Add checksum / signature for content delivered from server to prevent fake nodes from sending fake content

PixelsCommander / ViralJS

Express.JS middleware to enable P2P distribution for your app. Your decentralized CDN made easy.

959 stars 54 forks source link

Add checksum / signature for content delivered from server to prevent fake nodes from sending fake content #5

Open qgustavor opened 8 years ago

qgustavor commented 8 years ago

Are data being checked in order to prevent bad nodes from sending other peers invalid or corrupted data? Also, if it is implemented or if it will be implemented: how it works (or will work)?

For the demo seems HTTPS isn't being used. It can improve security and will allow some new Web Platform features to be used, like Service Workers.

PixelsCommander commented 8 years ago

Valid points, there is a huge place for improvement in terms of security. There should be a signature/checksum for content delivered.

HTTPS would not help since data transfer happens over WebRTC and it is secured pretty well on protocol level.

qgustavor commented 8 years ago

If you want to use WebCrypto (and get better crypto performance) then you will need HTTPS.

tracker1 commented 8 years ago

Using a checksum/hash sent by the orchestrating server against the application content would go a long way... derived byte based on pbkdf2 would work. There's also HMAC...

https://github.com/diafygi/webcrypto-examples#pbkdf2---derivebits

http://caniuse.com/#feat=cryptography