WebStorm 2023.2 Help

Code With Me security overview

Code With Me is a powerful tool that gives you an ability to collaboratively work on your code. With that ability comes responsibility to keep your code and level of access secure.

Code With Me workflow

Connection workflow

Let's say we have two users that want to connect to each other using Code With Me.

  1. A user (Host) clicks the Start Code With Me Session action to create a session in their local IDE.

    Start Session

    The local IDE sends a notification about the session creation to a lobby server, and asks for the session connection.

  2. After the registration, the link is created.

  3. The generated link is sent to another user (Guest) by any means that are available.

    For example, it can be sent via Slack, WhatsApp messenger, e-mail, and so on.

  4. The other user (Guest), clicks the received link. Alternatively, click Join Session on the main toolbar in the local IDE, copy and paste the received link.

    Join Session
  5. A guest receives parameters on how to connect to the host and starts connecting.

    At this point, the authorization from the host is requested. If the host grants the access, the connection is continued, and the guest connects to a session.

Data encryption

During a session, a host and a guest exchange private information including source code, passwords, and so on.

That is why the connection between a host and a guest is end-to-end encrypted using TLS 1.3. Whether the traffic flows between users directly, or through JetBrains relay servers, no third party, including JetBrains, can access this communication channel.

Code With Me encrypted channel

Protection against Man-in-the-Middle (MitM) attacks

Arguably, the biggest risk is malicious actors impersonating either the host or the guest to access the communication channel, or so-called Man-in-the-Middle attacks.

Impersonating a legitimate host

Hacker is impersonating a legitimate host

In the beginning of the connection, both a guest and a host generate a unique SSL certificate consisting of a public and a private sections. The guest and the host are authenticated by this pair of SSL certificates.

A join link contains a fingerprint of the host’s certificate, which is a hash of the public part of their SSL certificate. No one but the host holds a private section of this certificate. So, a guest cannot physically connect to a malicious actor, impersonating a host.

Impersonating a legitimate guest

Hacker is impersonating a legitimate guest

Let's say a host created a link that leaked. For example, the host shared the link in a public channel.

So, if a host is not sure of the guest who is trying to connect to the created session, the host can check a pin code. The pin code must match the one of a guest. A host should check that a guest can name the pin code displayed on the host's side using any available channel. If the pin code matches, then the user who is trying to connect to the session is the legitimate one.

Audio and video calls encryption

The audio and video calls between two participants are not end-to-end encrypted by default, but it can be enabled in the call security options.

Enable end-to-end encryption

  1. After the session has started, on the right toolbar, click Code With Me to open the Code With Me tool window.

  2. On the Voice Call tab, on the tool window's menu, click the More Actions icon.

  3. From the list of available options, select Security options.

    Security Options

    You can add a password for your audio or video call, so it can be password protected. You can also use the Enable End-to-End Encryption option to encrypt your call.

    Enabled Security Options
Last modified: 23 August 2023