Firefox 4 and Opera Dropping Websockets
From useful to dangerous.
It looks like Websockets aren’t so great after all (at least in the short term). According to posts from Mozilla and Opera, both companies will disable support for the technology until serious security flaws are fixed.
Mozilla said that Firefox 4 Beta 8 will be the very first release to do so, while Opera has not yet commented on version specifics.
Recently, Adam Barth shared the findings of a security study that raised a red flag about the current state of the Websockets protocol.
Here’s an excerpt from the .pdf file:
For example, the attacker can poison the proxy’s cache entry for http://www.google-analytics.com/ga.js and inject JavaScript into approximately 57% of the top 10,000 web sites.
However, Mozilla is already working with IETF on a new protocol, so it’s just a matter of time before everything is fixed.
About (Author Profile)
Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westwood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.
Very good!!
it is bad news.. websockets are a GREAT way to ease pressure on sites like facebook/twitter or gmail/gmaps (and in return – on the entire network, as these eat resources like crazy)
overhead on creating/removing connections is so great with current http, that websockets are simply needed.
too bad that somebody f.. up the specs :(
“websockets are a GREAT way to ease pressure on sites like facebook/twitter or gmail/gmaps”
Isn’t it quite the opposite?
nope. it keeps connection persistent on both sides, and thus there is no need for re-negotiating it each and every time a page/user wants to send something.
install firebug or any other dev tool that can show you the ENTIRE http request and see how much of it is the information itself and how much is tech info on connection specs, cookies, etags etc. websockets completely eliminate this overhead, and because pages really need (mostly) one connection per user, there is little risk of oversaturating the server backend.
it is on the server side to keep the risk low, because doubling the persistent connection count is MUCH worse for the server side than for the user, so the risk of slowing down and sloppy coding is rather low (stupid coding mistakes will crash the server side instantly)
Opera have said that they will disable it by default and hide it behind a preference so they are not actually dropping it completely.
Firefox is doing the same thing it seems.
Already disabled in latest Opera snapshot:
http://my.opera.com/desktopteam/blog/2010/12/10/friday-morning-improvements
and as it seems, there will be opera 11 before Firefox 4 … oh what the heck are they doing at mozilla headquarters?