Forgot your password?
typodupeerror
Security Software The Internet

Security a Concern As HTML5 Advances 234

Posted by Soulskill
from the new-armor-with-new-holes dept.
Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."
This discussion has been archived. No new comments can be posted.

Security a Concern As HTML5 Advances

Comments Filter:
  • by Anonymous Coward on Friday September 17, 2010 @01:47PM (#33613102)

    should also complain about a hyperText markup language document with scripts

  • by iONiUM (530420) on Friday September 17, 2010 @01:51PM (#33613146) Homepage Journal

    But I'm really sick of hearing about HTML5. Maybe it's because every other day I see/hear a high level exec coming around and going crazy with statements like "HTML5 IS THE FUTURE WE HAVE TO BE ON IT. RIGHT NOW." Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.

    The entire disarray of this, and the mobile space, makes up upset.

  • Dancing balls? (Score:4, Insightful)

    by Anonymous Coward on Friday September 17, 2010 @01:52PM (#33613154)

    "Google Inc.'s recent 'dancing balls' logo experiment "

    If that's a sing of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.

    The last thing I want is for more &*^%*() CPU-hogging crap to be added to the friggin' web.

  • by Anonymous Coward on Friday September 17, 2010 @01:55PM (#33613202)

    Standards are important but without fancy technology buzzwords I don't think the IT department would ever get funding.

  • by Alwin Henseler (640539) on Friday September 17, 2010 @02:02PM (#33613272) Homepage

    When HTML spec is extended that obviously increases the attack surface since popular browsers will have to support it. But in time it may replace a number of other technologies (Flash comes to mind), that -combined- may have a larger attack surface. And since displaying HTML is the core function of a browser, implementations are likely to be pretty solid compared to some add-ons.

    So you'd have to look forward, and compare [average setup now] with [average setup in XX years from now]. If that comparison turns out positive, HTML5 is a move in the right direction.

  • by Anonymous Coward on Friday September 17, 2010 @02:06PM (#33613302)

    stop using technology

  • by grapeape (137008) <mpope7@kc . r r . c om> on Friday September 17, 2010 @02:07PM (#33613320) Homepage

    How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

  • by Luyseyal (3154) <swaters AT luy DOT info> on Friday September 17, 2010 @02:08PM (#33613328) Homepage

    Hopefully something akin to: image.animation_mode = once

    -l

  • by religious freak (1005821) on Friday September 17, 2010 @02:11PM (#33613366)
    Articles like this are important then, aren't they? In reading this, it should give you some ammunition against those that want to upgrade for the wrong reasons.
  • by Anonymous Coward on Friday September 17, 2010 @02:24PM (#33613498)

    You've been open to launch pop up windows with javascript for a really long time. That had nothing to do with HTML5...

  • Fear, Fear, FEAR! (Score:3, Insightful)

    by Quiet_Desperation (858215) on Friday September 17, 2010 @02:29PM (#33613548)

    said Jeremiah Grossman of security firm WhiteHat.

    So you really need to buy their security solutions! NOW! Meanwhile, Goodyear tires said to really safe on the road (and to keep your CHILDREN! safe) you should get new tires every 5000 miles, and the Head & Shoulders folks claim washing your hair three times a day will avoid a stinky head. And the government said they taking blood and tissue samples at the airport will protect us from engineer^H^H^H^H^H^H terrorists ever more so.

  • The Modern Techie (Score:3, Insightful)

    by jellomizer (103300) on Friday September 17, 2010 @02:38PM (#33613648)

    The Modern Techie will now by definition reject all new technology no matter what advancements are in it. While adopting any new technology will have tradeoffs the modern will hold on to whatever tradeoff negative effect and call it a horrible plan. Any new tech is now a threat to their way of life and no longer a new interesting field to study...

    I think us techs have gotten too old.

  • Re:Dancing balls? (Score:5, Insightful)

    by TheRaven64 (641858) on Friday September 17, 2010 @02:38PM (#33613652) Journal
    Unlike Flash, HTML5 animations are not really modular. It's trivial to disable all Flash and individually enable the one Flash applet on the page that you actually want (if there is one). With HTML5, all of the animations in a page are run from the same JavaScript execution context. Unless the author split the scripts up into different source files, it's very hard for the browser to untangle them. With Flash, every script associated with a canvas is bundled with that canvas and run in a separate context.
  • by Zen-Mind (699854) on Friday September 17, 2010 @02:51PM (#33613796)
    Unfortunately, most people want feature over security. Many people don't even think about security for themselves and only complains when it bites them in the ass. "What do you mean I shouldn't write my PIN on my debit card? You should just have made your system more secure!"
  • Re:Dancing balls? (Score:2, Insightful)

