Would TLS meaningfully improve the security of this system?

YES, assuming you implement it in a good way. It certainly won't reduce the security, and can prevent some attacks. If the client is a thick app rather than a browser, you can quite substantially improve the security.

If I add TLS, will that make this system secure?

NO, even with TLS, loopback sockets are generally not a secure method of IPC. Besides, there's no good reason to use them in a system like this. Almost every other method of IPC is much more secure, and usually also faster, more reliable, and more feature-rich.

Do I need to put TLS on this loopback service to prevent sniffing of the plaintext password by unauthorized users?

a network tap interface enabled with permissive access control).

Or, since only root (or processes with certain capabilities) can sniff interfaces, does this mean even without TLS, the password is already safe from all non-privileged users?

No, that restriction isn't sufficient by itself to protect the password, or the service in general. See more detail in the next section.

Also, depending on exactly what you mean by "plaintext password", this system might be broken regardless of the communication channel. For example, it is entirely possible to carry out a timing attack for linear-time brute forcing of a password if you have local code execution on the server, even with very limited privileges (e.g. within a browser JS sandbox), so your app would need to be secure against that. Other, more complex side-channel attacks might also be possible. Finally, simple brute-forcing is a significant risk.

The main thing that TLS would add to this scenario is the ability for the server to prove its identity to the client (by passing a certificate that only the legitimate service has the public key to), before the user submits a password. Without TLS, you generally can't do that.
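The timing-attack and brute-force points in the answer above, as an added example that is not part of the original answer: a naive early-exit password comparison is instrumented with a step counter so the leak is visible deterministically (its work grows with the length of the correct prefix), followed by the form a local service should use instead: a salted slow hash compared with `hmac.compare_digest`, plus a per-client attempt limit. The salt, passwords and client ids are constructed sample values.

```python
import hashlib
import hmac

# VULNERABLE: early-exit comparison. The returned step count stands in for
# wall-clock time: it equals 1 + (length of the matching prefix), so an
# attacker measuring it can recover the password one character at a time.
def naive_compare(expected: str, guess: str) -> tuple[bool, int]:
    steps = 0
    if len(expected) != len(guess):
        return False, steps
    for a, b in zip(expected, guess):
        steps += 1
        if a != b:          # stops at the first mismatch: this is the leak
            return False, steps
    return True, steps

def leak_per_guess(expected: str, guesses: list[str]) -> list[int]:
    """Work done by naive_compare for each guess (the observable oracle)."""
    return [naive_compare(expected, g)[1] for g in guesses]

# HARDENED: never compare the password itself. Store a salted PBKDF2 hash
# and compare hashes with a constant-time function, so work is independent
# of how many characters of the guess are right.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(salt: bytes, stored_hash: bytes, guess: str) -> bool:
    return hmac.compare_digest(hash_password(guess, salt), stored_hash)

class Verifier:
    """Constant-time verification plus a lockout against simple brute force."""
    MAX_ATTEMPTS = 5

    def __init__(self, salt: bytes, stored_hash: bytes):
        self.salt, self.stored_hash = salt, stored_hash
        self.failures: dict[str, int] = {}   # client id -> failed attempts

    def check(self, client_id: str, guess: str) -> bool:
        if self.failures.get(client_id, 0) >= self.MAX_ATTEMPTS:
            return False                     # locked out, regardless of guess
        ok = verify_password(self.salt, self.stored_hash, guess)
        if ok:
            self.failures.pop(client_id, None)
        else:
            self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return ok

if __name__ == "__main__":
    # Constructed sample values.
    print(leak_per_guess("secret", ["xecret", "sxcret", "sexret"]))   # [1, 2, 3]
    salt = b"constructed-salt"
    v = Verifier(salt, hash_password("correct horse", salt))
    print(v.check("client-1", "correct horse"))                      # True
```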