

Good resources for learning HTML5 Websockets - krat0sprakhar
http://stackoverflow.com/questions/4262543/what-are-good-resources-for-learning-html-5-websockets

======
Tichy
Wasn't there some fundamental design flaw (security problem) with Websockets?
Not sure if it is a good idea to invest time into learning them.

Edit: thanks for the downvote. Here is a link:
<https://bugzilla.mozilla.org/show_bug.cgi?id=616733> (Mozilla disables
Websockets in Firefox 4 due to design flaw)

~~~
asymptotic
I'm sorry you were downvoted. However, at the end of the bug information
there's a link to Mozilla's official documentation on WebSockets:

<https://developer.mozilla.org/en/WebSockets>

There is a large, clear warning at the top:

"Warning: Among other things, a key reason WebSockets is currently disabled by
default is the discovery of a security issue in the protocol's design. Using
WebSockets in a production environment is not recommended at this time."

Mozilla's warning is based on the research report by Google into the WebSocket
protocol. Here is the thread that started this off:

<http://www.ietf.org/mail-archive/web/hybi/current/msg04744.html>

"The Upgrade-based handshake is vulnerable to attack in network configurations
involving transparent (or intercepting) proxies. The core issue is that some
number of transparent proxies do not understand the HTTP Upgrade mechanism and
therefore don't understand that the remaining bytes sent by the attacker on
the socket are not HTTP."

Thank you for pointing this out!

