Firefox 4 and Opera Dropping Websockets

By | December 9, 2010


Firefox 4 and Opera Dropping WebsocketsFrom useful to dangerous.

It looks like Websockets aren’t so great after all (at least in the short term). According to Mozilla and Opera posts, both companies will be disabling support for such technology until serious security flaws are fixed.

Mozilla said that Firefox 4 Beta 8 will be the very first release to do so, while Opera has not yet commented on version specifics.

Recently, Adam Barth has shared a security study findings that raised a red flag for the current state of Websockets protocol.

Here’s an excerpt from the .pdf file

For example, the attacker can poison the proxy’s cache entry for http://www.google-analytics.com/ga.js and inject JavaScript into approximately 57% of the top 10,000 web sites.

However, Mozilla is already working with IETF on a new protocol, so it’s just a matter of time before everything is fixed.


About (Author Profile)


Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.

Comments (8)

Trackback URL | Comments RSS Feed

  1. RamaSubbu SK says:
    December 9, 2010 at 2:54 am

    Very good!!

  2. nobody says:
    December 9, 2010 at 3:08 am

    it is a bad news.. websockets are GREAT way to ease pressure on sites like facebook/tweeter or gmail/gmaps (and in return – on entire network as these eat resoures like crazy)

    overhead on creating/removing connections is so great with current http, that websockets are simply needed.

    too bad that somebody f.. up the specs :(

    • everybody says:
      December 9, 2010 at 3:33 am

      “websockets are GREAT way to ease pressure on sites like facebook/tweeter or gmail/gmaps”

      Isn’t it quite opposite?

      • nobody says:
        December 9, 2010 at 3:51 am

        nope. it keeps connection persistent on both sides, and thus there is no need for re-negotiating it each and every time a page/user wants to send something.

        install yourself firebug or any other dev tool that can show you ENTIRE http request and see how much of it is information itself and how much is tech info on connection specs, cookies, etags etc. websockets completely eliminate this overhead and because pages really need (mostly) one connection per user, there is little risk to oversaturate server backend.

        it is on server side to keep the risk low, because doubling persistent connection count is MUCH worse for server side, than for user so risk of slowing down and slopy coding is rather low (stupid coding mistakes will crash serverside instantly)

  3. Somebody says:
    December 9, 2010 at 5:28 am

    Opera have said that they will disable it by default and hide it behind a preference so they are not actually dropping it completely.

  4. everybody says:
    December 10, 2010 at 4:48 am

    Already disabled in latest Opera snapshot:
    http://my.opera.com/desktopteam/blog/2010/12/10/friday-morning-improvements

  5. Andylee says:
    December 10, 2010 at 5:46 pm

    and as it seems, there will be opera 11 before Firefox 4 … oh what the heck are they doing at mozilla headquarters?

«
»