The HTML5 concept has been alternately hailed as the wave of the future and dismissed as a tool whose use is limited at best in the short term. Many saw WebSockets, an API that allows two-way communication, as a great way to improve TCP connectivity. But as is so often the case with new and powerful tools, there’s a potential here for misuse that’s leaving a lot of security professionals nervous, as expressed by Qualys engineers Sergey Shekyan and Vaagn Toukharian during last week’s Black Hat conference in Las Vegas.
The issue with WebSockets, according to Shekyan and Toukharian, is one of user capacity. If WebSockets isn’t implemented correctly (specifically, if the server isn’t configured to hold off on opening a new connection until the previous connection is accepted), the use of WebSockets could lead to Denial of Service (DoS) attacks that use systems’ own tools against them.
Further, Toukharian addressed the concept of WebSockets itself, saying that it didn’t "make sense to use in applications that don’t need bi-directional communications or a fast response time", and that the way certain websites use WebSockets may well be putting them at greater risk. Some parts of WebKit–the power behind popular browsers Chrome and Safari–pose a particular risk as WebKit doesn’t implement the specification that only one WebSocket should be connected at a time. It stands to reason that, should WebKit be updated to include that, much of the risk would be removed.
Worse, neither IDS nor firewall technology, according to Toukharian, can see just what is being delivered via WebSocket, so the chances of it being used as a delivery vector for malware are substantial. When he addressed this point with firewall vendors, he was told that WebSockets weren’t considered a major attack vector, so making the update was unnecessary.
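A known obstacle to inspecting this traffic is that RFC 6455 masks every client-to-server payload with a per-frame 4-byte XOR key, so a signature matched against the raw bytes does not see the content. The following is an added example, not code from the talk or the original article: it decodes frames so that inspection can run on the unmasked payload. The function names and the sample frames are constructed for illustration.

```python
import struct

def parse_frame(buf):
    """Decode one RFC 6455 frame; return (frame, bytes_used) or (None, 0) if incomplete."""
    if len(buf) < 2:
        return None, 0
    masked, length, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if length in (126, 127):                 # extended 16-bit or 64-bit length
        fmt, size = ("!H", 2) if length == 126 else ("!Q", 8)
        if len(buf) < pos + size:
            return None, 0
        (length,) = struct.unpack_from(fmt, buf, pos)
        pos += size
    key = b""
    if masked:                               # 4-byte masking key follows the length
        if len(buf) < pos + 4:
            return None, 0
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        return None, 0
    payload = buf[pos:pos + length]
    if masked:                               # payload[i] XOR key[i % 4]
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    frame = {"fin": bool(buf[0] & 0x80), "opcode": buf[0] & 0x0F,
             "masked": masked, "payload": payload}
    return frame, pos + length

def scan(stream, needle):
    """True if needle occurs in any decoded frame payload of a captured byte stream.
    Simplification: a needle split across fragmented frames is not reassembled."""
    while stream:
        frame, used = parse_frame(stream)
        if frame is None:
            break
        if needle in frame["payload"]:
            return True
        stream = stream[used:]
    return False

def mask_frame(payload, key, opcode=0x1):
    """Build a constructed masked text frame (sample-data helper, payload < 126 bytes)."""
    body = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return bytes([0x80 | opcode, 0x80 | len(payload)]) + key + body

# Constructed sample: two client-to-server frames with different masking keys.
NEEDLE = b"constructed-marker"
SAMPLE = (mask_frame(b"hello", b"\x11\x22\x33\x44")
          + mask_frame(b"xx constructed-marker xx", b"\x37\xfa\x21\x3d"))

if __name__ == "__main__":
    print("raw bytes match:", NEEDLE in SAMPLE)        # signature on raw bytes
    print("decoded match:  ", scan(SAMPLE, NEEDLE))    # signature after unmasking
```

Because each frame carries its own key, the same payload produces different bytes on the wire every time, which is why the decode step has to come before any pattern matching.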
While it’s easy to say that the WebSockets technology is sufficiently new that its overall security risk is minimal, any security risk is a risk that should likely be addressed, and quickly. Keeping security holes like these patched is the best way to ensure a long-lived computer system with minimal problems, and given how many people around the world depend on their hardware in one way or another, its protection should be top-of-mind for all of them. Referring to WebSockets as not a "major attack vector" is one thing–it likely isn’t–but should that matter? If there’s a leak in the boat, you don’t just say that it’s not big enough to worry about; you fix it before it gets bigger.
A little advance vigilance will likely save a lot of headaches later, and as such–much as Toukharian said himself–hopefully firewall and IPS vendors will make the necessary changes and help protect systems from the potential problems posed by WebSockets.
Edited by Rachel Ramsey