I've read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?
- "*I know wss works on both http and https*" Huh? – David Schwartz Nov 06 '14 at 23:09
- Maybe I should have said "I have read that" instead of "I know"? – Isaac Nov 07 '14 at 14:10
- What David meant is that the information you've read, _"wss works on both http and https"_, is wrong. See my answer. – Takahiko Kawasaki Jan 01 '16 at 07:06
- So, if the connection is http the WebSocket must be "ws" and if the connection is https the WebSocket must be "wss"? – DiegoSahagun Nov 04 '16 at 23:12
2 Answers
"wss works on both http and https" ??? This is a strange phrase.
`wss` is secure only because it means "WebSocket protocol over https". WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just "WebSocket protocol over http" and "WebSocket protocol over https". See also this answer.
As the author of nv-websocket-client (WebSocket client library for Java), I also doubt the phrase "if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure" in the answer by oberstet.
Read RFC 6455 (The WebSocket Protocol) to reach the right answer. To become a true engineer, don't avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.

- An HTML page loaded by a browser over HTTP (not HTTPS) which contains JavaScript can open both a non-secure (ws) as well as secure (wss). An HTML page that loads over HTTPS can only open a wss connection (not a ws connection). You don't have to believe me: just try it. – oberstet Oct 15 '17 at 08:29
- What you stated will only work if the web server also listens on https. – Matthias Aug 23 '18 at 09:01
- Most of the answers are confusing, and make it sound as if wss was possible from http connection, like there was wss-specific tls establishment over plain tcp/ws connection. – Pavel P Feb 04 '19 at 08:05
- WebSocket doesn't go over HTTPS, it goes over TLS. See https://www.rfc-editor.org/rfc/rfc6455#section-4.2.2, where [RFC5246] refers to TLS. ws->wss is similar to http->https, **SSL/TLS/security** adds the S. Only the initial request before the upgrade is HTTPS. – Ben Butterworth Feb 03 '23 at 22:11
Is a web socket secure (wss) connection still encrypted through TLS/SSL if the website/server is not?
Yes.
Are wss (Secure Web Socket) connections just as secure on an http server as they are on an https server?
Yes (see above). There is one thing to note: if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure, but an attacker might modify the HTML/JavaScript while being sent from the Web server to browser. A HTTP connection isn't protected against man-in-the-middle sniffing or modification.

- Ah plain TCP connection (non-TLS) is suspect to t and man-in-the-middle attacks. – oberstet Nov 20 '15 at 15:58
- RFC6455 specifies that wss runs secure. The hosting env (browser or else) does not matter. You can also look at wire dumps to confirm browser beh. – oberstet Dec 08 '15 at 18:52
- A non-TLS connection is subject to a variety of attacks that a TLS connection is not. So, NO a non-TLS connection is NOT just as secure as TLS connection. – jfriend00 Aug 25 '17 at 20:39
- This answer contains misleading information. [Takahiko Kawasaki's answer](https://stackoverflow.com/a/34554243/5373629) should be marked as the correct one. Specifically, `wss` operates ONLY over HTTPS, as read on the [RFC 6455, Section 11.1.2](https://tools.ietf.org/html/rfc6455#section-11.1.2): `A |wss| URI [...] indicates that traffic over that connection is to be protected via TLS.` – Alvaro Gutierrez Perez Oct 04 '17 at 07:35
- I kinda agree with @AlvaroGutierrezPerez but to be fair you CAN open a wss in your html through just HTTP. Though like stated and to elaborate upon: an attacker can still modify your HTML to only open a ws connection (to be able to monitor/attack the websocket as well) over HTTP. – hewiefreeman Nov 18 '17 at 22:05
- Seems like there is a lot of confusion here;) Point is, with browsers, there are 2 connections involved: a) the one to fetch the HTML and JS files via HTTP or HTTPS and b) the actual WebSocket connection, which only _starts_ as a HTTP or HTTPS connection. Now you can have a) done via HTTP, while b) is done via HTTPS upgraded to WSS. But you can NOT have a) via HTTPS, and then b) via HTTP not being upgraded to WSS, but using plain WS. This is explicitly forbidden for _browser_ WebSocket clients (and browsers enforce it). Non-browser WebSocket clients don't even have a) – oberstet Dec 29 '17 at 14:15
- The answer seems to me a bit confusing. `wss` over `http` (not `https`) is very unusual idea. I think the answer can be improved if this moment clarified a bit more. – shitpoet Jan 28 '22 at 22:43
- @shitpoet I am considering http + wss right now. My case is that we ship routers, that must have a domain name in LAN, for example be accessible via http://open.wrt - we can't have https here, because we can issue only self-signed SSL cert for local domain name which will cause warning in all browsers if used. But on page loaded the real data must be transferred over another wss connection for security purposes. The only issue I face now is that wss connection fails. Maybe I have not set it up correctly... – rightaway717 Aug 17 '22 at 05:59
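
The two connections distinguished in the comments above (the page fetch and the WebSocket itself), as an added example that is not part of the original answers or comments: it classifies a page URL / WebSocket URL pair using the rules stated in this thread and the default ports from RFC 6455. The function names and the `example.test` URLs are constructed for illustration, and browser exceptions for loopback addresses are not modelled.

```javascript
// Added example (not from the thread): audit a page/WebSocket URL pair.
const SCHEMES = new Map([
  ['http:', { port: 80, tls: false }],
  ['https:', { port: 443, tls: true }],
  ['ws:', { port: 80, tls: false }],   // RFC 6455 default port for ws
  ['wss:', { port: 443, tls: true }],  // RFC 6455 default port for wss
]);

// Resolve scheme, host, effective port and whether TLS wraps the TCP connection.
function describeTransport(urlString) {
  const u = new URL(urlString);
  const info = SCHEMES.get(u.protocol);
  if (!info) throw new Error(`unsupported scheme: ${u.protocol}`);
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port ? Number(u.port) : info.port,
    tls: info.tls,
  };
}

// Connection (a) is the page fetch, connection (b) is the WebSocket.
function auditWebSocket(pageUrl, socketUrl) {
  const page = describeTransport(pageUrl);
  const socket = describeTransport(socketUrl);
  if (!page.scheme.startsWith('http')) throw new Error('page URL must be http(s)');
  if (!socket.scheme.startsWith('ws')) throw new Error('socket URL must be ws(s)');
  const findings = [];
  const browserAllows = !(page.tls && !socket.tls); // HTTPS page + ws:// is refused
  if (!browserAllows) findings.push('browser blocks ws:// from an HTTPS page');
  if (!socket.tls) findings.push('WebSocket traffic is plaintext on the wire');
  if (!page.tls) findings.push('page came over HTTP: the script that picks the socket URL can be altered in transit');
  return { page, socket, browserAllows, socketEncrypted: socket.tls,
           protectedEndToEnd: page.tls && socket.tls, findings };
}

// Constructed sample pairs covering the four combinations discussed above.
const samples = [
  ['http://router.example.test/', 'wss://router.example.test:8443/data'],
  ['https://app.example.test/', 'ws://app.example.test/chat'],
  ['https://app.example.test/', 'wss://app.example.test/chat'],
  ['http://app.example.test/', 'ws://app.example.test/chat'],
];
for (const [pageUrl, socketUrl] of samples) {
  const r = auditWebSocket(pageUrl, socketUrl);
  console.log(pageUrl, '->', socketUrl, r.findings.length ? r.findings : ['no findings']);
}
```
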