I have a WebSocket server written in javascript and send data to it from my CSharp application. Now how can I make sure that these are correct? I thought I could do something with hash values but I don't know how to do that. Does anyone have an idea or code example?
The first thing to understand is the types of WebSocket protocol/transports. WebSocket ws:// transport is basically unusable in terms of security as it uses HTTP. The wss:// protocol establishes a secure connection over TCP/HTTPS. The wss protocol, therefore, protects against man-in-the-middle attacks.
There is multiple methods to authenticate a user when setting up a WebSocket connection, and none are perfect. Since the standard WebSocket usage prevents additional headers from being set such as custom authentication headers, tried and true methods that would be used in a standard HTTPS request to verify the validity of a client can't be used.
The link here outlines some common methods to keep the client and server in sync while setting up a WebSocket connection, and still add some security so the server can keep track of what clients are opening WebSocket connections. There are a lot of workarounds listed for the server to safely receive sensitive, authentication data from the client.
Related
I am trying to open a websocket to a server with kerberos authentication, error during handshake occurs (error code : 400) ;
i saw it's not possible to send credentials through web socket and what i have to do is to set the username and password through web socket cookie and the server will read them.
So how can i set cookies for web socket ?
thank you,
It depends on the browser. You may implement handling cookies if they arrive with the initial HTTP request to initiate a WebSocket connection, but if you can't require your users to, say, use Safari, which sends cookies with WebSocket open requests, and not Chrome, which does not, you'll probably have to implement a mechanism for the client to send in the session identifier in-band.
One simple way to achieve this is for the client code to send in the session identifier as the first message in response to the open event, and the server code to interpret the first incoming message's content as the session cookie, to set up the appropriate privilege context (or perhaps close the connection if the cookie is unknown or otherwise grants no privileges to its bearer).
Alternatively, if your WebSocket protocol has some sort of structured message infrastructure, you may define a specific message type for passing a session cookie to the server, as well as a matching response type for the server to let the client know what it thinks of the cookie.
It may be tempting to pass the session cookie in an URI parameter, as in ws://example.com/service?SESSION=123456. This can be adequate in prototyping, but it is probably ill-advised in production, since session cookies should generally be treated as more sensitive than it is customary to treat the list of URIs requested from a web server. Passing session cookies in such a way can work in the short term, but may increase the risk of their accidental exposure via, say, careless analytics techniques. This concern could in some other context be alleviated by passing the sensitive identifier in the body of the request (for example, as a so-called POST parameter), but WebSocket open requests can not have a non-empty body.
You can set cookies for a webSocket connection the same way you set regular cookies, with document.cookie = xxxx. All webSocket connections start with an HTTP request (with an upgrade header on it) and the cookies for the domain you are connecting to will be sent with that initial HTTP request to open the webSocket.
So, as long as you are doing the webSocket connection to the same domain as your web page, then you can just set a cookie for that web page and it will be sent with the webSocket connection request. And, as with other cookies, you set a cookie using document.cookie as described here on MDN.
I have been trying to setup a server where users can send sign in using websockets, but I don't want to do this using ws. I want to be able turn on wss without having https. Sadly, there aren't any options to do this. And so the question is how would one do this on the client side without using https protocol.
Yes, this is possible. To do this, pass your websocket URL to the socket.io client directly, like this:
var socket = io('wss://example.com/');
Note that the reverse is not possible: while there's nothing to prevent HTTP pages from creating WSS connections, most browsers today block any WS connection from an HTTPS page to enforce the heightened security.
I would also caution that a websocket opened over WSS is still no more secure than the page it originated from. If you're using WSS for its security benefits, be advised that all that security could be for naught if an attacker overrides your page at the time that it's loaded (which HTTPS would prevent).
From the Websocket protocol specification:
A wss URI identifies a WebSocket server and resource name, and
indicates that traffic over that connection is to be protected via
TLS (including standard benefits of TLS such as data confidentiality
and integrity, and endpoint authentication).
Emphasis mine
Now you can understand the absurdity of your request: wss is https.
Of course the terminology is wrong (https is a different protocol than wss) but the bottom of the line is that both are simply the version of their respective TCP plain protocols (http and ws) over TLS.
So the answer is no.
As a matter of fact security is a complex thing.
Very experienced programmers refrain from inventing or exploring new ways and, based on the kind of question you asked, you don't appear to have much expertise this field.
So it's better to do things as best-practices say, it they say to use "https" use "https".
Starting studying security seriously (or hiring a contractor) is advised, inventing new ways to perform secure authentication is not, unless you have a PhD in abstract algebra and several years of experience in developing cryptographic schemes.
There is a debate raging in the office about a browsers ability to send handshake headers are part of establishing a websocket connection.
The websocket spec makes it clear that headers are possible. And, infact, in my non-browser client code I do set handshake headers and they are received without and issue.
The open debate is: Can a web browser using javascript insert headers are part of the handshake? The spec seems to indicate there is nothing against it but no one can find client side documentation that says how.
There is a lot of conflicting information. It's obviously possible because I am able to do it in Java without a problem. But for Javascript no one is seeing how. Is it a browser restriction?
To clarify how my question is different than others: Is the inability to do this a limitation of the default javascript libs? The web browser or the spec? It looks like it's a library limitation only
I am afraid that the WebSocket API in web browsers does not allow to set custom headers. Still, the browser sets cookies, if any.
The issue is that the standard API for creating a webSocket connection in a browser does not provide any mechanism for setting custom headers. So, it is a limitation of the webSocket browser API.
You can control the URL you send including query parameters and cookies are sent with the request so you have the ability to use the path, query parameters or cookies to send additional information with the connection request.
WebSocket WebSocket(
in DOMString url,
in optional DOMString protocols
);
I am trying to etablish a websocket connection to an ldap server. That I can simply send binary data to and receive binary data.
But it fails on the handshake whatever I do.
var socket = new WebSocket("ws://ads.de:PORT")
Yours sincerely
Skeec
Web sockets is a specific protocol, like HTTP, and it has "nothing" to do with a TCP/UPD socket.
You cannot connect with web-sockets to an LDAP-server, let alone connect to a different domain without receiving the appropriate CORS http-headers (and the browser supporting CORS).
You need to write a proxy WebSocket server application so that you can communicate with the LDAP-directory. You cannot do it in JavaScript (unless you want to use an ActiveX object, which will be incompatible with non-Microsoft browsers (and newer Microsoft browsers).
You better do it with plain-old AJAX with an asynchronous handler.
You don't need WebSockets for that, you're only wasting bandwidth.
Can Javascript be used to connect with a server with a protocol other than HTTP or FILE? Ideally, I would like to connect to an SMTP server using Javascript.
Not possible due to security constraints in the browser. Can be done in flash or java as far as I know. The upcoming WebSockets won't help you either.
Your best option is probably to call a script on your server which makes the socket connections to the final destination, i.e the SMTP server and then passes data back to the client over HTTP.
You do not have socket access with browser-integrated JavaScript, it would violate the sandbox security model. So no, no SMTP, or any other protocol. Even file:// should be rather difficult.
Server based JavaScript like node.js can do things like this.
Accessing e.g. SMTP via the browser is usually done through a proxy script that runs on the server and speaks HTTP to the client.