
Securing WebSocket with Plain HTTP Without HTTPS - sequoiar68
https://github.com/InstantWebP2P/sws
======
sequoiar68
We design a cryptographic protocol to setup Secure Websocket(alias SWS) over
plain HTTP site between http client and http server, which includes Nacl-based
Certificates Exchanges and Crypto-Keys Distribution.

~~~
viraptor
What's the reason to do that?

~~~
sequoiar68
provide nessary security in plain http site

~~~
viraptor
I don't get the threat model. You're trying to protect the websocket against
possible mitm, but you're doing it using client script downloaded without
security over a similar route that you have to also assume is mitm'ed. So
basically all the attacker need to do is replace your script with some
alternative copy that either exposes the keys or mirrors the whole steam to
the attacker endpoint.

Am I missing anything?

~~~
Piskvorrr
Various other security holes. But indeed, this by itself is insecure enough.
[https://www.nccgroup.trust/us/about-us/newsroom-and-
events/b...](https://www.nccgroup.trust/us/about-us/newsroom-and-
events/blog/2011/august/javascript-cryptography-considered-harmful/)

