Is the Hubot web socket connection to Slack secure? - websocket

I am setting up hubot with a slack adapter for an enterprise and would like to know if the socket connection between Hubot and Slack is secure.
If not, how can it be secured?

It's hard to say in general whether a product would be regarded as "secure" for your enterprise. It all depends on the security requirements specific to your business, e.g. a defense contractor might have much higher security requirements than a retailer.
To answer your question I would therefore suggest researching the security specifics of this product and then comparing them with the security requirements of your enterprise.
Here is an overview of the security architecture to get you started:
Hubot uses Slack's RTM API, which uses WebSockets as its main communication protocol.
To start a connection you need to call either the rtm.start or rtm.connect endpoint, which is secured by HTTPS. Both endpoints require you to provide authentication via an OAuth 2.0 token.
Those endpoints return a custom URL for your WebSocket session.
All WebSocket communication uses the secure WSS protocol, which applies TLS to secure the connection.
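The client-side checks that enforce the properties listed above (HTTPS endpoint, bearer token, wss:// session URL, TLS 1.2 or newer), as an added example that is not Hubot's or Slack's code. It assumes the documented shape of the rtm.connect response ("ok" and "url" fields) and uses a constructed response so it runs offline.

```python
"""Enforce the transport-security properties of the Slack RTM connect flow."""
import json
import ssl
from urllib.parse import urlparse

RTM_CONNECT_URL = "https://slack.com/api/rtm.connect"  # HTTPS-only endpoint

# Constructed sample of an rtm.connect response (not a real session URL).
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "url": "wss://wss-primary.slack.com/link/?ticket=EXAMPLE-TICKET",
})


def auth_headers(token: str) -> dict:
    """rtm.connect is called over HTTPS with the OAuth token as a bearer token."""
    return {"Authorization": f"Bearer {token}"}


def build_tls_context() -> ssl.SSLContext:
    """TLS policy for the WebSocket: chain + hostname validation on, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validate_rtm_url(response_body: str) -> str:
    """Return the session URL only if it is wss:// on a slack.com host."""
    body = json.loads(response_body)
    if not body.get("ok"):
        raise ValueError(f"rtm.connect failed: {body.get('error')}")
    url = body["url"]
    parts = urlparse(url)
    if parts.scheme != "wss":
        # A downgraded ws:// URL would carry the session in plaintext.
        raise ValueError(f"refusing non-TLS WebSocket URL: {url}")
    host = parts.hostname or ""
    if host != "slack.com" and not host.endswith(".slack.com"):
        raise ValueError(f"unexpected WebSocket host: {host}")
    return url


def rtm_url_ok(response_body: str) -> bool:
    """Boolean wrapper around validate_rtm_url for callers that just gate on it."""
    try:
        validate_rtm_url(response_body)
        return True
    except (ValueError, KeyError):
        return False
```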

I have raised a ticket with the Slack support team and they confirmed that the connection is WSS and uses TLS 1.2, which makes it secure for enterprise. Thanks!

Related

Websocket API authenticated with mTLS in AWS Api Gateway

Does anyone know if it is possible to have a Websocket Api Gateway support mTLS authentication? According to the documentation it is not supported (https://aws.amazon.com/blogs/compute/evaluating-access-control-methods-to-secure-amazon-api-gateway-apis/). Does anyone know if there is a feature request for this or there is a workaround? We've debated using a lambda authorizer on the $connect route on the websocket API to authenticate client certificates manually, but it seems like an artificial implementation for mTLS since we're performing the client authentication after the TLS handshake. Not sure if this is our best option or if there is something better. Thanks.

Blazor Server: Protect information in transit with HTTPS: Are WebSockets not secure enough?

Blazor Server development is great! One of my concerns is with the security of data being sent through SignalR/WebSockets.
From my understanding the communication between client and server is:
Action is taken by user, e.g. clicks button
JavaScript initiates the WebSocket communication with my server
Server responds with data that I've returned
JavaScript changes the page (DOM)
From Chrome developer tools I can see this happening on the websocket, i.e. wss://localhost/_blazor?id=XXXXXXXXXXXXXX. As the websocket is wss:// I thought communication was secure and ensured integrity and confidentiality, e.g. against man-in-the-middle attacks etc.
So why has Microsoft advised to "Always use HTTPS" in their Blazor Server Threat Mitigation documentation?
Protect information in transit with HTTPS
Blazor Server uses SignalR for communication between the client and the server. Blazor Server normally uses the transport that SignalR negotiates, which is typically WebSockets.
Blazor Server doesn't ensure the integrity and confidentiality of the data sent between the server and the client. Always use HTTPS.
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/threat-mitigation?view=aspnetcore-6.0#protect-information-in-transit-with-https
Thank you to Brennan for answering my question in the comments.
So why has Microsoft advised to "Always use HTTPS" in their Blazor Server Threat Mitigation documentation?
The warning is just general text. The two statements on the documentation are independent of each other.
The below explains the mechanism Blazor Server typically uses for communication between client and server i.e. WebSockets
Protect information in transit with HTTPS
Blazor Server uses SignalR for communication between the client and the server. Blazor Server normally uses the transport that SignalR negotiates, which is typically WebSockets.
The below states you should always use a secure protocol when communicating between client and server i.e. HTTPS
Blazor Server doesn't ensure the integrity and confidentiality of the data sent between the server and the client. Always use HTTPS.
I assumed Microsoft was referring to using standard API (HTTP/2) endpoints to ensure integrity and confidentiality. As Brennan pointed out - WebSockets is an extension of HTTP/1.1, and thus can use HTTPS.
Hopefully, this helps people in the future.

Gateway API - Apache APISIX with Secured Websockets

I am trying to add an API Gateway to a client-server system, which communicates through WebSockets.
The server is an audio recognition engine that sits on a remote machine, and clients connect to it through WebSockets ('wss://...'), sending audio files and receiving their text representation.
My main goal is to add a free open-source API Gateway in the middle in order to authenticate\authorize\rate limit\etc (tried Kong\Tyk\krakenD, but they are not free).
After searching the web, I focused on Apache APISIX gateway.
As a test, I managed to connect the APISIX to a client-server which communicates by http/https and it worked fine.
Moreover, I managed to connect the client with the server on a regular websocket connection (ws://) and the data transactions were successful, but no matter what I do I can't connect to the secured connection. Are there any special configurations I should edit in the dashboard?
I'm wondering if anyone knows from experience if it's possible to use secured WebSockets with Apache APISIX and if yes, how exactly it should be done - because the docs are missing any informative info\examples - or if there are better solutions known to my problem.
The only WebSocket reference in APISIX dashboard -
What you should do is create an SSL object (you can find it in the sidebar on the left side). See https://apisix.apache.org/docs/apisix/admin-api/#ssl to learn the APISIX SSL object.
You can see an example at https://apisix.apache.org/docs/apisix/certificate
The SSL object provides the required TLS certificate and private key so that this key pair can be used in a TLS handshake according to the TLS SNI sent by clients. After that, your client establishes a secured connection with APISIX, and now you can send the WebSocket traffic securely.
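The two Admin API objects the answer describes (an SSL object selected by SNI, plus a route that forwards the WebSocket upgrade), as an added example that is not APISIX's own code. It assumes the Admin API at http://127.0.0.1:9180 with the 3.x path /ssls (older releases listen on 9080 and use /ssl), an API key in ADMIN_KEY, and placeholder certificate and key files.

```python
"""Build and apply an APISIX SSL object and a WebSocket route via the Admin API."""
import json
import urllib.request

ADMIN_BASE = "http://127.0.0.1:9180/apisix/admin"   # assumed Admin API address
ADMIN_KEY = "REPLACE-WITH-YOUR-ADMIN-KEY"           # placeholder, never the shipped default


def ssl_object(cert_pem: str, key_pem: str, snis: list) -> dict:
    """The cert/key pair APISIX presents when the client's TLS SNI matches one of snis."""
    if not snis:
        raise ValueError("an SSL object needs at least one SNI to match on")
    return {"cert": cert_pem, "key": key_pem, "snis": list(snis)}


def websocket_route(uri: str, upstream_node: str, upstream_tls: bool) -> dict:
    """Route that proxies WebSocket traffic to the recognition engine.

    enable_websocket must be true or the Upgrade handshake is not forwarded and
    wss clients fail exactly as described in the question; upstream_tls selects
    https when the engine itself only speaks wss://.
    """
    return {
        "uri": uri,
        "enable_websocket": True,
        "upstream": {
            "type": "roundrobin",
            "scheme": "https" if upstream_tls else "http",
            "nodes": {upstream_node: 1},
        },
    }


def admin_put(path: str, body: dict) -> bytes:
    """PUT an object to the Admin API (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{ADMIN_BASE}{path}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-API-KEY": ADMIN_KEY, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    cert = open("server.crt").read()   # placeholder paths for your cert/key
    key = open("server.key").read()
    admin_put("/ssls/1", ssl_object(cert, key, ["asr.example.com"]))
    admin_put("/routes/1", websocket_route("/ws/*", "10.0.0.5:8443", upstream_tls=True))
```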

Does bot connector service support Mutual TLS verification?

I want to know whether the bot connector service (Microsoft Bot Framework) supports Mutual TLS or not. I want to verify the source of the events coming from the bot connector service. I am not able to find any documentation which clearly specifies mTLS support.
All communications between the bot and the Bot Connector service utilize SSL/TLS for authentication. SSL/TLS connections adhere to the x.509v3 certificate protocol for identifying all HTTPS services (see Authentication with the Bot Connector API).
You can read more about the Azure Bot Service's Data Protection protocol by reading this doc, Encrypt sensitive information in transit.
Additionally, What data is encrypted? can provide additional insight.

Proxy SMTP server with instructions receiving from API

The task is to build an SMTP proxy gateway which will send all letters to an API for some checks and, depending on the API answer, will send the letter to the destination server or return an error message to the client.
Please look at this picture
IMAP will be organized in the same way: all letters will be sent to the API for virus checking etc. and only letters with a successful API response will be received into the mailbox.
I want to ask for advice on which software would be better to use for this purpose. Dovecot/Postfix? But how to integrate it with an AMQP API? Maybe it would be better to organize it through an nginx proxy? Or the Python Twisted framework?
I will be grateful for any help.
If you're looking for a COTS software solution, Forum Sentry API Security Gateway software version can act both as an SMTP proxy or an AMQP proxy.
http://www.forumsys.com/forum-sentry-secure-amqp-proxy/
[I work for Forum Systems]