tisdag 7 december 2010

WebSockets får stryk, stängs av i FF och Safari?

Det har uppstått problem med HTML5 WebSockets vilket har fått Mozilla och Apple att droppa det tills vidare, åtminstone i default-inställningarna för Firefox och Safari.

Mozilla: "Combining the impact of the risk with the fact that the protocol is going to evolve and invalidate any shipped implementation anyhow, we intend to disable by default our Websockets implementation for Firefox 4.0 via a new configuration item."
http://www.ietf.org/mail-archive/web/hybi/current/msg04986.html

Apple: "Given the security issues identified by the paper from Adam and company, we would even consider disabling WebSocket entirely in future releases until there is a more robust handshake."
http://www.ietf.org/mail-archive/web/hybi/current/msg04782.html

Problemen beskrivs i artikeln "Transparent Proxies: Threat or Menace?"
Sammanfattning: Browsers limit how web sites can access the network. Historically, the web platform has limited web sites to HTTP, but HTTP is inefficient for a number of applications—including chat and multiplayer games—for which raw socket access is more appropriate. Java, Flash Player, and HTML5 provide socket APIs to web sites, but we discover and experimentally verify attacks that exploit the interaction between these APIs and transparent proxies. Our attacks poison the proxy’s cache, causing all clients of the proxy to receive malicious content supplied by the attacker. We then propose a revised version of the HTML5 WebSocket handshake that resists these (and other) attacks.
http://www.adambarth.com/experimental/websocket.pdf

Inga kommentarer: