Securing Websockets


Question


Right now our application is designed to facilitate all communication via websockets after the initial load.

We are trying to figure out a solution to safely pass sensitive data via this transport.

So far we are thinking about a few things:

  1. Authentication of the websocket transport by passing back a unique hash stored in a session cookie delivered via SSL on initial load.
  2. Client-side encryption using something like a javascript bcrypt implementation to encrypt everything before it is transported.
  3. Just passing all sensitive data with a normal post via SSL even though we don't want to.

Something like number 1 would be the best outcome but we are unaware if websockets are vulnerable to things like man in the middle attacks even after authentication.

Any help sussing out possible security downfalls, or any other ideas on how to achieve true security over websockets would be greatly appreciated!

Solution

Connecting to a wss:// WebSocket URL rather than ws:// will use the browser's standard TLS/SSL encryption to connect to the server. It's equivalent to HTTPS vs HTTP. If you trust your browser's SSL/TLS implementation then you can trust WebSocket wss:// connections since they use the same engine. You will need to have a signed SSL certificate configured with your websocket server, but that's pretty much required anyways.
