Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

My understanding is that the signaling server could be used as the perfect place to perform MITM attack. The README does not mention how berb addresses this concern at all.



Oh I would love some more details if you think that's the case. With Berb only two clients can connect really. So let's say you somehow guess a peer ID, which is very tough, and connect to a random user. You can technically send a file but they can easily ignore it since they didn't initiate the transfer. That being said, I can definitely add a way to verify the file is legit like the suggestion in the reply with hashes.


Should users trust the signaling server? IIRC, the signaling server can easily intervene SDP offer/answer so that it can intercept user files or instruct users to send files wherever it wants.


Oh I see what you are saying. Yeah I guess if we didn't know what the signalling server was doing, that would be a valid argument. But in my case we can see the server code is pure and simple. Unless you mean there's a bug that allows an attacker to do that?

Either way, would love to know your thoughts on improving trust with this.


Do you have a proposal? (Showing file hashes could help, perhaps?)




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: