Are Websockets more secure for communication between web pages?

This might sound really naive but I would really find a descriptive answer helpful.

So, my question is this:

I can use Firebug to look at AJAX requests made from any website I visit. So, am I right in saying that I wouldn't be able to examine the same communication between the client and the server if the website chooses to use Websockets? In other words, does this make it more secure?


No. Not at all. Just because the browser does not (yet) have a tool to show WebSocket traffic, doesn't make it any more secure. You can always run a packet sniffer to monitor the traffic, for example.


No, because there will be other ways besides the browser's built-in tools to read your traffic.

Have a try: Install and run Wireshark and you will be able to see all packets you send and receive via Websockets.


Depends on the application. If you are fully Ajax without reloading the document for data then I would think websockets would provide a better authentication for data requests than a cookie session in regards to connection hijack. Given that you are using SSL of course.


  1. Never rely on secrecy of the algorithm, because it only gives you a false sense of security. Wiki: Security by obscurity
  2. Remember that the browser is a program on my computer and I am the one who has full control over what is sent to you, not my browser.
  3. I guess it's only a matter of time (up to a few months IMO) until developer tools such as Firebug provide some fancy tool for browsing data sent/received by WebSockets.


WebSockets has both an unencrypted (ws://) and encrypted mode (wss://). This is analogous to HTTP and HTTPS. WebSockets protocol payload is simply UTF-8 encoded. From a network sniffing perspective there is no advantage to using WebSockets (use wss and HTTPS for everything at all sensitive). From the browser perspective there is no benefit to using WebSockets for security. Anything running in the browser can be examined (and modified) by a sufficiently knowledgeable user. The tools for examining HTTP/AJAX requests just happen to be better right now.
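To make the answers above concrete, here is an added example (not part of any answer on this page) that decodes RFC 6455 frames from bytes captured off an unencrypted ws:// connection, including the client-to-server masking, which is a fixed XOR with a key sent in the same frame and provides no confidentiality. The names `decodeFrames`, `CLIENT_TO_SERVER` and `SERVER_TO_CLIENT` are chosen for this example, and the sample bytes are constructed from the "Hello" frames in RFC 6455 section 5.7.

```javascript
// Added example: decode RFC 6455 WebSocket frames from captured ws:// bytes.
const OPCODES = { 0: "continuation", 1: "text", 2: "binary", 8: "close", 9: "ping", 10: "pong" };

function decodeFrames(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const frames = [];
  let pos = 0;
  while (pos + 2 <= bytes.length) {
    const fin = (bytes[pos] & 0x80) !== 0;        // final fragment flag
    const opcode = bytes[pos] & 0x0f;
    const masked = (bytes[pos + 1] & 0x80) !== 0; // set on client-to-server frames
    let len = bytes[pos + 1] & 0x7f;
    let p = pos + 2;
    if (len === 126) {                            // 16-bit extended length
      if (p + 2 > bytes.length) break;
      len = view.getUint16(p); p += 2;
    } else if (len === 127) {                     // 64-bit extended length
      if (p + 8 > bytes.length) break;
      len = Number(view.getBigUint64(p)); p += 8;
    }
    const keyLen = masked ? 4 : 0;
    if (p + keyLen + len > bytes.length) break;   // truncated capture: stop here
    const key = bytes.subarray(p, p + keyLen);    // masking key travels in the clear
    p += keyLen;
    const payload = Uint8Array.from(bytes.subarray(p, p + len));
    if (masked) for (let i = 0; i < len; i++) payload[i] ^= key[i % 4];
    const type = OPCODES[opcode] || "reserved";
    // Text is decoded per frame; a fragmented message needs its frames joined first.
    const text = type === "text" ? new TextDecoder().decode(payload) : null;
    frames.push({ fin, type, masked, text, payload });
    pos = p + len;
  }
  return frames;
}

// Constructed sample input: masked and unmasked single-frame "Hello" messages.
const CLIENT_TO_SERVER = new Uint8Array([0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58]);
const SERVER_TO_CLIENT = new Uint8Array([0x81, 0x05, 0x48, 0x65, 0x6c, 0x6c, 0x6f]);

for (const f of decodeFrames(CLIENT_TO_SERVER)) console.log(f.type, f.masked, f.text);
```

Over wss:// the same frames travel inside TLS, so a passive capture no longer yields them, but the endpoint user can still read and alter them in the browser.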
