Socket.io: no authentication no party🎉🎊🎈

My objection to the latest YouTube tutorial about socket.io, Python and JavaScript.

There might be something I'm missing, but passing a username over an insecure channel is equivalent to simple data input, not real-world authentication. Thank you very much for clarifying this matter, but if the ws protocol doesn't provide headers for authentication, IMHO it's much better to stay with classic web services over HTTPS. At this point I fail to see the motivation for socket.io: implementing a web service is more secure, just as simple, and offers the same features, doesn't it?

You can follow the discussion on YouTube. My fears are described, for example, under the paragraph "No authentication during the handshake process" at https://www.neuralegion.com/blog/websocket-security-top-vulnerabilities/

See the need to countercheck the ticket against an IP: just one example, but it scares me because I don't think it is practical.
