Security
How HCKConnect protects your sessions, and how to report a vulnerability.
Encryption
- End-to-end encrypted sessions. Screen video, audio, input, clipboard, and files are
encrypted between the controlled computer and the viewing device using an ephemeral X25519 key exchange
and AES-256-GCM. Our relay transports this encrypted data and does not record or store session content.
- Transport security. All client–server communication uses TLS.
- Fail-closed. Clients refuse to send or accept session data in the clear if the
end-to-end handshake has not completed.
Accounts
- Passwords are stored only as Argon2 hashes — never in plaintext.
- Optional two-factor authentication (TOTP).
- Failed-login rate limiting to slow brute-force attempts.
- The controlled computer shows a visible indicator when a remote session is active, with
an optional approval prompt.
Honest limitations (current)
We believe in being precise rather than over-claiming:
- The end-to-end key exchange is not yet mutually authenticated, so a compromised relay could in
principle attempt a man-in-the-middle on the handshake. Hardening this (authenticated keys / a verification
code) is on our roadmap. We do not market the product as "zero-knowledge."
- Desktop builds are working toward code signing; until then, your OS may show an "unknown publisher"
prompt on first run.
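The verification-code hardening named in the first limitation can be sketched as follows. This is an added example, not HCKConnect code: the hashing scheme, the label `example-code-v1` and the function names are assumptions, and the relay is simulated in-process. Each side hashes its own ephemeral X25519 public key together with the key it actually received, so a relay that swaps keys leaves the two users looking at different codes.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// verificationCode hashes both public keys in a fixed order (controlled
// computer first) and keeps 128 bits. The label is a constructed value.
func verificationCode(controlledPub, viewerPub []byte) string {
	in := [][]byte{[]byte("example-code-v1"), controlledPub, viewerPub}
	sum := sha256.Sum256(bytes.Join(in, nil))
	return fmt.Sprintf("%x", sum[:16])
}

// handshake simulates one unauthenticated exchange through a relay. With
// tamper set, the relay hands each side the relay's key instead of the peer's.
func handshake(tamper bool) (controlledCode, viewerCode string, sameKey bool, err error) {
	var k [3]*ecdh.PrivateKey // controlled computer, viewer, relay
	for i := range k {
		if k[i], err = ecdh.X25519().GenerateKey(rand.Reader); err != nil {
			return
		}
	}
	c, v := k[0], k[1]
	seenByC, seenByV := v.PublicKey(), c.PublicKey() // honest relay forwards keys
	if tamper {
		seenByC, seenByV = k[2].PublicKey(), k[2].PublicKey()
	}
	secretC, err := c.ECDH(seenByC)
	if err != nil {
		return
	}
	secretV, err := v.ECDH(seenByV)
	if err != nil {
		return
	}
	controlledCode = verificationCode(c.PublicKey().Bytes(), seenByC.Bytes())
	viewerCode = verificationCode(seenByV.Bytes(), v.PublicKey().Bytes())
	return controlledCode, viewerCode, bytes.Equal(secretC, secretV), nil
}

func main() {
	fmt.Println(handshake(false)) // honest relay: codes match, same key
	fmt.Println(handshake(true))  // tampering relay: codes differ
}
```

The codes must be compared over a channel the relay does not control (read aloud, or shown on both screens). A shorter, human-friendly code would additionally need a commit-then-reveal step on the public keys, as ZRTP uses, so that a relay cannot search for keys that yield matching codes.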
Reporting a vulnerability
We welcome responsible disclosure. Please email [SECURITY EMAIL]
with details and steps to reproduce. Please do not publicly disclose until we have had a reasonable chance to
remediate. We aim to acknowledge reports within [X business days].