From 97da517a0e125a1a2bc012f7c93a77c1b7c7394c Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Wed, 9 Feb 2022 03:03:45 +0000
Subject: [PATCH] Connection: oops, we're vulnerable to a replay attack
---
 src/lib/transport/Connection.mjs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/lib/transport/Connection.mjs b/src/lib/transport/Connection.mjs
index 70c5253..6bc389b 100644
--- a/src/lib/transport/Connection.mjs
+++ b/src/lib/transport/Connection.mjs
@@ -177,6 +177,9 @@ class Connection extends EventEmitter {
 // TODO: Consider anonymous TLS, with jpake for mututal authentication
 // TODO: Consider https://devdocs.io/node/crypto#crypto.createCipheriv() - which lets us use any openssl ciphers we like - e.g. ChaCha20-Poly1305
+
+ // TODO: We're currently vulnerable to a replay attack. We need to mitigate this somehow.
+
 let payload = JSON.stringify({ event, message });
 payload = encrypt_bytes(
 this.session_key,
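Review bot: The TODO added above `let payload = JSON.stringify({ event, message });` names the replay problem but not what is missing, so it is hard to act on or to tell when it is done. The payload visible here carries only `event` and `message`, with nothing that distinguishes one message from an earlier identical one under the same `session_key`, so a recorded ciphertext would presumably decrypt and be accepted again. I would make the comment specific, e.g. `// TODO(security): replay - payload has no per-message counter; add a per-direction sequence number inside the encrypted payload and have the receiver reject any value not greater than the last one accepted.` A counter only helps if the ciphertext is integrity-protected, and whether `encrypt_bytes` authenticates is not visible in this hunk; the enclosing method and the receive path also lie outside it.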