WebSocket Support Disabled in Opera and Firefox Browsers
According to a WebMonkey report published on December 10, 2010, Opera and Mozilla have disabled HTML5 WebSockets support in the latest versions of their respective web browsers because a vulnerability has been found in the protocol that could be exploited in attacks.
The security researchers who discovered the vulnerability, David Huang, Adam Barth, Collin Jackson, Eric Rescorla and Eric Chen, documented the issue in a write-up published at the end of November 2010. SoftPedia reported this on December 10, 2010.
According to the claims made, the attacks are possible because transparent proxies fail to correctly understand the semantics of the WebSocket handshake, which upgrades the connection, and because they handle the bytes that follow as though they were authentic HTTP requests.
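The parsing confusion described above, as an added Python illustration that is not from the article or the researchers: a toy intermediary reads one client byte stream with and without awareness of the upgrade handshake. The hostnames, the sample bytes and the `interpret` function are constructed for this example.

```python
# Added illustration (not from the article): toy model of an intermediary
# reading the client-to-server bytes of one TCP connection.

METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}

# Constructed sample: an upgrade handshake followed by application data that
# happens to have the shape of an HTTP request for a different host.
SAMPLE_STREAM = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: ws.example.test\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n\r\n"
    b"GET /script.js HTTP/1.1\r\n"
    b"Host: static.example.test\r\n\r\n"
)


def interpret(stream: bytes, upgrade_aware: bool) -> list:
    """Return the events an intermediary derives from the byte stream.

    Each event is ("http-request", "METHOD host/path") or ("opaque", n_bytes).
    Assumption: an upgrade-aware intermediary stops HTTP parsing as soon as it
    sees the Upgrade request (a real one would also wait for the 101 response).
    """
    events, rest = [], stream
    while rest:
        head, sep, tail = rest.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if not sep or len(parts) != 3 or parts[0] not in METHODS:
            events.append(("opaque", len(rest)))  # not HTTP: pass through
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        events.append(("http-request", f"{parts[0]} {headers.get('host', '')}{parts[1]}"))
        rest = tail
        if upgrade_aware and headers.get("upgrade", "").lower() == "websocket":
            if rest:
                events.append(("opaque", len(rest)))  # tunnelled, never cached
            break
    return events


if __name__ == "__main__":
    print("upgrade-unaware:", interpret(SAMPLE_STREAM, upgrade_aware=False))
    print("upgrade-aware:  ", interpret(SAMPLE_STREAM, upgrade_aware=True))
```

The upgrade-unaware run reports two HTTP requests, the second attributed to a host the connection was never opened to, while the upgrade-aware run reports one request followed by opaque bytes.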
Christian Heilmann, Developer Evangelist at Mozilla, writes that the security problem is serious for WebSocket but is not specific to web browsers. According to him, the flaws in the protocol affect Flash and Java solutions too, and it is important that the protocol be patched to ward off a large number of untraceable malicious programs. SoftPedia reported this.
Adam Barth, meanwhile, shows that a severe attack on the protocol could corrupt caches that sit between the web browser and the Internet. This implies that an ordinary Google Analytics script could be replaced with malicious software inside a cache. WebMonkey published this.
Heilmann discloses that, owing to this security issue, Mozilla decided to release the latest Firefox version, 4 Beta 8, without WebSocket support. However, the Director of Web Platform at Mozilla announced that the WebSocket feature would not be removed entirely from the latest Firefox; rather, it would remain available, through a hidden configuration setting, only to those who want to experiment with it.
Besides, according to Heilmann, developers of other browsers will probably follow Opera's and Mozilla's decision and disable their own WebSocket support until a solution is found.
» SPAMfighter News - 21-12-2010