Re: Web socket vs REST security

> On 15 Feb 2017, at 14:02, Ted Guild <ted@w3.org> wrote:
> 
> I agree there are two attack surfaces from two protocols. HTTP2’s socket capabilities (which I am not convinced yet serves our needs) would bring the number of protocols down to one.

My work on web of things demos has shown that Server-Sent events over HTTP is more robust than Web Sockets when it comes to recovering after a dropped connection. It is also easy to extend a simple HTTP server to support server-sent events. This makes for a one way stream of messages from the server to client, and you would use a regular HTTP PUT, POST or PATCH for pushing data from the client to the server.

Something I have yet to explore is client sourced events over HTTP using a long lived connection, and exploiting the HTTP 100 continue response. This could use the same chunked encoding as for server sent events. This is a possibility when you have a data stream from client to server, and may be interesting for connecting from a device inside a firewall to stream telemetry to a server in the cloud.

Within the car, I guess there is still a case for using HTTPS, but perhaps not that strong given that attackers could have direct access to the car’s components.

This shows that the discussion should be broader than just Web Sockets vs REST.

Cheers,

Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
W3C lead for the Web of things
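As an added example (not part of this thread or of any W3C code), the following Python shows the mechanism behind the reconnection robustness mentioned above: each SSE event carries an `id:` field, and a reconnecting EventSource client sends the last id it saw in the `Last-Event-ID` request header so the server can resume without loss or duplication. `TelemetryServer` is a hypothetical in-memory stand-in for the HTTP server, and the speed readings are constructed sample data.

```python
from collections import deque

def format_sse(event_id, data, event=None):
    """Serialise one event in text/event-stream framing; a blank line ends it."""
    lines = [f"event: {event}"] if event else []
    lines.append(f"id: {event_id}")
    lines += [f"data: {chunk}" for chunk in str(data).split("\n")]  # multi-line payloads
    return "\n".join(lines) + "\n\n"

def parse_sse(stream):
    """Parse a text/event-stream body into (id, event, data) tuples, as EventSource does."""
    events, cur = [], {"id": None, "event": "message", "data": []}
    for line in stream.split("\n"):
        if line == "":                      # dispatch the buffered event
            if cur["data"]:
                events.append((cur["id"], cur["event"], "\n".join(cur["data"])))
            cur = {"id": None, "event": "message", "data": []}
        elif line.startswith(":"):
            continue                        # comment line, often sent as keep-alive
        else:
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "data":
                cur["data"].append(value)
            elif field in ("id", "event"):
                cur[field] = value
    return events

class TelemetryServer:
    """Hypothetical server keeping a bounded history so a reconnecting client can resume."""
    def __init__(self, history=100):
        self.events, self.next_id = deque(maxlen=history), 1
    def publish(self, data):
        self.events.append((self.next_id, data))
        self.next_id += 1
    def stream(self, last_event_id=None):
        """Body for GET /events; replays only events newer than Last-Event-ID."""
        since = int(last_event_id) if last_event_id else 0
        return "".join(format_sse(i, d, "telemetry") for i, d in self.events if i > since)

def reconnect_demo():
    """Constructed scenario: link drops after event 2; reconnect must deliver 3 and 4 only."""
    srv = TelemetryServer()
    for reading in ("speed=50", "speed=52"): srv.publish(reading)
    first = parse_sse(srv.stream())                 # initial connection
    last_id = first[-1][0]                          # EventSource remembers this itself
    for reading in ("speed=55", "speed=57"): srv.publish(reading)  # sent while link was down
    resumed = parse_sse(srv.stream(last_event_id=last_id))  # reconnect with Last-Event-ID: 2
    return [e[2] for e in first], [e[2] for e in resumed]
```

A WebSocket has no equivalent built into the protocol, which is why resuming a dropped socket needs application-level sequence numbers and replay logic that SSE gives you for free.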

Received on Thursday, 16 February 2017 19:44:45 UTC