Securing WebSockets in Elixir

Kevin McNamee
The Casper Tech Blog: Z++
3 min read · Feb 14, 2017

At Casper, we’re always evaluating emerging technologies to use in new projects and systems as they arise. We recently completed a project to streamline real-time communication with our customers, complementing our award-winning Customer Experience team. The project required high availability and the ability to process many concurrent messages. We came to the decision that Elixir was a solid candidate due to its fault-tolerance, concurrency, and the stability of the Erlang VM.

Real-time message delivery is a powerful feature Elixir gives us in the form of Phoenix, and specifically Phoenix Channels. Channels allow for senders and receivers to communicate with each other in real-time with the help of a layered system consisting of socket handlers, routing, pub-sub, messages, and transport adapters. These layers combine to form a rich system that is a breeze to work with.

The default Transport Adapter in Phoenix uses the WebSocket protocol. WebSockets are a bi-directional, persistent connection from a client (browser, iPhone, watch) to a server.

When using Phoenix Channels it is important to secure your WebSocket connection just as you would any other API or browser endpoint. By not securing your WebSockets, you are opening yourself up to the possibility of a man-in-the-middle attack, which could intercept private data and communications between users of your application.

Are Your Channels Leaking Secure Data?

You can test the security of your WebSockets with any penetration testing tool. I will quickly show you how this is accomplished using Burp Suite. The example I will use is for a browser client. The first thing you will need to do is configure your browser to allow Burp Suite to intercept http and https traffic. Read this tutorial from Burp Suite to configure your system.

Make sure to select “Intercept is off” in the Intercept tab and navigate to your website while proxying the traffic through Burp Suite. In Burp Suite, go to the Proxy -> WebSockets tab. If you are in an unauthenticated state and see activity in this tab, you are looking at an unsecured connection.

Example of WebSocket traffic on an unauthenticated page; not good.

Authenticating Your Phoenix Channels

There are a few ways you can secure your channels. The first is Phoenix.Token, a module Phoenix provides out of the box to help with authentication; you can see how it works, including a Channels example, here. The second is the widely popular Guardian Hex package. Guardian is an authentication framework for Elixir, and it is what you are going to use to secure your WebSockets:

Install the library in mix.exs.

Next, within the UserSocket module generated with your Phoenix project, just add the Guardian.Phoenix.Socket module.

By including this module you have access to the connect() function which looks like this:

With this you will need to send your JWT as a parameter called guardian_token. There is one more step you need to take to ensure your UserSocket is performing properly: override the default connect() function that was generated with the file so that it always returns :error. This way any connection attempt that does not include the guardian_token parameter falls through to that clause and is simply rejected with the error atom.

Next, you need to make sure your front-end client has access to your authenticated users’ token. This can be achieved in a number of ways. A simple and effective option is to add the token in a meta tag to the DOM.

Finally, you will want to write some JavaScript for authenticating and connecting to a socket as well as subscribing to a channel.
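Putting the server-side steps above together, as an added example that is not code from the original post or from the Guardian project: a UserSocket that lets Guardian.Phoenix.Socket handle connections carrying guardian_token, falls back to :error for everything else, and a channel whose join/3 refuses a socket that has no verified resource. The MyApp.* module names and the room topic are assumptions, as is the Guardian 0.x behaviour the post describes (use Guardian.Phoenix.Socket injecting a connect/2 clause for the guardian_token parameter, and current_resource/1 returning the signed-in resource).

```elixir
defmodule MyApp.UserSocket do
  use Phoenix.Socket

  channel "room:*", MyApp.RoomChannel
  transport :websocket, Phoenix.Transports.WebSocket

  # Assumed (Guardian 0.x, as described in the post): injects a connect/2
  # clause matching %{"guardian_token" => jwt} that verifies the JWT and
  # signs the resource into the socket. Any other params fall through
  # to the clause below.
  use Guardian.Phoenix.Socket

  # Fallback clause: no guardian_token (or an invalid one) means no socket.
  # Phoenix answers the WebSocket upgrade with 403 when connect/2 returns :error,
  # so Burp's WebSockets tab stays empty for unauthenticated visitors.
  def connect(_params, _socket), do: :error

  # Give authenticated sockets an id so a user's sockets can be disconnected
  # (e.g. MyApp.Endpoint.broadcast("user_socket:" <> id, "disconnect", %{})).
  def id(socket) do
    case Guardian.Phoenix.Socket.current_resource(socket) do
      nil -> nil
      user -> "user_socket:#{user.id}"
    end
  end
end

defmodule MyApp.RoomChannel do
  use Phoenix.Channel

  # Defense in depth: connect/2 already rejected anonymous sockets, but
  # checking again at join means no channel can ever be subscribed to
  # without a verified resource on the socket.
  def join("room:" <> _room_id, _payload, socket) do
    case Guardian.Phoenix.Socket.current_resource(socket) do
      nil -> {:error, %{reason: "unauthorized"}}
      _user -> {:ok, socket}
    end
  end
end
```

The client must pass the JWT it read from the meta tag as the guardian_token socket param for the first connect/2 clause to match.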

By following these steps, you are ensuring that nobody can connect to the Socket connection without proper authentication. It is important to secure all areas of your application from exploitation and WebSockets are often easily overlooked. If you are interested in talking more about security, Elixir, or working with other technologies, reach out! We are always looking for awesome engineers to join the Casper team.
