2

I'm building a web chat using socket.io

In order to communicate on port 3000 over HTTPS I need to pass my SSL key and cert files.

Socket.io is open source and I don't know how trustworthy it is to allow it to access such secured files as my cert and key files.

Here is the code from socket.io that runs on the server side with Node.js:

var fs = require('fs');
var https = require('https');

var express = require('express');
var app = express();

// Paths are resolved relative to the process working directory, not this
// file; readFileSync throws if the process cannot read either file.
var options = {
  key: fs.readFileSync('../chat/file.pem'),
  cert: fs.readFileSync('../chat/file.crt')
};

// The key and cert go to Node's built-in https module; socket.io is only
// handed the already-created server object to attach to.
var server = https.createServer(options, app);
var io = require('socket.io')(server);

server.listen(3000);
Niv Apo
  • Cross posted here: http://stackoverflow.com/questions/41987825/is-it-safe-to-pass-my-ssl-key-and-cert-files-to-socket-io – jfriend00 Feb 01 '17 at 21:39

1 Answer

4

This is code you're running on your own system. If you don't trust it, then don't give it access to secrets. If you do trust it, then go ahead.

Short of paying for a full security audit of the code, there's not much you can do about this. You should consider that yes, while your TLS key is indeed secret, it's likely not the only private information you will be entrusting to this code. Do you trust it to manage all of your data correctly, not just your key?

In short, only you can determine if you trust the socket.io code enough to give it access to secret information.


If you decide you do not trust socket.io with your secrets, then perhaps you could use nginx as a reverse proxy in front of socket.io, and nginx can handle TLS termination. Of course then you need to ask the question: do you trust nginx?

EEAA
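To make the reverse-proxy option in the answer concrete, here is an added nginx configuration (not from the original post or from the socket.io or nginx projects) that terminates TLS in nginx and forwards both the WebSocket upgrade and long-polling requests to a socket.io server on localhost. The hostname, certificate paths and the `/etc/nginx/tls` directory are placeholders; the Node side in this setup uses `http.createServer(app)` and `server.listen(3000, '127.0.0.1')`, so the Node process never opens the key file at all.

```nginx
# Added example: nginx owns the TLS key; socket.io behind it speaks plain HTTP
# on the loopback interface only. Hostname and paths are placeholders.
server {
    listen 443 ssl;
    server_name chat.example.com;

    # Only the nginx worker user needs read access to these two files.
    ssl_certificate     /etc/nginx/tls/file.crt;
    ssl_certificate_key /etc/nginx/tls/file.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Node listens on 127.0.0.1:3000 without TLS; it is not reachable
        # from outside the host, so the proxy is the only way in.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # Needed for the WebSocket upgrade handshake to pass through.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Let the application see the original host and client address.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout the trust question moves from "does socket.io handle my key safely?" to "do I trust nginx with it?", exactly as the answer notes; the key file itself can be made readable only by the nginx worker user, and the Node process can run as a separate unprivileged account with no access to it.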
  • I disagree with you. I'm asking here to know better from people with more experience than me in socket.io. Based on your experience with this open source code I will decide if I'm willing to "take the risk" with them. – Niv Apo Feb 01 '17 at 19:32
  • 6
    Whether or not this is "open source" is completely orthogonal to your question. What you're asking for is for someone to do a security analysis of this software. I guarantee you - there is not an active member of SF that has done this, or could speak with any degree of authority on the security of socket.io. This is a decision *you* need to make, not one that we can help you with. If you're unable to review the code on your own, then pay someone to do it. – EEAA Feb 01 '17 at 19:34