1. 0

  2. 2

    This isn’t end-to-end encryption. It’s dangerous to ask people to enter their SSH credentials into a page that’s served over HTTP.

    If it were served over HTTPS, it might provide “end-to-end” encryption, but it still wouldn’t be MITM-proof (see this and this for an explanation of why that is).

    Edit: What could make this better would be to position it as software that people are supposed to install on their own servers and serve over HTTPS. Then at least the MITM issue would be reduced to X.509 (inferior to SSH alone, which does TOFU). But… then people would wonder why on earth they’re using this in the first place instead of just using an SSH client. :P

    1. 2

      The http site now directs to https. I’d be interested in further input on the possible security implications.

      1. 1

        It supports https. I should probably redirect http to https. Just so it’s clear, the credentials don’t touch the server; they are encrypted in the browser. I don’t believe the server could MITM the connection any more than a normal ssh connection could be (unless the JavaScript was modified).

        In its present form it’s a technical demo (as the FAQ suggests). But I think it’s an interesting alternative to something like shellinabox.

      2. 1

        I’ve been working on this little side project; it’s my first web/golang project, so I’m sure the code is quite cringe-worthy, but I found it interesting. Unlike other web-based terminals, the project provides a complete ssh client in JavaScript (an Emscripten port of libssh2). This means that all session data from the client to the target server is encrypted. The mediating server just acts as a proxy. Connections are currently sent over Tor, but the Eliza demo will connect to the local server if you’d like to try it out.
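
Added example, not part of any comment above and not the project's code: the trust-on-first-use (TOFU) host key check that the first comment contrasts with X.509, run before any credentials are sent. `TofuStore`, `check`, `connect` and `demo` are hypothetical names, and the hosts and key blobs are constructed sample values.

```javascript
// Added example: trust-on-first-use (TOFU) host key pinning.
// TofuStore, check, connect and demo are hypothetical names.

class TofuStore {
  constructor() {
    this.pins = new Map(); // "host:port" -> "keytype base64blob"
  }

  // "pinned":   first contact, key recorded without outside verification.
  // "match":    same key as recorded before.
  // "mismatch": key differs from the record; the pin is left unchanged.
  check(host, port, keyType, keyBlob) {
    const id = `${host.toLowerCase()}:${port}`;
    const offered = `${keyType} ${keyBlob}`;
    const known = this.pins.get(id);
    if (known === undefined) {
      this.pins.set(id, offered);
      return "pinned";
    }
    return known === offered ? "match" : "mismatch";
  }
}

// Run the check before authentication so credentials are never sent to a
// host whose key changed. sendCredentials is a caller-supplied callback.
function connect(store, server, sendCredentials) {
  const verdict = store.check(server.host, server.port, server.keyType, server.keyBlob);
  if (verdict === "mismatch") {
    return { verdict, authenticated: false };
  }
  return { verdict, authenticated: sendCredentials() === true };
}

// Constructed sample values, not real hosts or keys.
const GOOD = { host: "Example.test", port: 22, keyType: "ssh-ed25519", keyBlob: "AAAAC3-constructed-key-A" };
const SWAPPED = { ...GOOD, host: "example.test", keyBlob: "AAAAC3-constructed-key-B" };

function demo() {
  const store = new TofuStore();
  let sent = 0;
  const send = () => { sent += 1; return true; };
  const results = [GOOD, GOOD, SWAPPED, GOOD].map((s) => connect(store, s, send).verdict);
  return { results, sent };
}
```

The verdict is only as trustworthy as the code computing it, which is the "unless the JavaScript was modified" caveat raised in the thread.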