Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WS on HTTP vs WSS on HTTPS

Tags:

http

security

https

websocket

I've read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?

like image 403
Isaac Avatar asked Nov 06 '14 23:11

Isaac

People also ask

What is difference between WSS and WS?

The wss protocol establishes a WebSocket over an encrypted TLS connection, while the ws protocol uses an unencrypted connection. At this point, the network connection remains open and can be used to send WebSocket messages in either direction.

Does WebSocket use HTTP or HTTPS?

Almost all the real-time applications like (trading, monitoring, notification) services use WebSocket to receive the data on a single communication channel. Simple RESTful application uses HTTP protocol which is stateless. All the frequently updated applications used WebSocket because it is faster than HTTP Connection.

Should I use WebSockets instead of HTTP?

WebSockets allow for a higher amount of efficiency compared to REST because they do not require the HTTP request/response overhead for each message sent and received. When a client wants ongoing updates about the state of the resource, WebSockets are generally a good fit.

Can HTTP connect to WSS?

"ws protocol" and "wss protocol" are strange words. "WebSocket protocol" is the right word. WebSocket protocol can be used over both plain HTTP connections ( http ) and secure HTTP connections ( https ). Note that communication between a WebSocket client and a WebSocket server starts as a normal HTTP protocol.

1 Answers

"wss works on both http and https" ??? This is a strange phrase.

wss is secure only because it means "WebSocket protocol over https". WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just "WebSocket protocol over http" and "WebSocket protocol over https". See also this answer.

As the author of nv-websocket-client (WebSocket client library for Java), I also doubt the phrase "if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure" in the answer by oberstet.

Read RFC 6455 (The WebSocket Protocol) to reach the right answer. To become a true engineer, don't avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.

like image 140
Takahiko Kawasaki Avatar answered Oct 22 '22 23:10

Takahiko Kawasaki
Sign in to Comment

Related questions

Node.js Express Framework Security Issues [closed]
Single Sign-On in Microservice Architecture
Does it make sense to store JWT in a database? [closed]
How can I hash passwords in postgresql?
How to Secure Android Shared Preferences?
Removing the password from a VBA project
What reasons are there NOT to use OpenID?
What's wrong with XOR encryption?
PHP: Is mysql_real_escape_string sufficient for cleaning user input?
Setting cookie in iframe - different Domain
What security problems could come from exposing phpinfo() to end users?
How can I throttle user login attempts in PHP
How can I compute a SHA-2 (ideally SHA 256 or SHA 512) hash in iOS?
How to achieve a Safe (!) authentication system in an angularjs app?
Lock-down iPhone/iPod/iPad so it can only run one app
Glassfish DeploymentException: Error in linking security policy for
How safe is it to host sensitive data on repository sites like github, bitbucket, etc.? [duplicate]
How to set cookie secure flag using javascript
curl - Is data encrypted when using the --insecure option?
Full Secure Image Upload Script

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!