Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Security Risks of HTML5 Development

samzenpus posted about a year ago | from the protect-ya-neck dept.

Programming 275

CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."

cancel ×

275 comments

Javascript (2, Insightful)

Anonymous Coward | about a year ago | (#44090359)

Where remote code execution is by design.

User "slashdot.org" (2)

tepples (727027) | about a year ago | (#44091503)

JavaScript: Where each web site has its own user account.

Web browsers are designed to handle the privilege separation in JavaScript the way operating systems handle user accounts. Each origin has its own account, and origins can't access resources associated with a different origin unless the owner of the different origin has opted into sharing the resource (CORS). Ideally, browser publishers treat violations of origin separation as seriously as OS publishers treat violations of user separation.

Nothing new (5, Insightful)

Urd.Yggdrasil (1127899) | about a year ago | (#44090361)

Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.

Re:Nothing new (5, Insightful)

digitalchinky (650880) | about a year ago | (#44090375)

You could also argue that contractors who shop around for the cheapest / fastest deal possible get exactly what they pay for. You want quality work, you have to pay for it, just like in every other industry.

Re:Nothing new (0)

Anonymous Coward | about a year ago | (#44090441)

This. And now it's finally becoming apparent for talented web developers to demand the true value of their services.

Re:Nothing new (0, Insightful)

Anonymous Coward | about a year ago | (#44090453)

Except the developers aren't only hurting themselves, they're hurting users? Think before you comment much..?

Re:Nothing new (4, Insightful)

Calydor (739835) | about a year ago | (#44090535)

What does that have to do with anything? A mechanic using the cheapest possible materials hurts his users when his repairs fail. A house built by the cheapest contractor with the cheapest materials may develop severe faults - to the point of essentially being condemned. How does this not hurt the customers/users?

Re:Nothing new (1)

thaylin (555395) | about a year ago | (#44090785)

Because the person mentioned the contractor is getting what he paid for, not his customers.

Re:Nothing new (1)

AC-x (735297) | about a year ago | (#44091289)

But poor website security does affect its users as well as the site owner...

Re:Nothing new (1)

Grishnakh (216268) | about a year ago | (#44091131)

Because the people who hire web developers are not the ones who are hurt when the web developers' products fail; the users (visitors to the website) are the ones who suffer. The customers are not the same as the users.

The customers (web site owners) aren't going to care when they hire a crappy developer and his code results in someone's credit-card info getting released, or identity being stolen; the website operator isn't hurt by these things, so they don't care. There's no disincentive to hiring crappy developers.

Re:Nothing new (2)

jbolden (176878) | about a year ago | (#44090667)

Many other industries are regulated to insure that work meets certain quality standards. Further they often have professional associations with real teeth.

Re:Nothing new (2)

Registered Coward v2 (447531) | about a year ago | (#44090861)

Many other industries are regulated to insure that work meets certain quality standards. Further they often have professional associations with real teeth.

While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

Nononono (-1)

Anonymous Coward | about a year ago | (#44090385)

As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with.

Correction: It's more ammunition to shoot the average web user in the foot with.

Thought up by people who refuse to learn from their earlier gaffes for the benefit of a body of people that is known for not knowing any better and not wanting to know any better either.

In that sense HTML5 is no more than the latest bit of evolution of something that started gaining widespread traction in 1993.

Re:Nothing new (3, Insightful)

Cenan (1892902) | about a year ago | (#44090409)

I strongly object to using the word "developers" to describe people that are clearly fucking hacks. You don't become a doctor just because you use a scalpel to cut people open. Spade, meet shovel.

Half the web hacks out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web hackery. As with adding any other new buzzword feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on replacing hacks with real developers instead of trying to cram every new buzzword tech they can into their piece of shit application.

then stop hijacking phrases from other industries (5, Funny)

Anonymous Coward | about a year ago | (#44090541)

developer, before the rise of the cyber-douchebag, was someone who built houses for people to live in, or maybe a shopping center or something.

engineer, before the rise of the cyber-douchebag, was someone who had to get a license in order to build machines that might hurt people if designed wrong

programmer, before the rise of the cyber-douchebag, used to be happy with their good pay and didnt need to call themselves something they werenrt.

Re:then stop hijacking phrases from other industri (1)

Cenan (1892902) | about a year ago | (#44090659)

Pining for the olden days is no solution. I think what we need is to recognize that creating and deploying software has consequences, and a such we need a developer license, similar to how being a surgeon or a lawyer requires a license. And we need to enforce it with hard jail time / labor camp, when yet another douchebag leaks half a million rows of user data because he copy-pastaed from Stack Exchange.

Re:then stop hijacking phrases from other industri (2)

magic maverick (2615475) | about a year ago | (#44091121)

Labor camp, or any other similar phrases, are just another term for slavery.
Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.

Oh look, even Wikipedia [wikipedia.org] makes that point.

The United States prison system is being called "a new form of inhumane exploitation." Current penal labor in the U.S., it adds, "has its roots on slavery."

If you're a real communist you wouldn't be advocating for such shit.

Re:then stop hijacking phrases from other industri (1)

qbzzt (11136) | about a year ago | (#44091347)

Historically, communist regimes had no problem with using forced labor.

Labor camp, or any other similar phrases, are just another term for slavery.
Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.

...snip...

If you're a real communist you wouldn't be advocating for such shit.

Re:then stop hijacking phrases from other industri (1)

Cenan (1892902) | about a year ago | (#44091693)

Labor camp, or [*snip*]

I guess the "whoosh" meme would apply here, if it hadn't already been raped and beaten to death. Well, I guess it applies nonetheless, so there ya go: whoosh.

Re:then stop hijacking phrases from other industri (1)

magic maverick (2615475) | about a year ago | (#44091769)

Whoops. OK, you got me.

Re:then stop hijacking phrases from other industri (1)

Gr8Apes (679165) | about a year ago | (#44091133)

I think what we need is to recognize that creating and deploying software has consequences, and a such we need a developer license, similar to how being a surgeon or a lawyer requires a license.

But but but, how will this allow for those highly necessary H1Bs? Our economy would go down in flames!!!

Re:then stop hijacking phrases from other industri (1)

Cenan (1892902) | about a year ago | (#44091243)

Oh right, forgot about those. I guess we need some kind of if (has_license || is_H1Bs_worker) { do_stuff(); }, yes... yes, much better. All is well now.

Re:then stop hijacking phrases from other industri (3, Insightful)

Grishnakh (216268) | about a year ago | (#44091185)

Wrong. Why would anyone want to take on such a job?

Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).

Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?

Re:then stop hijacking phrases from other industri (1)

Cenan (1892902) | about a year ago | (#44091429)

Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?

Why should he or his boss be allowed off the hook when half a million records were just leaked? It's not so much about a license, that was an example, it is about enforcing due diligence in the business.

For instance, if you want to run a restaurant, you have to get a permit and will be subject to control visits to ensure that you comply with basic guidelines for handling food. Anyone can cook, but to be able to serve your food to other people, you have to have a permit. Same thing should apply to developers (and a whole host of other industries, but software development is the topic du jour), you can hack up a website all you want, but if you want to process payments or handle user data, get a permit and be subjected to control.

The problem is that programming is easy to begin doing, but hard to do right. And there are virtually no consequences when you screw something up royally. We've seen breach upon breach, malfunctions and abuse, yet every time it all boils down to "oops, sorry", and it fades away.

Lawyers and doctors are not self employed (1)

sjbe (173966) | about a year ago | (#44091707)

Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money

You are a quite incorrect. Better pick another example to compare to if you want your argument to hold any water.

