Dec 9, 2010 11:30 GMT

Mozilla and Opera developers plan to disable WebSocket support in Firefox 4 and Opera 11 because the protocol has been proven vulnerable to attacks.

The security issue was discovered by researchers Adam Barth, David Huang, Eric Chen, Eric Rescorla and Collin Jackson, and was documented in a paper released at the end of November.

The attacks are the result of transparent proxies not properly understanding the semantics of the Upgrade-based WebSocket handshakes and treating the final bytes as valid HTTP requests.

“This is a serious threat to the Internet and Websocket and not a browser specific issue. The protocol vulnerabilities also affect Java and Flash solutions,” writes Mozilla Developer Evangelist Christian Heilmann on the Mozilla Hacks blog.

“In a web environment that could for example mean that a widely used JavaScript file – like Google analytics – could be replaced on a cache you go through with a malware file,” he explains.

Heilmann reveals that because of this security problem, a decision was taken to ship the upcoming Firefox 4 Beta 8 without WebSocket support by default.

The upcoming change was also announced by Mozilla’s Director of Web Platform, Christopher Blizzard, while Anne van Kesteren from Opera Software noted that WebSocket support will only be offered as an option in Opera 11.

This is also the approach Mozilla is taking. The developer won’t completely remove WebSocket functionality from the upcoming version of its browser, but it will make it available only for people interested in testing it out via a hidden setting.

Google Chrome has supported WebSockets since version 4 and the technology is also implemented in Safari 5. However, Heilmann thinks that other browser developers will follow Mozilla's and Opera's decision to disable it until the problems are fixed.

“Mozilla is still excited about what WebSocket offers and we’re working hard with the IETF on a new WebSocket protocol,” he notes.