This talk on WebSocket Authentication on VIDIO.COM Livestream Chat covers its technology, the authentication options for WebSocket including Cookie and JWT (JSON Web Token), and the security concerns with regard to the technology being used.
Cookie vs JSON Web Token

Cookie
  Pros: Encrypt User ID; Light Payload
  Cons: Decrypt Rails' Cookie; Need Server-Side Request

JSON Web Token over URL
  Pros: Signed User Payload; No Need to Decrypt
  Cons: Need Client-Side Request; Long Request URL (1-2k)

JSON Web Token in cookie
  Pros: Signed User Payload; No Need to Decrypt
  Cons: Need Client-Side Request; Long Cookie Length (1-2k)

Shared User Cookie
  Pros: Encrypt User Payload; No Additional Request
  Cons: Decrypt Rails' Cookie; Huge Payload; Shared Cookie

A balance needs to be struck, and we decided to use JSON Web Token over URL. Productivity is preferred over the request efficiency of a shared cookie. The decision can still change if we find a better solution.
JSON Web Token, as defined in RFC 7519, is a mechanism for presenting claims between two parties. The claims are signed using an algorithm, and only the two parties know the secret key. A token consists of three base64-encoded parts: { header }.{ payload }.{ signature }. The derivatives of JSON Web Token are JSON Web Signature and JSON Web Encryption; we are using the former, because we have no need for encryption. A typical JWT token looks as follows:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxMjM0NTY3OCJ9.ArJHWXBfkzeugVpshDEcHqsOIaqeR7CNH-SJCMZfZiw
Data Authenticity

The VIDIO server signs the token using the algorithm declared in the header, and the CHAT server verifies the signature against the shared secret. No data tampering is possible, so the payload is guaranteed to be authentic. The only liability is the library being used: there are known issues in JWT libraries with symmetric keys, and we are not using those libraries.

{ "typ": "jwt", "alg": "HS512" } . { ... } . { signature }

This is some of the header and signature of the JWT.
Data Privacy

No leak of private data occurs in the authentication process. Only publicly available information is put in the payload. Possible retention of the token in proxies and logs is also not a problem, because no sensitive information is put in the payload.

{ ... "user": { "id": 30132773, "username": "hendrauzia", "name": "Hendra Uzia", "avatar": "...", "verified": false } }

This is some of the payload content of the JWT.
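The signing and verification flow from the Data Authenticity and Data Privacy slides, as an added Ruby example that is not VIDIO's own code: the VIDIO side issues an HS512 token carrying only the public user fields shown above, and the CHAT side verifies it with the algorithm pinned to HS512 (a token whose header claims any other algorithm is rejected before its signature is looked at), a constant-time signature comparison, and an exp check. The shared secret, the TTL, and the helper names are assumptions made for this example; exp is an integer as RFC 7519 defines it, rather than the string in the sample token above.

```ruby
require 'openssl'
require 'json'

# Constructed shared secret for this example (not a real key); VIDIO and CHAT
# would each hold it out of band.
SHARED_SECRET = 'example-shared-secret-not-for-production'.freeze
EXPECTED_ALG  = 'HS512'.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# VIDIO side: sign header.payload with HMAC-SHA512. Only public user fields
# go into the payload; exp is an integer NumericDate as RFC 7519 defines.
def issue_token(user, ttl: 300, now: Time.now.to_i)
  header  = { typ: 'jwt', alg: EXPECTED_ALG }
  payload = { exp: now + ttl, user: user }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA512', SHARED_SECRET, signing_input))}"
end

# CHAT side: returns [true, user] or [false, reason]. The algorithm is pinned
# to HS512 instead of being taken from the header, so "none" or any other
# alg is rejected before any signature work happens.
def verify_token(token, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed'] unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return [false, 'bad alg'] unless header['alg'] == EXPECTED_ALG
  expected = OpenSSL::HMAC.digest('SHA512', SHARED_SECRET, "#{parts[0]}.#{parts[1]}")
  return [false, 'bad signature'] unless secure_equal?(expected, b64url_decode(parts[2]))
  payload = JSON.parse(b64url_decode(parts[1]))
  return [false, 'expired'] unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  [true, payload['user']]
rescue JSON::ParserError, ArgumentError, TypeError
  [false, 'malformed']
end
```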
- Denial of Service
- Reflected Cross Site Scripting
- SSL Stripping
- Stored Cross Site Scripting
- Session Sidejacking
- HTTP Replay Attack
- Cross Site Request Forgery
- Timing Attack
- SSL Inspection
- Cookie Replay Attack

The red boxes relate directly to the authentication process; the grey boxes are risks that are out of the scope of this slide.
The WebSocket protocol specification (RFC 6455) states that the Origin header is used to protect against unauthorized cross-origin use of a WebSocket server.

✔ Cross Origin Resource Sharing
✔ Cross Site Request Forgery