Question

The current Websocket RFC requires that websocket clients mask all data within frames when sending (but the server is not required to). The reason the protocol was designed this way is to prevent frame data from being altered by malicious services between the client and server (proxies, etc.). However, the masking key is still known to such services (it is sent on a per-frame basis at the beginning of each frame).

Am I wrong to assume that such services can still use the key to unmask, alter, and then re-mask the contents before passing the frame to the next point? If I'm not wrong, how does this fix the supposed vulnerability?


Solution

Section 10.3 of the RFC explains exactly why masking is required. It's a very specific response to a specific hacking technique. The problem it is trying to address is described in a 2010 paper called Talking to Yourself for Fun and Profit by some of the sharpest Internet transport security folks.

Client-to-Server masking is used by the Websocket protocol to prevent proxies from unwittingly treating WebSockets data as a cacheable HTTP request. You can argue whether that's pandering to stupid proxies (and I think it is), but that's the reason.
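To make the answer concrete, here is an added example (not part of the original answer) that implements RFC 6455 client-to-server masking and frame parsing in Python. It shows both halves of the point: anyone who sees the frame can unmask it with the key carried in the header (masking is not confidentiality), while the XOR with a key the client chooses per frame means the bytes on the TCP stream are not under the sender's control, so a payload shaped like an HTTP request is not what a proxy sees. The sample payload and key are constructed for illustration.

```python
# Added example: RFC 6455 client-to-server masking (section 5.3) of a WebSocket
# frame. Handles unfragmented text frames with payloads shorter than 65536 bytes.
import struct
from typing import Tuple

def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR each payload byte with key[i % 4]. XOR is its own inverse, so the
    same function both masks and unmasks; knowing the key is all it takes."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def build_client_text_frame(payload: bytes, key: bytes) -> bytes:
    """Build one masked text frame: FIN=1, opcode 0x1, MASK bit set.
    The 4-byte key is sent in the clear right before the masked payload."""
    header = bytes([0x80 | 0x1])          # FIN set, opcode = text
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])       # MASK bit plus 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)  # 16-bit length
    else:
        raise ValueError("64-bit payload lengths are not handled in this example")
    return header + key + mask_payload(payload, key)

def parse_client_text_frame(frame: bytes) -> Tuple[bytes, bytes]:
    """Return (masking_key, unmasked_payload) for a frame built as above.
    An intermediary that can read the frame can do exactly this."""
    if frame[1] & 0x80 == 0:
        raise ValueError("client-to-server frames must have the MASK bit set")
    length = frame[1] & 0x7F
    offset = 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[2:4])
        offset = 4
    elif length == 127:
        raise ValueError("64-bit payload lengths are not handled in this example")
    key = frame[offset:offset + 4]
    masked = frame[offset + 4:offset + 4 + length]
    return key, mask_payload(masked, key)

if __name__ == "__main__":
    # Constructed sample: a payload that would look like an HTTP request line
    # to a naive proxy, and a fixed key so the output is reproducible.
    key = b"\x12\x34\x56\x78"
    payload = b"GET /index.html HTTP/1.1"
    frame = build_client_text_frame(payload, key)
    print("on the wire:", frame.hex())
    print("unmasked by anyone holding the key:", parse_client_text_frame(frame)[1])
```

In real clients the key is a fresh random value per frame, which is what keeps the on-the-wire bytes out of the sender's control; the fixed key here is only so the output is reproducible.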

OTHER TIPS

Masking is useless with wss:// aka WebSockets over SSL/TLS. Since it is recommended to use SSL/TLS whenever possible, you can reasonably conclude that masking covers a marginal use case.

Licensed under: CC-BY-SA with attribution