简体繁体 English

Websocket对于网页之间的通信是否更安全？

[英]Are Websockets more secure for communication between web pages?

原文 2010-12-19 16:17:39 7 5 ajax/ security/ websocket

This might sound really naive but I would really find a descriptive answer helpful. 这听起来似乎很幼稚，但我会发现描述性答案很有帮助。

So, my question is this: 所以，我的问题是这样的：

I can use Firebug to look at AJAX requests made from any website I visit. 我可以使用Firebug查看我访问的任何网站发出的AJAX请求。 So, am I right in saying that I wouldn't be able to examine the same communication between the client and the server if the website choses to use Websockets? 因此，我是说对了，如果网站选择使用Websocket，那么我将无法检查客户端与服务器之间的相同通信吗？ In other words, does this make it more secure? 换句话说，这是否使其更安全？

5 个解决方案

No. Not at all. 一点都不。 Just because the browser does not (yet) have a tool to show WebSocket traffic, doesn't make it any more secure. 仅仅因为浏览器还没有显示WebSocket流量的工具，并不能使其变得更加安全。 You can always run a packet sniffer to monitor the traffic, for example. 例如，您始终可以运行数据包嗅探器以监视流量。

No, because there will be other ways beside the browser-build in tools to read your traffic. 不，因为除了浏览器内置工具以外，还有其他方法可以读取您的流量。

Have a try: Install and run Wireshark and you will be able to see all packets you send and receive via Websockets. 试试看：安装并运行Wireshark，您将能够查看通过Websocket发送和接收的所有数据包。

Depends on the application. 取决于应用程序。 If you are fully Ajax without reloading the document for data then I would think websockets would provide a better authentication for data requests then a cookie session in regards to connection hijack. 如果您完全是Ajax，而无需重新加载文档以获取数据，那么我认为websockets可以为数据请求提供更好的身份验证，然后就连接劫持而言提供cookie会话。 Given that you are using SSL of course. 假设您正在使用SSL。

Never rely on secrecy of algorithm cause it only gives you false sense of security. 永远不要依赖算法的保密性，因为它只会给您错误的安全感。 Wiki: Security by obscurity Wiki：默默无闻的安全性
Remember that browser is a program on my computer and I am the one who have a full control over what is send to you, not my browser. 请记住，浏览器是我计算机上的程序，而我是完全控制发送给您的内容的人，而不是我的浏览器。
I guess it's only matter of time (up to few months IMO) when developer tools such as Firebug will provide some fancy tool for browsing data send/received by WebSockets. 我猜想，Firebug等开发人员工具将提供一些精美的工具来浏览WebSocket发送/接收的数据只是时间问题（IMO最多需要几个月）。

WebSockets has both an unencrypted (ws://) and encrypted mode (wss://). WebSockets具有未加密（ws：//）和加密模式（wss：//）。 This is analogous to HTTP and HTTPS. 这类似于HTTP和HTTPS。 WebSockets protocol payload is simply UTF-8 encoded. WebSockets协议有效负载仅是UTF-8编码的。 From a network sniffing perspective there is no advantage to using WebSockets (use wss and HTTPS for everything at all sensitive). 从网络嗅探的角度来看，使用WebSockets没有优势（对所有敏感内容都使用wss和HTTPS）。 From the browser perspective there is no benefit to using WebSockets for security. 从浏览器的角度来看，使用WebSockets进行安全性没有任何好处。 Anything running in the browser can be examined (and modified) by a sufficiently knowledgeable user. 有足够知识的用户可以检查（和修改）浏览器中运行的所有内容。 The tools for examining HTTP/AJAX requests just happen to be better right now. 用于检查HTTP / AJAX请求的工具现在恰好更好。