Right now our application is designed to facilitate all communication via websockets after the initial load.
We are trying to figure out a solution to safely pass sensitive data via this transport.
So far we are thinking about a few things:
- Authentication of the websocket transport by passing back a unique
hash stored in a session cookie delivered via SSL on initial load. -
Client-side encryption using something like a javascript bcrypt
implementation to encrypt everything before it is transported. -
Just passing all sensitive data with a normal post via SSL even
though we dont want to.
Something like number 1 would be the best outcome but we are unaware if websokets are vulnerable to things like man in the middle attacks even after authentication.
Any help sussing out possible security downfalls, or any other ideas on how to achieve true security over websockets would be greatly appreciated!
Connecting to a
wss://WebSocket URL rather thanws://will use the browser’s standard TLS/SSL encryption to connect to the server. It’s equivalent to HTTPS vs HTTP. If you trust your browser’s SSL/TLS implementation then you can trust WebSocketwss://connections since they use the same engine. You will need to have a signed SSL certificate configured with your websocket server, but that’s pretty much required anyways.