DarkRiftNetworking / DarkRift

DarkRift Networking by Unordinal
http://darkriftnetworking.com

SSLStream for TCP #29

Open MrGadget1024 opened 6 years ago

MrGadget1024 commented 6 years ago

Quick Description

Implement SSLStream for TCP (reliable) connections for both server and client certs.

Explanation

Encryption has several known benefits, including compression.

For Feature Requests

SSLStream on MSDN

JamJar00 commented 6 years ago

Thanks for the suggestion!

My concern with this is that I am in no way a cyber security expert and I have very little experience with cyber security and encryption; I would be very surprised if there are not vulnerabilities in DarkRift that could be exploited to get around any encryption in place.

I agree that being able to enable compression on messages would be very useful and it is definitely something I want to look into soon but I'm not sure about encryption at the moment, purely because I'm not convinced DarkRift should take on responsibility for secure data transmission.

I welcome any thoughts you can add!

Jamie

MrGadget1024 commented 6 years ago

What the client and server do with the data at each end is not your problem, nor part of what is asked for here. By its very nature, encryption gives compression...that's just how it works. Adding SSL Stream and a cert on the server side and having the client use an SSL stream leverages the built-in encryption technology of .NET. You're not reinventing it. The code sample on that page shows how little extra code is added to each side. The OS does all the heavy lifting. An extra bonus of course is that it prevents man-in-the-middle attacks (listening / altering packets) so that secures transmission of logins, payment data, etc. on the wire. Again, what we do with that data in terms of best practices for secure handling and storage is outside the scope of this feature request. We're also responsible for buying a $15 cert from a CA that the client machine will trust.

Obviously this would be a "pro" feature.

Poke MrGadget on Discord when you have time and we can discuss further. No hurry...whenever.
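
The arrangement described in the comment above (server presents a certificate, client wraps its TCP stream in an SslStream), as an added example that is not part of the thread or DarkRift's own code. The self-signed certificate, the thumbprint pin in the callback and all names are assumptions for a loopback demo; with a CA-issued certificate the callback would accept only `SslPolicyErrors.None`.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

class SslStreamLoopbackDemo
{
    // Constructed self-signed cert for the demo; round-tripped through PFX so SslStream can use the key on Windows.
    static X509Certificate2 MakeDemoCert()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var tmp = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        return new X509Certificate2(tmp.Export(X509ContentType.Pfx));
    }
    static async Task Main()
    {
        using var cert = MakeDemoCert();
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        // Server side: accept one TCP connection, complete the TLS handshake, echo one line back.
        Task server = Task.Run(async () =>
        {
            using var tcp = await listener.AcceptTcpClientAsync();
            using var tls = new SslStream(tcp.GetStream(), false);
            await tls.AuthenticateAsServerAsync(cert);
            using var reader = new StreamReader(tls);
            using var writer = new StreamWriter(tls) { AutoFlush = true };
            await writer.WriteLineAsync("echo: " + await reader.ReadLineAsync());
        });
        // Client side: the callback must not blindly return true, or the man-in-the-middle protection is lost.
        using var client = new TcpClient();
        await client.ConnectAsync(IPAddress.Loopback, port);
        using var clientTls = new SslStream(client.GetStream(), false, (sender, remote, chain, errors) =>
            errors == SslPolicyErrors.None || remote?.GetCertHashString() == cert.GetCertHashString());
        await clientTls.AuthenticateAsClientAsync("localhost");
        using var r = new StreamReader(clientTls);
        using var w = new StreamWriter(clientTls) { AutoFlush = true };
        await w.WriteLineAsync("login token (constructed sample)");
        Console.WriteLine($"{clientTls.SslProtocol}: {await r.ReadLineAsync()}");
        await server;
        listener.Stop();
    }
}
```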

JamJar00 commented 6 years ago

My concern isn't the vulnerabilities in customers' code added on top of DarkRift nor the encryption code in the OS, it's that there could be vulnerabilities in DarkRift itself! For example, if developers do start sending payment data or login data over DarkRift then there mustn't be any way that DarkRift can be exploited to reveal it.

I'd feel better with proper penetration testing done on DarkRift (or even if I just had more experience with security) to make sure that there are no obvious exploits. Perhaps a good strategy would be to add encryption but warn that personal or sensitive data should still be sent using secure means like HTTPS.

MrGadget1024 commented 6 years ago

HTTPS is SSL Stream over TCP...just sayin' :)