Closed by tleyden 7 years ago
From http://lanrat.com/android-wifi-sniffing/:
Promiscuous mode requires the hardware driver to support it. Currently Android drivers do not support this, so that is unlikely.
@hideki What is the latest plan on this? Please confirm.
Hi @NitzDKoder, You can enable SSL on the Listener module, but you need to modify the Java code. Some of our users already do this.
Note to self: CBL Android Listener can support SSL. So we might be able to close this ticket.
@hideki "You can enable SSL on the Listener module, but you need to modify the Java code. Some of our users already do this." http://developer.couchbase.com/documentation/mobile/1.2/develop/guides/couchbase-lite/tech-notes/p2p-replications-ssl/index.html
Please explain more about the above: what changes are needed in the Java code? Is feeding the cert alone enough?
Queries: 1) How can we prevent a 3rd-party app from accessing the CBL server using REST requests (knowing the db name and credentials)?
2) How is HTTPS achieved, and does it cover server and client certificate validation?
https://docs.oracle.com/cd/E19528-01/819-0997/6n3cs0brm/index.html#aakhc https://docs.oracle.com/cd/E19528-01/819-0997/6n3cs0brm/index.html
Even after using HTTPS, the 3rd party can access the data (knowing the db name/credentials/certificate information)?
3) @snej How does iOS behave? Is the local CBL server not accessible from a 3rd-party app?
https://github.com/couchbase/couchbase-lite-ios/blob/master/Source/CBL_URLProtocol.m#L70
4) When will Digest auth be implemented for JS to CBL listener module communication?
The above seems to be a major security flaw. Please share your thoughts on how to avoid it.
Thanks, Nithin
@NitzDKoder,
@hideki with the above 2 not working, we need to open this issue: https://github.com/couchbase/couchbase-lite-java-listener/issues/78
@NitzDKoder, Let me confirm.
If 2. is yes, can you ask the Cordova or PhoneGap community if anyone has solved this problem before?
Thanks,
@hideki I have not tried 1), but for 2), yes, we have a problem: a Cordova-based HTML/JavaScript standalone app talking to the listener has an SSL issue. Will research more on this.
Hi @NitzDKoder, As I am not an expert in Cordova/PhoneGap, I guess it would be faster to solve this if you could ask the Cordova community.
After https://github.com/couchbase/couchbase-lite-java-listener/issues/35 has been fixed, there are still known security issues with PhoneGap. An app running on the same device that was able to run a sniffer (e.g., libpcap -- meaning the device would probably need to be rooted) would be able to sniff the basic auth parameters and use them to connect to the Couchbase Lite REST endpoint.
Possible solutions: