
Security Flaws Force Firefox, Opera to Turn Off WebSockets

Firefox and Opera have both disabled support for HTML5 WebSockets in the latest builds of their respective browsers. The move comes on the heels of a protocol vulnerability that could leave thousands of sites harboring malicious code.

New in HTML5, the WebSocket protocol enables a key mechanism found in modern web apps, allowing servers to push data to a client browser independently, without page refreshes or complex JavaScript polling. The most immediate use for WebSockets is apps that rely on full-duplex communication channels, like web-based chat tools and other real-time sharing apps.

Unfortunately, flaws in the WebSockets protocol also make the current spec easy to exploit.

The vulnerability was discovered by Adam Barth, who has demonstrated that a serious attack against the protocol could poison caches that sit between the browser and the internet. That means, for example, that a common JavaScript file like a Google Analytics script could be replaced in a cache with a malware file, and every browser behind that cache would then receive it.

As Mozilla’s Hacks Blog notes, the exploit doesn’t just affect browsers implementing WebSockets, but also Flash and Java. As the blog post says, “to avoid a lot of malware showing up without being easily traceable, we need to fix the protocol.”

Details of the exploit can be found in Barth’s paper [PDF link] and a series of messages to the Internet Engineering Task Force mailing list. Fortunately there appears to be a solution, but it will require rewriting some of the WebSockets spec.
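The spec rewrite the article anticipates ended up as mandatory masking of client-to-server frames in the final WebSocket standard (RFC 6455). This added example, not code from the article or from any browser or paper it cites, builds and parses such a frame: every payload byte is XORed with a fresh 32-bit random mask, so attacker-chosen bytes never reach the wire verbatim and cannot be mistaken by a WebSocket-unaware cache for an HTTP request. The example mask value is the one used in RFC 6455's own worked example; the server-side check that rejects unmasked client frames is also required by that RFC.

```python
import os
import struct

OPCODE_TEXT = 0x1


def mask_payload(payload: bytes, mask: bytes) -> bytes:
    """XOR each payload byte with the 4-byte mask, cycling through it.
    XOR is its own inverse, so the server calls this again to unmask."""
    if len(mask) != 4:
        raise ValueError("mask must be exactly 4 bytes")
    return bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, mask: bytes = b"") -> bytes:
    """Build one masked text frame as a client must send it (FIN=1, MASK=1).
    A fresh random mask is drawn per frame unless one is supplied (tests)."""
    if not mask:
        mask = os.urandom(4)
    header = bytes([0x80 | OPCODE_TEXT])  # FIN bit + text opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])  # MASK bit + 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + mask + mask_payload(payload, mask)


def parse_client_frame(frame: bytes) -> bytes:
    """Server side: refuse any client frame without the MASK bit
    (a protocol error under RFC 6455), otherwise unmask and return the payload."""
    second = frame[1]
    if not second & 0x80:
        raise ValueError("client frame without MASK bit (protocol error)")
    n, pos = second & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    mask = frame[pos:pos + 4]
    data = frame[pos + 4:pos + 4 + n]
    if len(data) != n:
        raise ValueError("truncated frame")
    return mask_payload(data, mask)
```

With a fixed mask the wire bytes are reproducible; with the per-frame random mask the same payload looks different on every send, which is exactly what keeps an intermediary cache from being steered by it.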

However, until that solution is implemented, both Mozilla and Opera have disabled support for WebSockets. Mozilla expects other browsers to follow suit, though so far Opera is the only other browser to disable support. WebSocket support isn’t just a feature in desktop browsers either: the recent Mobile Safari upgrade in iOS 4.2 added support for WebSockets.

So far neither Adobe, which makes the Flash Player plug-in, nor Oracle, which oversees Java, has addressed the issue.

If you’ve been experimenting with WebSockets, be aware that as of Firefox 4 Beta 8 (due in the next few days), Mozilla will no longer support your code. Neither will Opera 11. We really don’t expect this to be a long-term issue, so if you want to continue testing apps based on the nascent protocol, you can re-enable the feature by changing a hidden preference in Firefox and Opera.

Photo by Andy Butkaj/Flickr/CC
