Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
End-to-End encryption with SNI proxy on top of a TCP multiplexer
[ CLIENT ] --AUTH/CONFIG--> [ SESSION MASTER ] (Trusted connection)
[ CLIENT ] <--FERNET-TOKEN- [ SESSION MASTER ]
[ CLIENT ] --------FERNET-TOKEN---------------------> [ SNITUN ] (Unsecure connection)
[ CLIENT ] <-------CHALLENGE-RESPONSE-(AES/CBC)-----> [ SNITUN ]
<---> <------------------------------>
[ ENDPOINT ] <---> [ CLIENT ] <---------MULTIPLEXER---(AES/CBC)--------> [ SNITUN ] <------EXTERNAL-CONECTIONS-----> [ DEVICE ]
| <---> <------------------------------> |
| |
| <--------------------------------------------------END-TO-END-SSL------------------------------------------------->|
(Trusted connection)
The session master creates a Fernet token from the client's configuration (AES/whitelist) and attaches the hostname and a UTC timestamp until which the token is valid.
{
"valid": 1923841,
"hostname": "myname.ui.nabu.casa",
"aes_key": "hexstring",
"aes_iv": "hexstring"
}
The SniTun server must be able to decrypt this token to validate the client's authenticity. SniTun then initiates a challenge-response handling to validate the AES key and ensure that it is the same client that requested the Fernet token from the session master.
Note: SniTun server does not perform any user authentication!
The SniTun server creates a SHA256 hash from a random 40-bit value. This value is encrypted and sent to the client, who then decrypts the value and performs another SHA256 hash with the value and sends it encrypted back to SniTun. If it is valid, the client enters the Multiplexer mode.
The header is encrypted using AES/CBC. The payload should be SSL. The ID changes for every TCP connection and is unique for each connection. The size is for the data payload.
The extra information could include the caller IP address for a new message. Otherwise, it is random bits.
|________________________________________________________|
|-----------------HEADER---------------------------------|______________________________________________|
|------ID-----|--FLAG--|--SIZE--|---------EXTRA ---------|--------------------DATA----------------------|
| 16 bytes | 1 byte | 4 bytes| 11 bytes | variable |
|--------------------------------------------------------|----------------------------------------------|
Message Flags/Types:
0x01
: New | The extra data includes the first byte as an ASCII value of 4 or 6, followed by the caller IP in bytes.0x02
: DATA0x04
: Close0x05
: Ping | The extra data is a ping
or pong
response to a ping.FAQs
SNI proxy with TCP multiplexer
We found that snitun demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.