There’s a lot of FUD out there around WebSocket security, and the only way to tackle it is to learn what the real concerns are and how they can be addressed. Here are a few snippets from our Delivering Security Over Native Full-duplex Web Connections paper, written with this very objective in mind:
Security within the WebSocket standard is simple and dependable, provided the WebSocket solution you use actually implements it: it is not enabled by default. The WebSocket standard covers core security by providing for both unencrypted and encrypted transport, and by defining WebSocket as a frame within which all existing security protocols can operate. However, because WebSocket is a standard and not a development environment, its inherent security features are somewhat limited.
Often, these limited security features have come at a high cost, one that obstructs the creation of robust, full-duplex web applications. Developers are frequently faced with difficult design and coding challenges, trying to work within or around the limitations without frustrating their users with awkward and time-consuming processes.
The WebSocket standard is sufficient to secure traffic, provided its security features are used; it supports whatever security is already in place. But securing the flow is only part of the real security challenge you face. That traffic also has to traverse proxies and firewalls seamlessly, and authentication issues delay and obstruct the web experience.
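One way to apply those opt-in checks at the handshake, as an added Node.js example that is not from the paper or the original post: the upgrade is refused unless it arrived over encrypted transport, from an allow-listed Origin, and with a valid bearer token. The allow-list, the trusted-proxy assumption, the token format and the sample requests are all assumptions or constructed values.

```javascript
// Added example: opt-in policy checks on a WebSocket upgrade request, run before the
// handshake is accepted. Reads the shape of Node's http.IncomingMessage (lower-cased headers).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed allow-list
const TLS_TERMINATING_PROXY = true; // assumed: a trusted proxy sets X-Forwarded-Proto

function header(req, name) {
  const v = req.headers[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

// Returns { ok: true } or { ok: false, reason } so the caller can refuse the upgrade.
function checkUpgrade(req, validateToken) {
  const h = (n) => header(req, n);
  if (!/^websocket$/i.test(h('Upgrade') || '') || h('Sec-WebSocket-Version') !== '13') {
    return { ok: false, reason: 'not a WebSocket (version 13) upgrade' };
  }
  // 1. Encrypted transport: wss:// on this socket, or https at a trusted proxy in front.
  const viaTls = Boolean(req.socket && req.socket.encrypted);
  const viaProxy = TLS_TERMINATING_PROXY && h('X-Forwarded-Proto') === 'https';
  if (!viaTls && !viaProxy) return { ok: false, reason: 'plaintext ws:// refused' };
  // 2. Origin: browsers always send it; non-browser clients can set it, so this is not auth.
  if (!ALLOWED_ORIGINS.has(h('Origin'))) return { ok: false, reason: 'origin not allowed' };
  // 3. Authentication: the standard defines none, so the application supplies it (bearer token here).
  const auth = h('Authorization') || '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
  if (!token || !validateToken(token)) return { ok: false, reason: 'unauthenticated' };
  return { ok: true };
}

// Wiring into a Node https server (shown, not started): refuse before any library sees the socket.
//   server.on('upgrade', (req, socket) => {
//     const r = checkUpgrade(req, isValidToken);
//     if (!r.ok) { socket.end('HTTP/1.1 403 Forbidden\r\n\r\n'); return; }
//   });

// Constructed stand-ins for a real request and token validator.
const isValidToken = (t) => t === 'constructed-valid-token';
function constructedRequest({ headers = {}, encrypted = true } = {}) {
  return {
    socket: { encrypted },
    headers: Object.assign({
      upgrade: 'websocket',
      'sec-websocket-version': '13',
      origin: 'https://app.example.com',
      authorization: 'Bearer constructed-valid-token',
    }, headers),
  };
}
```

Passing `{ headers: { authorization: undefined } }` to `constructedRequest` drops the token, which is how the unauthenticated case is exercised.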