Tuesday, 3 April 2012
The Emerging WebSocket Protocol
Simply put, WebSocket (RFC 6455) is a raw socket over HTTP (the Web). It allows real-time (e.g. push) and bidirectional communication between the web client and the web application. Consider writing a stock ticker application: instead of periodically polling the server for updates, you can use WebSocket to create an (almost) raw socket to the server and do whatever you want over it. WebSocket runs over HTTP; therefore, access control rules on existing firewalls will simply work without any modifications. And as of this writing, 3 out of 4 browsers installed on my laptop support WebSocket already (the only exception is IE).
WebSocket doesn't prescribe any particular way to handle authentication: you can authenticate using a session cookie when you first initiate the WebSocket over HTTP, or you can authenticate right after the WebSocket is established (similar to how authentication is handled in FTP). WebSocket supports cross-domain communication by mandating the Origin header (which is only available if the client is a browser). Web applications should check the Origin header and refuse the connection if it originates from an untrusted third-party website.
In 2010, Huang et al. reported a vulnerability that can trick a vulnerable proxy server into incorrectly redirecting WebSocket connections from a Java applet or Flash to an arbitrary host (IP hijacking), hence allowing unauthorized cross-domain connections, or can poison the proxy server's cache (cache poisoning). After that, WebSocket adopted Huang's recommendation and requires XORing packet payloads with a random key, so that proxy servers that don't understand WebSocket cannot incorrectly pick up counterfeit HTTP requests embedded in the raw socket.
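As an added example (not code from the original post), here is a minimal Python sketch of the two defences just described: the server-side Origin allowlist check from the previous paragraph, and RFC 6455 client-to-server masking, with a helper showing that an HTTP-looking payload never appears in the clear on the wire. The allowlist contents and the lower-cased header dictionary convention are assumptions made for the example.

```python
import os
import struct
# Constructed allowlist for this example: browser origins whose handshakes
# the server accepts. Any other, or absent, Origin is refused.
TRUSTED_ORIGINS = {"https://app.example.com"}

def origin_allowed(headers, trusted=TRUSTED_ORIGINS):
    """Handshake check: headers is a dict with lower-cased names (constructed
    convention). No Origin means a non-browser client, so refuse by default."""
    origin = headers.get("origin")
    return origin is not None and origin in trusted

def mask(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 masking: XOR byte i with key[i % 4]. XOR is its own inverse,
    so the same call unmasks."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def build_client_frame(payload: bytes, key: bytes = None) -> bytes:
    """One unfragmented masked text frame (FIN=1, opcode=1, MASK=1).
    Payloads up to 65535 bytes; the 64-bit length form is left out."""
    key = os.urandom(4) if key is None else key  # fresh random key per frame
    n = len(payload)
    if n < 126:
        length = bytes([0x80 | n])
    elif n < 0x10000:
        length = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        raise ValueError("payload too long for this example")
    return b"\x81" + length + key + mask(payload, key)

def parse_client_frame(frame: bytes) -> bytes:
    """Server side: an unmasked client frame is a protocol error under
    RFC 6455, so reject it; otherwise unmask and return the payload."""
    if not frame[1] & 0x80:
        raise ValueError("client frame must be masked")
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        raise ValueError("64-bit length not handled in this example")
    key = frame[pos:pos + 4]
    return mask(frame[pos + 4:pos + 4 + n], key)

def plaintext_on_wire(payload: bytes, key: bytes) -> bool:
    """True if the payload appears verbatim in the frame; masking exists so an
    HTTP-looking payload never does, which a WebSocket-unaware proxy might act on."""
    return payload in build_client_frame(payload, key)
```

The "Hello" vector with key 37 fa 21 3d is the masked single-frame example from RFC 6455 section 5.7, so the output can be checked against the specification by hand.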
The current WebSocket protocol represents a low-level communication channel only: the protocol merely defines how to switch an existing HTTP connection into a low-level socket connection, without many other add-on features. Furthermore, the protocol itself is not stable and the server-side API is not standardized yet (Java will support WebSocket in Servlet 3.1). However, with the growing demand for real-time and bidirectional communication in the Web 2.0 era, I can foresee many frameworks being built around it, making it a more secure and usable protocol in the future.
Reference:
WebSocket Echo Demo http://websocket.org/echo.html (requires a WebSocket compliant browser)