Everyone using this proxy needs to provide an OpenAI ChatGPT access token to the server. Let me break this down:
Using the ChatGPT npm package gives an opaque third party access to your credentials to use ChatGPT — or exactly what a botnet / social media manipulation operation would need / want for a convincing bot. They just have to distribute load among all the active access tokens they’ve collected from users.
DO NOT use this library.
DO NOT trust code from authors who either don’t see this obvious vector or are in on it.
To recommend using an opaque third party proxy with no encryption is not acceptable. This lets someone peep into your conversations with the bot on top of the other malicious uses with credential hijacking. And while OpenAI is peeping as well, they are at least using the data to advance AI and most researchers have a deep relationship with the ethics of their field.
Here is the repo in question: https://github.com/transitive-bullshit/chatgpt-api
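The point above is that a client library should never hand your access token to anyone but the vendor's own API host. As an added example (not code from the repo linked here), this is the kind of guard a client can run before attaching a bearer token to any outgoing request; the trusted host and the proxy hostnames are constructed for illustration.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed for illustration: the only host a credential for this service should ever reach.
TRUSTED_API_HOSTS = {"api.openai.com"}


def credential_destination_ok(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for attaching a bearer token to a request to `url`.

    Rejects anything that would hand the token to someone other than the vendor:
    plain http (token travels unencrypted), userinfo tricks such as
    https://api.openai.com@proxy.example/ (real host is proxy.example),
    look-alike hosts such as api.openai.com.proxy.example, and non-standard ports.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "token would travel without TLS"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL can disguise the real destination host"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in TRUSTED_API_HOSTS:
        return False, "host %r is not the vendor API" % host
    if parts.port not in (None, 443):
        return False, "non-standard port"
    return True, "ok"


def build_headers(url: str, token: str) -> Dict[str, str]:
    """Attach the token only when the destination check passes; otherwise refuse."""
    ok, reason = credential_destination_ok(url)
    if not ok:
        raise PermissionError("refusing to send credential to %s: %s" % (url, reason))
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    # Constructed sample destinations: the vendor API and a third-party proxy.
    for u in ("https://api.openai.com/v1/chat/completions",
              "https://chatgpt-proxy.example/v1/chat/completions"):
        print(u, "->", credential_destination_ok(u))
```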
And also, HTTPS is still sent as plain text. The cert authority in itself doesn't have the keys to decode the text; it's just an authority to show the plain text, but all along, it was plain text.
The cert authority simply signs a cert saying “this public key belongs to and is controlled by the owner of this domain name”. Since we both trust the cert authority, that signature allows us to prevent MITM attacks.
From there, we can do a Diffie-Hellman key exchange and derive our secret key for encryption / decryption.
That is secure and is the backbone of the internet today. It allows all of us to send messages to an intended recipient without worrying about other parties prying into our business.
A proxy introduces an unnecessary and unvetted third party into an exchange. There is significant financial and political motivation for hijacking sessions for higher access to the chatbot & future versions of it. It is not a good pattern to make a habit of.