
WS on HTTP vs WSS on HTTPS

I've read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?

"I know wss works on both http and https" Huh?
Maybe I should have said "I have read that" instead of "I know"?
What David meant is that the information you've read, "wss works on both http and https", is wrong. See my answer.
So, if the connection is http the WebSocket must be "ws" and if the connection is https the WebSocket must be "wss"?

Community

"wss works on both http and https" ??? This is a strange phrase.

wss is secure only because it means "WebSocket protocol over https". WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just "WebSocket protocol over http" and "WebSocket protocol over https". See also this answer.

As the author of nv-websocket-client (WebSocket client library for Java), I also doubt the phrase "if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure" in the answer by oberstet.

Read RFC 6455 (The WebSocket Protocol) to reach the right answer. To become a true engineer, don't avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.


An HTML page loaded by a browser over HTTP (not HTTPS) which contains JavaScript can open both a non-secure (ws) as well as secure (wss). An HTML page that loads over HTTPS can only open a wss connection (not a ws connection). You don't have to believe me: just try it.
What you stated will only work if the web server also listens on https.
Most of the answers are confusing, and make it sound as if wss was possible from http connection, like there was wss-specific tls establishment over plain tcp/ws connection.
oberstet

Is a web socket secure (wss) connection still encrypted through TLS/SSL if the website/server is not?

Yes.

Are wss (Secure Web Socket) connections just as secure on an http server as they are on an https server?

Yes (see above). There is one thing to note: if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure, but an attacker might modify the HTML/JavaScript while it is being sent from the Web server to the browser. An HTTP connection isn't protected against man-in-the-middle sniffing or modification.


Ah plain TCP connection (non-TLS) is suspect to t and man-in-the-middle attacks.
Do you have a reference for your first answer?
RFC6455 specifies that wss runs secure. The hosting env (browser or else) does not matter. You can also look at wire dumps to confirm browser beh.
A non-TLS connection is subject to a variety of attacks that a TLS connection is not. So, NO, a non-TLS connection is NOT just as secure as a TLS connection.
Seems like there is a lot of confusion here;) Point is, with browsers, there are 2 connections involved: a) the one to fetch the HTML and JS files via HTTP or HTTPS and b) the actual WebSocket connection, which only starts as a HTTP or HTTPS connection. Now you can have a) done via HTTP, while b) is done via HTTPS upgraded to WSS. But you can NOT have a) via HTTPS, and then b) via HTTP not being upgraded to WSS, but using plain WS. This is explicitly forbidden for browser WebSocket clients (and browsers enforce it). Non-browser WebSocket clients don't even have a)
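
The two connections discussed in this thread (the page fetch and the WebSocket itself), modelled as an added example that is not part of any post here. `assessWebSocket` is a hypothetical helper, the hostnames are constructed, and loopback special cases are assumed not to apply.

```javascript
// Added example: models the rules stated in this thread; not browser source code.
const DEFAULT_PORT = { 'ws:': 80, 'wss:': 443 }; // RFC 6455 default ports

// Assess a WebSocket that script on `pageUrl` opens to `socketUrl`.
function assessWebSocket(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  const sock = new URL(socketUrl);
  if (!(sock.protocol in DEFAULT_PORT)) {
    throw new TypeError(`not a WebSocket URL: ${socketUrl}`);
  }
  const tls = sock.protocol === 'wss:';
  const securePage = page.protocol === 'https:';
  const findings = [];

  // Connection b): an HTTPS page may only open wss; browsers refuse plain ws.
  const allowed = !(securePage && !tls);
  if (!allowed) findings.push('blocked: ws:// opened from an https:// page');
  if (allowed && !tls) findings.push('socket traffic is plaintext');

  // Connection a): the socket can be encrypted while the script that opens it
  // was delivered over HTTP and could have been modified in transit.
  if (!securePage) findings.push('page script delivered over plain HTTP');

  return {
    allowed,
    tls,
    port: Number(sock.port) || DEFAULT_PORT[sock.protocol],
    handshake: tls ? 'TLS, then HTTP Upgrade' : 'HTTP Upgrade over plain TCP',
    findings,
  };
}

// Constructed sample matrix: every page-scheme / socket-scheme combination.
function sampleMatrix() {
  const pages = ['http://app.example.test/', 'https://app.example.test/'];
  const sockets = ['ws://app.example.test/feed', 'wss://app.example.test/feed'];
  return pages.flatMap((p) =>
    sockets.map((s) => ({ page: p, socket: s, ...assessWebSocket(p, s) })));
}

for (const row of sampleMatrix()) {
  console.log(row.page, '->', row.socket, row.allowed ? 'allowed' : 'blocked',
    row.findings.join('; ') || 'no findings');
}
```
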
sequoiar

If HTTPS is not deployed, try sws - secure websocket on plain HTTP without HTTPS

https://github.com/InstantWebP2P/sws