I'm doing an online game having a client (JS, HTML5) and a server (Node.js with websockets).
I've read some blogs about websocket security and its limitations, but no real implementation or example.
Could JWT tokens in the messages sent to the server be a good option? Meaning when the client connects to the server, it gets a token and passes it around on every message? And use wss instead of ws.
Thanks in advance!
WSS means Websocket over TLS. So when you force the use of WSS instead of WS, you already solved most problems. Just make sure that
The TLS protocol already provides you with encrypted channels which are encrypted with a unique encryption key for each connection. That means passing a token with each message is not required, because the protocol itself already takes care of telling the connections apart. If implemented correctly, it should not be possible for a man-in-the-middle attacker or eavesdropper to take over the connection of a different client.
However, TLS on the web usually only authenticates the server (client-side certificates do exist, but are rarely used because they are difficult to set up for the end user of the client). So after building the TLS connection you need to make sure that the client is who they pretend to be. The usual way to do that is by authenticating them via username and password.
Answered by Philipp on August 3, 2020
Simple answer: No, it would not. Even if you used Diffie-Hellman key exchange on elliptic curves along with AES encryption, it would not.
Why: There can be a man-in-the-middle attack, where someone gets in the middle of client and server, reads all data, and just forwards it. Like this, you CAN bypass even a Diffie-Hellman key exchange.
That is why SSL is here: once you have an SSL cert, no one can really decrypt the communication, and your server is identified by the cert (so I cannot create a fake server, as I would not have the certificate).
Also, a question: What do you want to secure? Make sure that another client does not send you a message as someone else? If so, then the socket connection has a unique ID; therefore, you as the server can identify who sent you the message (as far as I know).
Answered by Jan Glaser on August 3, 2020