Most doctors do not own their own business and many aren't even paid all that well especially considering the hours required. The majority [nejm.org] work for hospitals and thus are employed by someone else. The amount of money they make varies greatly by specialty. General practitioners as a rule do not actually make particularly high salaries. The lowest paid GPs have salaries of less than $90K [healthcare...online.com] per year with the mean somewhere around $175K. And they typically work 60-80 hours weeks to get that salary. Specialists tend to do better (though not always) and academic positions pay significantly worse than private practice as a rule of thumb. I'm married to an MD and she is not a business owner.

I don't know about lawyers quite as well but the data I've seen says about 20% are self employed [findthedata.org] . Lots of lawyers work for large law firms and most of them that do so are not partners.

Real developers don't do web development (-1, Flamebait)

Viol8 (599362) | about a year ago | (#44090683)

They do more interesting things, not hacking together some noddy webpage. So the only people left to do it are the ones who self taught themselves javascript after working their way up from HTML typesetting. I doubt many off them even have a clue how a computer works - "What, like the processor totally doesn't work on documents?? Like woah man!" - because the closest they ever got to a CS course was passing by the comp sci centre on their way to their BA or liberal arts course.

Re:Real developers don't do web development (5, Interesting)

OG (15008) | about a year ago | (#44090777)

Not true at all. I've been programming since I was 6 (now 37), have a degree in CS, and spent the first 13 years of my post-college career doing C++ programming. I transitioned to web development because I find it interesting. I work with other highly intelligent, skilled web developers. Web development has moved beyond putting together a blog. Some people, such as myself, think the challenges involved in putting together a scalable, responsive, functional, secure web app are interesting, and after reaching a bit of burnout in my C++, I feel a bit renewed. Not to mention the fact that learning how best to utilize a new set of languages and technologies has made me a better programmer all around, even benefitting the times I need to switch back to C++ mode.

Re:Real developers don't do web development (1, Informative)

jimshatt (1002452) | about a year ago | (#44090905)

Speak for yourself.

Re:Real developers don't do web development (1)

qbzzt (11136) | about a year ago | (#44091441)

You might not think it is worth doing things like https://www.facebook.com/ [facebook.com] , http://slashdot.org/ [slashdot.org] , or http://www.amazon.com/ [amazon.com] (to pick three well known examples of web applications). But some of us care about usefulness and/or getting paid.

Re:Nothing new (1)

drinkypoo (153816) | about a year ago | (#44090845)

The word those people don't get to use is not "engineer" but "Developer". A developer is one who develops. The word says nothing whatsoever about whether the development is shitty. Consult your dictionary, and use it to build a bridge and get over your failure.

Re:Nothing new (1)

Cenan (1892902) | about a year ago | (#44091139)

OP used the word "developers", your beef is with him/her/it. I don't care what they call themselves, being vulnerable to XSS, SQL injection or any of a number of different script kiddie techniques instantly disqualifies you from being called anything but a hack.

Re:Nothing new (1)

drinkypoo (153816) | about a year ago | (#44091295)

Whoops, I got them backwards anyway.

Developer: one who develops. It's called a housing development even when it's full of shit shacks, and it's called software development even when the software is shit.

Engineering: A term that people can rightly complain about being misused if it were being used here

passing up on more web pages these days... (0)

Anonymous Coward | about a year ago | (#44090513)

I just hope web pages continue to fallback to plain html whenever possible.. they're pushing me "off the grid" by relying on too much javascript.

Re:passing up on more web pages these days... (1)

javakcl (857093) | about a year ago | (#44091263)

Too bad the users want more and more complexity in their web applications. Can't tell you how often I hear that a web site sucks because it's not as fast as the old green screen applications. Say, for example, you want to add a row to an HTML table. Either you go through the request-response cycle, or you use JavaScript in the browser. Hmmmmmm...which one would be noticeably faster to the user over their 1Mb connection?

