Comment by simonw
4 days ago
"Warning: The URL is the only authentication. Anyone with the link has full terminal access."
Could you make it so the URL is one-use only, such that once you've scanned it with your phone you can stop worrying because anyone else who uses it won't be able to start a session?
it is indeed disposable and the prefix is like your secure key. it is safe unless someone has access to your screen. I can add an option to permit a single session.
>it is safe unless someone has access to your screen
It's not, because the "secure key" is only in the domain name, which is transmitted in the clear via SNI. That means anyone along the network path can get the key, and therefore can get access in your terminal.
And the domain shows up in CT logs too.
I would argue that it should be the default option. Cool idea!