Why are WebSockets masked?


Question

I was following a guide provided by MDN on Writing a WebSocket server, the guide is pretty straightforward and easy to understand...

However upon following this tutorial I ran across the frame that WebSocket messages from the client are sent in:



 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-------+-+-------------+-------------------------------+
|F|R|R|R| opcode|M| Payload len |    Extended payload length    |
|I|S|S|S|  (4)  |A|     (7)     |             (16/64)           |
|N|V|V|V|       |S|             |   (if payload len==126/127)   |
| |1|2|3|       |K|             |                               |
+-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
|     Extended payload length continued, if payload len == 127  |
+ - - - - - - - - - - - - - - - +-------------------------------+
|                               |Masking-key, if MASK set to 1  |
+-------------------------------+-------------------------------+
| Masking-key (continued)       |          Payload Data         |
+-------------------------------- - - - - - - - - - - - - - - - +
:                     Payload Data continued ...                :
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
|                     Payload Data continued ...                |
+---------------------------------------------------------------+

After making some functions to properly unmask the data and the frame that are sent by client, it made me wonder why the data is even masked to begin with. I mean, you don't have to mask data you're sending from the server...

If someone were getting the data for bad reasons, it could be relatively easy to unmask it because the masking key is included with the whole message. Or even provided they didn't have the key, the masking-key in the frame is only 2 bytes long. Someone could easily unmask the data since the key is very very small.

Another reason I'm wondering why the data is masked is because you can simply protect your WebSocket data better than the masking by using WSS (WebSockets Secure) on TLS/SSL, and over HTTPS.

Am I missing the point of why WebSockets are masked? Seems like it just adds pointless struggle to unmask the data sent by the client when it doesn't add any security to begin with.

Recommended answer

jfriend00's comment has great links to good information...

I do want to point out the somewhat obvious, so as to show that masking unencrypted websocket connections is a necessary requirement, rather than just beneficial:

Proxies, routers and other intermediaries (esp. ISPs) often read the requests sent by a client and "correct" any issues, add headers and otherwise "optimize" (such as respond from cache) network resource consumption.

Some headers and request types (such as Connect) are often directed at these intermediaries rather than the endpoint server.

Since many of these devices are older and unaware of the Websockets protocol, clear text that looks like an HTTP request might be edited or acted upon.

Hence, it was necessary that clear text would be "shifted" to unrecognized bytes, to initiate a "pass through" rather than "processing".

After this point, it was just about leveraging the masking to make sure hackers didn't "reverse" this masking to send malicious frames.

As for requiring wss instead of masking - I know this was considered during the writing of the standard... but until certificates are free, this would make any web standard requiring SSL/TLS a "rich man's" standard rather than an internet wide solution.

As for "why mask wss data?" - I'm not sure about this one, but I suspect that it is meant to allow the parser to be connection agnostic and easier to write. In clear text, unmasked frames are a protocol error and result in a disconnection initiated by the server. Having the parser behave the same, regardless of the connection, allows us to separate the parser from the raw IO layer, making it connection agnostic and offering support for event based programming.
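
The two behaviours the answer describes, as an added example that is not part of the original post or the MDN guide: a client payload that looks like an HTTP request is XOR-masked into bytes an intermediary will not recognise, and the server-side parser rejects any client frame that arrives unmasked. It assumes the 4-byte masking key defined in RFC 6455 and handles only short (under 126 bytes) single frames; the function names and sample values are constructed for illustration.

```javascript
// Added example (not from the original post). Frame layout per RFC 6455;
// function names and sample values are constructed for illustration.

// XOR each payload byte with key[i % 4]; the same call masks and unmasks.
function applyMask(payload, key) {
  const out = Buffer.alloc(payload.length);
  for (let i = 0; i < payload.length; i++) out[i] = payload[i] ^ key[i % 4];
  return out;
}

// Build a single masked text frame the way a client would (payloads < 126 bytes only).
function buildClientFrame(text, key) {
  const payload = Buffer.from(text, 'utf8');
  if (payload.length > 125) throw new RangeError('example handles short frames only');
  const header = Buffer.from([0x81, 0x80 | payload.length]); // FIN + text opcode, MASK bit + length
  return Buffer.concat([header, key, applyMask(payload, key)]);
}

// Server-side parse: reject unmasked client frames, otherwise unmask.
function parseClientFrame(frame) {
  if (frame.length < 2) throw new Error('truncated frame');
  const masked = (frame[1] & 0x80) !== 0;
  const len = frame[1] & 0x7f;
  if (!masked) throw new Error('protocol error: client frame not masked');
  if (len > 125) throw new Error('extended lengths not handled in this example');
  if (frame.length < 6 + len) throw new Error('truncated frame');
  const key = frame.subarray(2, 6);
  return applyMask(frame.subarray(6, 6 + len), key).toString('utf8');
}

// Constructed sample: a message that, unmasked, would look like an HTTP request
// to an intermediary that does not understand WebSockets.
const sampleKey = Buffer.from([0x37, 0xfa, 0x21, 0x3d]); // fixed so the output is reproducible; real clients pick a fresh random key per frame
const sampleText = 'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n';
const wire = buildClientFrame(sampleText, sampleKey);

// What a middlebox scanning the byte stream would match on.
function wireLooksLikeHttp(bytes) {
  return bytes.toString('latin1').includes('HTTP/1.1');
}

console.log('on the wire :', wire.subarray(6, 22).toString('hex'));
console.log('looks like HTTP on the wire?', wireLooksLikeHttp(wire));
console.log('server sees :', JSON.stringify(parseClientFrame(wire)));
```

The key travels in the frame, so masking gives no confidentiality against anyone reading the traffic; its effect is that the sender cannot choose the exact bytes an intermediary sees.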
