
Comments (5)

markbao commented on May 18, 2024

Kaos, thanks for your comment. I agree—I personally wouldn't send over keys to the Google API—but it's an option that is set to false by default:

qr_codes (default false): generate links to QR codes for each encoding (ASCII, hexadecimal, and base32). It uses the Google Charts API and they are served over HTTPS. A future version might allow for QR code generation client-side for security.

Security-conscious folks should use a library such as node-qrcode.

I'm hesitant to add a dependency to node-qrcode and do this by default since that might add bloat, but I'm happy to hear other opinions.

from speakeasy.

gcochard commented on May 18, 2024

even if it is a request over SSL, it doesn't secure the data passed via GET

@kaosdynamics This is completely untrue. GET queries are still encrypted in a TLS connection. Try loading up https://google.com/?q=tls with wireshark/tcpdump watching. You'll see the TLS handshake (with the domain name if your browser supports SNI). That's the extent of the visibility into a TLS GET request.

It's true that you should not send secrets to a third-party, as it is bad practice and opens you up to additional attack vectors. Querystring parameters can (and do, by default) get logged by most web servers, and they are shown in the clear in the browser history. It's not as dire as you're implying however.

Just wanted to set the record straight.


rvdmla commented on May 18, 2024

If I would use node-qr to generate the QR on my server rather than using Google's service, could the secret key still be reverse engineered by someone intercepting the QR using MITM between my Node server and my client?


gcochard commented on May 18, 2024

If you are using https, then nobody should be able to MITM the connection. If they do MITM, the secret will be compromised.


rvdmla commented on May 18, 2024

That's what I thought, thanks for confirming @gcochard

Might be something worth stressing in the README. If any part of the key or QR are sent over non-secure HTTP the entire system becomes easy to compromise and basically moot. This might not be obvious to first time users.

