How to encrypt a dnode connection? - node.js

I am using dnode as an RPC-style library within my Node.js application.
Now I would like to have secure dnode's connection using public-key-cryptography. I guess that this should be possible anyhow using Node.js' TLS module, but I have never used that, hence I am missing some experience with that.
Has anybody already done this, and can provide a small, but complete example on how to set up an encrypted and secured dnode connection?

Substack has an example on the upnode page
https://github.com/substack/upnode/#ssl-stream-example
So for if you want to use dnode, just swap upnode out

Okay, I got it.
All you need to do is to create a TLS server / client and pipe its stream to dnode.
For an example see my question How to verify that a connection is actually TLS secured?

Related

Node TLS Ticket Reestablish Connection

I am doing experimenting in nodejs. I'm trying to use a TLS Ticket to resume a TLS Session. So I will make a client save off the TLS Ticket after successful connection. After shut down I would like it to use the same TLS ticket to reestablish the TLS connection.
I have found the node tls command tlsSocket.getTLSTicket() however I am not sure how to use it to reestablish a connection because it's "Useful only for debugging".
What i want is the ability to get the TLSTicket from the client and manually validate it against a TLSTicketKey in a server in nodejs.
Thanks
After spending way more time than I should have, these are what I found:
There doesn't seem to be any API or exposed JavaScript functions that would allow you to validate TLSTickets.
Reusing sessions via session tickets works out-of-the box, the implementation is completely transparent for your node.js
https://strongloop.com/strongblog/improve-the-performance-of-the-node-js-https-server/
However, as you will see in the link, it is possible to manually handle sessions with a session store (which obviously defeats the purpose of TLS tickets).
Node uses the following function provided by OpenSSL to do Ticket processing.
SSL_CTX_set_tlsext_ticket_key_cb - set a callback for session ticket processing
Full Details: https://github.com/joyent/node/blob/d13d7f74d794340ac5e126cfb4ce507fe0f803d5/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
It's done from here: https://github.com/joyent/node/blob/master/src/node_crypto.cc
Node does not emit resumeSession when it receives valid TLS ticket.
The following GitHub issue describes why and is an easy reference to Node's TLS ticket implementation details.
https://github.com/joyent/node/issues/5872

If I only want to use redis pubsub to create some real time client functionality, is it ok security-wise to connect to redis direct from client?

I'm trying to create a Flash app with some real time functionality, and would like to use Redis' pubsub functionality which is a perfect fit for what I need.
I know that connecting to a data store directly from client is almost always bad. What are the security implications of this (since I'm not an expert on Redis), and are there ways to work around them? From what I read, there is a possible exploit of doing config sets and changing the rdb file location and be able to arbitrary overwrite files. Is there anything else? (If I don't use that particular redis instance for anything at all, i.e. no data being stored)
I understand the alternative is to write some custom socket server program and have it act as the mediating layer for connecting to redis and issuing commands -- that's the work I'd like to avoid having to write, if possible.
** Edit **
Just learned about the rename-command configuration to disable commands. If I disable every single command on the redis instance and leave only SUBSCRIBE and PUBLISH open, would this be good enough to run on production?
I think it would be a bad idea to connect directly your client to Redis. Redis offers an authentication system for a unique user only. It expects this user to be your server app.
From my point of view, directly exposing Redis is always a bad idea. It would allow anybody to access all of your data. This is confirmed by the Redis doc.
So you won't avoid adding or developing the server side of your app.

would TLS prevent others reverse engineer my protocol?

I'm working on a network program and I don't want anyone to know what kind of information is being passed when they sniff the network. Would using TLS achieve this? My main reason is that I want to keep the protocol I'm using to myself for now. If not please tell me if there is anything that can achieve my goal.
It depends on a lot of things, e.g. what your exact threat model is, and how much information leakage you can tolerate.
For TLS to provide adequate protection, these assumptions must be true:
Obviously, you should use a correct implementation, otherwise, if for instance, you are using SecureTransport from iOS 7.0.4, all bets are off.
You should enforce a minimum version requirement and only support secure ciphersuites. If you allow downgrade to SSLv2, you are setting yourself up for problems.
You check for validity of the server public key. You'd be surprised how many client apps skip this.
You use client certificates to authenticate the client, as well as the server, otherwise, it is possible to write a phony client that talks to your TLS server and reverse engineer your protocol. (You can also authenticate the client early in the protocol lifecycle using other means, but that part of your protocol would not be safe).
You keep the private keys secure.
(If you are using X509 certificates and trust chains:) Certificate authorities that you trust do what they are supposed to do, i.e. not sign certificates in your name for others.
You will still leak some packet length and timing information that you hope would not be complete enough for the reverse engineer.
The attacker does not control your client or server or have access to the binaries on any side. If, like an iPhone app, you are giving away the client binary, you have already lost.
Your higher level protocol cannot be tricked into say, redirecting to another server blindly, or lose its mind and do some other crazy thing when the client secure channel is interrupted. This can be hard to notice at times and depends on many other factors.
Something else I have probably missed here.
Would TLS prevent others reverse engineer my protocol?
Probably not. Pentesters do it all the time. They use something like Burp Suite to proxy the connection and watch all the web requests.
If not please tell me if there is anything that can achieve my goal.
Common practice is: if you don't want it stolen, copied, pilfered, abused, etc, then you don't put it on a client. So all sensitive code and data goes on a server you control. Since the client gets to see the request, you have to remove all sensitive information from it.

