Will HTML5 be Secure Enough?

by Jean-Jacques Dubray on Aug 24, 2010

The current HTML specification is nearly a decade old and, without the shadow of a doubt, for better and for worse, it has revolutionized software architecture and engineering. As the industry is getting ready to modernize one of its key assets, Joab Jackson from IDG News wrote an article last week summarizing the currently known security issues of HTML5.

HTML5 is [...] often used to describe a collection of loosely interrelated set of standards that, taken together, can be used to build full-fledged web applications. They offer capabilities such as page formatting, offline data storage, image rendition and other aspects. (Though not a W3C spec, JavaScript is also frequently lumped in these standards, so widely used it is in building Web applications).

"Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just Web pages," said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. "There is a lot of attack surface we need to think about."

Ian Hickson, the specification editor, explains:

HTML5 is about “extending the language to better support Web applications [...] This puts HTML in direct competition with other technologies [...], in particular Flash and Silverlight.”

The specification itself seems to take great care in proactively preventing attacks, for instance:

User agents should not provide a public API to cause videos to be shown full-screen. A script, combined with a carefully crafted video file, could trick the user into thinking a system-modal dialog had been shown, and prompt the user for a password. There is also the danger of "mere" annoyance, with pages launching full-screen videos when links are clicked or pages navigated. Instead, user-agent-specific interface features may be provided to easily allow the user to obtain a full-screen playback mode. 

Lavakumar Kuppan, a security researcher, explains:

"HTML5 brings a lot of features and power to the Web. You can do so much more [malicious work] with plain HTML5 and JavaScript now than it was ever possible before."

In particular, Joab details Application Cache attacks: 

The thing with caches is that they can be poisoned very easily the moment you connect to an unsecured network, like open Wi-Fi. By poisoning a cached JavaScript file of Facebook or Twitter an attacker can eventually take control of your account.

By poisoning or creating a malicious Application Cache, the victim’s credentials to all HTTPS-only websites can be stolen by an attacker.

Kevin Johnson, a penetration tester with security consulting firm Secure Ideas, explains:

With HTML5, many of the new features constitute threats on their own, due to how they increase the number of ways an attacker could harness the user's browser to do harm of some sort.

"For years security has focused on vulnerabilities--buffer overflows, SQL injection attacks. We patch them, we fix them, we monitor them," Johnson said. But in HTML5's case, it is often the features themselves "that can be used to attack us," he said.

"These feature sets are scary," he said. "If I can find a flaw in your Web application, and inject HTML5 code, I can modify your site and hide things I don't want you to see."

Mozilla is already working on a new plug-in technology to augment HTML5 applications, JetPack:

JetPack [aims at keeping] tighter control of what actions a plug-in could execute. "If we have complete control of the [application programming interface], we're able to say 'This add-on is requesting access to, would you allow it?'" Stamm said. 

JetPack may also use a declarative security model, in which the plug-in must declare to the browser each action it intends to undertake. The browser then would monitor the plug-in to ensure it stays within these parameters.
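The declarative model described above can be sketched as a manifest of declared actions plus a run-time gate that denies and logs anything undeclared. This is an added example, not Jetpack's code or API; `hostApi`, `manifest` and `sandbox` are hypothetical names and all data is constructed.

```javascript
// Hypothetical host API a browser might expose to add-ons (constructed for this example).
const hostApi = {
  tabs:      { open: (url) => `opened ${url}` },
  clipboard: { read: () => "clipboard contents" },
  network:   { fetch: (url) => `fetched ${url}` },
};

// Constructed manifest: the add-on declares every action it intends to perform.
const manifest = {
  name: "example-addon",
  permissions: { "tabs.open": {}, "network.fetch": { hosts: ["api.example.org"] } },
};

// Wrap the host API so each call is checked against the declaration at run time.
function sandbox(api, manifest, auditLog = []) {
  const gate = (ns, target) => new Proxy(target, {
    get(obj, method) {
      const fn = obj[method];
      if (typeof fn !== "function") return undefined; // expose callable members only
      const action = `${ns}.${String(method)}`;
      return (...args) => {
        const grant = manifest.permissions[action];
        let allowed = Boolean(grant);
        // Scoped grant: network access only to the declared hosts.
        if (allowed && grant.hosts) {
          let host = null;
          try { host = new URL(args[0]).hostname; } catch { /* unparsable URL: deny */ }
          allowed = grant.hosts.includes(host);
        }
        // Every attempt is recorded, so out-of-declaration behaviour is visible.
        auditLog.push({ addon: manifest.name, action, allowed });
        if (!allowed) throw new Error(`${manifest.name}: undeclared action ${action}`);
        return fn.apply(obj, args);
      };
    },
  });
  const gated = {};
  for (const ns of Object.keys(api)) gated[ns] = gate(ns, api[ns]);
  return { api: Object.freeze(gated), auditLog };
}
```

The add-on only ever receives the gated `api` object, so the declaration doubles as the list a user can be asked to approve and as the policy the audit log is checked against.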

Not everybody sees the light at the end of the specification process:

"The enterprise has to start evaluating whether it is worth these features to roll out the new browsers," Johnson said. "This is one of the few times you may hear 'You know, maybe [Internet Explorer] 6 was better.'"

Is HTML5 an adequate response to Native (Mobile) Applications? Or is it too little too late? Will its programming model be too weak to compete efficiently? Should the W3C have worked on a full-fledged Web-based programming model instead of ensuring compatibility with legacy technologies? Can the thin client concept remain attractive? Or is the center of gravity of the Web moving to services? Will security issues kill the technology in the eyes of the consumer? The world has changed quite a bit over the last decade: User Experience, Security and Business Models resonate with success in a consumer-driven market where "Good enough" does not cut it any longer. What's your take on it?


Misinformed? by Martin Probst

> "These feature sets are scary," he said. "If I can find a flaw in your Web application,
> and inject HTML5 code, I can modify your site and hide things I don't want you to see."

That is different from before HTML5 exactly how?

Same for the issue with cache poisoning via unsecured networks and HTML5 offline apps, this does not change the status quo in any way. Either those quotes are out of context, or the speakers are not that much of an expert.

Re: Misinformed? by Subbu Allamaraju

I can't agree more. Cache poisoning has nothing to do with HTML5.
