Secure backend socket.io from other applications that can access localhost i.e. browser #114

Closed
vinkabuki opened this issue Dec 6, 2021 · 6 comments
Labels: bug, security

Comments

@vinkabuki
Contributor

https://stackoverflow.com/questions/14600472/securing-socket-io

@vinkabuki
Contributor Author

@vinkabuki vinkabuki transferred this issue from TryQuiet/waggle Jan 4, 2022
@holmesworcester
Contributor

What's the threat here? Can other apps running on the same device see network traffic?

@vinkabuki
Contributor Author

@holmesworcester Not sure if other apps can see this; AFAIR not. But I also think another app can connect to our socket, so it's even worse. Again, I am not 100% sure, but I don't see any reason against it.

@holmesworcester holmesworcester moved this to Backlog - Desktop & Backend in Quiet Apr 19, 2023
@holmesworcester holmesworcester moved this from Backlog - Desktop & Backend to Next Sprint in Quiet Oct 5, 2023
@holmesworcester holmesworcester added the bug label Oct 5, 2023
@holmesworcester holmesworcester changed the title from "Secure socket.io" to "Secure backend socket.io from other applications that can access localhost" Oct 5, 2023
@holmesworcester
Contributor

holmesworcester commented Oct 6, 2023

Note: we can generate a token in the frontend and send it to the backend, or we could use a socket instead. The main thing to protect against is the browser. See: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Example
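
The token approach from the comment above, sketched as an added example (not part of the thread and not Quiet's implementation): the frontend creates a per-launch secret, and the backend refuses any handshake that carries a browser `Origin` outside an allow-list or lacks the matching token. The function names, the handshake shape and the origin allow-list are assumptions made for illustration.

```javascript
// Added illustration only; all names here are hypothetical.
const { randomBytes, timingSafeEqual, createHash } = require('node:crypto');

// Frontend side: one secret per app launch, handed to the backend process
// out of band (for example via argv or env), never through a web page.
function generateSocketToken() {
  return randomBytes(32).toString('hex');
}

// Constant-time comparison. Hashing both values first gives equal-length
// buffers, which timingSafeEqual requires.
function tokensMatch(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  const a = createHash('sha256').update(presented).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// Backend side: decide whether a connection handshake is accepted.
// `handshake` is assumed to look like { headers: { origin }, auth: { token } },
// the shape socket.io exposes as socket.handshake inside io.use() middleware.
function authorizeHandshake(handshake, expectedToken, allowedOrigins = []) {
  const origin = handshake?.headers?.origin;
  // Browsers attach Origin to cross-site WebSocket and XHR requests, so an
  // unexpected Origin marks a web page reaching for the localhost socket.
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, reason: 'origin-not-allowed' };
  }
  // Any other local client must still prove it knows the launch secret.
  if (!tokensMatch(handshake?.auth?.token, expectedToken)) {
    return { ok: false, reason: 'bad-token' };
  }
  return { ok: true, reason: null };
}

// Constructed sample handshakes showing each outcome.
function demo() {
  const token = generateSocketToken();
  return [
    authorizeHandshake({ headers: { origin: 'https://site.example' }, auth: { token } }, token),
    authorizeHandshake({ headers: {}, auth: { token: 'guess' } }, token),
    authorizeHandshake({ headers: {}, auth: { token } }, token),
  ].map((r) => r.reason ?? 'accepted');
}
```
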

@holmesworcester holmesworcester changed the title from "Secure backend socket.io from other applications that can access localhost" to "Secure backend socket.io from other applications that can access localhost i.e. browser" Oct 6, 2023
@holmesworcester holmesworcester moved this from Next Sprint to Sprint in Quiet Oct 6, 2023
@holmesworcester
Contributor

Note: we should fix these on master and release an update before 2.0

@Kacper-RF Kacper-RF moved this from Sprint to In progress in Quiet Oct 9, 2023
@Kacper-RF Kacper-RF self-assigned this Oct 9, 2023
@Kacper-RF Kacper-RF moved this from In progress to Sprint in Quiet Oct 9, 2023
@Kacper-RF Kacper-RF removed their assignment Oct 9, 2023
@vinkabuki vinkabuki moved this from Sprint to In progress in Quiet Oct 9, 2023
@Kacper-RF
Contributor

#1940

@Kacper-RF Kacper-RF moved this from In progress to Waiting for review in Quiet Oct 18, 2023
@Kacper-RF Kacper-RF moved this from Waiting for review to Merged (master) in Quiet Nov 9, 2023
@Kacper-RF Kacper-RF moved this from Merged (master) to Ready for QA in Quiet Nov 9, 2023
@siepra siepra moved this from Ready for QA to Done in Quiet Nov 14, 2023
@siepra siepra closed this as completed Nov 14, 2023