Securing Websockets

javascript security encryption websocket
12,669

Solution 1

Connecting to a wss:// WebSocket URL rather than ws:// will use the browser's standard TLS/SSL encryption to connect to the server. It's equivalent to HTTPS vs HTTP. If you trust your browser's SSL/TLS implementation then you can trust WebSocket wss:// connections since they use the same engine. You will need to have a signed SSL certificate configured with your websocket server, but that's pretty much required anyways.

Solution 2

Securing(encrypting using SSL/TLS) is very import for your data. But you should consider authentication as well. Anyone with ws capable device that know your endpoint for your server will be able to get data if it doesn't require authentication first. See http://simplyautomationized.blogspot.com/2015/09/5-ways-to-secure-websocket-rpi.html Includes a 3-way handshake method (CHAP) which requires both client and server to have a "pre-shared secret".
Other ways are detailed on the post.

Cheers

Solution 3

With regard to cookies, it might be worth considering, that (currently), the WebSockets protocol spec does not require a browser to provide all, or even any of the cookies that were set by the web server originally serving the JavaScript you use to open a WebSockets connection to that server.

See here for a description of how Firefox behaves (from a FF developer).

Share:
12,669
fancy
Author by

fancy

Updated on June 06, 2022

Comments

  • fancy
    fancy almost 2 years

    Right now our application is designed to facilitate all communication via websockets after the initial load.

    We are trying to figure out a solution to safely pass sensitive data via this transport.

    So far we are thinking about a few things:

    1. Authentication of the websocket transport by passing back a unique hash stored in a session cookie delivered via SSL on initial load.

    2. Client-side encryption using something like a javascript bcrypt implementation to encrypt everything before it is transported.

    3. Just passing all sensitive data with a normal post via SSL even though we dont want to.

    Something like number 1 would be the best outcome but we are unaware if websokets are vulnerable to things like man in the middle attacks even after authentication.

    Any help sussing out possible security downfalls, or any other ideas on how to achieve true security over websockets would be greatly appreciated!

  • Sonny
    Sonny over 8 years
    I looked at that website of yours and it is not clear what a person writing the WebSocket server has to do. Does the server have to be HTTPS mode only?
  • Entrabiter
    Entrabiter over 8 years
    @Sonny no you will need to write a routine to handle the handshake it isn't part of the HTTPS/SSL standard.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Password hashing (non-SSL)
Storing Credentials in Local Storage
Why is there no same-origin policy for WebSockets? Why can I connect to ws://localhost?
Two-way password encryption without ssl
Secure login: public key encryption in PHP and Javascript
Dart "encrypt" library gives unreadable string after encryption
Encrypt and decrypt from Javascript (nodeJS) to dart (Flutter) and from dart to Javascript
How to decrypt AES with CryptoJS
Check if Android filesystem is encrypted
Nodejs createCipher vs createCipheriv