Officials at Mozilla have decided to disable support for WebSockets in future versions of Firefox because of concerns over the security of the current version of the protocol. The group said that demonstrations of serious attacks against WebSockets have spurred the move.
Mozilla said that they plan to keep the WebSockets code in the Firefox 4 development tree, which is in beta right now, so that they have the ability to enable it again if the security concerns are cleared up in the future.
“We’ve decided to disable support for WebSockets in Firefox 4, starting with beta 8 due to a protocol-level security issue. Beta 7 included support for the -76 version of the protocol, the same version that’s included with Chrome and Safari,” Mozilla’s Christopher Blizzard wrote in a blog post explaining the decision. “Adam Barth recently demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet. Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox, even a minor update release. The code will remain in the tree to facilitate development, but will only be activated when a developer sets a hidden preference in
WebSockets is a technology that’s used for two-way communications over TCP in some situations. The Internet Engineering Task Force is considering it as a standard. A group of researchers recently ran an experiment in which they were able to execute a cache-poisoning attack against a number of users by using a rich-media Web ad. The researchers, who include Eric Rescorla and Adam Barth, suggested that the IETF not use the Upgrade handshake in WebSockets and instead use the alternate Connect handshake.
Upgrade-based handshakes, requires no more round trips, succeeds approximately as often, and complies with HTTP.”
Firefox 4 is not the only browser that supported WebSockets. Chrome 4 and Safari 5 also support the technology.