Re:Nothing new (4, Insightful)

KiloByte (825081) | about a year ago | (#44090623)

Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

Just half? Your glasses are of such a bright shade of pink that it must make it hard to see. This sounds so optimistic that you perhaps still have shreds of faith in humanity.

Re:Nothing new (0)

Anonymous Coward | about a year ago | (#44090679)

Not only the web "developers". The WhatWG ITSELF is a cesspool of medically certified cult-grade *insanity*.

I had a lengthy discussion (3+ hours) with the makers of the "living standard". They absolutely don't comprehend the concept of a *standard*. That it must be stable and reliable, and that that is the *whole damn point* of a standard.

Upon request, their guarantee to browser behavior was exactly *zero*. One of them even described how that "standard" literally changes every *hour*. Like an "agile" team, *forcing* you to use the *live* version of their code. Except that in this case *you* are the compiler.
So not only do you have to check for changes *all the fuckin' time*, but you even have to check for every damn feature if it is supported *separately*. And there's *no* way of knowing when in's stable enough to actually use it in a production environment! NONE.

So in fact it becomes completely *unusable*. Unless you are a complete hack... just like the WhatWG morons.

Their "excuse" is the most idiotic of all: Because [that horrible chaotic mess] is how it has always been in practice anyway.
Even if that was true (in XHTML times it wasn't), IT ISN'T SUPPOSED TO BE THAT WAY!
So they just gave up. They saw their own mind-boggling incompetence and the utter chaos they themselves created, and simply declared it "the new (living) standard"! Like a hoarder who shat all over his cluttered place going: "I declare that to be the new normal now! It always has been like that /anyway/.".

They are completely delusional, chock-full of cognitive dissonance, can't handle criticism AT ALL because they see every flaw one points out as a personal attack and insult and start whining and act offended like four-year-olds, and couldn't create a proper standard or proper code if their lives depended on it.
(And yes, of course I only started these criticisms of their *person* here, *after* that whole discussion, and I concluded that there's no saving it: Rationally, it's *them*. -- During and before the discussion, I always took the high road, remained rational and friendly. Exactly because otherwise I would have no right to say the things I just said.)

Re: Nothing new (0)

Anonymous Coward | about a year ago | (#44090897)

Can't see past the thousands of * in your post. Too much punctuation can be a distraction.

Re: Nothing new (1)

Molt (116343) | about a year ago | (#44090947)

It's just following the new standard for punctuation.

Re: Nothing new (0)

Anonymous Coward | about a year ago | (#44090775)

XSS attacks are due to the programmer not escaping control characters in string literals. Whether it's a single or double quoted JS string, HTML attribute, HTML text element, or URL request parameter, escape your ", ', , & characters already! It's user input; you don't know what they typed. This is most important in server-side languages like JSP.

What really sucks is when our front-end server, which escapes everything correctly, forwards an attacker's string to the back-end server, running a SQL DB, and they're not prepared for SQL injection. So then THAT team needs to get smacked for not parsing raw data before building up query strings.

It's not just code monkeys that need to write better HTML; it's the server guys, too.

Re: Nothing new (0)

Anonymous Coward | about a year ago | (#44090807)

Replying to myself. Slashdot didn't escape my less-than and greater-than angle brackets in my post!!!

Re:Nothing new (1)

maestroX (1061960) | about a year ago | (#44091085)

Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

The other half (=using pre-HTML5) cannot either. CORS is an improvement upon JSONP, simple script insertion, available in browsers right now.

Re:Nothing new (1)

Jason Levine (196982) | about a year ago | (#44091683)

I think a distinction needs to be made between the web developers who know how to program a web application and have an appreciation of security risks and the "web developer" who knows how to operate FrontPage, can "install" WordPress and put up one of the free themes with no modifications, or clicks on a web form to "create" a web page.

