3

I am trying to write a client in JavaScript that sends websockets to a node.js/ws server. After a lot of reading I understand that it usefull or even required by RFC to mask all the data that it is sent to the server from client, but I don't understand how to do it.

I have found a few articles like this one:

http://www.htmlgoodies.com/html5/tutorials/making-html5-websockets-work.html

but I couldn't find any starting point or even a function to mask the data. And I really don't understand the concept of masking very well. A library / function would be helpful. I'm struggling with this problem for a while and nothing... If I mask the data that it is sent, I need to 'unmask' on the server side? Do you have any ideas?

Heretic Monkey
  • 11,687
  • 7
  • 53
  • 122
John
  • 155
  • 2
  • 15
  • 2
    Maybe this post helps you: https://stackoverflow.com/questions/33250207/why-are-websockets-masked – enno.void May 31 '17 at 20:59
  • I already read that article, but it doesn't help. buuut, i found this: https://softwareengineering.stackexchange.com/a/318798 and I will be using SSL. So the question is: if my server is ssl and the client non ssl, i still need masking? – John May 31 '17 at 21:06
  • 1
    if you are sending your websocket traffic over https ... which you should be doing ... then I see no benefit of working to hide data content ... those links assume you are on http which you should not be the case here in 2017 – Scott Stensland May 31 '17 at 21:21
  • 1
    This question has some good answers on what masking is for: https://stackoverflow.com/q/14174184/215552; also, MDN has some information here: https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#Reading_and_Unmasking_the_Data – Heretic Monkey May 31 '17 at 21:22
  • @ScottStensland thanks for your answer. so i understand that i still need to mask data if I send websockets from a non-ssl website to a ssl server, right? – John May 31 '17 at 21:35
  • @MikeMcCaughan thanks for your great answer! that seems to be an unmasking alghorithm. So i understand that the key is always dynamic. Do you have any info for masking the data? or simply reverse the unmasking algorithm? what should be the first key when i send data from the client? or the key should be static on the client side and generated like a CSRF token? there should be any minimum maximum lenght? – John May 31 '17 at 21:40

1 Answers1

2

If you're trying to make a webSocket connection from browser Javascript to a server and then send data over that webSocket connection, you will just use the built in webSocket support into the browser. You will just call socket.send() and the underlying webSocket support will do all the webSocket protocol info for you (including masking).

If you're trying to make a webSocket connection from node.js to some other server, then you would be best served just getting one of the many webSocket libraries for node.js on NPM and using one of those. Those libraries will then do all the webSocket protocol info for you (including masking).

If you're trying to accept an incoming webSocket connection on your own nodejs server, then you would similarly use one of the several webSocket server libraries for node.js and that library would handle all masking for you.

You can only connect a webSocket client to a webSocket server since both ends must use the webSocket connection scheme and then support the webSocket protocol, data framing and security schemes. Unless you're doing this for academic reasons or trying to implement webSockets on a platform that has no generic support for them, it would be rare to implement your own webSocket library. There are variations in the protocol (due to the evolution of the specification and it's a lot of work to properly support and test everything that a full implementation would do).

so i understand that i still need to mask data if I send websockets from a non-ssl website to a ssl server, right?

You appear to be a bit confused. A connection between two endpoints is either SSL or not. You can't have one end of the connection using SSL and the other end not using SSL. A webSocket connection (both ends) can either be run normally or using SSL. The webSocket specification requires that the client mask all data, but that will be done for you automatically by whatever webSocket client library you are using. That is not something you, as a client using the webSocket library, should have to concern yourself with.

A non-SSL webpage (a page that was loaded over regular http not using SSL) could make an SSL webSocket connection to some webSocket server that also supports SSL.

jfriend00
  • 683,504
  • 96
  • 985
  • 979