On 6 March 2018 at 10:55, Michael Jonker michael@openpoint.ie wrote:
- Am I perpetrating a security anti-pattern by holding the connection open
indeterminately?
Unless I'm missing something: no more so than leaving a modern web application tab (Facebook, Gmail) open indefinitely.
Which is to say, WebSockets, Facebook, and Gmail all turn you (the client) into a server. An attacker (which may be the web server you are connected to, or which may be an outside party sending messages to you through the server) can choose when and how large a message you will receive. This capability is what makes it particularly difficult to defend against Guard Discovery attacks in Hidden Services, and when you invert the model (where you are the server) it will enable Guard Discovery attacks on you, the client.
I say this to try to be accurate. I don't say it to discourage you or suggest you shouldn't do this - I think you should. I think it's fantastic that you're working on providing a responsive web experience over a hidden service and I hope to see an awesome deployment or blog post about it in the future.
-tom
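The following is an added example, not code from Tom, Michael or the thread. It models the receiving side of the point above: once a WebSocket is open the peer decides when a message arrives and how large it is, so the only thing a client controls is how much of that it is willing to keep processing. The `InboundBudget` and `guardSocket` names, the sliding-window limits and the constructed fake socket are all assumptions made for this illustration; the code expects only a socket-like object with `addEventListener` and `close`, which both the browser `WebSocket` and the `ws` client provide. Note the caveat stated in the comments: closing an over-budget connection bounds application-layer exposure, but the bytes have already crossed the network (or the Tor circuit) by the time the client sees them, so it is not a defence against the traffic-pattern attacks Tom describes.

```javascript
// Added example, not code from the thread. A client-side inbound budget for a
// WebSocket that stays open indefinitely: caps bytes and message count over a
// sliding window and closes the socket when exceeded.
// Caveat: this limits what the application processes only; the traffic has
// already crossed the network (or the Tor circuit) by the time it is counted.

class InboundBudget {
  // windowMs: sliding-window length; maxBytes / maxMessages: limits per window.
  constructor({ windowMs = 10000, maxBytes = 1000000, maxMessages = 200 } = {}) {
    this.windowMs = windowMs;
    this.maxBytes = maxBytes;
    this.maxMessages = maxMessages;
    this.events = []; // accepted messages still inside the window: { t, size }
  }

  // True if a message of `size` bytes arriving at `now` (ms) fits the budget.
  // Rejected messages are not recorded, so refusals do not consume budget.
  accept(size, now = Date.now()) {
    const cutoff = now - this.windowMs;
    while (this.events.length > 0 && this.events[0].t < cutoff) this.events.shift();
    const bytes = this.events.reduce((sum, e) => sum + e.size, 0) + size;
    const count = this.events.length + 1;
    if (bytes > this.maxBytes || count > this.maxMessages) return false;
    this.events.push({ t: now, size });
    return true;
  }
}

// Payload size in bytes for the message types a WebSocket delivers
// (string, ArrayBuffer, typed array, Blob-like). TextEncoder exists in
// browsers and in Node.
function messageSize(data) {
  if (typeof data === 'string') return new TextEncoder().encode(data).length;
  if (data instanceof ArrayBuffer) return data.byteLength;
  if (ArrayBuffer.isView(data)) return data.byteLength;
  if (data && typeof data.size === 'number') return data.size;
  return 0;
}

// Attach the budget to any socket-like object exposing addEventListener and
// close. Over-budget traffic closes the connection with 1008 (policy
// violation) instead of reaching the application. `clock` is injectable so
// the behaviour can be exercised deterministically.
function guardSocket(socket, budget, onMessage, clock = Date.now) {
  const stats = { delivered: 0, rejected: 0 };
  socket.addEventListener('message', (ev) => {
    if (!budget.accept(messageSize(ev.data), clock())) {
      stats.rejected += 1;
      socket.close(1008, 'inbound budget exceeded');
      return;
    }
    stats.delivered += 1;
    onMessage(ev.data);
  });
  return stats;
}

// Constructed test double standing in for a real WebSocket: records the close
// code and lets the scenario inject messages at chosen times.
function fakeSocket() {
  const listeners = {};
  return {
    closed: null,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    close(code, reason) { this.closed = { code, reason }; },
    inject(type, ev) { (listeners[type] || []).forEach((fn) => fn(ev)); },
  };
}

// Scenario (constructed): the peer pushes three 40-byte messages within 200 ms
// against a 100-byte-per-second budget. The third one trips the guard.
function runScenario() {
  let now = 0;
  const socket = fakeSocket();
  const seen = [];
  const budget = new InboundBudget({ windowMs: 1000, maxBytes: 100, maxMessages: 5 });
  const stats = guardSocket(socket, budget, (d) => seen.push(d.length), () => now);
  for (const t of [0, 100, 200]) {
    now = t;
    socket.inject('message', { data: 'x'.repeat(40) });
  }
  return {
    delivered: stats.delivered,
    rejected: stats.rejected,
    seen,
    closeCode: socket.closed ? socket.closed.code : null,
  };
}
```

Against a live connection the call is `guardSocket(new WebSocket(url), new InboundBudget(), handler)`; the limits should be set from what the application actually expects the server to push, so that an unexpected burst or an oversized frame ends the session rather than being silently processed.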