
I am trying to secure the connection between a single-page webApp (AngularJS, lo


Question

I am trying to secure the connection between a single-page webApp (AngularJS, loaded from a secure source via SSL) and a local server (called BOX) inside the private, local Wi-Fi of the user.

So the webApp is loaded in the browser via HTTPS and then uses AJAX to connect to the local BOX resource in the local Wi-Fi.

At this point, the webApp might have lost internet connection, only loading data from the local source.

Now, I cannot ensure that the wireless is secure (people near the Wi-Fi could listen in), so I need AJAX/JavaScript to securely authenticate with the local resource somehow.

Most browsers do not support HTTPS pinning, which is why I cannot use HTTPS. Simple digest/basic auth is not gonna do it for the client, so I thought about using SRP.

My HTML/JavaScript is delivered via HTTPS, so that should be secure enough to protect it from being altered by a man-in-the-middle attack.

Reviewed SRP libs for JavaScript exist.

Question: Does anyone see any flaws in this concept?

Explanation / Answer

SRP protects only against a man in the middle sniffing the password. It does not protect against an active man-in-the-middle manipulating the transferred data.

Since active man-in-the-middle attacks in a local network are easy (ARP spoofing, etc.), anybody can make/manipulate the data and cause unwanted actions inside your securely authenticated but not tamper-resistant connection.
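
To make the gap the answer describes concrete, here is an added example (not part of the original question or answer) of what tamper detection on the BOX would need on top of the SRP login: every request carries a counter and an HMAC computed with the session key that both sides derive during SRP. The key value, the function names, and the `/api/light` request are constructed for illustration, and Node's `crypto` module is used so the sketch runs outside a browser; it covers integrity and replay only, not confidentiality.

```javascript
// Added example: per-request integrity using a key shared after SRP login.
const nodeCrypto = require('crypto');

// Constructed stand-in for the session key K that both sides derive in SRP.
const sessionKey = nodeCrypto.createHash('sha256')
  .update('constructed-demo-key').digest();

// JSON array encoding keeps the boundaries between fields unambiguous.
function macInput(counter, method, path, body) {
  return JSON.stringify([counter, method, path, body]);
}

// Client side: attach a counter and an HMAC-SHA256 tag to each request.
function signRequest(key, counter, method, path, body) {
  const tag = nodeCrypto.createHmac('sha256', key)
    .update(macInput(counter, method, path, body)).digest('hex');
  return { counter, method, path, body, tag };
}

// BOX side: recompute the tag, compare in constant time, reject old counters.
function makeVerifier(key) {
  let lastCounter = 0;
  return function verify(req) {
    const expected = nodeCrypto.createHmac('sha256', key)
      .update(macInput(req.counter, req.method, req.path, req.body)).digest();
    const given = Buffer.from(String(req.tag), 'hex');
    if (given.length !== expected.length ||
        !nodeCrypto.timingSafeEqual(given, expected)) return 'bad-tag';
    if (!Number.isInteger(req.counter) || req.counter <= lastCounter) {
      return 'replay';
    }
    lastCounter = req.counter;
    return 'ok';
  };
}

// Constructed scenario: a request altered in transit, the genuine one,
// and the genuine one delivered a second time.
function demo() {
  const verify = makeVerifier(sessionKey);
  const genuine = signRequest(sessionKey, 1, 'POST', '/api/light', '{"on":false}');
  const altered = { ...genuine, body: '{"on":true}' };
  return [verify(altered), verify(genuine), verify(genuine)];
}

console.log(demo());
```

Without the tag check, the altered body would be indistinguishable from the genuine one to the BOX, which is exactly the situation the answer warns about.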