[ale] Web Socket Implementations

James Sumners james.sumners at gmail.com
Mon Mar 18 22:16:10 EDT 2013


On Mon, Mar 18, 2013 at 9:38 PM, Alex Carver <agcarver+ale at acarver.net> wrote:

> So when does the betting start on the timing of the first exploit of
> websockets that vacuums data of a user's hard drive and sends it to some
> remote location unknown whether by a black hat or by a sneaky company
> (Google, Facebook, etc.)?

A socket can only access the resources allowed by the browser:

   "The WebSocket Protocol enables two-way communication between a client
   running untrusted code in a controlled environment to a remote host
   that has opted-in to communications from that code.  The security
   model used for this is the origin-based security model commonly used
   by web browsers.  The protocol consists of an opening handshake
   followed by basic message framing, layered over TCP.  The goal of
   this technology is to provide a mechanism for browser-based
   applications that need two-way communication with servers that does
   not rely on opening multiple HTTP connections (e.g., using
   XMLHttpRequest or <iframe>s and long polling)." --
http://datatracker.ietf.org/doc/rfc6455/?include_text=1

http://www.websocket.org/aboutwebsocket.html


-- 
James Sumners
http://james.roomfullofmirrors.com/

"All governments suffer a recurring problem: Power attracts
pathological personalities. It is not that power corrupts but that it
is magnetic to the corruptible. Such people have a tendency to become
drunk on violence, a condition to which they are quickly addicted."

Missionaria Protectiva, Text QIV (decto)
CH:D 59
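The "opted-in" origin-based model the RFC abstract describes, as an added example (not code from the original post or from the RFC): a minimal server-side view of the opening handshake in Python that computes Sec-WebSocket-Accept and refuses any Origin the server has not opted in to. The allow-list and the sample request are constructed for the example; the key is the one from the RFC's own handshake illustration.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3 (a published protocol constant, not a secret).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Hypothetical allow-list of origins this server opts in to (constructed for the example).
ALLOWED_ORIGINS = {"https://app.example.com"}

def accept_value(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept per RFC 6455: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_headers(raw: str) -> tuple:
    """Split an opening handshake into (method, lower-cased header map)."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def handshake_response(raw_request: str) -> str:
    """Server side of the handshake: refuse any Origin the server has not opted in to."""
    method, h = parse_headers(raw_request)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # The origin-based model: browsers always send Origin; the server decides per origin.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    key = h.get("sec-websocket-key")
    if not key or h.get("sec-websocket-version") != "13":
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_value(key)}\r\n\r\n")

# Constructed sample request; the key is the one used in the RFC's own example.
SAMPLE_REQUEST = ("GET /chat HTTP/1.1\r\nHost: server.example.com\r\n"
                  "Upgrade: websocket\r\nConnection: Upgrade\r\n"
                  "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  "Origin: https://app.example.com\r\n"
                  "Sec-WebSocket-Version: 13\r\n\r\n")
```

A browser page on a different origin gets a 403 before any framing begins, which is the opt-in the abstract refers to; a non-browser client can of course send any Origin it likes, so this check bounds what other web pages can do, not what arbitrary software can do.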

