javascript 保护 Websocket
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6969316/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Securing Websockets
提问by fancy
Right now our application is designed to facilitate all communication via websockets after the initial load.
现在我们的应用程序旨在促进初始加载后通过 websockets 的所有通信。
We are trying to figure out a solution to safely pass sensitive data via this transport.
我们正试图找出一种解决方案,通过这种传输方式安全地传递敏感数据。
So far we are thinking about a few things:
到目前为止,我们正在考虑一些事情:
- Authentication of the websocket transport by passing back a unique hash stored in a session cookie delivered via SSL on initial load.
Client-side encryption using something like a javascript bcrypt implementation to encrypt everything before it is transported.
Just passing all sensitive data with a normal post via SSL even though we dont want to.
- 通过传回存储在初始加载时通过 SSL 传递的会话 cookie 中的唯一哈希来验证 websocket 传输。
客户端加密使用类似 javascript bcrypt 实现的东西在传输之前加密所有内容。
即使我们不想,也只是通过 SSL 通过普通帖子传递所有敏感数据。
Something like number 1 would be the best outcome but we are unaware if websokets are vulnerable to things like man in the middle attacks even after authentication.
像数字 1 这样的东西将是最好的结果,但我们不知道 webskets 是否容易受到中间人攻击之类的东西,即使在身份验证之后也是如此。
Any help sussing out possible security downfalls, or any other ideas on how to achieve true security over websockets would be greatly appreciated!
任何关于可能的安全问题的帮助,或关于如何通过 websockets 实现真正安全的任何其他想法,将不胜感激!
回答by kanaka
Connecting to a wss://WebSocket URL rather than ws://will use the browser's standard TLS/SSL encryption to connect to the server. It's equivalent to HTTPS vs HTTP. If you trust your browser's SSL/TLS implementation then you can trust WebSocket wss://connections since they use the same engine. You will need to have a signed SSL certificate configured with your websocket server, but that's pretty much required anyways.
连接到wss://WebSocket URL 而不是ws://将使用浏览器的标准 TLS/SSL 加密连接到服务器。它相当于 HTTPS 与 HTTP。如果您信任浏览器的 SSL/TLS 实现,那么您可以信任 WebSocketwss://连接,因为它们使用相同的引擎。您需要为您的 websocket 服务器配置一个签名的 SSL 证书,但这无论如何都是必需的。
回答by Entrabiter
Securing(encrypting using SSL/TLS) is very import for your data. But you should consider authentication as well. Anyone with ws capable device that know your endpoint for your server will be able to get data if it doesn't require authentication first.
See http://simplyautomationized.blogspot.com/2015/09/5-ways-to-secure-websocket-rpi.htmlIncludes a 3-way handshake method (CHAP) which requires both client and server to have a "pre-shared secret".
Other ways are detailed on the post.
保护(使用 SSL/TLS 加密)对您的数据非常重要。但是您也应该考虑身份验证。如果数据不需要首先进行身份验证,那么任何拥有 ws 功能设备并且知道您的服务器端点的人都将能够获取数据。请参阅http://simplyautomationized.blogspot.com/2015/09/5-ways-to-secure-websocket-rpi.html包括 3 次握手方法 (CHAP),它要求客户端和服务器都具有“预共享秘密”。
其他方法在帖子中有详细说明。
Cheers
干杯
回答by oberstet
With regard to cookies, it might be worth considering, that (currently), the WebSockets protocol spec does not requirea browser to provide all, or even any of the cookies that were set by the web server originally serving the JavaScript you use to open a WebSockets connection to that server.
关于 cookie,可能值得考虑的是,(目前)WebSockets 协议规范不要求浏览器提供所有,甚至是由最初为您打开的 JavaScript 提供服务的 Web 服务器设置的任何 cookie到该服务器的 WebSockets 连接。
See herefor a description of how Firefox behaves (from a FF developer).
有关Firefox 行为的描述(来自 FF 开发人员),请参见此处。