TCP secured connection - only via my client

so I have this TCP connections between my server and client, and anyone can connect to my server. But I want to make sure that the client is really using MY client application and not just faking messages from a fake TCP client. What would be the ways to do that, check that the connection really is from my game client?
Thanks!
EDIT
If I'm gonna use TLS, can I solve that problem?
There will probably not be a complete solution to your problem, since whatever you do, the other party might always take your program, run it in a monitored environment, manipulate the runtime data and let it use its "secure" network protocol. Since the client application is in uncontrollable hands, you can never be sure that it is your own program.
Baby example: My application runs your application and plays back the data to your server, and forwards your response back to the application. How can you tell?
That said, it might be a very promising "99%" approach to use SSL and hardcode the client's private key into the application -- with some trickery you can try and make it hard to find (e.g. see how Skype does it). If you then also build integrity checks into your program that figure out whether anyone is manipulating the memory or debugging into your program, you can try and make it a bit harder for a potential adversary. (But note that you will always have to ship the private key with your application, so it isn't really safe from discovery.)
Others have suggested useful answers to your question, but I'm going to suggest another approach. Re-examine your requirements.
Ask yourself why you want to know the identity of the client program. Is it so that you can trust your client program more than you trust 3rd-party client programs?
If you need to trust the identity or integrity of software that you have already shipped to your customers, I claim your security model is broken. Once the software runs on a client's PC, you should assume it is evil, even if you originally wrote it.
Any status, any command, any data whatsoever that comes from the network must be checked before it is relied upon.
My default response is to use a challenge/response authentication.
After connection, send a random number from the server to the client
The client then computes, using a hash/key/.... a response message and returns that to the server
If the response matches the servers computation, your chances of authenticity are better. Note though that a reverse engineer of your client will leave this method open to fraud.
You could use a public/private key pair in order to verify that you are who you say you are.
http://en.wikipedia.org/wiki/RSA#Signing_messages

Browser to browser communication without a server?

Is there any possible way to have browsers communicating to each other over lan/wan without the use of a server (direct peer-to-peer)?
Looks like there may be hope on the horizon: http://www.w3.org/TR/webrtc/
Yes you can try http://httprelay.io with the AJAX calls. It is simple as that:
* Send data: POST https://demo.httprelay.io/link/your_secret_channel_id
* Receive data GET https://demo.httprelay.io/link/your_secret_channel_id
IIRC, Opera released some kind of addition to their browser that embedded a webserver for just that functionality:
http://unite.opera.com/
Not sure it really went anywhere, but I think its time will come.
In pure HTML/Javascript? Probably not.
To my knowledge, there's no good way in native JavaScript to listen for connections. In HTTP, the client opens a port, sends a request, and receives a response. You could use the XHTTP or similar class to make a request but there's no good way within a normal web page to create a server on the other end that would listen for requests.
Given that, I know that Flash provides a socket library that allows you to listen for connections. (I imagine Silverlight does this as well, though I haven't researched it.) If you were to create an object using either of these technologies, you could listen for connection requests from any client (assuming that you're not behind a firewall or some other connection-filtering device), maintain an open socket and send whatever you want over the wire.
Summary:
Probably can't do this in JavaScript/HTML/CSS.
BUT, you could pull it off in Flash or Silverlight.
If the browsers are behind firewalls you can look at using NAT traversal.
Protocols like STUN and TURN are used by WebRTC to do this.
This web site has some nice examples/tutorials HTML5 Rocks
Short answer: Nope. Not possible.
Long answer: You could write a signed java applet that implements a web server in each browser. Then browser "a" could talk to browser "b's" applet (don't' close that tab!). You would then have limited access to the others browser state in this way.
Similarly, you could write a plugin/addon that could accomplish much of the same thing.
The real question is why would you want to do this? what are you trying to accomplish? Answer that question and we might be able to come up with a solution.
Yes, they could, but they would need to be designed to establish the connection (or would need to have a module that does it).
Even if I'm wondering why would they need to..
Flash - Stratus. New stuff in latest flash that provides P2P connections.

Resources