views: 77

answers: 3

I was working on HTML5 and I came across this site http://www.rumpetroll.com. It is a very, very cool site, but then I noticed the relative ease with which people could crash the site because they could overload the message-sending scheme... Also I saw a butt load of JavaScript injection hacks being done on it by various users, and that got me thinking:

Does inclusion of websockets really mess with the security structure of your website, by which I mean, do we need to be extra careful to avoid hacks and crashes? Please provide me with a reference article on the same or a good tutorial source for websockets... thanks :)

+1  A: 

As with any technology implementation, security is up to you.

PHP sessions aren't safe either, for example, as you can imagine. Check out Chris Shiflett's articles for an explanation of those.

http://shiflett.org/articles

For these new JavaScript technologies I recommend some reading about Cross-Origin Resource Sharing, Cross-Document Messaging and Web Sockets for further understanding of their implementations and security drawbacks.

A good starting point for searching on those topics (and many others) is http://caniuse.com/.

Remember, any raw implementation is a hole in security. Security needs to be worked out always, for any feature you want to implement.

Dave
A: 

WebSockets is a client-server technology and as such depends on the server implementation as well as on the browsers. You must always be extra careful to avoid hacks and crashes, and with new technologies even more so. My advice is to follow good security guidelines and to design the things that need protection to be secure from the ground up. I cannot provide you with more articles or tutorials than the web can. If you want in-depth knowledge about a topic, buy a book; if there is no book written yet, you get the honor of being a pioneer in it :) Then you may write a book and get rich. Good luck!

avok00
A: 

There is a decent WebSocket Tutorial that will teach you the basics, but really security and implementation are up to you. I do a lot of additional things on the backend to cover the case where it's being abused, which I don't mention because it's really off topic for a basic tutorial.

Check for proper domains and restrict accordingly. Understand that you can't ever trust the client side. The necessity of having a good majority of the code available client-side means you have to validate every message to ensure that it is really coming from your application.

Josh K
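As an added example (not code from the original post or from the tutorial Josh K links), here are the three server-side guards the answers above describe, written library-agnostically so they run in plain Node.js without a WebSocket server installed: an Origin allowlist for the handshake ("check for proper domains"), validation plus HTML-escaping of every incoming message ("never trust the client side", and the JavaScript injection the asker saw), and a per-connection token bucket against the message flooding that crashed the site. Everything specific is an assumption for illustration: the app origin https://example.com, a 1000x1000 board, and a JSON wire format of {"type":"move","x":..,"y":..} or {"type":"chat","text":..}.

```javascript
// Added example, not the original page's code. Hypothetical settings:
const ALLOWED_ORIGINS = new Set(['https://example.com']); // assumed app origin
const MAX_RAW_BYTES = 1024;   // drop oversized frames before even parsing them
const MAX_CHAT_CHARS = 200;   // assumed chat limit
const BOARD = { w: 1000, h: 1000 }; // assumed board size

// 1. Origin check on the WebSocket handshake. Browsers always send Origin, so this
//    stops other web pages from driving your socket with a victim's browser
//    (cross-site WebSocket hijacking). A non-browser client can forge the header,
//    so this is access control for browsers, not authentication.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return false;
  try {
    // URL.origin normalizes scheme/host/port, so "https://example.com:443" matches
    // and "https://example.com.evil.com" does not.
    return allowed.has(new URL(originHeader).origin);
  } catch {
    return false; // "null", empty or malformed Origin header
  }
}

// 2. Validate every frame: the client code is public, so each message is
//    attacker-controlled. Returns { ok: true, msg } with a normalized message
//    built only from checked fields, or { ok: false, reason }.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function isBoundedNumber(v, max) {
  return typeof v === 'number' && Number.isFinite(v) && v >= 0 && v <= max;
}

function validateMessage(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'binary frame not accepted' };
  if (Buffer.byteLength(raw, 'utf8') > MAX_RAW_BYTES) return { ok: false, reason: 'oversized' };
  let data;
  try {
    data = JSON.parse(raw);
  } catch {
    return { ok: false, reason: 'not JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'not an object' };
  }
  switch (data.type) {
    case 'move':
      if (!isBoundedNumber(data.x, BOARD.w) || !isBoundedNumber(data.y, BOARD.h)) {
        return { ok: false, reason: 'coordinates out of range' };
      }
      return { ok: true, msg: { type: 'move', x: data.x, y: data.y } };
    case 'chat':
      if (typeof data.text !== 'string' || data.text.length === 0 || data.text.length > MAX_CHAT_CHARS) {
        return { ok: false, reason: 'bad chat text' };
      }
      // Escape before broadcasting so a client that drops text into innerHTML
      // cannot be made to run script. Clients should still render with textContent.
      return { ok: true, msg: { type: 'chat', text: escapeHtml(data.text) } };
    default:
      return { ok: false, reason: 'unknown type' };
  }
}

// 3. Per-connection token bucket: `capacity` messages in a burst, then
//    `refillPerSecond` sustained. `nowMs` is injectable for deterministic tests.
class RateLimiter {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.buckets = new Map(); // connectionId -> { tokens, last }
  }
  allow(connectionId, nowMs = Date.now()) {
    let b = this.buckets.get(connectionId);
    if (!b) {
      b = { tokens: this.capacity, last: nowMs };
      this.buckets.set(connectionId, b);
    }
    const elapsedSec = Math.max(0, nowMs - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
  forget(connectionId) { this.buckets.delete(connectionId); } // call when the socket closes
}
```

Wiring this into a real server is two hooks: on the HTTP upgrade request, reject the connection unless isAllowedOrigin(req.headers.origin); on every frame, close the socket when limiter.allow(connectionId) returns false, otherwise run validateMessage and broadcast only r.msg (the normalized copy), never the raw frame. Note what the Origin check does not give you: anyone with curl can set the header, so sessions, authentication and authorization still have to be enforced on the socket exactly as they are for ordinary HTTP requests.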