Yasmin Hanifa

Reputation: 35

Are Websockets more secure for communication between web pages?

This might sound really naive but I would really find a descriptive answer helpful.

So, my question is this:

I can use Firebug to look at AJAX requests made from any website I visit. So, am I right in saying that I wouldn't be able to examine the same communication between the client and the server if the website chooses to use Websockets? In other words, does this make it more secure?

Upvotes: 0

Views: 332

Answers (5)

Blake

Reputation: 11

Depends on the application. If you are fully Ajax without reloading the document for data, then I would think websockets would provide better authentication for data requests than a cookie session in regards to connection hijacking. Given that you are using SSL, of course.

Upvotes: 1

kanaka

Reputation: 73147

WebSockets has both an unencrypted (ws://) and encrypted mode (wss://). This is analogous to HTTP and HTTPS. WebSockets protocol payload is simply UTF-8 encoded. From a network sniffing perspective there is no advantage to using WebSockets (use wss and HTTPS for everything at all sensitive). From the browser perspective there is no benefit to using WebSockets for security. Anything running in the browser can be examined (and modified) by a sufficiently knowledgeable user. The tools for examining HTTP/AJAX requests just happen to be better right now.

Upvotes: 0
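
An added example (not from any of the answers): a minimal decoder for one WebSocket frame as it appears on an unencrypted ws:// connection, run on the sample "Hello" frames from RFC 6455 section 5.7. The function name `decodeFrame` is made up for this illustration; the client's mask key travels inside the frame itself, so masking hides nothing from anyone who can read the bytes, and only wss:// (TLS) does.

```javascript
// Added example: decode a single RFC 6455 frame from raw bytes.
// Handles 7-bit, 16-bit and 64-bit payload lengths and client-side masking.
function decodeFrame(bytes) {
  if (bytes.length < 2) throw new Error("truncated header");
  const fin = (bytes[0] & 0x80) !== 0;     // final fragment flag
  const opcode = bytes[0] & 0x0f;          // 0x1 = text, 0x2 = binary
  const masked = (bytes[1] & 0x80) !== 0;  // set on client-to-server frames
  let len = bytes[1] & 0x7f;
  let off = 2;
  if (len === 126) {                       // 16-bit extended length
    if (bytes.length < 4) throw new Error("truncated length");
    len = (bytes[2] << 8) | bytes[3];
    off = 4;
  } else if (len === 127) {                // 64-bit extended length
    if (bytes.length < 10) throw new Error("truncated length");
    let big = 0n;
    for (let i = 2; i < 10; i++) big = (big << 8n) | BigInt(bytes[i]);
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error("length too large");
    len = Number(big);
    off = 10;
  }
  let key = null;
  if (masked) {                            // 4-byte key is sent in the clear
    if (bytes.length < off + 4) throw new Error("truncated mask key");
    key = bytes.slice(off, off + 4);
    off += 4;
  }
  if (bytes.length < off + len) throw new Error("truncated payload");
  const payload = Uint8Array.from(bytes.slice(off, off + len));
  if (key) for (let i = 0; i < len; i++) payload[i] ^= key[i % 4];
  const text = opcode === 0x1 ? new TextDecoder().decode(payload) : null;
  return { fin, opcode, masked, length: len, payload, text };
}

// Sample frames from RFC 6455 section 5.7: "Hello" as a single text frame.
const MASKED_CLIENT_FRAME = Uint8Array.from(
  [0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58]);
const UNMASKED_SERVER_FRAME = Uint8Array.from(
  [0x81, 0x05, 0x48, 0x65, 0x6c, 0x6c, 0x6f]);

console.log(decodeFrame(MASKED_CLIENT_FRAME).text);
console.log(decodeFrame(UNMASKED_SERVER_FRAME).text);
```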

Crozin

Reputation: 44376

  1. Never rely on secrecy of the algorithm because it only gives you a false sense of security. Wiki: Security by obscurity
  2. Remember that the browser is a program on my computer and I am the one who has full control over what is sent to you, not my browser.
  3. I guess it's only a matter of time (up to a few months IMO) before developer tools such as Firebug provide some fancy tool for browsing data sent/received by WebSockets.

Upvotes: 0

marekventur

Reputation: 1995

No, because there will be other ways besides the browser's built-in tools to read your traffic.

Have a try: Install and run Wireshark and you will be able to see all packets you send and receive via Websockets.

Upvotes: 1

Will Hartung

Reputation: 118691

No. Not at all. Just because the browser does not (yet) have a tool to show WebSocket traffic, doesn't make it any more secure. You can always run a packet sniffer to monitor the traffic, for example.

Upvotes: 1
