Will HTML5 be Secure Enough?

Posted by Jean-Jacques Dubray on Aug 24, 2010


The current HTML specification is nearly a decade old and, without a shadow of a doubt, for better and for worse, it has revolutionized software architecture and engineering. As the industry is getting ready to modernize one of its key assets, Joab Jackson of IDG News wrote an article last week summarizing the currently known security issues of HTML5.

HTML5 is [...] often used to describe a collection of loosely interrelated set of standards that, taken together, can be used to build full-fledged web applications. They offer capabilities such as page formatting, offline data storage, image rendition and other aspects. (Though not a W3C spec, JavaScript is also frequently lumped in these standards, so widely used it is in building Web applications).

"Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just Web pages," said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. "There is a lot of attack surface we need to think about."

Ian Hickson, the specification editor, explains:

HTML5 is about "extending the language to better support Web applications [...] This puts HTML in direct competition with other technologies [...], in particular Flash and Silverlight."

The specification itself seems to take great care in proactively preventing attacks, for instance:

User agents should not provide a public API to cause videos to be shown full-screen. A script, combined with a carefully crafted video file, could trick the user into thinking a system-modal dialog had been shown, and prompt the user for a password. There is also the danger of "mere" annoyance, with pages launching full-screen videos when links are clicked or pages navigated. Instead, user-agent-specific interface features may be provided to easily allow the user to obtain a full-screen playback mode. 

Lavakumar Kuppan, a security researcher, explains:

"HTML5 brings a lot of features and power to the Web. You can do so much more [malicious work] with plain HTML5 and JavaScript now than it was ever possible before."

In particular, Joab details Application Cache attacks: 

The thing with caches is that they can be poisoned very easily the moment you connect to an unsecured network, like open Wi-Fi. By poisoning a cached JavaScript file of Facebook or Twitter an attacker can eventually take control of your account.

By poisoning or creating a malicious Application Cache, the victim’s credentials to all HTTPS-only websites can be stolen by an attacker.

Kevin Johnson, a penetration tester with security consulting firm Secure Ideas, explains:

With HTML5, many of the new features constitute threats on their own, due to how they increase the number of ways an attacker could harness the user's browser to do harm of some sort.

"For years security has focused on vulnerabilities--buffer overflows, SQL injection attacks. We patch them, we fix them, we monitor them," Johnson said. But in HTML5's case, it is often the features themselves "that can be used to attack us," he said.

"These feature sets are scary," he said. "If I can find a flaw in your Web application, and inject HTML5 code, I can modify your site and hide things I don't want you to see."

Mozilla is already working on a new plug-in technology to augment HTML5 applications, JetPack:

JetPack [aims at keeping] tighter control of what actions a plug-in could execute. "If we have complete control of the [application programming interface], we're able to say 'This add-on is requesting access to Paypal.com, would you allow it?'" Stamm said. 

JetPack may also use a declarative security model, in which the plug-in must declare to the browser each action it intends to undertake. The browser then would monitor the plug-in to ensure it stays within these parameters.
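
The declarative model described above can be sketched as a broker that checks every privileged call against what the add-on declared and asks the user once per declaration. This is an added example, not Jetpack's actual API: the manifest format, `createBroker`, `askUser` and the verdict strings are all hypothetical.

```javascript
// Added illustration only: not Jetpack's real API; all names are hypothetical.
// Constructed sample manifest: what the add-on declares up front.
const manifest = {
  name: "price-checker",
  permissions: [
    { action: "network", host: "paypal.com" },
    { action: "storage" },
  ],
};

// Exact host or a true subdomain. A bare suffix test would also
// accept look-alikes such as "evilpaypal.com".
function hostMatches(declared, actual) {
  const d = declared.toLowerCase();
  const a = actual.toLowerCase();
  return a === d || a.endsWith("." + d);
}

// Broker sitting between the add-on and the privileged browser APIs.
// askUser(addonName, permission) returns true if the user consents.
function createBroker(manifest, askUser) {
  const audit = [];          // every decision is recorded for monitoring
  const granted = new Set(); // indexes of declarations the user approved

  function check(action, target) {
    const idx = manifest.permissions.findIndex(
      (p) => p.action === action &&
             (p.host === undefined || hostMatches(p.host, target))
    );
    let verdict;
    if (idx === -1) {
      verdict = "denied:undeclared"; // outside the declared parameters
    } else if (granted.has(idx) || askUser(manifest.name, manifest.permissions[idx])) {
      granted.add(idx);
      verdict = "allowed";
    } else {
      verdict = "denied:user";
    }
    audit.push({ action, target, verdict });
    return verdict;
  }

  return {
    audit,
    request: (url) => check("network", new URL(url).hostname),
    store: (key) => check("storage", key),
  };
}
```

The audit array is what a browser-side monitor would inspect: a run of `denied:undeclared` entries shows an add-on acting outside its declaration.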

Not everybody sees the light at the end of the specification process:

"The enterprise has to start evaluating whether it is worth these features to roll out the new browsers," Johnson said. "This is one of the few times you may hear 'You know, maybe [Internet Explorer] 6 was better.'"

Is HTML5 an adequate response to Native (Mobile) Applications? Or is it too little too late? Will its programming model be too weak to compete efficiently? Should the W3C have worked on a full-fledged Web-based programming model instead of ensuring compatibility with legacy technologies? Can the thin client concept remain attractive? Or is the center of gravity of the Web moving to services? Will security issues kill the technology in the eyes of the consumer? The world has changed quite a bit over the last decade: User Experience, Security and Business Models resonate with success in a consumer-driven market where "Good enough" does not cut it any longer. What's your take on it?


    Misinformed?

    by Martin Probst

    > "These feature sets are scary," he said. "If I can find a flaw in your Web application,
    > and inject HTML5 code, I can modify your site and hide things I don't want you to see."

    That is different from before HTML5 exactly how?

    Same for the issue with cache poisoning via unsecured networks and HTML5 offline apps: this does not change the status quo in any way. Either those quotes are out of context, or the speakers are not that much of experts.


    Re: Misinformed?

    by Subbu Allamaraju

    I can't agree more. Cache poisoning has nothing to do with HTML5.
