Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebSockets: add opt-in delegation of encryption to TLS #625

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
+38 −4
Open

WebSockets: add opt-in delegation of encryption to TLS #625

Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
17c7ccc
docs: add WebSockets spec
achingbrain Aug 13, 2024
b680589
docs: fix WebSockets double encryption
achingbrain Aug 13, 2024
3c3a3a9
docs: add common name to handshake and mention security
achingbrain Sep 2, 2024
d9402f6
chore: language
achingbrain Sep 2, 2024
08a0665
chore: add reference to rfc 5705
achingbrain Sep 4, 2024
f7837dc
chore: add section about completing the handshake
achingbrain Sep 4, 2024
76ca6ec
Merge branch 'master' into docs/fix-websockets-double-encryption
achingbrain Oct 23, 2024
cc8b242
chore: update noise revision
achingbrain Oct 23, 2024
7c2f77f
chore: undo toc edit
achingbrain Oct 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
chore: add reference to rfc 5705
@achingbrain
achingbrain committed Sep 4, 2024
commit 08a0665dbed7d5f1651eec59f34b7eaf6b0ef4e5
2 changes: 2 additions & 0 deletions websockets/README.md
View file
Original file line number Diff line number Diff line change
@@ -82,6 +82,8 @@ Protection against man-in-the-middle (MITM) type attacks is through Web [PKI](ht

This authentication scheme is also not secure in cases where you do not own your domain name or the certificate. If someone else can get a valid certificate for your domain, you may be vulnerable to a MITM attack.

Another solution would be to use Keying Material Exporters [RFC 5705](https://www.rfc-editor.org/info/rfc5705) which would remove the need to add data to the noise handshake, however whether this would be exposed as part of browser APIs is unclear at this point.

## Addressing

A WebSocket address contains `/ws`, `/tls/ws` or `/wss` and runs over TCP. If a TCP port is omitted, a secure WebSocket (e.g. `/tls/ws` or `/wss` is assumed to run on TCP port 443), an insecure WebSocket is assumed to run on TCP port 80 similar to HTTP addresses.