The Problem 🚨
Security upgrade time! By default, BeamSync transfers all files and authentication tokens over unencrypted plain HTTP. While we do have an opt-in TLS configuration via environment variables (BEAMSYNC_ENABLE_TLS), almost no regular user sets those up. On an open local Wi-Fi connection, someone running a packet sniffer can see exactly what files are moving and hijack the session token.
We are completely removing unencrypted HTTP. BeamSync must be secure out-of-the-box by enforcing TLS-only connections and generating its own crypto keys entirely in memory, so nothing sensitive is ever written to the host disk.
Architectural Design 🛠️
Step 1: In-Memory Cert Generation
In the backend startup sequence, dynamically generate a temporary, self-signed X.509 certificate using Go's crypto/tls and crypto/x509 libraries:
- Generate an ECDSA P-256 key pair on daemon initialization.
- Set up the Subject Alternative Names (SANs) to explicitly include standard local spaces: 127.0.0.1, localhost, and common local subnets (192.168.x.x, 10.x.x.x, 172.16-31.x.x).
- Keep the certificate validity short (matching the lifetime of the active session, e.g., 24 hours).
- Calculate and store the SHA-256 fingerprint of the certificate's DER encoding.
Step 2: Enforce the TLS Listener
Refactor StartServer() and StartSender() to default to http.ListenAndServeTLS (or initialize a secure tls.NewListener). Plain text HTTP hooks must be completely removed.
Step 3: Wire Fingerprint to QR Code
Since self-signed certs normally cause browser security warnings, modify the QR generation code so the URL contains the certificate's fingerprint parameter: ?tlsfp=<SHA256>. This allows the receiving client page to explicitly trust and pin our certificate.
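Added example (not BeamSync's code; `generateSessionCert` and its `hostIPs` parameter are assumed names): Step 1 carried through in Go, producing the in-memory ECDSA P-256 certificate with the local SANs, the 24-hour validity, and the SHA-256 fingerprint of the DER that Step 3 places in `?tlsfp=`. It assumes the caller enumerates the host's own private interface addresses, because an IP SAN cannot express a subnet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"net"
	"time"
)

// generateSessionCert builds a self-signed ECDSA P-256 certificate valid for ttl
// and returns it with the hex SHA-256 of its DER encoding (the ?tlsfp= value).
// Nothing touches disk: key and DER bytes live only in the returned tls.Certificate.
// hostIPs are the daemon's own interface addresses (assumed enumerated by the
// caller): an IP SAN must be an exact address, so the private subnets named in
// the issue are covered by listing each private IP the host actually has.
func generateSessionCert(ttl time.Duration, hostIPs []net.IP) (tls.Certificate, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	// Random 128-bit serial, as RFC 5280 expects serials to be unique per issuer.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  append([]net.IP{net.ParseIP("127.0.0.1")}, hostIPs...),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	sum := sha256.Sum256(der)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	return cert, hex.EncodeToString(sum[:]), nil
}
```

The returned `tls.Certificate` goes straight into a `tls.Config` for the TLS-only listener of Step 2; the fingerprint string is what the QR URL carries.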
Where to Look 📂
beamsync/tls.go — Clean up or adapt existing functions like GenerateSelfSignedCertificate().
beamsync/server.go — Refactor the listeners inside StartServer() and StartSender().
beamsync/ui/ — Update the frontend template files where QR codes are generated and fetch requests are made.
The Goal 🎯
- Eliminate the plain HTTP fallback entirely.
- Keep certificate generation transient and isolated in memory (no disk file footprints).
- Successfully bind the certificate fingerprint to the generated QR code URL so receiving devices can validate the identity.