about websocket's mask field
about websocket protocal ,you can read the detail from
here,http://tools.ietf.org/html/rfc6455#section-5.3
in the mask section ,it said:
The masking key is a 32-bit value chosen at random by the client.
When preparing a masked frame, the client MUST pick a fresh masking
key from the set of allowed 32-bit values. The masking key needs to
be unpredictable; thus, the masking key MUST be derived from a strong
source of entropy, and the masking key for a given frame MUST NOT
make it simple for a server/proxy to predict the masking key for a
subsequent frame. The unpredictability of the masking key is
essential to prevent authors of malicious applications from selecting the
bytes that appear on the wire. RFC 4086 [RFC4086] discusses what entails a
suitable source of entropy for security-sensitive
applications.
i don't get why must the mask key be unpredictable ,not to mention is the
mask really be necessary here?since you send it every time ,the sniffer
can get it and easily decrypt it.the only useful thing i could think is
it's made the playload data unreadable for human in the first place,and
take more time for server to handle a receive
No comments:
Post a Comment