Closed Vraj2811 closed 5 days ago
naveeeeeeeeeen
commented
1 week ago This is not a bug per se. Clients do not have access to private key. And you are just using the private key to decrypt it.
P.S. The commands received will not be shown in the latest code.
Vraj2811
commented
1 week ago Yeah, I used the private key to decrypt it, but that's not what I'm pointing out. If you check, the output from logread isn't encrypted and shows up in plain text.
naveeeeeeeeeen
commented
1 week ago Yes, That was done deliberately. Output doesn't need encryption. It is to be shown in plain text.
Vraj2811
commented
1 week ago If this was done on purpose, it’s a big problem because securing command outputs is super important. Even if it wasn’t intentional, it still makes the system vulnerable to eavesdropping.
bichhawat
commented
1 week ago So is the claim here that the responses from the server to the client are unencrypted?
Vraj2811
commented
1 week ago Yes
bichhawat
commented
1 week ago If the data is sent unencrypted over the network, it is a bug that needs to be resolved because anyone can now read the data violating the confidentiality requirements.
naveeeeeeeeeen
commented
5 days ago Bug Resolved
Now the responses from the server to the clients are also encrypted.
Screencast From 2024-11-15 10-42-52.webm
In the video, commands like ./logread are encrypted using RSA, requiring decryption with the private key before execution. However, the output from these commands is displayed in plain text, without encryption.