websockets authentication security

Game Development Asked by franmcod on August 3, 2020

I'm doing an online game having a client (JS, HTML5) and a server (Node.js with websockets).
I've read some blogs about websockets security and its limitations, but no real implementation or example.

Could JWT tokens in the messages sent to the server be a good option? Meaning, when the client connects to the server, it gets a token and passes it around on every message? And use wss instead of ws.

Thanks in advance!

2 Answers

WSS means WebSocket over TLS. So when you force the use of WSS instead of WS, you have already solved most problems. Just make sure that

  1. The server certificate is valid and signed by a root CA.
  2. The client authenticates with their username and password every time they initiate a new websocket connection (TLS on the web usually only authenticates the server, not the client).

The TLS protocol already provides you with encrypted channels which are encrypted with a unique encryption key for each connection. That means passing a token with each message is not required, because the protocol itself already takes care of telling the connections apart. If implemented correctly, it should not be possible for a man-in-the-middle attacker or eavesdropper to take over the connection of a different client.

However, TLS on the web usually only authenticates the server (client-side certificates do exist, but are rarely used because they are difficult to set up for the end user of the client). So after building the TLS connection you need to make sure that the client is who they pretend to be. The usual way to do that is by authenticating them via username & password.

Answered by Philipp on August 3, 2020

Simple answer: No, it would not. Even if you used Diffie-Hellman key exchange on elliptic curves along with AES encryption, it would not.

Why: There can be a man-in-the-middle attack, where someone gets in the middle of the client and server, reads all data, and just forwards it. Like this, you CAN bypass even Diffie-Hellman key exchange.

That is why SSL is here: once you have an SSL cert, no one can really decrypt the communication, and your server is identified by the cert (so I cannot create a fake server, as I would not have the certificate).

Also a question: What do you want to secure? Make sure that another client does not send you a message as someone else? If so, then the socket connection has a unique ID; therefore, you as the server can identify who sent you the message (as far as I know).

Answered by Jan Glaser on August 3, 2020
