feat: Enhanced demo mode security and vulnerability fixes

- **Fixed demo mode timing attack vulnerability** - Added strict rate limiting and user fingerprinting
- **Eliminated replay attack vectors** - Implemented preimage tracking and expiration validation
- **Enhanced key reuse protection** - Added cryptographic validation and session isolation
- **Strengthened free tier abuse prevention** - Multi-layer cooldown system with global limits

- **Secure user fingerprinting** - Browser-based identification without privacy invasion
- **Global session limits** - Maximum 10 concurrent demo sessions across all users
- **Per-user daily limits** - 3 demo sessions per 24 hours with smart cooldown
- **Session completion tracking** - Prevents rapid reconnection abuse
- **Enhanced preimage generation** - Timestamped, versioned, and entropy-validated

- **Configurable security layers** - Individual toggle for encryption, obfuscation, and traffic features
- **Debug mode controls** - `window.DEBUG_MODE` for detailed logging and diagnostics
- **Emergency security disable** - Graceful fallback when advanced features cause issues
- **Vulnerability testing support** - Controlled security layer bypass for penetration testing

- **Cross-session compatibility** - Works seamlessly with both paid and free sessions
- **Real-time UI updates** - Synchronized timer display across all components
- **Session state management** - Automatic cleanup and notification system
- **Payment integration** - Smooth transition between demo and paid sessions

- **Layered security architecture** - 7+ configurable security features with independent controls
- **Traffic analysis protection** - Advanced obfuscation with fake traffic and packet padding
- **Connection state monitoring** - Enhanced logging for security audit and debugging
- **Fallback mechanisms** - Robust error handling with security-first degradation

- **Structured security logs** - Detailed audit trail for security events
- **Performance monitoring** - Connection state and encryption layer metrics
- **Attack detection logging** - Comprehensive tracking of security violations
- **Development diagnostics** - Enhanced debugging for faster development cycles

- Refactored `PayPerSessionManager` with enhanced security controls
- Added `generateUserFingerprint()` with privacy-preserving identification
- Implemented `checkDemoSessionLimits()` with multi-tier validation
- Enhanced `EnhancedSecureWebRTCManager` with configurable security layers
- Added emergency security disable functionality for testing environments
- Improved session timer with cross-component synchronization

**Breaking Changes:** None - All changes are backward compatible

**Security Impact:** High - Eliminates critical vulnerabilities in free tier

**Testing Impact:** Significantly improved - New debug modes and security layer controls

This commit is contained in:
lockbitchat
2025-08-14 23:34:54 -04:00
parent 19e3047282
commit 5437bef9c5
7 changed files with 2211 additions and 901 deletions

@@ -219,11 +219,8 @@ button i {
margin-right: 0.5rem;
}
/* Pay-per-session UI */
/* Pay-per-session UI - Обновленный трехцветный таймер */
.session-timer {
background: linear-gradient(135deg, #f97316 0%, #ea580c 100%);
border: 1px solid rgba(249, 115, 22, 0.3);
color: white;
padding: 8px 16px;
border-radius: 8px;
font-weight: 600;
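Review bot: the replacement header comment `/* Pay-per-session UI - Обновленный трехцветный таймер */` introduces a Russian-language comment into a stylesheet whose other comments (`/* Pay-per-session UI */`, `/* Lightning button */`) are in English; keep comments in one language so the next maintainer can read them, e.g. `/* Pay-per-session UI - updated three-colour timer */`. The hunk header (`-219,11 +219,8`) also shows three declarations dropped from `.session-timer`; it would help reviewers if the commit message said which visual properties were intentionally removed, since the body only mentions "Improved session timer with cross-component synchronization".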
@@ -231,16 +228,24 @@ button i {
display: flex;
align-items: center;
gap: 8px;
border: 1px solid rgba(255, 255, 255, 0.1);
backdrop-filter: blur(10px);
transition: all 0.5s ease;
}
.session-timer.warning {
background: linear-gradient(135deg, #eab308 0%, #ca8a04 100%);
animation: pulse 2s ease-in-out infinite;
.session-timer:hover {
transform: translateY(-1px);
box-shadow: 0 4px 12px rgba(0, 0, 0, 0.2);
}
.session-timer.critical {
background: linear-gradient(135deg, #ef4444 0%, #dc2626 100%);
animation: pulse 1s ease-in-out infinite;
/* Анимация пульсации для красной зоны */
@keyframes timer-pulse {
0%, 100% { opacity: 1; }
50% { opacity: 0.7; }
}
.session-timer.animate-pulse {
animation: timer-pulse 2s ease-in-out infinite;
}
/* Lightning button */
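Review bot: the `.session-timer.warning` and `.session-timer.critical` rules (yellow and red gradients with the `pulse` animation) are dropped in favour of a `:hover` effect and a generic `.session-timer.animate-pulse` class, so the stylesheet no longer carries the colour states that the new comment `/* Анимация пульсации для красной зоны */` ("pulse animation for the red zone") refers to. Confirm in this same commit that the timer component now applies the yellow/red colours itself and toggles `animate-pulse` at the right thresholds, that nothing else still adds the `warning`/`critical` classes, and that the old `pulse` keyframes are not left defined but unused. As in the previous hunk, the comment should be in English to match the rest of the file, e.g. `/* Pulse animation for the red zone */`.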