    by Runaway1956 (1322357) on Friday September 17, 2010 @02:52PM (#33613800) Homepage Journal
    I'll echo the comment about getting a more modern machine. My 6 year old Opteron had no problems with dancing balls. I paused a second, looking for dancing boobs, but the computer didn't even blink. FFS, get a modern computer - today they run in multiple GIGAhertz. Ditch that 133 mhz machine. And, add some frigging MEMORY!! Yeah, there really is a use for more than 640k of memory. And, finally, upgrade to a real operating system and a real browser. Dump Windows 95 and IE4. FFS, get with the times!
  • by tepples (727027) <tepples&gmail,com> on Friday September 17, 2010 @03:13PM (#33613992) Homepage Journal

    Just because a spec isn't finalized doesn't mean some of the feature haven't been implemented. You can find what's been implemented [html5readiness.com] and just maybe, impress your boss.

    The web page you linked is an example of what can go wrong with HTML5 in the wrong hands: it ends up just like Flash in the wrong hands has ended up for years. Not only does it use mystery meat navigation [webpagesthatsuck.com], but it also takes literally four seconds from when I move the pointer to when another wedge of the graph lights up. I'm using the latest release version of Firefox (3.6.10) on Windows XP.

  • by _Sprocket_ (42527) on Friday September 17, 2010 @03:17PM (#33614044)

    o.O

    Let's see...

    Browser... settings... Enable plug-ins... on demand.

    Well, I'll be.

  • by Jugalator (259273) on Friday September 17, 2010 @03:19PM (#33614056) Journal

    It doesn't even contain any code, being a markup language? It's not even Turing complete.

    [italic attribute="question"]Is this invented markup language of mine also vulnerable?[/italic]

    *shrug*

  • by kc8jhs (746030) on Friday September 17, 2010 @03:28PM (#33614164)

    It looks like that option was included with the intention the browsers implementing the feature would have a method to disable it's usage. I'm guessing if it gets crazy then major players will ship with it disabled, or maybe include some sort of same domain policy for pings (ping domain has to match referrer or href). I'm not too scared, and this would work much better than JS versions of the same thing.

  • My concern (Score:3, Insightful)

    by nine-times (778537) <nine.times@gmail.com> on Friday September 17, 2010 @03:55PM (#33614478) Homepage

    I'm not an expert of any kind, but my general concern with the web has been growing as static documents have become applications. It's the same reason I don't like the idea of javascript in PDFs. I like the idea of a static document that doesn't do anything, but is merely viewable. Yes, yes, I know that it's possible for malformed documents to trigger exploits in the document viewer, but that seems like it should be more rare and easy to protect against.

    At you upgrade HTML to make web applications more and more powerful, it seems likely to me (from a non-expert standpoint) that you're increasing the variety of security concerns we need to worry about. There's a part of me that wishes we had two different things: a web browser that allowed for safe passive viewing of relatively static content, and an application that supported an application framework similar to current web applications.

    Ok, I'm ready for people to yell at me for being stupid now.

  • by Anonymous Coward on Friday September 17, 2010 @05:55PM (#33615734)

    Well then it just doesn't work in your case. In my career, I couldn't give a shot about "enterprise" apps. HTML 5 is making websites faster and better for some of my consumers, that is all

  • by Penguinisto (415985) on Friday September 17, 2010 @07:07PM (#33616216) Journal

    Rather it's the whole "it's MY content, you MUST view it MY WAY!!! " stance yet again.

    There is a cure for that attitude - for the same reason that Facebook pretty much wiped MySpace off the map, or the way Google turned Yahoo! into a has-been: Keep it clean and user-friendly, keep the ads un-intrusive, or face instant death in the face of superior (cleaner, less intrusive) products.

  • by _xeno_ (155264) on Friday September 17, 2010 @10:28PM (#33617192) Homepage Journal

    You've never dealt with actual users, have you?

    Go ahead. Explain to someone that in order to watch a video full screen they will need to either:

    1. Context-click the video and choose the "Full Screen" option, assuming there is one. This only works when using the browser's built-in video controls, I think.

    2. Click on the "expand" button to expand the video to take up the entire tab, and then use your browser's Full Screen feature, which is probably F11 except when it's something else. Or if you're using Safari, you're screwed.

    Users want a nice little Full Screen button they can click on and be done with. Even if there's a work around, they're not going to be happy.

    Besides, it's yet another reason to just stick with Flash: it provides this support already. So why use something else, especially when you need to encode twice to support all browsers?

    Ultimately, it's a useless restriction. Sure, make it a white-list only feature, but why the hell forbid it entirely?

Life. Don't talk to me about life. - Marvin the Paranoid Anroid

Working...