search

scratchfoundation / scratch-link

Device interoperability layer for Windows and MacOS
BSD 3-Clause "New" or "Revised" License
102 stars 83 forks source link

Remove SSL #204

Closed cwillisf closed 2 years ago

cwillisf commented 2 years ago

Resolves

Proposed Changes

Remove SSL entirely. Scratch Link will listen over regular WebSockets (ws://) instead of Secure WebSockets (wss://).

Reason for Changes

With this change, Scratch Link will no longer be vulnerable to a certificate revocation attack.

Unfortunately this will also break compatibility with Safari and other WebKit-based browsers, which represent a majority of our macOS-based users. We'll need more extensive changes to get Scratch Link working again for those users.

easrng commented 2 years ago

Scratch Link will no longer be vulnerable to a certificate revocation attack.

Certificate revocation, while it does prevent use of Scratch Link, is not the real issue here. Before the certificate was revoked it was possible to MITM users and gain access to their accounts just by changing 1 DNS response, which is a serious security issue.

cwillisf commented 2 years ago

The two of you made your stance clear in the discussion on #200. I explained why I disagree. Either way, that discussion is off-topic for this PR. Please stop trolling.

easrng commented 2 years ago

A screenshot of me demoing the exploit and getting my session ID captioned "We do a little trolling".

calerga commented 2 years ago

This isn't just the stance of "the two of us", it's shared by those who understand TLS, asymmetric encryption and PKI. Certificate revocations are a part of it (RFC 5280). There is no such thing as a "certificate revocation attack". Of course that's also the point of view of Sectigo, your certificate authority (and mine). Here is a quote of the email they sent me Saturday:

Thank you for reporting the key compromise, the report is also appreciated. Keep up the good work!

And if we're here, that's because you closed #200 early.

colbygk commented 2 years ago

We understand your positions and we disagree with your stance on the threat model. Adding an ad hominem attack ("...those who understand TLS...") doesn't bolster your point of view.

The attack surface area here isn't just the certificate involved, it requires a level of access and subversion that are more work than if you simply have direct access to the computers involved, for which there are many easier attack vectors than what is described in #200.

The appropriate venue to continue this conversation is via https://hackerone.com

If you like, we can invite you to the program if you provide us with your hackerone username.