[Cryptography] WebSocket masking under TLS?

Alfie John alfie at alfie.wtf
Tue Nov 26 06:22:27 EST 2019

While reading the WebSocket Protocol RFC 6455, the bit on "masking" seemed a
bit smelly to me:


    5. Data Framing

    5.1. Overview

      In the WebSocket Protocol, data is transmitted using a sequence of frames.
      To avoid confusing network intermediaries (such as intercepting proxies)
      and for security reasons that are further discussed in Section 10.3, a
      client MUST mask all frames that it sends to the server (see Section 5.3
      for further details). (Note that masking is done whether or not the
      WebSocket Protocol is running over TLS.)

    5.3.  Client-to-Server Masking

      ...The masking key is a 32-bit value chosen at random by the client...
      ...The masking key needs to be unpredictable; thus, the masking key MUST
      be derived from a strong source of entropy...

      Octet i of the transformed data ("transformed-octet-i") is the XOR of
      octet i of the original data ("original-octet-i") with octet at index i
      modulo 4 of the masking key ("masking-key-octet-j"):

                        j = i MOD 4
      transformed-octet-i = original-octet-i XOR masking-key-octet-j


       <explanation on why masking prevents cache poisoning in plaintext HTTP>

Putting aside for now that the 32-bit XOR mask would be susceptible to a
known-plaintext attack, given that most WebSocket request payloads would start
with the same JSON structure, I'm curious as to what possible reasoning they
had for still wanting to mask over TLS (again, from 5.1):

    "masking is done whether or not the WebSocket Protocol is running over TLS".

Alfie John
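
The framing quoted from RFC 6455 above, as an added example that is not part of the original post: a Python sketch of the Section 5.3 transform with a client frame builder and a server-side parser. It shows that the 4-octet masking key travels in the frame header next to the masked payload; the function names and the sample payload are constructed for illustration.

```python
from __future__ import annotations
import os
import struct

def mask_payload(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 5.3 transform; XOR is its own inverse, so this also unmasks."""
    if len(key) != 4:
        raise ValueError("masking key must be 4 octets")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def build_client_frame(payload: bytes, opcode: int = 0x1, key: bytes | None = None) -> bytes:
    """Single-fragment client frame: FIN=1, MASK=1, key carried in the header."""
    key = os.urandom(4) if key is None else key  # strong entropy, per 5.3
    n = len(payload)
    head = bytes([0x80 | opcode])
    if n < 126:
        head += bytes([0x80 | n])
    elif n < 1 << 16:
        head += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return head + key + mask_payload(payload, key)

def parse_client_frame(frame: bytes) -> tuple[int, bytes, bytes]:
    """Server side: return (opcode, masking key, unmasked payload)."""
    if len(frame) < 2:
        raise ValueError("truncated header")
    opcode, b1 = frame[0] & 0x0F, frame[1]
    if not b1 & 0x80:
        raise ValueError("client frame without MASK bit; server must close the connection")
    n, pos = b1 & 0x7F, 2
    if n == 126:
        n, pos = int.from_bytes(frame[2:4], "big"), 4
    elif n == 127:
        n, pos = int.from_bytes(frame[2:10], "big"), 10
    key, body = frame[pos:pos + 4], frame[pos + 4:pos + 4 + n]
    if len(key) != 4 or len(body) != n:
        raise ValueError("truncated frame")
    return opcode, key, mask_payload(body, key)

if __name__ == "__main__":
    sample = b'{"type":"subscribe","channel":"ticker"}'  # constructed payload
    frame = build_client_frame(sample)
    opcode, key, clear = parse_client_frame(frame)
    print(frame.hex(), key.hex(), clear)
```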
