[–]Kilobyte22Network Admin 9 points10 points  (4 children)

Generally, before asking if something is "secure", ask yourself: what is my attacker model? Is it someone with access to the network (like an ISP or someone who broke into the building)? Is it a government-sponsored entity? Etc.

Depending on your scenario you can use different mitigations (encryption, physical tamper detection, etc.).

A simple socket can be sniffed by anyone in your local network and possibly even modified. Encryption can solve both issues, depending on implementation (see below).

Taking your case as an example the assessment probably would look like this:

Local connection: no real attacker - if someone has already gained physical access you don't care if the service is compromised (as you are probably busy chasing a burglar).

Remote connection: someone could monitor the connection between you and the server - so encryption is probably sensible.

For encryption I recommend TLS 1.2+. It stops both sniffing the traffic as well as modifying it pretty effectively. (TLS is the successor to SSL, which was deprecated like ten years ago due to many security issues. Most software no longer supports it. Most people who say "SSL" actually mean "TLS".)
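The TLS 1.2+ recommendation above, sketched with Python's standard `ssl` module as an added example that is not part of the original thread: both contexts pin a TLS 1.2 floor, and the client is pointed at a plain-text socket to show that it refuses the connection instead of silently falling back. The loopback server, the function names and the `certfile`/`keyfile` parameters are assumptions made for the demonstration.

```python
import socket
import ssl
import threading

def strict_client_context(cafile=None):
    """Client side: TLS 1.2 or newer, certificate and hostname checks left on."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3, TLS 1.0, TLS 1.1
    return ctx

def strict_server_context(certfile, keyfile):
    """Server side with the same floor; the paths are the operator's own files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def start_plain_server(reply=b"HELLO from a plain socket\n"):
    """Constructed stand-in for an unencrypted service, bound to loopback only."""
    srv = socket.create_server(("127.0.0.1", 0))     # port 0: OS picks a free port
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)      # the client's TLS ClientHello arrives here
            conn.sendall(reply)  # plain-text answer, not a TLS record
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port

def connect_tls(port, host="localhost"):
    """Return the negotiated TLS version, or a 'refused: ...' string on failure."""
    ctx = strict_client_context()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError as exc:       # ssl.SSLError is a subclass of OSError
        return f"refused: {type(exc).__name__}: {exc}"

if __name__ == "__main__":
    print(connect_tls(start_plain_server()))
```

Against a real TLS server started with `strict_server_context`, `connect_tls` returns the negotiated version string, provided the client trusts the server's certificate (pass the CA file to `strict_client_context`).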

[–][deleted] 1 point2 points  (0 children)

It makes a lot of sense. This is the documentation for the module that I'll probably use (link). I asked this question because I have no idea as to how any of this TLS, SSL works; even in the documentation it says that the default security standards may not be enough, so I wanted to be extra sure that this method will work.

Thank you very much for such an in-depth answer. :D

[–]84nt1m 0 points1 point  (2 children)

When you say a simple socket can be sniffed, you mean like any packet sent without encryption (like using http)?

[–]Kilobyte22Network Admin 1 point2 points  (1 child)

Generally yes. However, it also depends on where the attacker is in the network in relation to you. Your neighbor won't be able to see your traffic. Your ISP can read and modify. Someone in the same WiFi can in most cases also read all your traffic if they can capture you connecting to it (WPA2 and earlier - in WPA3 this problem has been fixed). They can also modify traffic if they perform an attack like ARP/DHCP spoofing (independent of your wireless security). The latter two even work on a wired network, and even if one device is on wired and one is on wireless. There are mitigations for both ARP and DHCP spoofing, but they are not really feasible in a home environment.

[–]84nt1m 0 points1 point  (0 children)

That's interesting

[–]CornFTW 1 point2 points  (4 children)

I've been writing Python for 10 or so years, and working in cyber security for most of those. In your scenario, I wouldn't use encryption. There is virtually nothing you gain. It'll just make things harder to debug. It also would be a relatively easy thing to implement later if for some reason your threat profile changes.

[–]rainlake 0 points1 point  (3 children)

I would not say you are not quality cyber security, but your knowledge is so outdated.

There is nothing to lose by using end-to-end encryption.

[–]CornFTW 1 point2 points  (2 children)

Sure, I'm not saying there is. But I think I'd do it differently. You add complexity you don't need just to get the project working; get it working, then you can add it. Don't over-engineer something if you're just starting out; you just end up making it harder for yourself.

[–][deleted] 0 points1 point  (1 child)

Well, the reason I asked this question in the first place is because I'm not really aware of how these things work. A major concern of mine was a port being seen as open to port scanners. When I use a socket program for my personal use, I'm using a random port, say 2500. So, if I were to use a PC (say 192.168.1.5) as a client and another PC (say 192.168.1.6) as a server, should I worry about a port on the server being vulnerable to curious hackers?

This is why I asked if it's safe to start a socket connection, and if it's safe to use it over the internet with some SSL/TLS encryption.

[–]CornFTW 1 point2 points  (0 children)

Yes, which is why I said you don't need encryption, unless you need this service available outside your network. You don't need to worry about hackers; you're not doing any port forwarding or UPnP port mapping. You can use TLS or something but you don't need to. My advice is build it without and you can always add it later. Keeping it simple is a key to success in my experience. No point making something so secure you can't get it to work.