Both groups can wind up with security holes. The former will likely try to avoid them but might wind up with them due to untested cases or mistakes (it happens to all of us) or due to higher-ups who push for features over security. Yes, the web developer is to blame in this case also, but it is an important distinction to note. And before anyone responds "they should just quit", not everyone has that financial luxury.

The latter group will wind up with security holes because they don't understand how web technologies work and how they can be abused. They call themselves "web developers" but they are just "point and click" developers at best. They know just enough to be dangerous, not enough to protect themselves or their users from said danger, and ruin the reputation of the rest of us.

Wrong Audience (0)

betterprimate (2679747) | about a year ago | (#44090397)

Security risks are as stated in TFA, from the user's preferences and browser whatever. It's mostly sensationalist hyperbole. Try CNET next time as an audience. Thx.

crickets (-1)

Anonymous Coward | about a year ago | (#44090429)

So someone who doesn't know about HTML5 said something to someone who knew someone about HTML5 decided to tell someone they knew who told someone that they should write a really quick and poorly written blog post about HTML5 and then they had their friend do it.

What's with this, /.? Don't make me come over there and cut you with my HTML5 jiujutsu!!

Shouldn't there be full encryption by default? (5, Interesting)

roman_mir (125474) | about a year ago | (#44090435)

At the minimum there should be full data encryption at the client level, that's just to start. Then there are other problems to solve (cross site code accessing information that it shouldn't be able to access)... Basically your desktop will have to solve issues that application and database servers have to solve and I can imagine this is a much more difficult task to accomplish. With application and database servers at least there are people, whose JOB it is to ensure security of the client data (from programmers to testers and administrators), but on the client side... it's very very sketchy, the number of potential problems is enormous.

Re:Shouldn't there be full encryption by default? (4, Interesting)

Common Joe (2807741) | about a year ago | (#44090603)

Why the hell is parent modded to -1? roman_mir is spot on. If I'm surfing a website and it wants to store information locally, the web browser should encrypt it for security reasons. As a user, I don't want to have to worry about what information is being written out to my hard drive. Clear text for personal information? Banking information? I've RTFA and it says "[There is] a bank that used example HTML5 code for training developers that put data in permanent storage on the client system as opposed to temporary storage." There are people who say [slashdot.org] that banking institutions still use java applets. Think long and hard about this. Another question: do modern day browsers encrypt cookies? I don't know for sure, but I suspect they don't.

And since I've RTFA, I'm going to take this conversation one level further. This ideology sure sounds like a very fat client to me. If we're going to use "sessionStorage, localStorage, and client-side databases" (as per TFA), why not just use an executable? Write the thing in .NET or Java or C? It would be faster for the client and easier to secure from a programming perspective. There's nothing stopping you from using APIs on the web using these languages. Are you saying it's because we can't trust websites? Then why is HTML5 giving access to "system services, such as camera, microphone, and GPS" and allowing "JavaScript to request resources from different domains"? (Again, this is straight from TFA.) About the only thing it doesn't have is unfettered access to the whole hard drive under the user's permissions. Or does it? I don't know. I'm beginning to wonder about how far HTML5 will allow access and under what conditions. Even if HTML 5 asks for permissions on everything it needs to, what do you think the standard user will say to all the "allow access?" questions?

I'm a programmer, but not a web developer. Maybe this article is full of it and maybe it ain't, but in either case, roman_mir should not be modded down for what he is saying. There are legitimate concerns here that he is trying to raise and he hasn't said anything inflammatory in his post.

Re:Shouldn't there be full encryption by default? (-1)

Anonymous Coward | about a year ago | (#44090675)

He is a well known troll that must be stopped and not allowed to speak, all his comments must be moderated down to prevent his comments from appearing on any topic.

Re:Shouldn't there be full encryption by default? (1)

jbolden (176878) | about a year ago | (#44090693)

This ideology sure sounds like a very fat client to me. If we're going to use "sessionStorage, localStorage, and client-side databases" (as per TFA), why not just use an executable?

