
AW: Web socket vs REST security

From: Bartsch, Patrick, Dr. (I/EE-511) <patrick.bartsch@audi.de>
Date: Thu, 16 Feb 2017 20:17:48 +0000
To: Dave Raggett <dsr@w3.org>, "public-autowebplatform@w3.org" <public-autowebplatform@w3.org>
Message-ID: <C867514CE59A3E4A8B5944D3341FAFD4138210FD@AUDIINSX0398.audi.vwg>
We will definitely use HTTPS in the car for security and privacy reasons.

Can you elaborate a little more on SSEs? Can they be used for larger payloads? Will multiple SSE connections share the same TCP connection? Can you 'unsubscribe' client side? How will errors be transmitted, will they be sent as payload or can an SSE send natural HTTP response codes instead? Do SSEs have an advantage over web sockets in terms of adoption cross platform, in browsers, apps and just plain C libraries?

Thanks a lot for your input

Best regards

Dr. Patrick Bartsch

- sent from my mobile -
________________________________
From: Dave Raggett <dsr@w3.org>
Sent: 16.02.2017 20:45
To: public-autowebplatform@w3.org
Subject: Re: Web socket vs REST security


On 15 Feb 2017, at 14:02, Ted Guild <ted@w3.org> wrote:

I agree there are two attack surfaces from two protocols. HTTP/2's socket capabilities (which I am not convinced yet serve our needs) would bring the number of protocols down to one.

My work on Web of Things demos has shown that Server-Sent Events over HTTP are more robust than Web Sockets when it comes to recovering after a dropped connection. It is also easy to extend a simple HTTP server to support Server-Sent Events. This makes for a one-way stream of messages from the server to the client, and you would use a regular HTTP PUT, POST or PATCH for pushing data from the client to the server.

Something I have yet to explore is client sourced events over HTTP using a long lived connection, and exploiting the HTTP 100 continue response. This could use the same chunked encoding as for server sent events. This is a possibility when you have a data stream from client to server, and may be interesting for connecting from a device inside a firewall to stream telemetry to a server in the cloud.

Within the car, I guess there is still a case for using HTTPS, but perhaps not that strong given that attackers could have direct access to the cars components.

This shows that the discussion should be broader than just Web Sockets vs REST.

Cheers,

Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
W3C lead for the Web of things
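The following is an added example, not code from the thread or from any W3C project, illustrating the Server-Sent Events mechanics discussed above: the text/event-stream framing a server writes over a plain HTTP response, the client-side parser that reads it, and the `Last-Event-ID` resumption that makes SSE recover cleanly after a dropped connection. The sample stream, the server event log and the function names (`formatEvent`, `parseEventStream`, `reconnectHeaders`, `eventsAfter`) are all constructed here for the demonstration.

```javascript
// Added example (not from the thread): the text/event-stream wire format used
// by Server-Sent Events, as a formatter and a parser, plus the reconnect
// headers and server-side replay that let a client resume after a drop.
// Every sample value below is constructed for this demonstration.

// Serialize one event in SSE framing. Each field is one line and a blank line
// terminates the event. Multi-line payloads become several "data:" lines, so a
// newline inside the payload can never break the framing or inject a field.
function formatEvent({ id, event, data, retry }) {
  const lines = [];
  if (retry !== undefined) lines.push(`retry: ${retry}`);
  if (id !== undefined) lines.push(`id: ${id}`);
  if (event !== undefined) lines.push(`event: ${event}`);
  for (const part of String(data).split(/\r\n|\r|\n/)) lines.push(`data: ${part}`);
  return lines.join("\n") + "\n\n";
}

// Parse event-stream text following the WHATWG EventSource processing model:
// "name: value" fields, a blank line dispatches, lines starting with ":" are
// comments (servers use them as keep-alives), unknown fields are ignored and
// an "id" containing NUL is rejected. The id buffer persists across events,
// so the last event id is whatever the server most recently sent.
function parseEventStream(text) {
  const events = [];
  let lastEventId = "";
  let retry = null;
  let idBuffer = "";
  let eventType = "";
  let data = [];
  for (const raw of text.split(/\r\n|\r|\n/)) {
    if (raw === "") {
      // Blank line: commit the id, dispatch only if some data was received.
      lastEventId = idBuffer;
      if (data.length > 0) {
        events.push({ type: eventType || "message", data: data.join("\n"), id: lastEventId });
      }
      eventType = "";
      data = [];
      continue;
    }
    if (raw.startsWith(":")) continue;
    const colon = raw.indexOf(":");
    const field = colon === -1 ? raw : raw.slice(0, colon);
    let value = colon === -1 ? "" : raw.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    switch (field) {
      case "event": eventType = value; break;
      case "data": data.push(value); break;
      case "id": if (!value.includes("\0")) idBuffer = value; break;
      case "retry": if (/^\d+$/.test(value)) retry = Number(value); break;
      default: break;
    }
  }
  return { events, lastEventId, retry };
}

// Request headers a client sends when it re-opens the stream. A browser
// EventSource adds Last-Event-ID automatically; an app or C client does this
// itself before issuing the new GET.
function reconnectHeaders(lastEventId) {
  const h = { Accept: "text/event-stream", "Cache-Control": "no-cache" };
  if (lastEventId !== "") h["Last-Event-ID"] = lastEventId;
  return h;
}

// Server side of resumption: replay only events the client has not yet seen.
// Ids in this constructed log are monotonically increasing integers.
function eventsAfter(serverLog, lastEventId) {
  const since = lastEventId === "" ? -1 : Number(lastEventId);
  return serverLog.filter((e) => Number(e.id) > since).map(formatEvent).join("");
}

// Constructed sample: a keep-alive comment, a retry hint, a named event with a
// JSON payload, an unnamed multi-line event, and an event with no data.
const SAMPLE_STREAM =
  ": keep-alive\n" +
  "retry: 5000\n" +
  "id: 41\nevent: speed\ndata: {\"kmh\": 52}\n\n" +
  "id: 42\ndata: line one\ndata: line two\n\n" +
  "event: ignored-no-data\n\n";

// Constructed server log used to show replay after a dropped connection.
const SERVER_LOG = [
  { id: "41", event: "speed", data: "{\"kmh\": 52}" },
  { id: "42", event: "speed", data: "{\"kmh\": 55}" },
  { id: "43", event: "speed", data: "{\"kmh\": 57}" },
];

const first = parseEventStream(SAMPLE_STREAM);
console.log("received", first.events.length, "events, last id", first.lastEventId);
console.log("reconnect with", reconnectHeaders(first.lastEventId));
console.log("server replays:\n" + eventsAfter(SERVER_LOG, first.lastEventId));
```

The design follows the EventSource model directly: an event with no `data:` line is never dispatched, a `retry:` value only adjusts the reconnect delay, and the id is committed at the blank line so a half-received event cannot move the resumption point. The parser is deliberately strict about the one field an attacker-controlled server could abuse (an `id` containing NUL is dropped), and since the stream rides on an ordinary HTTP response, the questions in the reply above have short answers: a client unsubscribes simply by closing the connection, a failure before the stream opens is reported through the normal HTTP status code, and once streaming has begun errors are carried in-band as events like any other message.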
Received on Thursday, 16 February 2017 20:18:25 UTC
