Websocket Security


Problem description

I am looking to implement web (Angular) and iPhone apps using WebSockets to communicate with our server. In the past, using HTTP requests, we have used hashes over the request data, URL, timestamp etc. to authenticate and secure the requests.

As far as I am aware, we can't send headers with WebSocket requests, therefore I am wondering how I can secure each request.

Does anyone have any ideas or good practices?

Recommended answer

Having secure communication with a server includes authenticating both parties to each other. If you need to channel different users with different authentication credentials through one communication channel (which is a rare idea nowadays), you'll need separate authentication. Otherwise, you just need to come up with a key distribution scheme (so that your apps know the public keys of your server and your server has a protocol for getting acquainted with the public keys of clients; there are plenty of patterns for this).

To do that, there is a choice gradient a bit wider than SSL or your own crypto (try to avoid writing your own crypto at any cost).

For the webserver-to-browser part of the stack, SSL is your only choice; however, it shouldn't be considered a good safety measure, as each year unfolds more and more vulnerabilities, cipher degradation cases and trust problems. It carries 20 years of baggage of bad engineering decisions and urgent fixes, so if you can get something better, it's worth doing so. Still, it's much better than nothing for the regular web.

In your mobile app you could easily use one of a number of cryptographic libraries providing secure session messaging with the server, with significantly higher security guarantees and no reliance on SSL:

  • https://github.com/mochtu/libsodium-ios, libsodium-ios, an iOS wrapper for NaCl, one of the best modern cryptographic libraries, which has lots of novel implementations of ECC cryptography, is highly praised in academic circles and written by a madman keen to have the best performance under all circumstances (in short: I adore it :) ).

  • Themis, a project I'm a contributor to; we have a very ObjC-friendly iOS version of our library, and a handy tutorial on doing secure traffic over websockets in iOS: https://www.cossacklabs.com/building-secure-chat

