
Web Socket Secure URL Encryption

Is the URL itself encrypted as well when using wss://? For example, say you have a simple Sinatra web application that accepts web socket connections:

class App < Sinatra::Base

  get "/ws/:api_key/room/:id" do |api_key, id|
    user = User.find_by(api_key: api_key)
    room = Room.find(id)

    if RoomAuthenticator.new(room).authorized?(user)
      request.websocket do |ws|
        ws.onopen { publish(room, "#{user.name} connected.") }
      end
    else
      401
    end
  end
end

Then from the client/browser, in JavaScript:

new WebSocket("wss://" + window.location.host + "/ws/" + user.api_key + "/room/" + room.id);

Is the user.api_key in the URL encrypted or is it susceptible to attacks?

Yes, the URL will be encrypted. Secure web sockets use Transport Layer Security (just like HTTPS does) to tunnel all data over the secure connection. See section 4 of RFC 6455:

If /secure/ is true, the client MUST perform a TLS handshake over the connection after opening the connection and before sending the handshake data. [...] all further communication on this channel MUST run through the encrypted tunnel.
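
The ordering in the RFC passage above, as an added example that is not part of the original question or answer: it builds the opening handshake a client sends for a WebSocket URL and separates what a network observer can read from what travels inside the TLS tunnel. The hostname `chat.example.test`, the key and room values, and the helper names `describeHandshake` and `leaksToNetwork` are assumptions made for illustration.

```javascript
// Added example: where each part of a WebSocket URL travels on the wire.
// Hostname, API key and room id below are constructed sample values.

// Build the RFC 6455 opening handshake a client sends for `rawUrl` and
// split it into what a network observer can read and what is TLS-protected.
function describeHandshake(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== "ws:" && url.protocol !== "wss:") {
    throw new Error("not a WebSocket URL: " + rawUrl);
  }
  const secure = url.protocol === "wss:";
  const port = url.port || (secure ? "443" : "80");

  // Constructed 16-byte nonce; a real client generates it randomly.
  const key = Buffer.from("0123456789abcdef").toString("base64");

  // The request-target (path + query) is the part that carries the API key.
  const request = [
    `GET ${url.pathname}${url.search} HTTP/1.1`,
    `Host: ${url.host}`,
    "Upgrade: websocket",
    "Connection: Upgrade",
    `Sec-WebSocket-Key: ${key}`,
    "Sec-WebSocket-Version: 13",
    "", "",
  ].join("\r\n");

  // TCP/IP addressing is always readable. With wss:// the TLS handshake runs
  // first, and the hostname is normally sent in the clear as SNI.
  const observable = [`tcp ${url.hostname}:${port}`];
  if (secure) {
    observable.push(`tls sni ${url.hostname}`);
  } else {
    observable.push(request); // ws:// sends the whole request in plaintext
  }
  return { secure, observable, insideTls: secure ? request : "" };
}

// True when `secret` appears in anything readable on the network path.
function leaksToNetwork(rawUrl, secret) {
  return describeHandshake(rawUrl).observable.some((s) => s.includes(secret));
}

const sampleKey = "k3y-constructed-sample";
const samplePath = "/ws/" + sampleKey + "/room/42";
console.log(leaksToNetwork("wss://chat.example.test" + samplePath, sampleKey));
console.log(leaksToNetwork("ws://chat.example.test" + samplePath, sampleKey));
```

The result covers only the network path between client and server; both endpoints still see the full request line after TLS is terminated.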
