Why are WebSockets masked?

I followed the MDN guide to writing a WebSocket server; the guide is pretty simple and easy to understand ...

However, after this tutorial, I came across the format of the frame in which WebSocket messages are sent from the client:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-------+-+-------------+-------------------------------+
    |F|R|R|R| opcode|M| Payload len |    Extended payload length    |
    |I|S|S|S|  (4)  |A|     (7)     |             (16/64)           |
    |N|V|V|V|       |S|             |   (if payload len==126/127)   |
    | |1|2|3|       |K|             |                               |
    +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
    |     Extended payload length continued, if payload len == 127  |
    + - - - - - - - - - - - - - - - +-------------------------------+
    |                               |Masking-key, if MASK set to 1  |
    +-------------------------------+-------------------------------+
    | Masking-key (continued)       |          Payload Data         |
    +-------------------------------- - - - - - - - - - - - - - - - +
    :                     Payload Data continued ...                :
    + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
    |                     Payload Data continued ...                |
    +---------------------------------------------------------------+

After writing some functions to properly parse the data and the frame sent by the client, it made me wonder why the data is even masked to begin with. I mean, you do not need to mask the data sent from the server ...

If someone intercepted the data for bad reasons, it would be relatively easy to expose it, because the masking key is included in the message itself. And even if they did not have the key, the masking key in the frame is only 2 bytes long. Someone could easily expose the data, since the key is so small.

Another reason I wonder why the data is masked is that you can simply protect your WebSocket data better than by masking it, using WSS (WebSockets Secure) over TLS/SSL, just as with HTTPS.

Am I really missing why WebSockets are masked? It seems like this just adds a pointless struggle to expose the data sent by the client, when it does not add any security to begin with.

+5
1 answer

jfriend00's comments have excellent links to good info ...

I want to point out a few obvious things to show that masking unencrypted WebSocket connections is a necessary requirement, and not just useful:

Proxies, routers and other intermediaries (for example, ISPs) often read the requests sent by the client and "fix" any problems, add headers and otherwise "optimize" (for example, by caching responses) the consumption of network resources.

Some headers and request types (such as CONNECT) are often routed to these intermediaries rather than to the destination server.

Since many of these devices are older and unaware of the WebSocket protocol, clear text that resembles an HTTP request can be edited.

Therefore, it is necessary that the clear text be "shifted" into unrecognized bytes in order to trigger a "pass through" rather than "processing".

Beyond this point, it was only a matter of using the masking to make sure that hackers could not "undo" this masking in order to send malicious frames.

As for requiring wss instead of masking: I know this was considered at the time the standard was written ... but until certificates are free, any web standard that requires SSL/TLS would be making a "rich man's Internet" decision.

As for "why mask wss data?", I'm not sure about that, but I suspect it is designed to allow the parser to be connection-agnostic and easier to write. In clear text, unmasked frames represent a protocol error and result in a server-initiated shutdown. Having the parser behave the same regardless of the connection allows you to separate the parser from the raw I/O layer, making it agnostic and offering support for event-based programming.

+6

Source: https://habr.com/ru/post/1234161/
