57
votes

I've read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?

3
"I know wss works on both http and https" Huh?David Schwartz
Maybe I should have said "I have read that" instead of "I know"?Isaac
What David meant is that the information you've read, "wss works on both http and https", is wrong. See my answer.Takahiko Kawasaki
So, if the connection is http the WebSocket must be "ws" and if the connection is https the WebSocket must be "wss"?DiegoSahagun

3 Answers

52
votes

Is a web socket secure (wss) connection still encrypted through TLS/SSL if the website/server is not?

Yes.

Are wss (Secure Web Socket) connections just as secure on an http server as they are on an https server?

Yes (see above). There is one thing to note: if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure, but an attacker might modify the HTML/JavaScript while it is being sent from the Web server to the browser. An HTTP connection isn't protected against man-in-the-middle sniffing or modification.

103
votes

"wss works on both http and https" ??? This is a strange phrase.

wss is secure only because it means "WebSocket protocol over https". WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just "WebSocket protocol over http" and "WebSocket protocol over https". See also this answer.

As the author of nv-websocket-client (WebSocket client library for Java), I also doubt the phrase "if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure" in the answer by oberstet.

Read RFC 6455 (The WebSocket Protocol) to reach the right answer. To become a true engineer, don't avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.
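The following is an added example, not code from either answer or from nv-websocket-client. It follows RFC 6455 sections 1.3 and 3: the only difference between ws and wss is the `secure` flag derived from the URI scheme, which decides whether the otherwise identical HTTP/1.1 opening handshake is written into a TLS session. The Sec-WebSocket-Key value is the RFC's own section 1.3 sample; `example.com` and the page origins are placeholders. The last function separates the two facts the answers above argue about: whether the socket itself is under TLS, and whether the page that carried the URI was fetched over plain HTTP.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constant GUID from RFC 6455 section 1.3; the server appends it to the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_ws_uri(uri):
    # RFC 6455 section 3: the 'secure' flag is set by the scheme alone.
    # It is the only thing that puts the connection inside TLS.
    parts = urlsplit(uri)
    if parts.scheme not in ("ws", "wss"):
        raise ValueError("not a WebSocket URI: %r" % uri)
    secure = parts.scheme == "wss"
    port = parts.port or (443 if secure else 80)
    resource = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return secure, parts.hostname, port, resource


def accept_key(client_key):
    # Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)); proves the
    # server speaks WebSocket but adds no confidentiality of its own.
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def opening_handshake(uri, client_key, origin):
    # The handshake is the same HTTP/1.1 text for ws and wss; with wss the
    # client writes it into a TLS session instead of a plain TCP socket.
    secure, host, port, resource = parse_ws_uri(uri)
    host_header = host if port == (443 if secure else 80) else "%s:%d" % (host, port)
    request = (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Key: %s\r\n"
        "Origin: %s\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ) % (resource, host_header, client_key, origin)
    return secure, request


def transport_report(page_origin, ws_uri):
    # socket_tls follows the ws URI scheme only; whether the page that carried
    # that URI was itself fetched over plain HTTP is a separate fact.
    secure = parse_ws_uri(ws_uri)[0]
    return {"socket_tls": secure, "page_over_plain_http": urlsplit(page_origin).scheme == "http"}
```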

0
votes

If HTTPS is not deployed, try sws - secure WebSocket on plain HTTP without HTTPS:

https://github.com/InstantWebP2P/sws