
I'm building a web chat using socket.io

In order to communicate on port 3000 through https I need to pass my ssl key and cert files.

Socket.io is open source and I don't know how trustworthy it is to allow it to access such secured files as my cert and key files.

Here is the code from socket.io that runs on the server side under Node.js:

var fs = require('fs');
var https = require('https');

var express = require('express');
var app = express();

// TLS private key and certificate, read into memory once at startup
var options = {
  key: fs.readFileSync('../chat/file.pem'),
  cert: fs.readFileSync('../chat/file.crt')
};

// HTTPS server for the express app; socket.io attaches to the same server
var server = https.createServer(options, app);
var io = require('socket.io')(server);

// accept connections on port 3000 over https
server.listen(3000);
Niv Apo

1 Answer


This is code you're running on your own system. If you don't trust it, then don't give it access to secrets. If you do trust it, then go ahead.

Short of paying for a full security audit of the code, there's not much you can do about this. You should consider that yes, while your TLS key is indeed secret, it's likely not the only private information you will be entrusting to this code. Do you trust it to manage all of your data correctly, not just your key?

In short, only you can determine if you trust the socket.io code enough to give it access to secret information.

If you decide you do not trust socket.io with your secrets, then perhaps you could use nginx as a reverse proxy in front of socket.io, and nginx can handle TLS termination. Of course then you need to ask the question: do you trust nginx?

EEAA
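The reverse-proxy setup the answer suggests, as an added example (not from the question, the answer, or the socket.io project): nginx terminates TLS and forwards both ordinary HTTP requests and the socket.io WebSocket upgrade to the Node.js process, which then listens on plain HTTP on 127.0.0.1:3000 instead of reading the key and cert itself. The hostname and the certificate paths are placeholders.

```nginx
# Added example: TLS termination in nginx in front of a socket.io server
# that listens on plain HTTP on 127.0.0.1:3000 (hostname and paths are placeholders).
server {
    listen 443 ssl;
    server_name chat.example.com;

    # Only nginx needs read access to the key and cert; the Node.js process
    # can run as an unprivileged user that cannot read these files at all.
    ssl_certificate     /etc/nginx/tls/file.crt;
    ssl_certificate_key /etc/nginx/tls/file.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # socket.io clients connect under /socket.io/ and upgrade to WebSocket,
    # so this location must pass the Upgrade and Connection headers through.
    location /socket.io/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 60s;   # keep idle WebSocket connections open
    }

    # Everything else (the express routes) is proxied as plain HTTP.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Send any plain-HTTP visitors to the HTTPS listener.
server {
    listen 80;
    server_name chat.example.com;
    return 301 https://$host$request_uri;
}
```

With this in place the Node.js side replaces https.createServer(options, app) with a plain http server bound to 127.0.0.1:3000, so the socket.io process never opens the key file.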