Connection: the issue at hand is more complicated than it first appears, as usual

This commit is contained in:
Starbeamrainbowlabs 2022-02-09 03:14:26 +00:00
parent a736acc1b7
commit 1e76226177
Signed by: sbrl
GPG key ID: 1BE5172E637709C2

View file

@ -178,7 +178,7 @@ class Connection extends EventEmitter {
// TODO: Consider anonymous TLS, with jpake for mututal authentication
// TODO: Consider https://devdocs.io/node/crypto#crypto.createCipheriv() - which lets us use any openssl ciphers we like - e.g. ChaCha20-Poly1305
// TODO: We're currently vulnerable to a replay attack. We need to mitigate this somehow.
// TODO: We're currently vulnerable to a replay attack. We need to mitigate this somehow - probably by maintaining a sequence number. Instead of sending the sequence number though we should instead compute a MAC that also includes the message length and a bunch of other things etc. Of course, we will also need to make sure we don't fall afoul of mac-then-encrypt, encrypt-then-mac, etc issues...
let payload = JSON.stringify({ event, message });
payload = encrypt_bytes(