1112zakaria
commented
10 months ago TODO:
- implement defenses against repeated online attacks, implement timer on the client-side that locks clients out for a certain period of time -> Defends against online guessing attack
- Implement timer on the server-side that rate-limits IP/port after failed # of guesses -> Defends against online attack
- implement auto-generated TLS certificate in server -> Using a new TLS key on-startup reduces the value of information acquired by the attacker if they break in
- implement auto-updating TLS certificate refresh every time interval in server? -> what if TLS key gets cracked? Reduces the value of information acquired by the attacker
- find alternative to storing certificates in the repo? Maybe its in own little folder so it doesn't mix with the code?
Q: is it possible to test successful login?
Other TODO:
- setup dotenv environment variables
- make all user input interactions mockable in order to be able to test
Design a simple login user interface that enables a user to enter their user ID and password.
Observability:
I used HTTPS encrypted communication between the client and the server. To verify that this was the case, I sniffed the packets on Wireshark to verify that I could not read the messages sent.