WS on HTTP vs WSS on HTTPS


Solution 1

Is a web socket secure (wss) connection still encrypted through TLS/SSL if the website/server is not?

Yes.

Are wss (Secure Web Socket) connections just as secure on an http server as they are on an https server?

Yes (see above). There is one thing to note: if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure, but an attacker might modify the HTML/JavaScript while it is being sent from the web server to the browser. An HTTP connection isn't protected against man-in-the-middle sniffing or modification.

Solution 2

"wss works on both http and https" ??? This is a strange phrase.

wss is secure only because it means "WebSocket protocol over https". The WebSocket protocol itself is not secure. There is no Secure WebSocket protocol; there are just "WebSocket protocol over http" and "WebSocket protocol over https". See also this answer.

As the author of nv-websocket-client (a WebSocket client library for Java), I also doubt the phrase "if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure" in the answer by oberstet.

Read RFC 6455 (The WebSocket Protocol) to reach the right answer. To become a true engineer, don't avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.
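The two answers above turn on two separate questions: whether the socket itself runs over TLS, and whether the page that opens it was delivered over a protected channel. The following is an added example, not code from either answer: it parses a WebSocket URI per RFC 6455 section 3 and reports both properties for a page/socket pair. The function names and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example (not from the original answers). Hypothetical helper names.
// RFC 6455 section 3: ws defaults to port 80, wss to port 443 and means TLS.
const DEFAULT_PORT = { 'ws:': 80, 'wss:': 443 };

// Parse a ws:// or wss:// URI into the parts RFC 6455 section 3 defines.
function parseWebSocketUri(uri) {
  const u = new URL(uri);
  if (!(u.protocol in DEFAULT_PORT)) {
    throw new Error(`not a WebSocket URI: ${uri}`);
  }
  // Fragment identifiers must not be used in WebSocket URIs.
  if (uri.includes('#')) {
    throw new Error('fragment not allowed in a WebSocket URI');
  }
  return {
    secure: u.protocol === 'wss:', // the "secure" flag: TLS is required
    host: u.hostname,
    port: u.port === '' ? DEFAULT_PORT[u.protocol] : Number(u.port),
    resourceName: (u.pathname || '/') + u.search,
  };
}

// Report which parts of a page + socket combination are protected.
function assessConnection(pageUrl, socketUri) {
  const page = new URL(pageUrl);
  const ws = parseWebSocketUri(socketUri);
  const pageProtected = page.protocol === 'https:';
  const findings = [];
  if (!ws.secure) {
    findings.push('socket traffic is sent without TLS');
  }
  if (pageProtected && !ws.secure) {
    findings.push('browsers block ws:// from an https:// page as mixed content');
  }
  if (!pageProtected) {
    findings.push('page script arrives over plain HTTP and can be modified in transit');
  }
  return { socketEncrypted: ws.secure, pageScriptProtected: pageProtected, findings };
}

// Constructed sample: the case asked about, wss:// opened from an http:// page.
console.log(assessConnection('http://example.test/chat', 'wss://example.test/socket'));
```

Serving the page over HTTPS and opening only `wss://` sockets is the one combination that returns no findings.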

Author: Isaac


Updated on February 27, 2021

Comments

  • Isaac, about 3 years

    I've read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?