Xpra's HTML mode works over HTTP, so it uses a plain-text URL. It means that a password and AES key can easily be intercepted. But we could use WebRTC transport, with or without a signaling server.
You can use https / wss if you wish. Using webrtc does not secure things: without a key exchange (or certificate authorities like ssl), your connection is still vulnerable to MITM.
The webrtc stuff could be useful for exporting the webcam back to the server, but apart from that I'm not sure it does anything useful for us.
Replying to antoine:
You can use https / wss if you wish. Using webrtc does not secure things: without a key exchange (or certificate authorities like ssl), your connection is still vulnerable to MITM.
Hm. Doesn't WebRTC without TLS (https) provide DTLS (https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security)?
I was thinking that if both client and server have access to a signed wss signaling server, they can establish a secure direct connection. Or they can use other secure channels for the "manual" handshake, like internet messengers. It wouldn't require fiddling with self-signed certificates on the xpra server to use https.
You've just pushed the "CA's responsibility" to a signaling server... I'm really not keen on the complexity this would bring but will gladly take patches to implement it.
Replying to antoine:
You've just pushed the "CA's responsibility" to a signaling server... I'm really not keen on the complexity this would bring but will gladly take patches to implement it.
Ok, I understand. Thank you for the response.
I just don't want to use self-signed certificates for TLS, but without them this is in no way secure.
FYI: in the latest releases, the HTML5 client can do HMAC authentication without sending any credentials in plain text to the server (just the HMAC).
See also #1590
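To make the HMAC point above concrete, here is an added example (not xpra's own code; it does not reproduce xpra's actual challenge packet format, salt handling or digest choice, which are assumptions here) of a generic salted challenge/response: the server sends a random challenge, the client answers with HMAC-SHA256 keyed by the password, and the server recomputes and compares in constant time. A passive eavesdropper on plain HTTP/WS sees only the salt and the digest, and a captured digest does not replay against a fresh challenge. The last function shows the caveat from earlier in the thread: an active man-in-the-middle who relays the live challenge and response still authenticates, which is why a TLS/WSS channel is still wanted.

```python
import hashlib
import hmac
import secrets

# Constructed example secret, assumed to be held by both sides already
# (server password file, user-typed password). Not an xpra default.
PASSWORD = b"correct horse battery staple"


def server_challenge() -> bytes:
    """Server, step 1: emit a fresh random salt as the challenge."""
    return secrets.token_bytes(32)


def client_response(password: bytes, salt: bytes) -> str:
    """Client: answer with HMAC-SHA256(key=password, msg=salt).

    Only this digest crosses the wire; the password itself never does.
    """
    return hmac.new(password, salt, hashlib.sha256).hexdigest()


def server_verify(stored_password: bytes, salt: bytes, digest: str) -> bool:
    """Server, step 2: recompute the expected digest and compare in
    constant time so the comparison itself leaks no timing information."""
    expected = hmac.new(stored_password, salt, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(password: bytes, stored_password: bytes = PASSWORD):
    """Drive one round and return (authenticated?, what a passive
    eavesdropper on the cleartext channel captured)."""
    salt = server_challenge()                  # server -> client, in the clear
    digest = client_response(password, salt)   # client -> server, in the clear
    ok = server_verify(stored_password, salt, digest)
    captured = {"salt": salt.hex(), "hmac": digest}
    return ok, captured


def replay_later(captured: dict, stored_password: bytes = PASSWORD) -> bool:
    """Eavesdropper replays a captured digest against a *new* challenge.
    Each round uses a fresh salt, so the stale digest no longer verifies."""
    new_salt = server_challenge()
    return server_verify(stored_password, new_salt, captured["hmac"])


def active_mitm(password: bytes, stored_password: bytes = PASSWORD) -> bool:
    """Caveat: without TLS an active MITM simply relays the live exchange.
    The attacker fetches the real server's challenge, hands it to the
    victim, and forwards the victim's digest. The attacker never learns
    the password, yet the server accepts the attacker's connection."""
    real_salt = server_challenge()                    # attacker <- real server
    digest = client_response(password, real_salt)     # victim -> attacker
    return server_verify(stored_password, real_salt, digest)  # attacker -> server


if __name__ == "__main__":
    ok, seen = run_exchange(PASSWORD)
    print("authenticated:", ok)
    print("on the wire   :", seen)
    print("replay works  :", replay_later(seen))
    print("active MITM   :", active_mitm(PASSWORD))
```

The `hmac.compare_digest` call matters on the server side: a byte-by-byte `==` on the hex strings would let an attacker on a fast local network learn the expected digest one byte at a time.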
Talks of webrtc:
Could be useful for audio and video mode, if we can manage dropped packets and re-transmits (see WebRTC AudioProcessing)
In python:
See also #2942 (RTP)
See also WebRTC/Chromium Updates In 2020.
This ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1338