A safe client device?, and an safe server device?

unless you are writing both pieces, in general, just worry about your side, assuming the server offers mTLS

I'm writing the frontend and backend code, is that what you mean?

yeah

look into mTLS

that would be my first suggestion

"mTLS is just an extension of TLS (Transport Layer Security). This is commonly found in verifying endpoints and for encrypting communications and for TLS specifically, browsers. The ‘HTTPS’ in a URL is the evidence for this." Does this mean if I have

HTTPS

I have

mTLS

no, that's TLS one direction, mTLS is TLS both directions

This is my oneway setup currently for all subdomains: https://www.ssllabs.com/ssltest/analyze.html?d=test.lucacastelnuovo.nl

Oh like this https://smallstep.com/hello-mtls/doc/client/axios

That's certainly one way.

if the data in intercepted by your MITM, then it can't decrypt it because it's been encrypted with second set of keys.

Cool, if I implemented this I wouldn't need this bandaid, semi-fix right? > 1. Client: Before sending data to the server, Axios middleware will request

https://server.com/auth/key

> 2. Server: Generate keypair (maybe 2048bits if performance allows it) > 3. Server: Encrypt

privateKey

with

applicationKey

(set in .env) > 4. Server: Store

encryptedPrivateKey

in DB with an random

keyId

> 5. Server: Return

publicKey

and

keyId

to Client > 6. Client: The middleware will then encrypt the original payload with this

publicKey

and also provide the

keyId

> 7. Client: Sends request > 8. Server: Looks up

keyId

in DB and gets

encryptedPrivateKey

> 9. Server: Decrypts

encryptedPrivateKey

and gets

privateKey

> 10. Server: Decrypts request > 11. Server: Handles request

yeah, but that bandaid, actually doesn't do anything, because if TLS is vulnerable then so is that code

shame right 🙂

it happens

tableau did have this kind of system in place for some time, what would be the reason for this?

poor security practices?

although it's possible that they were running inside a corporate firewall

Sure, I thought maybe they had some nextlevel bigbrain developers

and not using DNS with TLS

like if you want to go to tableau running inside your company go to

tmetrics/

rather than

https://tmetrics.companyname.com

and so TLS doesn't work there

so it's possible that they created that to implement TLS when it didn't already exist

That makes sense

Hi everybody, it's me again. Today I was trying to start implementing the basics of supertokens (my work so far https://github.com/Luca-Castelnuovo/Secure/tree/master/client)

I've set the url to the demo server

js
SuperTokensRequest.init(
        'https://try.supertokens.io',
        440,
        'example.com',
        {}
    );

and created the following function

js
const isLoggedin = () => SuperTokensRequest.doesSessionExist();

https://github.com/Luca-Castelnuovo/Secure/blob/master/client/src/services/Auth.js