The Return of the TCP Sockets

published: October 7th, 2008

Here is a common problem. You have to write an web-based email, im, ssh, xmmp, SMB, etc. client which must connect to a server other then the originating one. What do you do then? Hint: You cannot use Java!

Well, due to the fact the the browser has no idea how to spawn a tcp socket, you are stuck in the proxy-land. Typically you will write an application that will do a lot of transcoding and state management. You need to come up with your own messaging protocol to speak to the backend, and the backend needs to be programmed to respond back in the same way. As you can guess, this is a difficult problem which requires a lot of work.

Lucky for developers, there’s a way to quickly employ the power of tcp sockets without the need to deal with all the complexity. There are a few projects that already do that but the most interesting one is js.io, a JavaScript Network Library.

I am not planning to get into any details of how the technology works. It is based on push-back AJAX and you if you want to learn more just Google it.

Anyway, undoubtedly this is a very exciting, new technology. And like any other new technology it will be full of bugs and it will take some time to understand it completely. However, due to its sexiness, I can see how it may soon become part of the standard AJAX stack of technologies.

Perhaps you can already see the problem. Perhaps you can even think how this can be exploited. Perhaps you are thinking right now that Wireshark does not have TCP over AJAX over TCP dissector. Well, at least this is what I am thinking. But no matter what you and I think soon we may have to rediscover all TCP vulnerabilities of the past.

» more | » comments rss | posted by pdp | syndication and integration ( )

Comments

Michael Carter responds:

Check out http://cometdaily.com/2008/07/.....e-browser/ for more information about this technology and the security implications.

Respond

In order to preserve the high standards of GNUCITIZEN, before you post a comment, please take note of the following guidelines:

Commenting is provided as a courtesy only.
Please be brief and relevant to the post.
Please be polite even in disagreement with us or others.
Support claims you wish to make using sources and links.
No personal attacks, name calling, or commercial commenting.
Anyone creating false or multiple identities will be banned.
If you don't have a cogent argument, you will be censored.
If you are purposefully deceptive, you will be censored.
No spamming or flooding.

We appreciate your time and effort in contributing to GNUCITIZEN.

name: (required)

mail: (required)

website:

comment:

GNUCITIZEN Products

	Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a division of GNUCITIZEN. The initiative was established to provide a fee web application security framework for automated and manul penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.
	Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.