Upgrade a regular `net.Stream` connection to a secure `tls` connection.
Based on a version by Andris Reinman, itself based on an older version by Nathan Rajlich.
This library has one method and accepts either an options hash or a prepared socket as the first argument. It returns a `SecurePair`.
The following options are supported:

- `socket` - if not provided, a socket will be created using `net.createConnection`
- `host` - used to perform automatic certificate identity checking, to guard against MITM attacks
- `port` - only used to create a socket (along with the `host` option) if `socket` is not provided
- `pair` - if you want to provide your own `SecurePair` object

The `onSecure` callback is optional and receives `null` or an error object as the first argument (see below for error cases). Within the callback context, `this` refers to the same `SecurePair` object returned by `starttls`.
```js
var net = require('net');
var starttls = require('starttls');

var options = {
  port: 21,
  host: 'example.com' // must be a string; also enables automatic identity checking
};

net.createConnection(options, function() {
  options.socket = this; // reuse the already-connected socket for the upgrade
  starttls(options, function(err) {
    if (err) {
      // Something bad happened! Do not write to the stream.
      return;
    }
    this.cleartext.write('garbage');
  });
});
```
You should always check for an error before writing to the stream to avoid man-in-the-middle attacks. Errors are produced in the following cases:
If you only pass a socket object, server identity checking will not be performed automatically. In that case you should perform the check manually.
```js
var tls = require('tls');

// `host` is the hostname you intended to connect to.
starttls(socket, function(err) {
  if (err) {
    // Report error and end connection...
    return;
  }
  // Legacy Node: checkServerIdentity returns true on a match.
  // Node 0.12 and later: returns undefined on a match and an Error on mismatch.
  var result = tls.checkServerIdentity(host, this.cleartext.getPeerCertificate());
  if (result === false || result instanceof Error) {
    // Hostname mismatch!
    // Report error and end connection...
  }
});
```
See socks5-https-client for a use case.
Run `make test` or `npm test` to run tests.
Portions of this code copyright (c) 2012, Andris Reinman and copyright (c) 2011, Nathan Rajlich.
Modified and redistributed under an MIT license.
FAQs
Upgrade a regular `net.Stream` connection to a secure `tls` connection.
The npm package starttls receives a total of 2,445 weekly downloads. As such, starttls popularity was classified as popular.
We found that starttls demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.