wouldn't you have to resort to proxies with certificate authorities forced on users in order to block websockets?