Monday, December 13, 2010

WebSockets disabled in Firefox 4

HTML5 will be one of the hottest topics this year (and may continue for next 2 years). One of the features is called WebSocket. WebSocket is a technology providing for bi-directional, full-duplex communications channels, over a single Transmission Control Protocol (TCP) socket. It is designed to be implemented in web browsers and web servers but it can be used by any client or server application.

Due to a desgin vulnerability in WebSocket protocol, Mozilla Foundation has disabled it in the forthcoming Firefox 4 Beta 8 release. The vulnerability, in the code for transparent proxies, can potentially be exploited to poison the proxy cache and inject manipulated pages.

A group of researchers described the problem on the IETF mailing list in November. In their POC, it could allow attackers to inject a specially crafted JavaScript for Google Analytics into the proxy's cache that will be returned to clients and executed in their browsers after every subsequent request.

In conventional connections, a client prompts a server to send data via GET or POST. WebSockets allow permanent connections between clients and servers and enable servers to independently send data to a client.

Currently, WebSocket (ver. 76) is already supported by Chrome and Safari.