Encryption #10

Open
mifi opened this issue Apr 7, 2020 · 0 comments
Labels
enhancement New feature or request

Owner

mifi commented Apr 7, 2020

Either:

  1. Generate an encryption key during startup and put it in the URL. This has the disadvantage that if the user needs to type the URL, it will be longer. Or...
  2. Generate an encryption key and send it to the FIRST user that connects and loads the page. Then set the key in that user's local storage, and never send it again from the backend. The user will then use this key. Reset key next session. Maybe show a simple challenge (4-digit PIN) on the server, and make the client type this before handing the key.

After the key has been exchanged, we can encrypt all requests and responses, maybe similar to this:
https://github.com/mwiesmueller/express-crypto

Need to also verify that every request is coming from the one sender.

In any case, if an attacker sniffs the initial key exchange, they can intercept the data being sent.

https://tools.ietf.org/html/rfc8188

@mifi mifi added the enhancement New feature or request label Apr 7, 2020
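
A sketch of option 2 from the comment above, added here as an example and not code from this project: the key is released once, after the PIN check, and each body is then sealed with AES-256-GCM so the tag check also covers the "one sender" requirement. The names `createKeyHandout`, `seal` and `unseal`, the attempt limit, and the `iv || tag || ciphertext` framing are assumptions; this is plain AES-GCM, not the RFC 8188 content encoding.

```javascript
const nodeCrypto = require('crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(String(s)).digest();

// Option 2: release the session key once, to the first client that presents
// the PIN shown on the server. maxAttempts is an assumption added here,
// because a 4-digit PIN has only 10,000 possible values.
function createKeyHandout(maxAttempts = 3) {
  const key = nodeCrypto.randomBytes(32); // new key every session
  const pin = String(nodeCrypto.randomInt(0, 10000)).padStart(4, '0');
  let released = false;
  let attempts = 0;
  return {
    pin, // shown on the server only, never sent to the client
    claim(candidatePin) {
      if (released || attempts >= maxAttempts) return null;
      attempts += 1;
      // Compare hashes so timingSafeEqual always gets equal-length input.
      if (!nodeCrypto.timingSafeEqual(sha256(candidatePin), sha256(pin))) return null;
      released = true; // the key is never handed out again
      return key;
    },
  };
}

// Encrypt one request or response body: iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null when the GCM tag does not verify, i.e. the
// message was not produced by a holder of the session key or was modified.
function unseal(key, message) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, message.subarray(0, 12));
    decipher.setAuthTag(message.subarray(12, 28));
    const body = Buffer.concat([decipher.update(message.subarray(28)), decipher.final()]);
    return body.toString('utf8');
  } catch {
    return null;
  }
}
```

The key returned by `claim()` still crosses the network once, so the sniffing concern raised in the comment applies to that first exchange unless it runs over a protected channel.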