Comments (5)
Kaos, thanks for your comment. I agree—I personally wouldn't send over keys to the Google API—but it's an option that is set to false by default:

> `qr_codes` (default `false`): generate links to QR codes for each encoding (ASCII, hexadecimal, and base32). It uses the Google Charts API and they are served over HTTPS. A future version might allow for QR code generation client-side for security. Security-conscious folks should use a library such as node-qrcode.
I'm hesitant to add a dependency to node-qrcode and do this by default since that might add bloat, but I'm happy to hear other opinions.
> even if it is a request over SSL, it doesn't secure the data passed via GET
@kaosdynamics This is completely untrue. GET queries are still encrypted in a TLS connection. Try loading up https://google.com/?q=tls with wireshark/tcpdump watching. You'll see the TLS handshake (with the domain name if your browser supports SNI). That's the extent of the visibility into a TLS GET request.
It's true that you should not send secrets to a third-party, as it is bad practice and opens you up to additional attack vectors. Querystring parameters can (and do, by default) get logged by most web servers, and they are shown in the clear in the browser history. It's not as dire as you're implying however.
Just wanted to set the record straight.
If I would use node-qr to generate the QR on my server rather than using Google's service, could the secret key still be reverse engineered by someone intercepting the QR using MITM between my Node server and my client?
If you are using https, then nobody should be able to MITM the connection. If they do MITM, the secret will be compromised.
That's what I thought, thanks for confirming @gcochard
Might be something worth stressing in the README. If any part of the key or QR are sent over non-secure HTTP the entire system becomes easy to compromise and basically moot. This might not be obvious to first-time users.
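Added example (not speakeasy's own code, nor any commenter's): it builds the otpauth:// Key URI that a TOTP QR code encodes and screens a QR-related URL for the two problems discussed in this thread, the secret being handed to a third-party chart service and the secret sitting in a query string or travelling over plain HTTP. The base32 secret, the `login.example.com` host and the Google Charts URL shape are constructed placeholders.

```javascript
// Assumptions: `secret` is already base32-encoded; APP_HOSTS is a placeholder
// list of hosts you control. Runs on Node with no extra packages.

const APP_HOSTS = new Set(['login.example.com']); // placeholder first-party host

// otpauth://totp/<issuer>:<account>?secret=...&issuer=... (Google Authenticator Key URI)
function otpauthUri({ issuer, account, secret, digits = 6, period = 30 }) {
  const label = encodeURIComponent(`${issuer}:${account}`);
  const params = new URLSearchParams({
    secret, issuer, algorithm: 'SHA1', digits: String(digits), period: String(period),
  });
  return `otpauth://totp/${label}?${params}`;
}

// Returns the reasons `url` is unsafe to hand to a client; an empty array means no finding.
function secretExposure(url, secret) {
  const findings = [];
  let u;
  try { u = new URL(url); } catch (e) { return ['not a valid absolute URL']; }
  // searchParams decodes values, so a secret nested inside an encoded otpauth URI is caught too.
  const secretInQuery = [...u.searchParams.values()].some((v) => v.includes(secret));
  if (u.protocol === 'http:') findings.push('plain HTTP: readable by anyone on the path');
  if (secretInQuery && !APP_HOSTS.has(u.hostname)) {
    findings.push(`secret leaves your control: sent in the query string to ${u.hostname}`);
  }
  if (secretInQuery) findings.push('secret in query string: lands in server logs and browser history');
  return findings;
}

// Demo with a constructed secret (not a real one).
const uri = otpauthUri({ issuer: 'Example', account: 'alice@example.com', secret: 'JBSWY3DPEHPK3PXP' });
// A Google Charts style link of the kind the qr_codes option points at (shape constructed here).
const thirdParty = 'https://chart.googleapis.com/chart?cht=qr&chl=' + encodeURIComponent(uri);
// Local rendering instead: the otpauth URI itself is the QR payload (e.g. for node-qrcode),
// and the client only ever receives an image served from your own host.
const firstParty = 'https://login.example.com/2fa/qr.png';
console.log(secretExposure(thirdParty, 'JBSWY3DPEHPK3PXP')); // two findings
console.log(secretExposure(firstParty, 'JBSWY3DPEHPK3PXP')); // []
```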