In association with heise online

09 December 2010, 12:43

WebSockets disabled in Firefox 4


Due to a vulnerability in the design of the WebSocket protocol, the Mozilla Foundation has decided to disable support for this protocol in the forthcoming Firefox 4 Beta 8 release. The vulnerability in the code for transparent proxies can potentially be exploited to poison the proxy cache and inject manipulated pages.

This could allow attackers to inject a specially crafted JavaScript file for Google Analytics into the proxy's cache, which would then be returned to clients and executed in their browsers on every subsequent request. A group of researchers described the problem on the IETF mailing list in November. In their document, the researchers make suggestions on how to fix the vulnerability.

The Firefox developers only plan to re-enable WebSockets once a new and improved version of the protocol has been released. However, the relevant code will remain a part of Firefox, and developers can use a hidden option to reactivate the technology for testing. The current version 76 of the protocol is already supported by Chrome and Safari. WebSockets allow permanent connections between clients and servers and enable servers to independently send data to a client. In conventional connections, a client prompts a server to send data via GET or POST.

The Opera developers have also decided to disable WebSockets for security reasons in version 11 of their browser.

(crve)

Permalink: http://h-online.com/-1150369
 

