Officials at Mozilla have decided to disable support for Web Sockets in future versions of Firefox because of concerns over the security of the the current version of the protocol.The group said that demonstrations of serious attacks against WebSockets have spurred the move.
Mozilla said that they plan to keep the WebSockets code in the Firefox 4 development tree, which is in beta right now, so that they have the ability to enable it again if the security concerns are cleared up in the future.
“We’ve decided to disable support for WebSockets in Firefox 4,
starting with beta 8 due to a protocol-level security issue. Beta 7
included support for the -76 version of the protocol, the same version
that’s included with Chrome and Safari,” Mozilla’s Christopher Blizzard wrote in a blog post explaining the decision. “Adam Barth recently demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet. Once we have a version of the protocol that we feel is secure and
stable, we will include it in a release of Firefox, even a minor update
release. The code will remain in the tree to facilitate development,
but will only be activated when a developer sets a hidden preference in
Firefox.”
WebSockets is a technology that’s used for two-way communications over TCP in some situations. The Internet Engineering Task Force is considering it as a standard and a group of researchers recently did an experiment in which they were able to execute a cache-poisoning attack against a number of users by using a rich-media Web ad. The researchers, who include Eric Rescorla and Adam Barth, suggested that the IETF not use the Upgrade handshake in WebSockets and instead use the alternate Connect handshake.
“To demonstrate that these attacks work in practice and to estimate how many users are vulnerable to attack, we ran an experiment on the Internet using a rich-media advertisement. We found that for a $100, we were able to poison the cache of 8 users by using the Upgrade-based handshake. When the attacker is able to poison the proxy’s cache in this way, the attacker can exploit /every/ user of the cache, with potentially dangerous consequences. For example, the attacker can poison the proxy’s cache entry for http://www.google-analytics.com/ga.js and inject JavaScript into approximately 57% of the top 10,000 web sites,” Barth wrote in an email to an IETF mailing list. “Empirically speaking, the CONNECT-based handshake avoids the real-world attacks we have demonstrated against
Upgrade-based handshakes, requires no more round trips, success approximately as often, and complies with HTTP.”
Firefox 4 is not the only browser that supported WebSockets. Chrome 4 and Safari 5 also support the technology.