Secure backend socket.io from other applications that can access localhost i.e. browser #114

Closed
vinkabuki opened this issue Dec 6, 2021 · 6 comments
Labels: bug, security


@vinkabuki
Collaborator

https://stackoverflow.com/questions/14600472/securing-socket-io

@vinkabuki
Collaborator Author

@vinkabuki vinkabuki transferred this issue from TryQuiet/waggle Jan 4, 2022
@holmesworcester
Contributor

What's the threat here? Can other apps running on the same device see network traffic?

@vinkabuki
Collaborator Author

@holmesworcester not sure if other apps can see this, AFAIR not, but I also think another app can connect to our socket, so it's even worse. Again, I am not 100% sure, but I don't see any reason against it.

@holmesworcester holmesworcester added the bug Something isn't working label Oct 5, 2023
@holmesworcester holmesworcester changed the title Secure socket.io Secure backend socket.io from other applications that can access localhost Oct 5, 2023
@holmesworcester
Contributor

holmesworcester commented Oct 6, 2023

Note: we can generate a token in the frontend and send it to the backend, or we could use a socket instead. The main thing to protect against is the browser. See: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Example

@holmesworcester holmesworcester changed the title Secure backend socket.io from other applications that can access localhost Secure backend socket.io from other applications that can access localhost i.e. browser Oct 6, 2023
@holmesworcester
Contributor

Note: we should fix these on master and release an update before 2.0

@Kacper-RF
Contributor

#1940

@siepra siepra closed this as completed Nov 14, 2023
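
The token approach discussed in this thread, sketched as an added example (not part of the original issue and not the project's own code): a per-launch secret that the desktop client sends in the socket.io handshake, plus an Origin check aimed at web pages. The function names, the `app://quiet` origin and the sample handshakes are assumptions constructed for illustration; `socket.handshake.auth` and `io.use()` are the socket.io v3+ handshake APIs.

```javascript
const { randomBytes, timingSafeEqual, createHash } = require('node:crypto');

// Generated once per app launch and handed to both the backend and the
// trusted frontend (for example over IPC); never written to a web-readable place.
function newSessionToken() {
  return randomBytes(32).toString('hex');
}

// Constant-time comparison. Hashing first gives equal-length buffers, so
// timingSafeEqual cannot throw and the token length is not leaked.
function tokensMatch(expected, presented) {
  if (typeof presented !== 'string') return false;
  const a = createHash('sha256').update(expected).digest();
  const b = createHash('sha256').update(presented).digest();
  return timingSafeEqual(a, b);
}

// Returns a function with the (socket, next) shape that io.use() expects.
function makeHandshakeGuard(expectedToken, allowedOrigins = []) {
  return (socket, next) => {
    const { headers = {}, auth = {} } = socket.handshake || {};
    // A web page connecting cross-origin to localhost sends an Origin header;
    // reject any origin that is not explicitly allowlisted.
    if (headers.origin !== undefined && !allowedOrigins.includes(headers.origin)) {
      return next(new Error('origin not allowed'));
    }
    // Other local processes send no Origin, so the token is the real gate.
    if (!tokensMatch(expectedToken, auth.token)) {
      return next(new Error('invalid token'));
    }
    return next();
  };
}

// Helper for the demo: run the guard against a constructed handshake.
function check(guard, handshake) {
  let outcome;
  guard({ handshake }, (err) => { outcome = err ? err.message : 'accepted'; });
  return outcome;
}

// Constructed sample handshakes (not captured traffic).
const token = newSessionToken();
const guard = makeHandshakeGuard(token, ['app://quiet']);
console.log(check(guard, { headers: {}, auth: { token } }));
console.log(check(guard, { headers: { origin: 'https://attacker.example' }, auth: { token } }));
console.log(check(guard, { headers: {}, auth: {} }));
```

On a real server the guard would be registered with `io.use(makeHandshakeGuard(token, origins))`, and the client would connect with `io(url, { auth: { token } })`.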