Web sockets are temporarily canceled

    Exactly a year ago, on December 9, 2009, Google Chrome developers excited the public by announcing the introduction of web socket support in future versions of Chrome. For what Web Sockets are and what they offer, see the almost year-old post on Habr.

    Web sockets are really delicious.

    From the point of view of web standards, Web Sockets is a separate specification, taken out of the HTML5 specification in the spring of 2009 for further development within the WebApps WG working group. The document is currently in the Working Draft state.

    An interesting feature of web sockets is that they are not just a browser API: the mechanism is tied to a corresponding protocol, the WebSocket Protocol, developed within the IETF, and requires matching support on the server. The current draft revision is 03 (October 17); before that there were 76 more revisions. There was an unpleasant story with the latter at the beginning of summer, when the new revision turned out to be incompatible with the old.

    Support for web sockets was announced in Chrome and Safari, and, as I understand it, it should have been available in preliminary versions of Opera 10.70-11 and Firefox 4b. (OK, it’s obvious that IE9 is not on this list. In fairness, though, its developers have repeatedly stated that they primarily implement stable, well-established things that will not lead to backward incompatibilities a few months later.)

    The protocol, as well as the standard, is still being finalized. It’s actually good that it was taken out of HTML5, since it allows you to separately work out and stabilize independent pieces, and not mix up the markup and API for JavaScript web applications.

    What happened?


    In late November, Adam Barth published the results of a study of the reliability of the protocol used. It turned out that the protocol itself is subject to serious vulnerabilities:

    The Upgrade-based handshake is vulnerable to attack in network configurations involving transparent (or intercepting) proxies.

    We found that for a $100, we were able to poison the cache of 8 users by using the Upgrade-based handshake. When the attacker is able to poison the proxy's cache in this way, the attacker can exploit /every/ user of the cache, with potentially dangerous consequences. For example, the attacker can poison the proxy's cache entry for http://www.google-analytics.com/ga.js and inject JavaScript into approximately 57% of the top 10,000 web sites.




    (In plain terms: when transparent (ordinary) proxies are in use, it is possible to poison the proxy's cache so that users receive the attacker's version of the data instead of the real data.)

    For more details see http://www.adambarth.com/experimental/websocket.pdf

    Obviously, the protocol will be reworked, and there is currently quite a heated discussion on the mailing list.

    The discovered problem turned out to be serious enough for the developers of Firefox and Opera to announce that support for web sockets will be disabled in upcoming versions of their browsers until the problem is fixed. In Firefox, support will be disabled starting with version FF4b8. For Opera's comment, see here.

    What does this mean for developers?


    For now, until the problems with the protocol are resolved, this means backward incompatibility in new browser versions. That is, once the browser updates are released, current WebSocket solutions will simply stop working. The catch is that although the standard under development and the corresponding protocol exist only as drafts, browser implementations and support are not marked as experimental and likely to change, and at the same time are being actively promoted.

    However, I would like to hope that if you used web sockets, you checked for feature support and had a fallback branch for the case where the window.WebSocket property is missing.
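
    An added example (not code from the original post) of the feature check and fallback branch described above, extended to two further cases: a constructor that throws, and a socket that closes before it ever opens, as happens when browser and server speak incompatible draft revisions. The `win` parameter stands in for `window`, and `startPolling` is a hypothetical application-supplied fallback.

```javascript
// Added example, not code from the original post.
// `win` stands for the browser's window object; it is a parameter so the
// logic can be exercised outside a browser. `startPolling` is a hypothetical
// application-supplied fallback (for example long polling over plain HTTP).
function connect(win, url, onMessage, startPolling) {
  const state = { kind: null, reason: null, channel: null };

  function fallBack(reason) {
    state.kind = 'polling';
    state.reason = reason;
    state.channel = startPolling(url, onMessage);
    return state;
  }

  // Branch 1: the property is missing (old browser, or support switched off).
  if (typeof win.WebSocket !== 'function') {
    return fallBack('window.WebSocket is missing');
  }

  let socket;
  try {
    socket = new win.WebSocket(url);
  } catch (err) {
    // Branch 2: the constructor exists but refuses to create a connection.
    return fallBack('constructor threw: ' + err.message);
  }

  let opened = false;
  socket.onopen = function () { opened = true; };
  socket.onmessage = function (event) { onMessage(event.data); };
  socket.onclose = function () {
    // Branch 3: closed before ever opening, e.g. browser and server speak
    // incompatible draft revisions of the protocol.
    if (!opened) fallBack('handshake failed');
  };

  state.kind = 'websocket';
  state.channel = socket;
  return state;
}
```

    In a page this would be called as `connect(window, url, handler, startPolling)`; the returned object's `kind` tells the rest of the application which channel is live.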

    It is important to emphasize that this is a problem not with the browsers but with the protocol used. And, by the way, the vulnerabilities in it also affect Java and Flash, so we are waiting for a reaction from Oracle and Adobe.

    P.S. On the topic of the day: a short video based on quotes from the Google and Firefox blogs.
