Tuesday, October 06, 2015
Submit your own News for
inclusion in our Site.
Click here...
Breaking News
Twitter 'Moments'To Highlight Best Tweets
Hololens, New Lumia Smartphones, Band, Surface Pro 4 and Surface Book Shined At Microsoft's Windows 10 Devices Event
Sharp Showcases Ultra HD Blu-ray Recorder, 8K TV at CEATEC 2015
EU Court Says EU-US Data Transfer Pact Is Invalid
New Roku 4 Streaming Player Supports 4K Resolution
Sharp Showcases RoboHon Mobile Robot At Ceatec
Skyworks to Buy PMC-Sierra for $2 Billion in Cash
Sony Semiconductor Solutions Corporation Established
Active Discussions
How to back up a PS2 DL game
Copy a protected DVD?
roxio issues with xp pro
How to burn a backup copy of The Frozen Throne
Help make DVDInfoPro better with dvdinfomantis!!!
Copied dvd's say blank in computer only
menu making
Optiarc AD-7260S review
 Home > News > General Computing > Mozilla...
Last 7 Days News : SU MO TU WE TH FR SA All News

Friday, December 10, 2010
Mozilla and Opera Disable Web Sockets In Their Browsers Due To Vulnerabilities in the Protocol

Mozilla and Opera put their Web Socket plans on hold this week after a recently demonstrated attack against the protocol.

The Web Sockets technology, a W3C Specification, opens up a live communication link between a browser and a server. The currently available "working draft" specifications defines an API that enables Web pages to use the Web Sockets protocol for two-way communication with a remote host. The rotocol is an important part of plans to make the Web a home for more dynamic, interactive sites.

Google's Chrome 4+ has been the first to implement it in a "final RTW build" at the end of 2009, followed by Apple's Safari 5.0.2. Instead Firefox was planning to support them in the version 4beta and Opera in version 11, but they never went in production. Microsoft's IE doesn?t implement this spec in current build.

Mozilla and Opera put their Web Socket plans on hold, at least for now, after Adam Barth demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet.

"We?ve decided to disable support for WebSockets in Firefox 4, starting with beta 8 due to a protocol-level security issue. Beta 7 included support for the -76 version of the protocol, the same version that?s included with Chrome and Safari, " Christopher Blizzard, an open Source Evangelist working for the Mozilla Corporation, wrote on his blog.

"Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox, even a minor update release," he addded.

"To be clear, we?re still excited about what WebSockets offers and we?re working hard with the IETF on a new WebSocket protocol."

Anne van Kesteren of Opera Software also announced Opera's response to the report.

"Adam Barth reported on vulnerabilities with the current WebSocket protocol handshake. Reportedly you can poison the cache of transparant/intercepting proxies affecting all users of that proxy. So rather than e.g. http://www.google-analytics.com/ga.js you would get a JavaScript file from an attacker. This attack affects Flash and Java as well, but we have higher standards for browsers. This means that until the new WebSocket protocol handshake is sorted out by the IETF it will be behind a preference in Opera," she wrote at her blog.

Apple also appears to be concerned too, while Microsoft was more cautious about Web Sockets support even before the security problem arose.

"Rushing the implementation of a specific feature and call it "done deal" is dangerous and in some circumstance can bring to unpleasant results," Sardo said.

However Google, who will natively support the Web Spckets protocol in the Chrome browser, sees things differently. Web Sockets editor Ian Fette said in a statement to CNET:

"We are not hiding it behind a flag at the current point in time. We released the details of the research to help guide the working group towards what we believe will be a more secure version of the Web Sockets protocol, and are hoping that the group will reach consensus in the next few weeks. We already have detailed a proposal for a more secure version, and are addressing various concerns that have been raised by others in the standards community.

"It's important to note that the research paper Adam Barth published does not demonstrate a working attack against the actual Web Socket implementation, but rather against one part [of] the protocol taken in isolation. There are other parts of the protocol that would make an actual attack more complicated in practice. We believe there will be consensus on a new version of the protocol, and implementation in Chrome of that new version, before someone is able to actually demonstrate an attack against the full Web Socket protocol as currently shipping in Chrome."

Kaleidescape Introduces First Blu-ray Movie Server        All News        WikiLeaks Employee To Launch Rival Website OpenLeaks
Hardware Failure Hit Amazon Websites     General Computing News      WikiLeaks Employee To Launch Rival Website OpenLeaks

Get RSS feed Easy Print E-Mail this Message

Related News
MediaTek Invests In Ecosystem To Drive IoT Strategy
Mozilla Gets $3.2 million To Advance Gigabit Cities
Report Reveals the Web's Shadiest Neighborhoods
IBM and ARM Collaborate to Accelerate Delivery of Internet of Things
Samsung IoT Device Will Take Care Of Your Sleep
Mozilla Webmaker Lets You Build Web Content
Mozilla Tests New Private Browsing and Add-ons Features
Samsung Opens IoT Development Platform
Acer Focuses On Enerprise IoT With New Platform
Toshiba Partners with Microsoft to Deliver New Internet of Things Solutions
Atmel Showcases System Solution for Wearables at Computex 2015
ARM Announces New Cortex-M Design For IoT Chips

Most Popular News
Home | News | All News | Reviews | Articles | Guides | Download | Expert Area | Forum | Site Info
Site best viewed at 1024x768+ - CDRINFO.COM 1998-2015 - All rights reserved -
Privacy policy - Contact Us .