Due to security vulnerabilities in the WebSocket protocol, Mozilla and Opera Software have decided to disable support for it in Firefox 4 and Opera 11.
Often associated with HTML5, even though it is covered by separate specifications, WebSocket technology allows full-duplex communication between a script in a web page and a server. WebSocket communication between browsers and web servers opens the door to new real-time applications.
WebSocket implementations are found in Google Chrome (since version 4) and Safari 5, including its mobile version on iOS, as well as in Firefox 4 and Opera 11, which are both under development. Mozilla and Opera Software, however, recently decided to disable this support in their respective browsers.
This choice is motivated by the discovery of security vulnerabilities affecting the WebSocket protocol, more specifically in the handshake, which is performed as an exchange of an HTTP request and an HTTP response. Security researchers have demonstrated attacks against the protocol that are described as serious.
Using a cache-poisoning technique between the browser and the Internet, for example, an attacker can inject a malicious file in place of a JavaScript file such as the Google Analytics script. Mozilla considers this a serious threat to the Internet and to WebSocket, and makes it clear that it is not a browser-specific problem.
Pending a version of the protocol that is considered stable and secure, WebSocket support is no longer on the agenda for Firefox 4 and Opera 11. As things stand, WebSocket-based solutions will not work when the final versions of these browsers are released. The code remains in place to facilitate development, but enabling it requires the developer to turn on a hidden preference in the browser.
Note that the attack also affects Java or Flash implementations of WebSocket. For the moment, apart from Mozilla and Opera Software, no other vendor has announced an intention to disable WebSocket support. An Apple developer has suggested that the issue is under discussion.