
Security a Concern As HTML5 Advances

Soulskill posted about 4 years ago | from the new-armor-with-new-holes dept.

Security 234

Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."


234 comments


Those who complain about PDF w/scripts (2, Insightful)

Anonymous Coward | about 4 years ago | (#33613102)

should also complain about a hyperText markup language document with scripts

Re:Those who complain about PDF w/scripts (4, Interesting)

_Sprocket_ (42527) | about 4 years ago | (#33613254)

One of my favorite things about Flash is that it's easy to block and control. There's times when I want the functionality Flash is providing - but most times, I'd rather pretend that I don't have it installed. I was rather rudely reminded of this the other day when I installed Flash on my Android phone. I was all happy until I started browsing around. Until I get NoScript on my Android, Flash has been removed.

With this in mind, I'm wondering what level of control we might have over HTML5.

Re:Those who complain about PDF w/scripts (2, Insightful)

Luyseyal (3154) | about 4 years ago | (#33613328)

Hopefully something akin to: image.animation_mode = once

-l

Re:Those who complain about PDF w/scripts (4, Interesting)

_xeno_ (155264) | about 4 years ago | (#33614084)

That's not possible in the current spec. The browser has no idea that a canvas is even being used for animation, let alone when an animation has completed. Well, OK, a simple heuristic of "if this canvas is being repeatedly updated, it's an animation" is possible. But the problem is you still don't know when an animation has looped once.

The best thing that can be done is to refuse to update a canvas after it's been updated once.

So then people start removing and replacing the canvas element... Or use video instead... Or start using the audio APIs...

Really, a lot of the new APIs are really cool from a web developer "whiz-bang" point of view, but the HTML5 spec authors don't seem to give a damn about actually providing control to the user. Rather it's the whole "it's MY content, you MUST view it MY WAY!!!" stance yet again.

On the other hand, there's the thing where you can't full screen video in HTML5 because evil web page authors might somehow trick people into typing their password into a video. Yet you can full screen Flash - they seem to have come up with a solution (the "press ESC to exit full screen" banner) so it's not like there's absolutely no way to protect users.

So who knows what the HTML5 developers are thinking, because the inability to full screen HTML5 video makes it a complete non-starter versus Flash video. Especially if you want to share HD video.

Re:Those who complain about PDF w/scripts (1)

Luyseyal (3154) | about 4 years ago | (#33614212)

If you can't do "once", I'd be happy with a flashblock by default of canvas, video, and audio tags.

-l

Re:Those who complain about PDF w/scripts (1)

natehoy (1608657) | about 4 years ago | (#33613332)

I'm sure NoScript will (if it isn't already) add detection of content types, and anything it considers "executable" in any form will need to get the whitelist treatment. There's already protection for a lot of things other than JavaScript.

Eventually, NoScript will probably have to have a whitelist for tags. <b> and <img> are OK by default, <video> might need whitelisting for a specific site, or you whitelist the whole site, or you whitelist the tag across all sites.
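The three whitelist scopes described in the comment above (a tag on one site, a whole site, a tag across all sites), as an added sketch that is not part of the original post and is not NoScript's code. The `TagPolicy` class, its method names and the `.test` hostnames are hypothetical.

```javascript
// Added illustration of a default-deny tag whitelist. Not NoScript's code:
// TagPolicy and every name below are hypothetical.

function normHost(host) {
  // Compare hosts case-insensitively and ignore a trailing root dot.
  return String(host).trim().toLowerCase().replace(/\.$/, '');
}

function normTag(tag) {
  return String(tag).trim().toLowerCase();
}

class TagPolicy {
  constructor(defaultAllowed) {
    this.defaultAllowed = new Set(defaultAllowed.map(normTag));
    this.trustedSites = new Set();   // whole site whitelisted
    this.globalTags = new Set();     // tag whitelisted across all sites
    this.siteTags = new Map();       // host -> Set of tags whitelisted there
  }

  allowSite(host) { this.trustedSites.add(normHost(host)); return this; }

  allowTagEverywhere(tag) { this.globalTags.add(normTag(tag)); return this; }

  allowTagOnSite(host, tag) {
    const h = normHost(host);
    if (!this.siteTags.has(h)) this.siteTags.set(h, new Set());
    this.siteTags.get(h).add(normTag(tag));
    return this;
  }

  // Returns { allowed, reason }. Hosts are matched exactly, never by
  // suffix or substring: a rule for "video.example.test" says nothing
  // about "example.test" or "video.example.test.evil.test".
  decide(host, tag) {
    const h = normHost(host);
    const t = normTag(tag);
    if (this.defaultAllowed.has(t)) return { allowed: true, reason: 'default' };
    if (this.trustedSites.has(h)) return { allowed: true, reason: 'site' };
    if (this.globalTags.has(t)) return { allowed: true, reason: 'tag-everywhere' };
    const perSite = this.siteTags.get(h);
    if (perSite && perSite.has(t)) return { allowed: true, reason: 'tag-on-site' };
    // Anything not explicitly listed is blocked, including unknown tags.
    return { allowed: false, reason: 'not-whitelisted' };
  }

  // Split the tags found on a page into those to render and those to
  // replace with a click-to-enable placeholder.
  partition(host, tags) {
    const out = { render: [], placeholder: [] };
    for (const tag of tags) {
      const bucket = this.decide(host, tag).allowed ? out.render : out.placeholder;
      bucket.push(normTag(tag));
    }
    return out;
  }
}

// Constructed sample policy and page (not taken from any real site).
const policy = new TagPolicy(['b', 'img'])
  .allowTagOnSite('video.example.test', 'video')
  .allowSite('intranet.example.test')
  .allowTagEverywhere('audio');

const samplePageTags = ['B', 'img', 'video', 'canvas', 'audio'];
console.log(policy.partition('news.example.test', samplePageTags));
```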

Re:Those who complain about PDF w/scripts (4, Informative)

AndrewNeo (979708) | about 4 years ago | (#33613490)

Er, why don't you just set plugins to only start when you tap them?

Re:Those who complain about PDF w/scripts (3, Insightful)

_Sprocket_ (42527) | about 4 years ago | (#33614044)

o.O

Let's see...

Browser... settings... Enable plug-ins... on demand.

Well, I'll be.

Re:Those who complain about PDF w/scripts (2, Informative)

GravityStar (1209738) | about 4 years ago | (#33613674)

The browser can be set to only load flash on request. That makes it functionally similar to flashblock with firefox.

security is built in the application, not platform (1, Troll)

Michael Kristopeit (1751814) | about 4 years ago | (#33613120)

if an idiot developer wants to make an application in an insecure way, the platform can not stop them.

Is a web browser an application or a platform? (1)

tepples (727027) | about 4 years ago | (#33613958)

if an idiot developer wants to make an application in an insecure way, the platform can not stop them.

I find your statement ambiguous. Did you mean that in the sense of the web browser as an application and a device's operating system as a platform? Or did you mean it in the case of a web app as an application and the web browser as a platform? The article, as I understand it, is about the latter sense.

Re:Is a web browser an application or a platform? (1)

Mike Kristopeit (1900306) | about 4 years ago | (#33614006)

i mean what i said. security is built in the application. if the platform implements something insecurely, then relying on that implementation is not building a secure application... it doesn't mean that a secure application can not be built on that platform.

No platform is 100% secure (1)

tepples (727027) | about 4 years ago | (#33614322)

if the platform implements something insecurely, then relying on that implementation is not building a secure application... it doesn't mean that a secure application can not be built on that platform.

As far as I know, formal verification [wikipedia.org] of the security of a computer program as large as a platform is nowhere near prime time. This means you can't be sure that any platform implements every necessary feature 100% securely, and relying on any implementation is not building a secure application, unless perhaps your application requires so few platform features that it would work in HTML 1.0.

Re:security is built in the application, not platf (1)

Khuffie (818093) | about 4 years ago | (#33614314)

You misread the summary; the article is not about an idiot developer building an insecure application that compromises the developer's server's security. It's about malicious developers building seemingly benign websites that compromise a user's home computer

Re:security is built in the application, not platf (0, Flamebait)

Mike Kristopeit (1900306) | about 4 years ago | (#33614456)

... which is not specifically relevant in any way to HTML5 or any other specific platform... you missed my entire point, and then suggested i didn't understand the basis of my own argument. you're an idiot.

security is built in the application just as malice is built in the application. the platform is irrelevant.

Re:security is built in the application, not platf (1)

istartedi (132515) | about 4 years ago | (#33614430)

I disagree. For example:

1. System has ability to delete your files.
2. System loads file from the Internet. File from the Internet contains instructions.
3. System is designed to accept delete() instructions from users, but not from files downloaded from the Internet.

My idea for quite some time is that in the long run, all file formats become programming languages. A web page should have always been regarded as an application that is sandboxed by the browser, even before we started building apps with them.
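The three-point example in the comment above, as an added toy model that is not part of the original post and is not any browser's implementation. The names `Origin`, `makeSystem`, `run` and the operation names are hypothetical. The origin is assigned by whoever loads the instructions and is inherited by nested content, so a downloaded file cannot claim user authority for itself.

```javascript
// Added illustration; a toy model, not any browser's implementation.
// All names (Origin, makeSystem, run, the op names) are hypothetical.

const Origin = Object.freeze({ USER: 'user', INTERNET: 'internet' });

// Which origins may issue which operation. delete is user-only (point 3).
const PERMITTED = new Map([
  ['render',  [Origin.USER, Origin.INTERNET]],
  ['include', [Origin.USER, Origin.INTERNET]],
  ['delete',  [Origin.USER]],
]);

const MAX_DEPTH = 8; // bound on nested includes

function makeSystem(initialFiles) {
  const files = new Set(initialFiles);   // point 1: the system can delete these
  const audit = [];

  // `origin` comes from the caller (the loader), never from the
  // instructions themselves.
  function run(instructions, origin, depth = 0) {
    if (!Object.values(Origin).includes(origin)) throw new TypeError('unknown origin');
    if (depth > MAX_DEPTH) throw new RangeError('include nesting too deep');
    for (const ins of instructions) {
      const allowedFrom = PERMITTED.get(ins.op);
      // Unknown operations are denied, not silently skipped.
      const ok = Array.isArray(allowedFrom) && allowedFrom.includes(origin);
      audit.push({ op: String(ins.op), origin, ok });
      if (!ok) continue;
      if (ins.op === 'delete') {
        files.delete(ins.path);
      } else if (ins.op === 'include') {
        // Nested content inherits the origin of what included it,
        // so wrapping a delete in an include gains nothing.
        run(Array.isArray(ins.body) ? ins.body : [], origin, depth + 1);
      }
      // 'render' has no side effect in this model.
    }
  }

  return {
    run,
    files: () => [...files].sort(),
    audit: () => audit.slice(),
  };
}

// Constructed sample: a file loaded from the Internet (point 2).
const downloadedPage = [
  { op: 'render', text: 'hello' },
  { op: 'delete', path: 'notes.txt', origin: 'user' },   // self-declared origin is ignored
  { op: 'include', body: [{ op: 'delete', path: 'taxes.ods' }] },
  { op: 'format-disk' },                                 // unknown op
];

function demo() {
  const sys = makeSystem(['notes.txt', 'taxes.ods']);
  sys.run(downloadedPage, Origin.INTERNET);
  const afterDownload = sys.files();
  sys.run([{ op: 'delete', path: 'notes.txt' }], Origin.USER);
  const denied = sys.audit().filter((e) => !e.ok).map((e) => e.op);
  return { afterDownload, afterUser: sys.files(), denied };
}

console.log(demo());
```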

I don't know about the rest of you (4, Insightful)

iONiUM (530420) | about 4 years ago | (#33613146)

But I'm really sick of hearing about HTML5. Maybe it's because every other day I see/hear a high level exec coming around and going crazy with statements like "HTML5 IS THE FUTURE WE HAVE TO BE ON IT. RIGHT NOW." Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.

The entire disarray of this, and the mobile space, makes me upset.

Re:I don't know about the rest of you (5, Insightful)

Anonymous Coward | about 4 years ago | (#33613202)

Standards are important but without fancy technology buzzwords I don't think the IT department would ever get funding.

Re:I don't know about the rest of you (4, Insightful)

religious freak (1005821) | about 4 years ago | (#33613366)

Articles like this are important then, aren't they? In reading this, it should give you some ammunition against those that want to upgrade for the wrong reasons.

Re:I don't know about the rest of you (1)

iONiUM (530420) | about 4 years ago | (#33613470)

Oh ya, you're quite right about that. My rant was on the topic of HTML5, not the article :)

Re:I don't know about the rest of you (0)

Anonymous Coward | about 4 years ago | (#33613476)

HTML5 is usable right now for any website. Also, where can I find more high level execs running around going crazy over HTML standards? Sounds like my kind of exec.

Re:I don't know about the rest of you (2, Informative)

WankersRevenge (452399) | about 4 years ago | (#33613822)

Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented [html5readiness.com] and just maybe, impress your boss.

Four seconds for that page to respond (4, Insightful)

tepples (727027) | about 4 years ago | (#33613992)

Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented [html5readiness.com] and just maybe, impress your boss.

The web page you linked is an example of what can go wrong with HTML5 in the wrong hands: it ends up just like Flash in the wrong hands has ended up for years. Not only does it use mystery meat navigation [webpagesthatsuck.com] , but it also takes literally four seconds from when I move the pointer to when another wedge of the graph lights up. I'm using the latest release version of Firefox (3.6.10) on Windows XP.

Re:I don't know about the rest of you (0)

Anonymous Coward | about 4 years ago | (#33614072)

If my boss is using IE7 on XP he's not going to be impressed one bit about that site.

Re:I don't know about the rest of you (1)

CannonballHead (842625) | about 4 years ago | (#33614110)

Implementing stuff before the spec is finalized. That just seems weird. :P :)

Reference implementation (1)

tepples (727027) | about 4 years ago | (#33614216)

Implementing stuff before the spec is finalized. That just seems weird. :P :)

A proper spec isn't finalized until a reference implementation is ready. One of the reasons that some of the HTML 4.01 features never entered wide use is that absolutely nothing supported them correctly for years after HTML 4.01 became a W3C Recommendation. Take the <col> and <colgroup> elements for example; those still aren't consistent even in browsers that do support them.

Re:I don't know about the rest of you (1)

squallbsr (826163) | about 4 years ago | (#33613930)

Being unable to use HTML5 for enterprise applications only applies to those enterprises that are using Microsoft Windows without alternative browsers...

Re:I don't know about the rest of you (1)

moderatorrater (1095745) | about 4 years ago | (#33614240)

At least this is a new kind of article, though, rather than the same old "HTML5 will replace Flash, Java, CPUs and give everyone blowjobs!" article that they usually have. And this is a serious concern, too: HTML already has an attack surface as big as all outdoors. I'm not saying that HTML is useless or should be replaced or anything, but security should be designed in from the beginning and the HTML5 spec is no exception.

Re:I don't know about the rest of you (1)

dmomo (256005) | about 4 years ago | (#33614368)

I can't really complain about an open technology gaining momentum. So if it's those pointed haired bosses pushing for it, who cares if they fully get it.

Is a spec for this sort of thing ever really complete? Parts of it often are, and the early adopters taking advantage of those parts are the only reason this stuff moves forward. In fact, by using the technology early, you are helping to determine which features are most important and which ones need to be rethought.

We need people taking advantage of HTML5 now in order to show those pointy haired bosses what it does / can do. This will drive demand and serve as a catalyst for solidifying or refining the spec, no?

As for the "usable for any serious enterprise application" part. You could be right. Depends on the application, I suppose. If the supporting pieces are done right, the choice of front end technology becomes less important. But I would be skeptical of any manager pushing for HTML5 simply because "it's the future". I haven't run into a situation like this to be honest. Most competent managers would be more likely to say "well, sounds flashy, but what does it get me?". It's more often that these managers are BLOCKING the use of such things.

Some open minded managers do want to be on top of these things and rightly so. They want to make sure that their tech toolkit is up to date. This doesn't mean they are going to put all of their eggs in that basket. I would be grateful for the opportunity to embrace new challenges.

Dancing balls? (4, Insightful)

Anonymous Coward | about 4 years ago | (#33613154)

"Google Inc.'s recent 'dancing balls' logo experiment "

If that's a sing of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.

The last thing I want is for more &*^%*() CPU-hogging crap to be added to the friggin' web.

Re:Dancing balls? (-1, Troll)

Anonymous Coward | about 4 years ago | (#33613260)

Get a modern machine and you won't have any issues. Alternatively, you can shut the hell up and not use any html5 enabled websites.

Re:Dancing balls? (3, Interesting)

Anonymous Coward | about 4 years ago | (#33613372)

He has a point though, I personally love most of the new HTML5 features, but if every site starts piling on canvas animations, videos and audio it'll be annoying as hell.

I'd like to see this stuff become optional (on a browser basis and not site-by-site), perhaps don't start playing (or loading) a video/audio/canvas element until the user explicitly clicks play (with an option to pre-load but not autoplay for those with no bandwidth limits but who still don't want annoying unwanted video/sounds).

Unfortunately most browsers seem to struggle with the idea that I don't want Flash by default (and the browser creators are the most vocal enemies of Flash) so I definitely can't see this happening.

Re:Dancing balls? (1)

zombieChan51 (1862028) | about 4 years ago | (#33613416)

Indeed, can you imagine what some bad web developer might add to their website? I could see a lot of web sites getting a lot of crap bogging down your browser as it tries to render the site. But I think some browsers give you the option on what to load and what not to load.

Re:Dancing balls? (2, Funny)

symes (835608) | about 4 years ago | (#33613544)

It's Geocities all over again!

Re:Dancing balls? (4, Insightful)

TheRaven64 (641858) | about 4 years ago | (#33613652)

Unlike Flash, HTML5 animations are not really modular. It's trivial to disable all Flash and individually enable the one Flash applet on the page that you actually want (if there is one). With HTML5, all of the animations in a page are run from the same JavaScript execution context. Unless the author split the scripts up into different source files, it's very hard for the browser to untangle them. With Flash, every script associated with a canvas is bundled with that canvas and run in a separate context.

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33614354)

...except when a Flash page behaves the same way. See Pandora for example: it's one big applet in the center that consolidates 6 different features. As for animations, I think we'll see CanvasBlock extensions for HTML5, not BlockStuffUsingCanvas. And the browser could make it easy to right-click-disable specific canvas instances.

Most sites aren't in an SWF (1)

tepples (727027) | about 4 years ago | (#33614414)

...except when a Flash page behaves the same way. See Pandora for example: it's one big applet

Typically, only media players (such as Pandora) and corporate brochureware (such as Pop-Tarts.com) act that way. Other sites have accessibility concerns [wikipedia.org] that preclude putting the whole site in an SWF.

Re:Dancing balls? (1)

Runaway1956 (1322357) | about 4 years ago | (#33613818)

Myspace, all over the web! Imagine it! I'm ready to emigrate. Is there a flight to the moon soon?

Re:Dancing balls? (1)

ihatejobs (1765190) | about 4 years ago | (#33613658)

Yea because you know, websites don't currently load up on inane bullshit that bogs down your browser.

Look, they are just giving us a new easier to use and more efficient way of doing things. First it was random flash garbage, now it will be HTML5 garbage. You can't blame the spec because of what people choose to do with it. For every site that loads up with so much crap that it destroys your browser there will be several that are beautifully done.

Re:Dancing balls? (1)

Runaway1956 (1322357) | about 4 years ago | (#33613842)

"Can anyone tell me why 99% of /. users are total assclowns?" I, for one, don't clown around.

Re:Dancing balls? (4, Funny)

Anonymous Coward | about 4 years ago | (#33613362)

Time to retire the C64 and cradle modem bro

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33613486)

Amiga 500, here I come!

Re:Dancing balls? (3, Interesting)

ihatejobs (1765190) | about 4 years ago | (#33613380)

So wait, you are claiming one tiny little webapp on the Google homepage was killing your machine?

You might want to consider upgrading your machine... I had no issues when the dancing balls were on the homepage and my machine is 3 years old. I quite liked it actually.

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33614218)

"So wait, you are claiming one tiny little webapp on the Google homepage was killing your machine?"

That's exactly what I'm saying.

"You might want to consider upgrading your machine."

To what? It's a quad core machine with 8GB of RAM. The fact that I noticed *that* machine bog down is why I was so underwhelmed with the bouncing balls.

Like I said, if that's what HTML 5 is bringing me, I'm not impressed.

Re:Dancing balls? (1)

armanox (826486) | about 4 years ago | (#33614332)

Check your machine? My old laptop (1.7GHz Celeron M, 1.5GB RAM, WinXP, ca 2006) saw no issues. Wish I could say the same for my 10 year old Mac.

Re:Dancing balls? (1)

Sancho (17056) | about 4 years ago | (#33614388)

Heck, my netbook didn't slow to a crawl. The animation was slow, but the rest of the machine was fine.

Re:Dancing balls? (2, Interesting)

ByteSlicer (735276) | about 4 years ago | (#33614288)

I have a fairly recent machine, and that buckyball thing bogged my cpu too.
I googled around that day and found lots of people complaining. Apparently for Chrome it wasn't a problem, but Firefox users were hosed.
You'd think they would test it for multiple browsers at Google, before pushing it to one of the most used pages of the web...

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33614328)

You say upgrade but what's wrong with having a "lightweight" browsing experience without all the crap that's forced on people?

That is why Google became so successful in search and why Adblock Plus and NoScript (in addition to the extra security) are so popular.

Re:Dancing balls? (1)

tepples (727027) | about 4 years ago | (#33614358)

You might want to consider upgrading your machine

Do you know of an affordable 10" laptop PC with noticeably better performance on such a webapp?

Re:Dancing balls? (1)

m50d (797211) | about 4 years ago | (#33613384)

I think it's time to accept that the web is now irrevocably an applications platform (sad, I remember the day when we would laugh at anyone calling themselves a "website programmer", but that's how it goes). For actual content I'm going back to gopher. Anyone know a good tech news site?

Re:Dancing balls? (1)

ihatejobs (1765190) | about 4 years ago | (#33613594)

Well Slash... oh, you said news site... Pahaha, good luck finding one of those!

Re:Dancing balls? (2, Funny)

symes (835608) | about 4 years ago | (#33613388)

I have to agree with your sentiment - I often feel that my hardware is playing catchup. Fortunately, I have just discovered a browser [wikipedia.org] that seems to cope well with all these new fancy gimmicks.

Re:Dancing balls? (2, Funny)

forkfail (228161) | about 4 years ago | (#33614004)

Maybe not so much.

From the HTML 5 spec:

16.2.7.1 Dancing balls shall be supported.

16.2.7.1.1 Non-graphical browsers shall support curses like, text based dancing balls.

16.2.7.1.2 Any browser unable to display dancing balls shall be immediately redirected to MySpace.

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33613394)

I would say that the dancing balls logo was not a sing or sign of what's coming with HTML5, SINCE IT DIDN'T USE ANY HTML5. People just saw something cool, had heard of HTML5, and assumed that something cool and new from Google had to be HTML5.

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33613698)

that wasn't even html5, it was all just a bunch of colored divs with border-radius and z-index...and javascript to do the logic. nothing html5 about it. html5 will actually make that perform better, along with the new browsers that are coming out with better javascript engines and hardware acceleration.

Re:Dancing balls? (1, Insightful)

Runaway1956 (1322357) | about 4 years ago | (#33613800)

I'll echo the comment about getting a more modern machine. My 6 year old Opteron had no problems with dancing balls. I paused a second, looking for dancing boobs, but the computer didn't even blink. FFS, get a modern computer - today they run in multiple GIGAhertz. Ditch that 133 mhz machine. And, add some frigging MEMORY!! Yeah, there really is a use for more than 640k of memory. And, finally, upgrade to a real operating system and a real browser. Dump Windows 95 and IE4. FFS, get with the times!

Re:Dancing balls? (0)

Anonymous Coward | about 4 years ago | (#33614040)

"I'll echo the comment about getting a more modern machine."

Umm, dude ... seriously? I was running it on a quad core, 2+ GHz machine with 8GB of bloody RAM on it. I keep about 5 browser windows open, with varying amounts of tabs, spread across four virtual desktops.

In my case, that meant I had about 6 google windows open -- the CPU was pegged at 25% and the machine was definitely lagging. Even with only one single instance of it open, the CPU stayed at around 25%. I had to make sure I didn't have anything sitting on google, because it just chewed CPU to run the damned animation. Mozilla was taking 25% of the CPU according to task manager -- it was using more damned CPU than VMWare running two machines.

I don't install Flash because I don't want to see things spinning and flashing -- if HTML 5 is going to add the ability for any random moron to embed an animation that I can't turn off, I don't bloody want it, because it's going to be used for really annoying things.

"And, finally, upgrade to a real operating system and a real browser. Dump Windows 95 and IE4. FFS, get with the times!"

Oh, come on ... shut your fucking pie hole. You don't know what you're talking about. Why do so many people on Slashdot think that everyone else is an idiot? I've been in the software industry for 15 years -- I think I know how to identify if my beefy machine is being dragged down by my friggin web browser. You sound like some wet behind the ears little shit who thinks he knows everything.

Re:Dancing balls? (1)

lostmongoose (1094523) | about 4 years ago | (#33614266)

Post that under your real user name, then. Until then *you* stfu. Any machine that got bogged down by that animation needs some serious tuneup work done. There's a 1.8ghz Skt754 Sempron here w/2GB ram running Vista that didn't get bogged down by it. So you're either full of shit or haven't bothered cleaning out the cruft in your comp in some time.

Re:Dancing balls? (1)

mcgrew (92797) | about 4 years ago | (#33614176)

If that's a sing of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.

HUH??? What are you running, IE3 in Windows 95 on a 386? It didn't slow my netbook (running windows 7 at the time with FireFox) down a bit, and I only paid $300 for the computer.

I think you either need a new computer, or get rid of a shitload of viruses.

New strategies? (2, Interesting)

AliasMarlowe (1042386) | about 4 years ago | (#33613192)

web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks.

MS will Embrace and Extend, but not Extinguish the potential for security holes.
Apple will probably do much the same, but might do the enhanced functionality bit also.
The BSD and *nix variants will only take on the functionality, most foolishly (using MBA "forced-upgrade-income" definition).

I'm more worried about advertisements (4, Interesting)

Aoet_325 (1396661) | about 4 years ago | (#33613220)

While I'm sure some of the new functionality will be exploited, I expect most of the abuse will be from folks who want to push ads and track users.

Re:I'm more worried about advertisements (3, Interesting)

straponego (521991) | about 4 years ago | (#33613294)

Look at that Arcade Fire demo, The Wilderness Downtown, for proof of concept of HTML5's browser-jacking and popup capabilities. When the marketing scum and other criminal types latch onto that... ugh.

Re:I'm more worried about advertisements (1, Insightful)

Anonymous Coward | about 4 years ago | (#33613498)

You've been open to launch pop up windows with javascript for a really long time. That had nothing to do with HTML5...

'dancing balls' logo experiment (0)

Anonymous Coward | about 4 years ago | (#33613224)

Where can we find this 'dancing balls' logo experiment? Link please. I did a search but came up with nothing.

Not HTML5 (5, Informative)

Anonymous Coward | about 4 years ago | (#33613270)

Google's "dancing balls" wasn't HTML5, it was divs, javascript and CSS border radius.

Optimize for the common case (3, Insightful)

Alwin Henseler (640539) | about 4 years ago | (#33613272)

When HTML spec is extended that obviously increases the attack surface since popular browsers will have to support it. But in time it may replace a number of other technologies (Flash comes to mind), that -combined- may have a larger attack surface. And since displaying HTML is the core function of a browser, implementations are likely to be pretty solid compared to some add-ons.

So you'd have to look forward, and compare [average setup now] with [average setup in XX years from now]. If that comparison turns out positive, HTML5 is a move in the right direction.

stop using technology (1, Insightful)

Anonymous Coward | about 4 years ago | (#33613302)

stop using technology

More features == More potential security holes (1)

Zen-Mind (699854) | about 4 years ago | (#33613310)

Wow, who would have thought of that? Yes I do understand that security is an issue hard to cope with, but with that mentality we could also just stop progress because it might have risks ...

Re:More features == More potential security holes (3, Interesting)

grayn0de (1301165) | about 4 years ago | (#33613618)

That's not it at all...

The point that security researchers have been trying (for years) to get across to developers and companies alike is that ALL software/protocols/standards/whatever should be developed with security in mind from the beginning. Granted, even with secure coding practices and rigorous application security testing, there will always be some vulnerability that gets overlooked by the developer or discovered by an attacker. The thing is that most companies tend to put functionality and features far above security, which is IMHO a completely ass backward way of doing things when it comes to technology in general.

Re:More features == More potential security holes (2, Insightful)

Zen-Mind (699854) | about 4 years ago | (#33613796)

Unfortunately, most people want features over security. Many people don't even think about security for themselves and only complain when it bites them in the ass. "What do you mean I shouldn't write my PIN on my debit card? You should just have made your system more secure!"

As opposed to what? (4, Insightful)

grapeape (137008) | about 4 years ago | (#33613320)

How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

Re:As opposed to what? (1, Funny)

Anonymous Coward | about 4 years ago | (#33613374)

And even if you stay off the internet, you can still get herpes.

Re:As opposed to what? (0)

Anonymous Coward | about 4 years ago | (#33613516)

I was dedicated to remaining secure by staying off the internet and computers altogether until somebody broke into my house and stole my filing cabinet.

Re:As opposed to what? (0)

Anonymous Coward | about 4 years ago | (#33613568)

In fact I'd say it's at least 10x as likely because you might actually be having sex.

Re:As opposed to what? (3, Interesting)

Anonymous Coward | about 4 years ago | (#33613736)

How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

Actually this is a very very important point. You can't compare the potential security risk between HTML5 and HTML4. You have to compare it with HTML4 plus all the plugins it can potentially replace (like, say, Flash).

My biggest concern, as others have pointed out, are using things like canvas elements over top of content to display ads and whatnot. But then, really, it will just be like the new features of any previous HTML/Javascript spec. There will be a lot of annoyances and some features used in really bad ways (blink tag, anyone?) but then things will calm down and use it in practical ways. Browsers and browser plugins will get smarter about ad blocking features with the newer technologies and methods and we'll all be better for the useful things that HTML5 does provide.

There's a REASON that "web developers" get excited when talking about the future of HTML5 and how things are being developed and supported. If you don't understand why, then you probably weren't doing web stuff in the days of the IE and Netscape fighting it out or the long drawn out HTML4/Early CSS specs that were useless because MS was so slow in bothering to update IE. Sure we still have some divides (video tag, for example) but nothing as bad as it was. And sure, MS is a bit slower than the rest with IE8 and IE9 but these releases and evolving support of actual specs are LIGHTNING fast for MS compared to before...

Well the problem (1)

Sycraft-fu (314770) | about 4 years ago | (#33613884)

Is that the more core to the spec it is, the less you can do to mitigate it. With Flash there's a simple solution: Block it. You can use a plugin like Flashblock that allows you to run it only as needed, you can set it to only run on some sites, or you can shut it off entirely. It is easy to restrict access to it when it isn't needed and thus increase security.

When the features are in HTML itself... Well then what do you do?

Re:Well the problem (0)

Anonymous Coward | about 4 years ago | (#33614340)

div block with ad block

dancing balls (1)

martas (1439879) | about 4 years ago | (#33613350)

i didn't see them! is there a link where that still exists, or perhaps a video?

Re:dancing balls (1)

CannonballHead (842625) | about 4 years ago | (#33614170)

I couldn't find a permanent google link, but here's a youtube video. :)

FUD (4, Interesting)

Art3x (973401) | about 4 years ago | (#33613354)

The article points out no specific flaws. It just says that HTML is growing, therefore the chance of a hole (the "attack surface") also is growing.

Choose your poison. The same can be said about writing an app for an operating system. "Windows/Mac OS/Linux has an enormous amount of functionality. Therefore I'm concerned that there could be a lot of vulnerabilities."

Yes.

But the growth of the browser will not simply add to the overall size of the computer. Because of a big browser, you may have a smaller operating system. This is the idea behind Chrome OS.

It is not a perfectly equal replacement. If the browser grows 15 MB, that does not mean the operating system will shrink 15 MB. But one thing that is better about putting a feature in the browser is that more eyes are on it. There will be a lot more users who try to write a program in JavaScript than against even the Windows, even the iPhone, API. HTML 5 will bring about a lot more software developers and a lot more software development.

Run in Sandbox, erase after session. (0)

Anonymous Coward | about 4 years ago | (#33613406)

Seriously, sandboxing is in almost every browser by default now, you wouldn't even need to run external ones.

But if you want to be safe from pretty much every useful attack out there, just run the damn thing in a sandbox / virtual OS.

Thanks Apple (-1, Troll)

MogNuts (97512) | about 4 years ago | (#33613502)

Thanks Apple.

All because you wanted to be greedy and only let media be delivered through you, instead of other websites being able to deliver it.

So instead of being able to use adblock, to block malware and only view video when we chose, we're screwed. We have no recourse.

I saw this coming a mile away the second Apple fanboys began defending Apple's position.

Re:Thanks Apple (1)

MogNuts (97512) | about 4 years ago | (#33613528)

Pardon me, I meant flashblock

Re:Thanks Apple (0)

Anonymous Coward | about 4 years ago | (#33613702)

Pardon me, I meant flashblock

Stop drinking the Apple-hate koolaid.

Something like NoScript or an add-in could emulate Flashblock for video/audio in HTML5. And that's assuming the browser developers don't add that directly into the browser settings.

Audio/visual info playing only when clicked is not a hard problem to solve.

Re:Thanks Apple (0)

Anonymous Coward | about 4 years ago | (#33613914)

Thanks Apple.

All because you wanted to be greedy and only let media be delivered through you, instead of other websites being able to deliver it.

So instead of being able to use adblock, to block malware and only view video when we chose, we're screwed. We have no recourse.

I saw this coming a mile away the second Apple fanboys began defending Apple's position.

So your basic premise is:

1. Apple wants to control all media everywhere
2. Apple supposedly creates HTML 5, a standard that it doesn't control
3. Apple somehow gets Google and a bunch of other organizations it doesn't control to implement the standard that it doesn't control. You know, because Google and the rest want to help Apple control everything
4. ???
5. Profit (for Apple, obviously, and maybe Google, and...Microsoft?)
6. This is all Apple's fault.

Fear, Fear, FEAR! (2, Insightful)

Quiet_Desperation (858215) | about 4 years ago | (#33613548)

said Jeremiah Grossman of security firm WhiteHat.

So you really need to buy their security solutions! NOW! Meanwhile, Goodyear tires said that to be really safe on the road (and to keep your CHILDREN! safe) you should get new tires every 5000 miles, and the Head & Shoulders folks claim washing your hair three times a day will avoid a stinky head. And the government said that taking blood and tissue samples at the airport will protect us from engineer^H^H^H^H^H^H terrorists ever more so.

Isn't this natural evolution? (1)

achyuta (1236050) | about 4 years ago | (#33613598)

It's true that the HTML5 spec is huge on functionality but they've put in some very simple Unix type philosophies to achieve security.

The suggestion should not be to decrease HTML5 functionality - the web can't stand still on that - but to increase focus on and mitigate security threats through more policies in the HTML5 spec.

The increased functionality also allows developers to do away with some crazy workarounds (read security loop holes) to get some generally expected experiences on their web page.

Plus, as it has been pointed out earlier, the surface area for Flash and other plugins will also come down. So while the net surface area for attacks increase, the implementations are going to be a lot more secure by design.

And of course :) .. (1)

achyuta (1236050) | about 4 years ago | (#33613622)

.. isn't an increase in functionality and thus the addressable attack area natural evolution of any technology ?

The Modern Techie (2, Insightful)

jellomizer (103300) | about 4 years ago | (#33613648)

The Modern Techie will now by definition reject all new technology no matter what advancements are in it. While adopting any new technology will have tradeoffs the modern will hold on to whatever tradeoff negative effect and call it a horrible plan. Any new tech is now a threat to their way of life and no longer a new interesting field to study...

I think us techs have gotten too old.

I'll take the heat and stay in the kitchen (1)

gsgriffin (1195771) | about 4 years ago | (#33613738)

For myself, having to use jQuery and always be mindful of the variation in scripting code for each browser is the headache neverending. I want to see more HTML5 (and then 6) integrate more of the features and functions users are coming to enjoy and demand. Then, we only have to worry and complain about the browsers not implementing the standards...like always.

Coming soon, CERT® Advisories for HTML (1, Funny)

Anonymous Coward | about 4 years ago | (#33613826)

CERT® Advisory CA-2012-01 HTML5 Vulnerability ... we recommend disabling HTML until the fix is installed.

Another member of the Tautology Club... (1)

Angst Badger (8636) | about 4 years ago | (#33613872)

Shock! The attack surface is proportional to the amount of functionality offered! Ergo, we can build more secure applications by eliminating functionality!

I have a lot of respect for the security community, but sometimes they confuse the newsworthy with the merely obvious.

A huge risk in HTML5 (3, Interesting)

Dracos (107777) | about 4 years ago | (#33613874)

Let me start out by reminding everyone that when Netscape came up with Cookies, everyone thought they were fine. Now, thanks to 1 pixel images and other tracking methods, cookies are the key to online companies aggregating bits of "anonymous" data into an identifiable profile of a person. Does Google know only as much about you as you would like? In fact, they know far more about you than you would expect, even if you don't use GMail.

The single biggest shot across the bow to privacy in HTML5 is the ping attribute [w3.org]. It may seem innocuous at first glance, but according to MozillaZine [mozillazine.org], it sends an HTTP POST request to each url. Why not GET instead?

This will allow Google, Alexa, FaceBook, or any "partner" to track users, if a site implements ping, easier than ever before. Some say trackers will migrate away from redirect URLs, but I say they will do both, if only to sop up every last piece of data they can.

I can see ping being used as a stealth DDOS attack, if enough malicious links can be distributed. Some content provider web API gets hacked, thousands of sites load up links (via AJAX) that ping slashdot.org, and Slashdot goes down. Will ping implementations be smart enough to reduce the list of URLs down to unique values? How many times does ping="slashdot.org slashdot.org/foo slashdot.org/comments.pl slashdot.org/article.pl" actually hit the poor, unsuspecting server? There's no apparent limit to how many URLs can be stuffed into a single ping, either.

I'm sure the black hats will think of other ways to exploit this. I agree that tools are neither evil nor good, but this is ripe for unintended consequences.

Re:A huge risk in HTML5 (3, Insightful)

kc8jhs (746030) | about 4 years ago | (#33614164)

It looks like that option was included with the intention that the browsers implementing the feature would have a method to disable its usage. I'm guessing if it gets crazy then major players will ship with it disabled, or maybe include some sort of same domain policy for pings (ping domain has to match referrer or href). I'm not too scared, and this would work much better than JS versions of the same thing.

Re:A huge risk in HTML5 (2, Interesting)

BitZtream (692029) | about 4 years ago | (#33614330)

The single biggest shot across the bow to privacy in HTML5 is the ping attribute [w3.org]. It may seem innocuous at first glance, but according to MozillaZine [mozillazine.org], it sends an HTTP POST request to each url. Why not GET instead?

Why does it matter if it's a GET or POST? I mean, why would you want GET? More chances that the URL will contain sensitive data that gets logged in more places. My webservers log GETs with all their encoded data by default, but the only thing I know about posts in the log is that they were posts and I know nothing about what's in them. My browser did, and so did the proxy that brought that post into the actual web servers, so it's not like they can 'hide' information in there that you 'can't' see.

From the link you gave:

The a and area elements have a new attribute called ping that specifies a space-separated list of URLs which have to be pinged when the hyperlink is followed. Currently user tracking is mostly done through redirects. This attribute allows the user agent to inform users which URLs are going to be pinged as well as giving privacy-conscious users a way to turn it off.

Emphasis mine. You can bet it will default to prompt initially in most browsers. Makes it fairly easy to control. Much has been learned since cookies came out, and the ping attribute is an attempt to use that experience.

You're worried about how it can be abused and completely ignore that it's really simple for a browser to not allow anything you mentioned to happen. You could already do a DDOS with hidden iframes that would accomplish the same thing for instance.

It's no worse than cookies, is just as controllable as cookies in every way, and is designed to fill a specific role that is already filled using a bunch of kludges.
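The three comments above turn on what a ping list actually requests and whether it should be limited to the linking or linked site. The following is an added example, not part of any comment in this thread: a small markup auditor that lists each link's ping targets after removing exact repeats, counts requests per host, and flags targets that fail the same-domain rule suggested above. That rule is treated here as a hypothetical policy, not a browser behaviour, and the page and domains are constructed.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host[:port]) pair used for the same-origin comparison."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

class PingAuditor(HTMLParser):
    """Record every <a>/<area> ping target and which host would be hit."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []              # one dict per link carrying ping
        self.hits_per_host = Counter()  # requests each host would receive

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag not in ("a", "area") or not attr.get("ping"):
            return
        href = urljoin(self.page_url, attr.get("href") or "")
        # Hypothetical policy from the thread: ping must match referrer or href.
        allowed = {origin(self.page_url), origin(href)}
        # The attribute is a space-separated URL list; drop exact repeats.
        targets = list(dict.fromkeys(
            urljoin(self.page_url, raw) for raw in attr["ping"].split()))
        for url in targets:
            self.hits_per_host[urlsplit(url).netloc.lower()] += 1
        self.findings.append({"href": href, "targets": targets,
            "third_party": [u for u in targets if origin(u) not in allowed]})

def audit(html, page_url):
    auditor = PingAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor

# Constructed sample page (not taken from any real site).
SAMPLE = """
<a href="/story/1" ping="/click https://tracker.example/t https://tracker.example/t">one</a>
<a href="https://partner.example/x" ping="https://partner.example/in https://victim.example/a https://victim.example/b">two</a>
<area href="/map" ping="">
"""

if __name__ == "__main__":
    report = audit(SAMPLE, "https://news.example/index.html")
    print(report.findings, dict(report.hits_per_host))
```

Distinct paths on one host still count as separate requests, which is the case the question about stuffing one host's URLs into a single ping list is asking about.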

let crockford fix it (0)

Anonymous Coward | about 4 years ago | (#33613896)

let Doug Crockford lead a new draft committee. he seems to be competent to do it right.

How can HTML4 be vulnerable? (5, Insightful)

Jugalator (259273) | about 4 years ago | (#33614056)

It doesn't even contain any code, being a markup language? It's not even Turing complete.

[italic attribute="question"]Is this invented markup language of mine also vulnerable?[/italic]

*shrug*

Browsers should be strictly sandboxed! (2, Interesting)

cowdung (702933) | about 4 years ago | (#33614296)

Browsers, IM tools, Skype, and other such tools should ALWAYS run under very restrictive permission levels. I don't need my browser writing anywhere on my computer except for maybe one folder (usually). I don't need it changing the registry. I don't need it to be able to unsandboxed execute code.

So keep it isolated using permissions. That is the last line of defense against malicious sites.

That would solve a great number of problems.

Favor what? (1)

egnop (531002) | about 4 years ago | (#33614468)

I don't get it, are we all that paranoid,

Naturally we favor functional above secure

oh wait, security experts.

Fuck them
