search

Ammar64 / Sharing

Share files and apps on android to other devices using browser
GNU Affero General Public License v3.0
86 stars 8 forks source link

Add Encrypted sharing #34

Open freeburn12 opened 1 month ago

freeburn12 commented 1 month ago

You can add encrypted sharing like this app "Local Send" with a self-signed certificate https://f-droid.org/packages/org.localsend.localsend_app/

The code: https://github.com/localsend/localsend Or you can also share your code in Codeberg(best for privacy law) Screenshot_20241008-145755_LocalSend

https://codeberg.org/localsend/localsend

Ammar64 commented 1 month ago

Hacking self signed cert is simple.
A hacker would do some arp spoofing to act as if he was the server.

when the client try to connect to the server the hacker will intercept the request and provide his own self signed cert to the client.
The client can't tell whether this self signed cert is from the hacker or the server that's why a warning is shown in the browser.
if the client chose to continue the hacker will send the client's request to the server acting like the client. Then server will send its response to the hacker and hacker will pass it to the client (That's why it's called Man In The Middle Attack).

if that response was an important file then congrats it's with the hacker now.

NOTE: you are not likely to be hacked if you were using your home network. Not saying impossible though.

Ammar64 commented 1 month ago

A solution would be to somehow verify the public key of the cert on the client. But such info can't be obtained with JS without a browser addon.

freeburn12 commented 1 month ago

NOTE: you are not likely to be hacked if you were using your home network. Not saying impossible though.

Ok but it may be more secure than staying in http because there is a validation to be done. As you say, the people who use your application are on a local network, otherwise outside it is by message like Signal messenger or others.

Your app Sharing is mainly used for this at the moment, waiting for offline sharing by mobile phone 😊

If used externally, the hacker can also easily be on the http and without validation.

It would be really bad luck for them to be on the same network, then falsify the certificate and then for the user to accept... In http, it is directly hacked

Ammar64 commented 1 month ago

As you see here https://github.com/Ammar64/Sharing#todo Adding app-to-app sharing is planned. It's easier to encrypt traffic when sending from an app to app as we can include public key in QR Code and verify it or let users verify it visually if not connected through QR Code.

As for the https for browser I might make it an option in the settings.
Browser sharing is planned to be a side feature in the future InShaaAllah