Network connection completely unsecured. SSL would be nice.



  • A raw connection like that is very dangerous. Any XSS script in the user’s web browser can exploit that and send commands to click OK on a rootkit install dialog.

    And since both Linux and Android support SSL very well, and SSL is easy to use, this is an even better idea.
    With it you just have to call one function to auto-negotiate an SSL connection based on an optional config file.
    See the openssl s_client and openssl s_server commands for how easy it is.

    :)


  • developer

    I know OpenSSL, but I wouldn't say that a secure solution with client-side certificates is "easy" (and without client certificates, every browser script that is allowed to connect to local sockets would still be able to do malicious things).

    (If it is enough to click OK [no password required] to install a rootkit, it doesn't matter if GfxTablet is present anyway.)

    So, thanks for your suggestion :) But GfxTablet is a prototype/proof of concept and not intended to be a secure server that supports authentication. If you're interested in implementing this, please fork and submit a patch request.

