What are the security issues around an open websocket connection?
Question
I am building an application that is using websockets. I am only going to allow authenticated users to open a websocket connection with the server after they have logged in and have been granted a session id.
Once I have opened a websocket connection with an authenticated user, the current "page" then holds the details of the open websocket connection. At this point, is this connection relatively safe? Or should I really be checking some token on every message within my own application level protocol that comes in over the websocket?
Are there any known cross-site forgery type security issues, where someone could co-opt an open websocket by getting the authenticated user to execute some JavaScript in some manner, resulting in the ability to exploit the open websocket connection?
Answer
1) The connection is safe when you make it safe on the server side. So you have to send a session ID via WebSockets, verify on the server side that it is correct and mark the connection as valid. Authentication is more difficult with HTTP, because HTTP is stateless (unlike raw TCP). Of course it is still possible to hijack a TCP connection, but it's not that easy (see for example this article) and if it happens, then nothing (except for TLS) can help you.
2) Well, if you wrap your WebSocket connection with an anonymous function like that:
(function() {
    // ws is local to this function scope, so it is never exposed as a global
    var ws = new WebSocket("ws://localhost:1000");
    // some other stuff
})();
then no external JavaScript will be able to access it, so you don't have to worry about that.
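The server-side checks the answer describes (verify a session ID sent over the socket, then mark the connection as valid, and reject everything else until then), together with an Origin check at the upgrade for the cross-site case the question raises. This is an added, dependency-free model written for this page, not code from the answer or from any WebSocket library; ALLOWED_ORIGINS, sessionStore and the message shapes are assumptions, and the session entry is constructed sample data.

```javascript
// Assumed: the origins our own pages are served from, and a server-side
// session store filled at login (constructed sample entry).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const sessionStore = new Map([["sess-abc123", { user: "alice" }]]);

// Check 1, at the HTTP upgrade: browsers always send an Origin header on a
// WebSocket handshake, so a missing or foreign Origin means the socket was
// opened by a page we do not control. Header names are assumed lowercased.
function checkUpgrade(headers) {
  const origin = headers["origin"];
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}

// Check 2, per connection: nothing except an "auth" message is accepted
// until the session ID has been verified against the server-side store.
function createConnection() {
  return { user: null, authenticated: false };
}

function handleMessage(conn, raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return { ok: false, error: "bad json" };
  }
  if (!conn.authenticated) {
    if (msg.type !== "auth") return { ok: false, error: "not authenticated" };
    const session = sessionStore.get(msg.sessionId);
    // Unknown session: tell the caller to close the socket.
    if (!session) return { ok: false, error: "invalid session", close: true };
    conn.authenticated = true;
    conn.user = session.user;
    return { ok: true, type: "auth", user: session.user };
  }
  // Authenticated: the identity comes from the connection state, never
  // from a field inside the message, so later messages cannot change it.
  if (msg.type === "echo") {
    return { ok: true, type: "echo", user: conn.user, data: msg.data };
  }
  return { ok: false, error: "unknown message type" };
}
```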