each endpoint will

) I don't think we are doing this in a robust way.

Isn't it likely that the local and remote data is identical? (For ex: sharing identical sets of validations, proposals, etc) Isn't it better to concatenate the two sets of data and then sign them with SecretKey::signDigest() ? @nbougalis @gregtatcam

[ckeshava]

ok 👍

[gregtatcam]

👍 LGTM

[intelliot]

@manojsdoshi I think this could be ok to consider for 1.12.0-rc2 because it is only docs/comments, and does not touch any code