Security Flaws Force Firefox, Opera to Turn Off WebSockets
Firefox and Opera have both disabled support for HTML5 WebSockets in the latest builds of their respective browsers. The move comes on the heels of a protocol vulnerability in the current WebSockets draft: a malicious page can use the WebSockets handshake to poison the cache of a transparent proxy that does not understand the protocol, so that other users behind that proxy are served attacker-supplied code for URLs on unrelated sites. Thousands of sites could thus appear to harbor malicious code without any of them having been compromised.
Unfortunately, the flaw lies in the protocol itself rather than in any one browser’s implementation, which makes the current spec easy to exploit.
As Mozilla’s Hacks Blog notes, the exploit doesn’t just affect browsers implementing WebSockets; the Flash and Java plug-ins, which give pages similar access to raw sockets, are exposed to the same attack. As the blog post says, “to avoid a lot of malware showing up without being easily traceable, we need to fix the protocol.”
Details of the exploit can be found in Adam Barth’s paper [PDF link] and in a series of messages to the Internet Engineering Task Force mailing list. Fortunately there appears to be a solution, but it will require rewriting part of the WebSockets spec.
However, until that solution is implemented, both Mozilla and Opera have disabled support for WebSockets. Mozilla expects other browsers to follow suit, though so far Opera is the only other browser to disable support. WebSocket support isn’t just a feature in desktop browsers, either: the recent Mobile Safari upgrade in iOS 4.2 added support for WebSockets.
So far neither Adobe, which makes the Flash Player plug-in, nor Oracle, which oversees Java, has addressed the issue.
If you’ve been experimenting with WebSockets, be aware that as of Firefox 4 Beta 8 (due in the next few days), Mozilla will no longer support your code. Neither will Opera 11. We really don’t expect this to be a long-term issue, so if you want to continue testing apps based on the nascent protocol, you can re-enable the feature by changing a hidden preference: in Firefox, set network.websocket.override-security-block to true in about:config; Opera has a corresponding setting in opera:config. Do this only in a profile you use for development, since it restores exactly the behavior the browsers disabled: a browser with WebSockets re-enabled that visits a hostile page from behind a vulnerable proxy can be used to mount the attack.
Photo by Andy Butkaj/Flickr/CC