
Cost of secure websocket vs. unsecure websocket

Tags: websocket

I am currently developing a browser-based multiplayer game which is using WebSockets. My highest priorities are low latency and compatibility with a wide range of platforms and network setups.

But I am doing password authentication. I also have a chat function and I consider the privacy of my players to be important. So I thought that I could maybe improve security and privacy by switching to websockets over TLS. My questions are:

  1. how will TLS encryption of the web socket connection affect performance? Note that I am frequently sending very small but very important messages.
  2. will wss:// work in any environment where ws:// works or will I need a fallback mechanism?

Or would it maybe be wiser for my use-case to implement encryption on the application level?

Philipp asked Sep 11 '12 07:09




2 Answers

WSS will work in significantly broader network environments than WS due to proxies and other intermediaries not understanding or actively blocking WebSocket.

Regarding additional latency introduced by TLS, I'd expect it to be insignificant compared to the latency you get from WAN connections anyway (which is roughly 10-250ms RTT).

Regarding bandwidth, since TLS uses symmetric ciphers for the payload encryption I'd expect no overhead.

TLS obviously consumes CPU cycles, but given today's CPU power, it's often not an issue.

Implementing your own encryption does not make sense ... unless you care about end-to-end privacy ... but then you won't be able to do anything on the server-side (besides dispatching to other clients) anyway.

In short: go with WSS.

I have written a blog post about WebSocket overhead (incl. comparison with TLS vs non-TLS): http://tavendo.com/blog/post/dissecting-websocket-overhead/

oberstet answered Oct 29 '22 06:10
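To put numbers on the small-message case from the question, the following added example (not part of either answer or of the linked blog post) builds a WebSocket frame as laid out in RFC 6455 and adds the per-record cost of TLS with an AES-GCM suite. It assumes one frame per TLS record and no record padding; `encodeFrame`, `wireCost`, the mask key and the sample message are made up for this illustration.

```javascript
// Added example (not from the original answers). Frame layout per RFC 6455, section 5.2.
// Builds one WebSocket frame; clients must mask (maskKey = 4 bytes), servers must not.
function encodeFrame(payload, { opcode = 0x1, maskKey = null } = {}) {
  const len = payload.length;
  const ext = len < 126 ? 0 : len <= 0xffff ? 2 : 8; // extended length bytes
  const frame = new Uint8Array(2 + ext + (maskKey ? 4 : 0) + len);
  const view = new DataView(frame.buffer);
  frame[0] = 0x80 | opcode; // FIN=1, single unfragmented frame
  const maskBit = maskKey ? 0x80 : 0;
  if (ext === 0) frame[1] = maskBit | len;
  else if (ext === 2) { frame[1] = maskBit | 126; view.setUint16(2, len); }
  else { frame[1] = maskBit | 127; view.setBigUint64(2, BigInt(len)); }
  let off = 2 + ext;
  if (maskKey) { frame.set(maskKey, off); off += 4; }
  for (let i = 0; i < len; i++) {
    frame[off + i] = maskKey ? payload[i] ^ maskKey[i % 4] : payload[i];
  }
  return frame;
}

// Per-record framing cost added by TLS with an AES-GCM suite
// (assumption: one WebSocket frame per TLS record, no record padding).
const TLS_RECORD_OVERHEAD = {
  "TLS1.2-AES-GCM": 5 + 8 + 16, // record header + explicit nonce + auth tag
  "TLS1.3-AES-GCM": 5 + 1 + 16, // record header + inner content type + auth tag
};

// Bytes on the TCP stream for one message, for ws:// and each wss:// variant.
function wireCost(text, fromClient) {
  const payload = new TextEncoder().encode(text);
  // Constructed mask key so the demo is reproducible; a real client
  // picks a fresh random key for every frame.
  const maskKey = fromClient ? Uint8Array.of(0x37, 0xfa, 0x21, 0x3d) : null;
  const ws = encodeFrame(payload, { maskKey }).length;
  const cost = { payload: payload.length, ws };
  for (const [suite, extra] of Object.entries(TLS_RECORD_OVERHEAD)) {
    cost[suite] = ws + extra;
  }
  return cost;
}

// Constructed sample: a small game-state update sent by the browser.
console.log(wireCost('{"x":12,"y":7}', true));
```

TCP/IP headers are identical for ws:// and wss:// and are left out of the totals.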


I did a performance study a few years ago that showed SSL over the Internet was only 3 times slower than plaintext. I would expect the gap to have narrowed since then due to hardware speed improvements.

I would certainly not recommend you implement your own encryption when SSL already exists. You have no reason to believe it will be any faster than SSL and you will almost certainly introduce security flaws that are not present in SSL.

user207421 answered Oct 29 '22 07:10