Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implementing encrypted connections #1

Open
elonen opened this issue Dec 30, 2019 · 0 comments
Open

Implementing encrypted connections #1

elonen opened this issue Dec 30, 2019 · 0 comments
Labels
enhancement New feature or request

Comments

@elonen
Copy link
Owner

elonen commented Dec 30, 2019

HTTP/Websocket code already supports TLS, but CLI options for it are disabled for now. A good way to implement end-to-end encryption (immune to man-in-the-middle attacks) would be:

  • An administrator provides a TLS cert, TLS key and a PSK (password to join the swarm) to master node. The cert needs to be verifiable by the peer nodes (eg. domain-specific cert from Letsencrypt, a company-wide cert etc).
  • Administrator tells the PSK to users who need to connect the swarm.
  • Peer nodes generate their own (self signed) cert and key upon startup -- for p2p connections.
  • When a peer connects to master, master's HTTP/Websocket endpoint requires the PSK as a HTTP password (using "basic auth").
  • Peer sends the fingerprint of its own p2p cert to the master.
  • When master sends a download proposal to one of the peers, it includes cert fingerprint it got from the uploading peer. Downloading peer then uses certificate pinning to verify uploading peer's identity when connecting over HTTPS.

This would provide secure file distribution to a trusted subset of LAN users, and also secure transfers over the Internet without a VPN, while requiring only one user-generated cert (Websocket endpoint cert on master - which could also be a general HTTPS cert for the site).

@elonen elonen added the enhancement New feature or request label Dec 30, 2019
@elonen elonen changed the title Encrypted connections Implementing encrypted connections Jan 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant