stackoom
  简体   繁体   中英

Are Websockets more secure for communication between web pages?

 原文  2010-12-19 16:17:39       ajax/ security/ websocket

Question

This might sound really naive but I would really find a descriptive answer helpful.

So, my question is this:

I can use Firebug to look at AJAX requests made from any website I visit. So, am I right in saying that I wouldn't be able to examine the same communication between the client and the server if the website choses to use Websockets? In other words, does this make it more secure?

5 answers

solution1
 1  2010-12-19 16:21:28

No. Not at all. Just because the browser does not (yet) have a tool to show WebSocket traffic, doesn't make it any more secure. You can always run a packet sniffer to monitor the traffic, for example.

solution2
 1  2010-12-19 16:24:27

No, because there will be other ways beside the browser-build in tools to read your traffic.

Have a try: Install and run Wireshark and you will be able to see all packets you send and receive via Websockets.

solution3
 1  2012-03-21 03:52:51

Depends on the application. If you are fully Ajax without reloading the document for data then I would think websockets would provide a better authentication for data requests then a cookie session in regards to connection hijack. Given that you are using SSL of course.

solution4
 0  2010-12-19 16:33:52

  1. Never rely on secrecy of algorithm cause it only gives you false sense of security. Wiki: Security by obscurity
  2. Remember that browser is a program on my computer and I am the one who have a full control over what is send to you, not my browser.
  3. I guess it's only matter of time (up to few months IMO) when developer tools such as Firebug will provide some fancy tool for browsing data send/received by WebSockets.

solution5
 0  2010-12-24 00:27:32

WebSockets has both an unencrypted (ws://) and encrypted mode (wss://). This is analogous to HTTP and HTTPS. WebSockets protocol payload is simply UTF-8 encoded. From a network sniffing perspective there is no advantage to using WebSockets (use wss and HTTPS for everything at all sensitive). From the browser perspective there is no benefit to using WebSockets for security. Anything running in the browser can be examined (and modified) by a sufficiently knowledgeable user. The tools for examining HTTP/AJAX requests just happen to be better right now.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Secure communication in a web-service using PhoneGap Communication between two clients of web application Communication between web page and php script triggered from this web page Two-way communication between web application and desktop application Best Practise for passing variables between web pages with KnockoutJS/Jquery Pass data between two web pages on the same machine with no postback Do websockets allow for p2p (browser to browser) communication? Secure web API with token Communication between websites communication between express + angularJS
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM