WebSocket 框架中的掩码是什么? [英] What is the mask in a WebSocket frame?
问题描述
我正在研究 websocket 实现,但不知道框架中掩码的含义.
I am working on a websocket implementation and do not know what the sense of a mask is in a frame.
有人可以解释一下它的作用以及为什么推荐它吗?
Could somebody explain me what it does and why it is recommend?
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-------+-+-------------+-------------------------------+
|F|R|R|R| opcode|M| Payload len | Extended payload length |
|I|S|S|S| (4) |A| (7) | (16/64) |
|N|V|V|V| |S| | (if payload len==126/127) |
| |1|2|3| |K| | |
+-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
| Extended payload length continued, if payload len == 127 |
+ - - - - - - - - - - - - - - - +-------------------------------+
| |Masking-key, if MASK set to 1 |
+-------------------------------+-------------------------------+
| Masking-key (continued) | Payload Data |
+-------------------------------- - - - - - - - - - - - - - - - +
: Payload Data continued ... :
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Payload Data continued ... |
+---------------------------------------------------------------+
推荐答案
Websockets 在 RFC6455 中定义,在 第 5.3 节:
Websockets are defined in RFC6455, which states in Section 5.3:
掩码键的不可预测性是防止恶意应用程序的作者选择出现在线路上的字节.
The unpredictability of the masking key is essential to prevent authors of malicious applications from selecting the bytes that appear on the wire.
在关于Websockets的博客条目中,我发现了以下内容解释:
In a blog entry about Websockets I found the following explanation:
掩码密钥(32 位):如果设置了掩码位(相信我,如果您是为服务器端编写的),您可以在此处读取无符号字节,这些字节用于对有效负载进行异或.它用于确保糟糕的代理不会被来自客户端的攻击者滥用.
masking-key (32 bits): if the mask bit is set (and trust me, it is if you write for the server side) you can read for unsigned bytes here which are used to xor the payload with. It's used to ensure that shitty proxies cannot be abused by attackers from the client side.
但我在邮件列表中找到的最清楚的答案存档.约翰·坦普林 (John Tamplin) 说:
But the most clearly answer I found in an mailing list archive. There John Tamplin states:
基本上,WebSockets 的独特之处在于您需要保护网络基础设施,即使你有恶意代码在客户端运行,完整的服务器的敌意控制,你唯一可以信任的是客户端浏览器.通过让浏览器为每个生成一个随机掩码框架,敌对客户端代码无法选择出现的字节模式并使用它来攻击易受攻击的网络基础设施.
Basically, WebSockets is unique in that you need to protect the network infrastructure, even if you have hostile code running in the client, full hostile control of the server, and the only piece you can trust is the client browser. By having the browser generate a random mask for each frame, the hostile client code cannot choose the byte patterns that appear on the wire and use that to attack vulnerable network infrastructure.
正如kmkaplan 所说,攻击向量在第10.3节 RFC.
这是一种防止代理缓存中毒攻击的措施1.它的作用是创造一些随机性.您必须将有效负载与随机掩码密钥进行异或.
As kmkaplan stated, the attack vector is described in Section 10.3 of the RFC.
This is a measure to prevent proxy cache poisoning attacks1.
What it does, is creating some randomness. You have to XOR the payload with the random masking-key.
顺便说一句:它不仅仅是推荐的.这是强制性.
By the way: It isn't just recommended. It is obligatory.
1:见黄,林雄等.为了乐趣和利润而自言自语."W2SP 论文集 (2011)
这篇关于WebSocket 框架中的掩码是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
