
Login via websocket - is this safe?

On webpage (with https)

  1. Client connects to the server with a websocket (secure wss over TLS)
  2. Server sends a 'ready-for-user-and-password' message
  3. User enters info and the client sends it
  4. Server validates and, as long as the websocket is connected, knows who the recipient is

EDIT: I am considering the above instead of using a POST method.

Rune Jeppesen asked Jan 22 '26 14:01
1 Answer

It can be safe against some attacks, but as usual there are ways to break into the site, and we have to evaluate security holistically.

DB passwords

It is not clear from the description but plausible that the setup you've described stores user passwords in plain text.

Best practice in that respect is to calculate the password's hash with a salt and keep that in the database, so that if an attacker manages to get a DB dump, they will need a lot of time to guess a password from it.

Rate limiting

You should limit unsuccessful login attempts so the attacker won't be able to easily pick a password by brute force.

Logging

Another thing which can be problematic here is logging: you need to make sure the credentials don't end up in application log files (I've seen that with credit card numbers).

A similar concern is retaining the sensitive info for too long after verification has ended, which makes it more vulnerable (e.g. to forcing a heap dump in Java and picking it from that file).

SSL secret material

If you don't pay enough attention to restricting access to the SSL private key, somebody can mount a man-in-the-middle attack.

Depending on the cipher suites your app server supports, previously recorded communications can be vulnerable to decryption if an attacker steals the key. The concept of resistance to that is called forward secrecy. You can validate whether you have properly tuned your web app here.

Your cert authority (or any other one) can issue a certificate for your website to somebody else, allowing the attacker to impersonate you (see Mozilla and WoSign, Additional Domain Errors).

CORS

You should also set the Content-Security-Policy so that it will be trickier to force the browser code to send this auth info to other servers.

Social Engineering

An attacker can trick your user into running some code in the web tools console; you can try opening a web console, e.g. on Facebook, and see what they've done against that.

New stuff

Vulnerabilities get discovered every day, and some of them are published in bulletins; you should follow those for your stack (e.g. OpenSSL) and patch/upgrade where appropriate.

Ivan answered Jan 25 '26 05:01
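As an added illustration (not code from the question or the answer), here is the server side of step 3 and 4 written so that the answer's DB-password, rate-limiting and logging points hold: only salted PBKDF2 digests are stored, failed attempts per client are counted and expire, the password is dropped right after verification and never logged, and the verified identity is bound to the connection object. It assumes a constructed in-memory user store in place of a database and a `client_id` supplied by the websocket layer (e.g. peer address); PBKDF2 is one choice of salted hash, not the one the answer prescribes.

```python
import hashlib, hmac, logging, os, time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000          # assumption: tune to your hardware
MAX_FAILURES = 5                 # failed logins tolerated per client per window
LOCK_SECONDS = 300               # window after which recorded failures expire

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed user store standing in for the DB: username -> (salt, digest).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}
# Dummy record so unknown users cost the same time as known ones (no enumeration via timing).
_DUMMY = (os.urandom(16), os.urandom(32))
_failures = defaultdict(list)    # client id -> timestamps of recent failed attempts

def is_rate_limited(client_id: str, now: float) -> bool:
    recent = [t for t in _failures[client_id] if now - t < LOCK_SECONDS]
    _failures[client_id] = recent
    return len(recent) >= MAX_FAILURES

class WsSession:
    """State for one websocket connection; the user is bound to it after login (step 4)."""
    def __init__(self, client_id: str):
        self.client_id = client_id
        self.user = None

    def handle_login(self, message: dict, now=None) -> str:
        """Process the client's reply to 'ready-for-user-and-password' (step 3)."""
        now = time.time() if now is None else now
        if is_rate_limited(self.client_id, now):
            return "locked"
        username = message.get("user", "")
        # pop() so the credential is not retained in the message object after verification
        password = message.pop("password", "")
        salt, digest = USERS.get(username, _DUMMY)
        computed = hash_password(password, salt)      # always hash, known user or not
        ok = username in USERS and hmac.compare_digest(computed, digest)
        del password   # Python cannot zero strings; at least drop the reference early
        if not ok:
            _failures[self.client_id].append(now)
            logging.warning("login failed user=%r client=%s", username, self.client_id)  # never the password
            return "invalid"
        _failures.pop(self.client_id, None)
        self.user = username
        return "ok"
```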