Browsers are much more hardened environments than mainstream OSes. More or less what this is evolving towards is what Microsoft proposed a decade ago of having a very hardened windows core running normal windows and a trusted computing subsystem that had limited ability to pass information between them. Everyone agrees that browsers need to be hardened. Even Apple agrees that what they do for iOS to harden it is impractical for OSX and Microsoft would have an even tougher time doing it for Windows NT, and Linux triumphed not various hardened OSes. So it appears that everyone agrees that core OSes can't be hardened. So we are getting Microsoft's solution through gradual evolution rather than deliberate design a decade later.

Re:Shouldn't there be full encryption by default? (0)

Anonymous Coward | about a year ago | (#44090789)

If you want your files encrypted, then encrypt your filesystem. There's no need to make every single program on your computer have its own password to encrypt its own files with when the OS can just encrypt all of the user's files by the user's password.

And encrypting that stuff doesn't help against web exploits anyway. If an XSS attack injects a script which reads out data from your site localStorage container, then it doesn't matter if it's encrypted because it's already mounted by the browser.

Re:Shouldn't there be full encryption by default? (-1)

Anonymous Coward | about a year ago | (#44090805)

Also fuck you, for bringing up attention to the moderation of roman_mir, your comment draws attention to his comment.
Every time he makes a comment a troll war starts, his comments draw attention of hundreds of users here and overwhelm the important discussions, that is why his comments must be downvoted so he can't make them and so will your comments if you reply to him, that's your warning.

Re:Shouldn't there be full encryption by default? (1)

DrXym (126579) | about a year ago | (#44090973)

What threats do you think encryption will actually protect you from? If a browser transparently encrypts data as it is stored and transparently decrypts data as it is read then it's not going to help in any way at all if site A writes something and malicious site B reads it. It'll be plain text by then.

Perhaps it could stop a drive by somehow uploading the file. But that's why browsers randomize their storage paths to begin with so that's already covered.

So maybe it will stop a trojan or malicious plugin with local OS access (thereby able to search down random paths) from reading the file? Well not really since if a trojan can steal the file it can also steal the encryption key the browser used to scramble the file. Or it could log keystrokes to capture the user password used for the same purpose.

So basically encryption is basically false security. The old adage that a chain is as only strong as the weakest link applies here. Maybe encryption would be the icing on the cake but FAR more pressing would be making cross domain storage as stringent and secure by default; preventing cross domain access without explicit policy; enforcing limits on the amount of storage any site can use; setting small default limits to discourage sites dumping data to it; providing sensible management tools for the user to clear / delete / change the size limits globally or per site; providing preferences to expire / clear out data on exit or by age; and just generally testing this stuff within an inch of its life to ensure it is performant and secure.

Re:Shouldn't there be full encryption by default? (1)

Common Joe (2807741) | about a year ago | (#44091517)

What threats do you think encryption will actually protect you from?

Multi-user environment and (to a certain degree) laptop theft. Addressing multi-user environment first: I understand that it won't stop trojans or keystroke captures. It should stop my smarter-than-me 13 year old from getting information I don't want them to have. Or if I loan my computer to a friend of mine. Or a work colleague. Just trying to keep honest people honest. Will stop them if they really want to get to it? No. Once the computer leaves my physical possession, I know it can be cracked.

As for laptop theft, I know it's better to encrypt a whole hard drive via truecrypt or bitlocker, but is the common Joe (not me, I'm referring to people like my mother-in-law else) going to do this? We should be doing as much as we can from a security stand point that makes it transparent for power users and compartmentalized so data isn't being thrown into multiple places all over.

But that's why browsers randomize their storage paths to begin with so that's already covered.

I've seen the randomized storage paths. I can't say I'm overly impressed since cookies are not stored here and neither will this other kind of information they are talking about.

So basically encryption is basically false security.

No. Encryption key in this case should be based on hardware and should be unique. The user shouldn't even need to put it in. If one website can access another website's information because of browser or O.S. flaws, it's another layer to crack.

