Question

The doc "Specifying WebSocket authentication details" did not mention how passwords are sent from the client's authenticate() JS function to the server's onWSAuthenticate. Are they sent through a secure channel, or in plain text?

Side question: what tool, browser, or browser plugin can one use to sniff WebSocket traffic?

Thank you.


Solution

The username/password sent through the authenticate() function is in clear text. You can actually see that in cfwebsocket.js (it's minified, so search for authenticate). On the server, if the call is for authentication, it invokes onWSAuthenticate() in application.cfc, passing whatever username or password was given to the function. So the logic of encryption/decryption/validation lies with the developer.

Any TCP monitor can be used for sniffing WebSocket traffic, such as Wireshark, TCPMon, etc.
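
As an added illustration (not part of the original answer and not ColdFusion's code): on a plain ws:// connection the only transformation applied to a client frame is RFC 6455 masking, and the masking key travels in the same frame, so a protocol analyzer recovers the payload directly. The message body, its field names, the URL and the function names are constructed for this example.

```javascript
// Constructed sample message: field names are illustrative, not ColdFusion's real wire format.
const SAMPLE_AUTH_MESSAGE =
  '{"type":"authenticate","username":"alice","password":"example-password"}';

// Build a masked text frame as a browser client would (RFC 6455, payloads up to 125 bytes).
function buildMaskedTextFrame(text, maskKey) {
  const payload = new TextEncoder().encode(text);
  if (payload.length > 125) throw new RangeError("example handles short frames only");
  const frame = new Uint8Array(6 + payload.length);
  frame[0] = 0x81;                   // FIN=1, opcode 0x1 (text)
  frame[1] = 0x80 | payload.length;  // MASK=1 plus 7-bit length
  frame.set(maskKey, 2);             // the masking key is sent in the clear
  payload.forEach((b, i) => { frame[6 + i] = b ^ maskKey[i % 4]; });
  return frame;
}

// Decode a captured frame the way a protocol analyzer does: read the key, XOR it back.
function decodeFrame(frame) {
  if (frame.length < 2) throw new RangeError("truncated header");
  const opcode = frame[0] & 0x0f;
  const masked = (frame[1] & 0x80) !== 0;
  let len = frame[1] & 0x7f;
  let off = 2;
  if (len === 127) throw new RangeError("64-bit lengths not handled here");
  if (len === 126) {
    if (frame.length < 4) throw new RangeError("truncated length");
    len = (frame[2] << 8) | frame[3];
    off = 4;
  }
  const key = masked ? frame.subarray(off, off + 4) : null;
  if (masked) off += 4;
  if (frame.length < off + len) throw new RangeError("truncated payload");
  const data = frame.slice(off, off + len);
  if (key) data.forEach((b, i) => { data[i] = b ^ key[i % 4]; });
  return { opcode, masked, text: new TextDecoder().decode(data) };
}

// Only wss:// (WebSocket over TLS) hides frames from an on-path monitor.
function transportIsEncrypted(wsUrl) {
  return new URL(wsUrl).protocol === "wss:";
}

const frame = buildMaskedTextFrame(SAMPLE_AUTH_MESSAGE, new Uint8Array([0x37, 0xfa, 0x21, 0x3d]));
console.log(decodeFrame(frame).text);                          // full message, password included
console.log(transportIsEncrypted("ws://app.example.test/ws")); // constructed URL
```
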

Other tips

Mostly just answering to further my own understanding of how this works. From the websocket.org site:

The tunnel is established by issuing an HTTP CONNECT statement to the proxy server, which requests for the proxy server to open a TCP/IP connection to a specific host and port. Once the tunnel is set up, communication can flow unimpeded through the proxy. Since HTTP/S works in a similar fashion, secure WebSockets over SSL can leverage the same HTTP CONNECT technique.

So, if this is what you're asking, it appears that just like with HTTP/HTTPS, it's up to the developer to implement SSL encryption, which makes sense.

Sagar Ganatra also has a blog entry on the basics of WebSocket authentication with CF.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow