Websockets are secure by design, they’re web sockets and have the same security as a typical HTTPs request. The wss
protocol is the https
equivalent for WebSockets, ws
being the http
equivalent. A WebSocket connection is initialized through a typicalHTTPs request where the server does something called a “protocol upgrade” which basically means that the server and client are agreeing to “upgrade” to the WebSocket protocol (because, ofc, they’re not the same thing as HTTPs).
There is no difference in security between the two, iirc they use the same encryption schemes, and they both are very similar, after all, they work in browsers and are designed to closely mesh with HTTPs.
In fact, though I wouldn’t really necessarily agree with this, you could likely make an argument that WebSockets are technically actually more secure since you’re not establishing new connections all the time, which means doing more handshakes, and that’s technically more possibilities for MITM attacks. But, that’s pretty much the whole reason a “secure” version of the http (and ws) protocol exists in the first place (to stop MITM attacks).
It’s more likely that the reason that WebSockets are not being utilized here is simply a technical limitation on Roblox’s end. A lot of older web software doesn’t support WebSockets, because, well, WebSockets are relatively newer. If I had to guess, it would take some special engineering to introduce WebSockets onto the platform.
However, I do sort of wish that MessagingService relied on WebSockets to begin with because it’s a pretty battle tested technology and I would imagine it would make a lot of aspects of MessagingService more streamlined to implement, such as being able to subscribe with the API here too.
Roblox is probably considering or has considered WebSockets, and given that the actual API docs mention subscribing to messages as if it’s a feature of the API, it’s probably something they want to do:
The Messaging Service API is the Open Cloud equivalent to the Lua MessagingService
, which supports live servers to send and subscribe to customized message channels called topics.
On a completely unrelated note, I’ve recently seen some arguments being made for adding some sort of WebAssembly support (partially or in full) for similar reasons. (One of the prerequisites to being able to do WebAssembly stuff in Roblox performantly would be some sort of limited jumping through scopes for example, which is something still being discussed on the luau repository)
WebAssembly is inherently secure, and extremely performant (after all, it’s meant to run in your browser, and browsers are probably one of the most security-focused pieces of technology you use, and are using right now to read this ). It would make it possible to somewhat utilize endless normally native languages on Roblox the same way they are on the web, and would introduce a huge number of possibilities.
Some cool consequences of this:
- Reading/writing the RBXM format in-game (Would be awesome for tools such as Rojo)
- Using other Rust and C programs
- Making custom luau VMs in Roblox (such as for a sandboxing tool, or making modified lua environments)
- JavaScript or TypeScript running at native speeds (such as with the WIP AssemblyScript project)
- Compression algorithms such as LZ4 (or the similar and potentially even more powerful zstd) and reading archive formats like zip files for storing lots of stuff compactly.
Having WebAssembly on Roblox (even transpiled or interpreted via luau such as with the Wasynth project, but especially with native or near native speeds) might excel Roblox forward quite a lot in its power as a game engine.
Really, I strongly believe browser tech is something Roblox can utilize and benefit from immensely in a lot of cases, and at the very least, it’s a great place for them to take inspiration from in some regard considering many applications are now becoming browser based (For example, Discord is based on Chromium, it uses a “headless” Chromium called Electron)