Re:Shouldn't there be full encryption by default? (1)

fnj (64210) | about a year ago | (#44091187)

What the FUCK?! Parent is not a troll. Fix the mod. Argue the merits.

Re:Shouldn't there be full encryption by default? (0)

Anonymous Coward | about a year ago | (#44091257)

The post is deliberately wrong and misleading - see other comments here, while pretending to be insightful.

Pretty much the definition of troll. Now if he'd be a successfull troll, he'd also even get a few positive mods from less smart readers.

Re:Shouldn't there be full encryption by default? (0)

Anonymous Coward | about a year ago | (#44091375)

He is a troll, read his comments and journal, his comments are trolls his journal entries are trolls he is definition of a troll and anybody supporting his comments should think twice.

What the hell is the point of this anyway? (0)

Anonymous Coward | about a year ago | (#44090479)

Since when isn't it far simper to store some sort of ID in a cookie, and use that to index a database server-side where you store all of the data you need?

Storing large amounts of data in the web browser just seems like a solution to a problem that doesn't exist.

Re: What the hell is the point of this anyway? (0)

Anonymous Coward | about a year ago | (#44090507)

Erm, offline apps?

Re: What the hell is the point of this anyway? (0)

Anonymous Coward | about a year ago | (#44090525)

IMHO offline apps are also a solution looking for a problem.
We already have "offline apps".
They are called "programs".
The way it works is you use your web browser to download them, and then you install them.

Re: What the hell is the point of this anyway? (1)

Anonymous Coward | about a year ago | (#44090563)

Right, you download and install them for Windows XP, Windows Vista and later, Debian Linux, Redhat Linux, generic Linux - all in x86 and x64 versions, for Android, for iOS (whoops, you don't, at least not that easy), for Blackberry, for Windows Phone...

Re: What the hell is the point of this anyway? (0)

Anonymous Coward | about a year ago | (#44090581)

Don't feed the trolls!

Re: What the hell is the point of this anyway? (0)

Anonymous Coward | about a year ago | (#44090747)

Running on IE8, IE10, IE11, Firefox (unknown version), Chrome (unknown version), Safari (unknown version) and a myriad of other browsers, with a web of misconfigured caches, spam filters and firewalls between the server and the fat client certainly sounds a lot less nerve-wrecking than locally installed applications.

Re: What the hell is the point of this anyway? (2)

Behrooz Amoozad (2831361) | about a year ago | (#44090813)

Yes, I believe we have java, Qt, gtk, python, Tk, and a few quadrillion more cross-platform languages and frameworks for that purpose.

Re: What the hell is the point of this anyway? (0)

Anonymous Coward | about a year ago | (#44090879)

A program using Qt/Gtk compiled for Windows will run on anything else but Windows? Now that's surprising. You'll also likely need to package 10-20Mb of libraries with your 10Kb HelloWorld to let it run - both for Windows and for generic Linux distros.

Which cross-platform UI toolkit you recommend for Python and how do you propose to deliver it to users of your applications on different platforms?

Which implementation of Java SE do you propose to make my program available on iPhone?

Re: What the hell is the point of this anyway? (1)

etash (1907284) | about a year ago | (#44090579)

why download and install when you can just run it in the browser, saving the user all the issues with installing, license management (serials/product keys), incompatibilities etc. in a web app you write once and it runs always in most browsers ( yeah, don't nitpick, there are crossbrowser libraries like jquery etc. ).

Re:What the hell is the point of this anyway? (-1)

Anonymous Coward | about a year ago | (#44090543)

Since when isn't it far simper to store some sort of ID in a cookie, and use that to index a database server-side where you store all of the data you need?

