[ale] Web Socket Implementations
James Sumners
james.sumners at gmail.com
Mon Mar 18 22:16:10 EDT 2013
On Mon, Mar 18, 2013 at 9:38 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
> So when does the betting start on the timing of the first exploit of
> websockets that vacuums data of a user's hard drive and sends it to some
> remote location unknown whether by a black hat or by a sneaky company
> (Google, Facebook, etc.)?
A socket can only access the resources allowed by the browser:
"The WebSocket Protocol enables two-way communication between a client
running untrusted code in a controlled environment to a remote host
that has opted-in to communications from that code. The security
model used for this is the origin-based security model commonly used
by web browsers. The protocol consists of an opening handshake
followed by basic message framing, layered over TCP. The goal of
this technology is to provide a mechanism for browser-based
applications that need two-way communication with servers that does
not rely on opening multiple HTTP connections (e.g., using
XMLHttpRequest or <iframe>s and long polling)." --
http://datatracker.ietf.org/doc/rfc6455/?include_text=1
http://www.websocket.org/aboutwebsocket.html
--
James Sumners
http://james.roomfullofmirrors.com/
"All governments suffer a recurring problem: Power attracts
pathological personalities. It is not that power corrupts but that it
is magnetic to the corruptible. Such people have a tendency to become
drunk on violence, a condition to which they are quickly addicted."
Missionaria Protectiva, Text QIV (decto)
CH:D 59