The WebSockets protocol enables applications running inside web browsers to open up two way communications. The SIP over WebSockets protocol extends the SIP and adapts it to support WebSockets.
To overcome this, browser plug-ins could be installed to give specific applications a lower level access as long as they had the users consent to install additional software. This solution works but has the potential to introduce security flaws within the browser as well as provide an opportunity for malicious software to be installed on the user’s computer or mobile device. The solution to all of these problems is the WebSockets (WS) protocol [RFC6455].
Allowing an application access to lower-level sending and receiving of messages opens up some vulnerabilities that are taken care of by the protocol. For example, the application can craft messages in such a way that they can trick HTTP middle boxes into thinking that they are HTTP requests.
This vulnerability is handled by masking the data in the packet with a randomly generated array of bytes. The value of the mask is sent to the peer so that they can unmask the packet. This prevents an application from knowing what the byte stream will look like when it gets to the network and thus prevent it from manipulating the data to produce undesired results.
SIP over WebSockets Protocol
The WebSocket protocol defines an additional HTTP header to be used during the opening handshake. the Sec-WebSocket-Protocol header field is used to specify a WebSocket sub-protocol to be used on top of the WebSocket layer. These protocols can be proprietary or based on a standard. One such standard is SIP over WebSockets [RFC 7118].
The SIP over WebSockets protocol takes the original SIP protocol [RFC 3261] and makes a few modifications to adapt it to WebSockets environments. The major changes from the original SIP specification are the addition of cookie based authentication facilitated by the web browser, and the removal of the requirement for middle boxes to add the received parameter to the Via header field. This requirement was removed because it could reveal sensitive information about the internal HTTP proxies, servers, load balancers, etc. of networks transporting SIP over WebSockets.