by microcolonel 2448 days ago
> firewalls that block WebSockets

How does that work? How can a firewall tell that a TLS connection is a WebSocket and not just an HTTP session with a server experiencing high load?

Added: just saw this gem[0] from a few days ago, does anyone have some idea why McAfee suggests to their customers that WebSockets are a potential security risk on a web client network? I have literally no idea how they would be more risky than ordinary HTTP...

[0]: https://kc.mcafee.com/corporate/index?page=content&id=KB8405...


If the firewall has access to the traffic stream — say a local “security” tool or a corporate managed environment — it can block the Upgrade header which attempts to turn the HTTP connection into a WebSocket. That's the kind of thing which doesn't affect a huge percentage of users but at Google's scale it's still a large number of people.

Re: McAfee, I wouldn't agree with the logic but I've heard people worry about data being tunneled out through new protocols which are harder to filter or used to establish some kind of a persistent control channel. In almost all cases this has high impact with little benefit unless you're filtering all other traffic strictly enough that malware can't use other common circumvention techniques.
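To make the "block the Upgrade header" mechanism concrete, here is an added example (not code from any commenter or from McAfee) of the check an intercepting proxy can run once it sees the plaintext request head: the handshake is an ordinary GET until the Upgrade and Connection headers are read. The sample requests are constructed; the Sec-WebSocket-Key value is the RFC 6455 example key.

```python
# Constructed sample request heads (not captured traffic).
WS_HANDSHAKE = (
    "GET /chat HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Connection: keep-alive, Upgrade\r\n"
    "Upgrade: websocket\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
PLAIN_GET = (
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nConnection: keep-alive\r\n\r\n"
)
# Long polling looks exactly like any other GET, so this check lets it through.
LONG_POLL = (
    "GET /poll?since=42 HTTP/1.1\r\nHost: example.com\r\nConnection: keep-alive\r\n\r\n"
)


def parse_headers(raw):
    """Return {lower-cased name: value} for a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_websocket_handshake(raw):
    """RFC 6455 opening handshake: 'websocket' token in Upgrade, 'upgrade'
    token in the (comma-separated) Connection header, and a Sec-WebSocket-Key.
    Header names and token values are compared case-insensitively."""
    h = parse_headers(raw)
    upgrade_tokens = {t.strip().lower() for t in h.get("upgrade", "").split(",")}
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return (
        "websocket" in upgrade_tokens
        and "upgrade" in conn_tokens
        and "sec-websocket-key" in h
    )


def proxy_decision(raw):
    """Policy an intercepting proxy might apply: drop WebSocket handshakes only."""
    return "block" if is_websocket_handshake(raw) else "allow"
```

The check only works where the proxy sees the request head in the clear, which is why a TLS-intercepting proxy is the usual place for it.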

Based on our experience, it is not about actual risk, but perceived risk. As for how they are blocked, it’s done by an intercepting proxy that doesn’t allow encrypted connections through it.

Agreed, and what firewalls block long polling, which is in itself significantly better?