Securing Websockets


Question

Right now our application is designed to facilitate all communication via websockets after the initial load.

We are trying to figure out a solution to safely pass sensitive data via this transport.

So far we are thinking about a few things:

  1. Authentication of the websocket transport by passing back a unique hash stored in a session cookie delivered via SSL on initial load.
  2. Client-side encryption using something like a javascript bcrypt implementation to encrypt everything before it is transported.
  3. Just passing all sensitive data with a normal post via SSL even though we don't want to.

Something like number 1 would be the best outcome but we are unaware if websockets are vulnerable to things like man in the middle attacks even after authentication.

Any help sussing out possible security downfalls, or any other ideas on how to achieve true security over websockets would be greatly appreciated!

Answer

Connecting to a wss:// WebSocket URL rather than ws:// will use the browser's standard TLS/SSL encryption to connect to the server. It's equivalent to HTTPS vs HTTP. If you trust your browser's SSL/TLS implementation then you can trust WebSocket wss:// connections since they use the same engine. You will need to have a signed SSL certificate configured with your websocket server, but that's pretty much required anyways.
