This repository has been archived by the owner on Apr 24, 2023. It is now read-only.
Warn, or callout in connection error, when using insecure websockets #360
Labels
effort/hours
Estimated to take one or several hours
exp/intermediate
Prior experience is likely helpful
good first issue
Good issue for new contributors
help wanted
Seeking public contribution on this issue
P2
Medium: Good to have, but can wait until someone steps up
js-libp2p-webrtc-star and js-libp2p-websockets both support either ws/ or wss/ multiaddrs (WebSockets, or SSL WebSockets). Many of the examples, such as libp2p-in-the-browser or peer-and-content-discovery, use vanilla WebSockets, not Secure WebSockets, and this is appropriate, since these examples are likely tested using web servers on localhost and it is difficult to set up SSL on localhost.
However, insecure WebSockets is unpredictable. Leaving aside the question of whether insecure websockets "should" be used, attempting to use insecure WebSockets in a browser may sometimes fail just because it is insecure, for example:
These failures can be based on unpredictable local state (browser, HSTS state). If a user encounters one of these failures, they are unlikely to easily figure out on their own why the failure occurred: The change is something sort of nonobvious (change "/ws" in the listening list to "/wss") and making it work requires something the examples don't include (setting up SSL, libp2p has a out-of-the-box docker for a nginx proxy to do this but it isn't part of the examples directory). This is demonstrably a support issue for libp2p (searching google for the error messtingges I get when hitting insecure websockets problems I find many cases, including on https://discuss.libp2p.io/, where a libp2p core dev is having to explain that setting up SSL is needed).
A suggestion: When sending in /ws multiaddrs for
listen
orbootstrap
in a browser, do one of the following:Since this case will mostly only come up in test/example projects, console noise is probably acceptable. If console noise is a concern, there could be a Libp2p.create() flag to disable insecure-websockets warnings.
Note: Maybe a similar issue should be filed on js-libp2p-websockets, I don't know.
The text was updated successfully, but these errors were encountered: