asticode/astilectron

Support wss:// as binding address

gjchentw opened this issue · 3 comments

Currently astilectron uses a TCP socket to bind to other language stacks, but the data over this connection is easy to sniff and insecure when the renderer passes data like passwords or tokens.

Maybe we can consider: when start() is called with [tcp://]ip:port, use the classic TCP way,
and when start() is called with something like wss://localhost[:port], use ws to create a secured connection between the client and the language bindings.

Cheers.

@gjchentw this is a good idea, but who is handling the SSL handshake in this scenario? And who generates the SSL certificate?

The language binding side should start a wss server instead of a TCP server, therefore it should create a self-signed certificate every time the application is launched. Go-astilectron, for example, should achieve this easily by using mkcert. And on the electron js main process side, astilectron uses rejectUnauthorized to skip checking the self-signed certificate and finish the SSL handshake:

// ws (https://github.com/websockets/ws) client; the options object below is ws-specific
var WebSocket = require('ws');

var soc = new WebSocket("wss://localhost:9000", {
  protocolVersion: 8,
  origin: 'https://localhost:9000',
  rejectUnauthorized: false // do not verify the binding's self-signed certificate
});
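Added example, not code from the thread or from either project: the Go-side half of the design above, generating a self-signed certificate in memory for this launch only, plus the client-side check that pins that certificate instead of disabling verification with rejectUnauthorized: false (with verification off, anything on the loopback path can still sit between the two ends, which is the exposure the issue set out to close). NewLaunchCert and PinnedClientConfig are names chosen here; the Electron side would get the same effect by trusting the handed-over PEM as its only CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// NewLaunchCert makes a fresh ECDSA key and self-signed certificate for this launch
// only. It returns the server tls.Config for the wss listener and the certificate
// PEM that the binding hands to the Electron side so it can pin it.
func NewLaunchCert(ttl time.Duration) (*tls.Config, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "astilectron-binding"}, // constructed name
		NotBefore:    now.Add(-time.Minute),                        // small clock-skew allowance
		NotAfter:     now.Add(ttl),                                 // expires with the process, not years later
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"}, // loopback only; never valid for any other host
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, MinVersion: tls.VersionTLS12}
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// PinnedClientConfig trusts only the launch certificate: the client-side equivalent
// of handing the Electron process that PEM as its sole CA instead of rejectUnauthorized: false.
func PinnedClientConfig(certPEM []byte) (*tls.Config, bool) {
	pool := x509.NewCertPool()
	ok := pool.AppendCertsFromPEM(certPEM) // false if the PEM is not a certificate
	return &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}, ok
}
```

A certificate from a second launch is rejected by a client pinned to the first, so a stale or foreign listener on the same port cannot impersonate the binding.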

@asticode for now I did a little work on my fork of astilectron and go-astilectron, and they can work over a websocket like wss://localhost:8443.

https://github.com/gjchentw/astilectron/blob/735b45b3de54e52e368d9d1d1c1d4eb3abea8a72/src/client.js

https://github.com/gjchentw/go-astilectron/blob/a0a6a02e7d51ab295a8266435d55311efa2161e0/astilectron.go

and use SocketType as an option in main.go:

	// l and port are defined earlier in main.go (not shown); SocketType/SocketWSS come from the fork
	a, err := astilectron.New(l, astilectron.Options{
		AppName:           "Test",
		BaseDirectoryPath: "example",
		TCPPort:           &port,
		SocketType:        astilectron.SocketWSS, // wss instead of the plain TCP socket
		// SkipSetup:         true,
	})

The problem is, to make astilectron able to use websocket, I added ws (https://github.com/websockets/ws/) as the only dependency in astilectron, and this makes the example in go-astilectron not work because ws is not provisioned properly. I'd like to hear advice from you and the community: maybe add a new provisioner for ws, or try to implement websocket natively even though it seems like harder work.

Cheers.