Either:
Generate an encryption key during startup and put it in the URL. This has the disadvantage that if the user needs to type the URL, it will be longer. Or...
Generate an encryption key and send it to the FIRST user that connects and loads the page. Then set the key in that user's local storage, and never send it again from the backend. The user will then use this key. Reset the key next session. Maybe show a simple challenge (4-digit PIN) on the server, and make the client type this before handing over the key.
After the key has been exchanged, we can encrypt all requests and responses, maybe similar to this:
https://github.com/mwiesmueller/express-crypto
Also need to verify that every request is coming from the one sender.
In any case, if an attacker sniffs the initial key exchange, they can intercept the data being sent.
https://tools.ietf.org/html/rfc8188