Open qgustavor opened 8 years ago
Valid points, there is a huge place for improvement in terms of security. There should be a signature/checksum for content delivered.
HTTPS would not help since data transfer happens over WebRTC and it is secured pretty well on protocol level.
If you want to use WebCrypto (and get better crypto performance) then you will need HTTPS.
Using a checksum/hash sent by the orchestrating server against the application content would go a long way... derived byte based on pbkdf2 would work. There's also HMAC...
https://github.com/diafygi/webcrypto-examples#pbkdf2---derivebits
Are data being checked in order to prevent bad nodes from sending other peers invalid or corrupted data? Also, if it is implemented or if it will be implemented: how it works (or will work)?
For the demo seems HTTPS isn't being used. It can improve security and will allow some new Web Platform features to be used, like Service Workers.