We are happy to share with you our WebSockets proof-of-concept, which demonstrates the potential of enabling WebSockets on the IC through a dedicated gateway.
To facilitate WebSocket connections between frontends and canisters on the IC, we use a gateway. This gateway provides a standard WebSocket endpoint for frontends and handles the communication with the canister. It establishes WebSocket connections with canisters through update calls and uses polling to obtain the latest messages and deliver them to the client.
We invite you to explore the code on GitHub, available at GitHub - dfinity/ic-websocket-poc. This repository can serve as a starting point for developers interested in leveraging WebSockets on the IC. However, please note that this proof-of-concept requires further improvements to enhance security and stability (e.g. using SSL and enhancing error handling) and is not usable in production.
We encourage you to give it a try and let us know what you think!
Regarding security, what is the vision there? E.g. will the websockets support certified data, equivalent to certified queries? I.e. will a developer be able to take data, sign it as for certified queries, then post it and have it validated by the service worker? The crypto part is definitely possible to do oneself; does it make sense to include such functionality out of the box to make it easy for developers to write secure code first time?
The proof-of-concept already makes use of certification and signatures so that the gateway is trustless. Messages from the canister (together with a timestamp and a sequence number) are certified. Likewise messages from the client are signed using the key the client registered in the first update call.
The WebSocket Gateway can now be considered trustless as it cannot tamper, reorder or block the messages without being detected by both the client and the canister. We’re waiting for the vetKeys to become generally available to integrate them into our libraries and make sure the Gateway can’t even read the messages.
Nice tutorial, ping-pong is the hello world of network stack code, awesome! Imho, what matters isn’t that it’s available for multiple of languages, but instead it’s rock solid in just one language. There are definitely a couple of use cases w/o a sensitive message payload, and there are workarounds for encrypting a message payload before vetKeys goes GA. Great work @massimoalbarello & @ilbert, w(h)en production-ready ?
What specific measures are being considered to enhance the security and stability of the WebSocket connections in this proof-of-concept, particularly regarding SSL implementation and error handling improvements?
TLS/SSL is enabled on the production gateway at wss://gateway.icws.io. More in general, the IC WebSocket Gateway supports adding a TLS certificate.
If you self-host the gateway, you can use the --tls-certificate-pem-path and --tls-certificate-key-pem-path flags to configure the gateway to use your TLS certificate. Refer to the Arguments available section of the README for more details.
At the moment, the gateway is relaying the messages to the canister, mostly in a fire-and-forget way. We chose to do so in order to keep it simple and fast, and to keep the protocol as close as possible to the native WebSocket’s one.
Are you experiencing some issues with the current implementation?
I invite you to take a look at the following thread, which is the most updated and contains the changelogs of the releases that we have done in the past months:
Messages from the canister (together with a timestamp and a sequence number) are certified. Likewise messages from the client are signed using the key the client registered in the first update call.
solid in just one language. There are definitely a couple of use cases w/o a sensitive message payload, and there are workarounds for encrypting a message payload before vetKeys goes GA. Great work 
?