When the free website provider doesn't give you access to server-side scripting [neocities.org]

Re:What the hell is the point of this anyway? (1)

liamevo (1358257) | about a year ago | (#44090577)

Speed, or the illusion of speed for an app is pretty vital.
There are certain aspects of your session and the the state of the app which can be stored client side and queried as needed, missing out http lookups, server speed, database queries etc make your app seem a hell of a lot more snappy.

Re:What the hell is the point of this anyway? (1)

mrvan (973822) | about a year ago | (#44090893)

Exactly. I have a web application that is essentially a front end to an API. Lots of calls return numbers that have value labels. Having some of these labels stored client side can prevent a lot of round trips.

As an attacker, I know exactly what you mean. (-1)

Anonymous Coward | about a year ago | (#44090533)

An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well.

I use indexedDB to attack Scientology by spreading entheta to every browser that visits [neocities.org] .

Can we mod articles? (0)

Anonymous Coward | about a year ago | (#44090553)

Say, (-1, Clueless) or (-1, Clickbait)?

Seriousy, "the data, which may be uploaded back to the server to attack others, as well"? My, those are some angry key-value pairs.

Seriously, CORS - that has to be properly set up both on server and client - as more of a risk than hacked together with Flash, JS and unholy gods solutions for cross-site access that were used before?

How is more insecure than what we have now? (1)

timothy_haak (773381) | about a year ago | (#44090561)

So wait if someone has access to your pc and can change things on it there may be a security problem? This is not really different than someone being able to steal your cookie. I would say that the problem is more that people can still access your data on the local pc at a latter stage (No worse than an old fashioned desktop application). This could and most probably will be mitigated by using some form of encryption of the offline storage using your login. CORS used incorrectly will be a problem but then again you can say the same for all the current technology at the moment. All new technology is a security problem till people work out best practices. Though there are many advantages to using them. (Transparent failover of your web app as one off the top of my head)

Re:How is more insecure than what we have now? (4, Interesting)

gbjbaanb (229885) | about a year ago | (#44090611)

there's one thing that's "good" about it - usually all that crap would be stored in a cookie and passed back and forth, back and forth each request. At least now the cookie can be a tiny token to pass to the server and all the session-cached data can be stored locally. At least that's what I hope will happen.

There is a need for local storage, even if its caching data. If you want security, there needs to be built-in support for encrypting the storage and keeping the key in the browser tied to a section of the url of the site you're working with. If that could happen transparently, then we'd have better security than what's we'd get otherwise (you can't use a login as many sites don't have one, and you need to keep each site secure from each other, so you can't even store the key in a cookie in case it gets hijacked as it passes over the network)

Anyway, at least people are thinking security of this stuff from the start, rather than wait for it to be exploited first.

Re:How is more insecure than what we have now? (0)

Anonymous Coward | about a year ago | (#44090901)

If it's in the browser, it's not secure. Encryption? Bullshit. Imagine a scriptlink included banner: that has full access to your code (even in anon closures, since it can reget your static resources and eval/inspect them). Localstorage is no less secure, than cookies; but everyone uses session cookies, you would say. The truth: not.

Re:How is more insecure than what we have now? (0)

Anonymous Coward | about a year ago | (#44091035)

So, what really needs to happen is, people need to be careful about what they store in the cache. There is plenty of non-secure data to store there. If your database has tons of objects or products that a user has looked up, why look them up everytime that user does anything? I mean, local storage *is* sandboxed. The only thing one can do to completely protect themselves is find a pay model that doesn't involve advertising; which (to me) sounds difficult; however, many of the successful websites don't seem to need them.

Re:How is more insecure than what we have now? (0)

Anonymous Coward | about a year ago | (#44091021)

I think another problem is many sites don't use https when they should. Any of your cookies can be read or replaced, which can lead to some cool replay attacks. Our computers today are fast enough to always use it. For those blogs that cannot afford it they should make a version without authentication that would still keep it encrypted (though this wouldnt stop MITM attacks, it would make them more resource intensive).

Re:How is more insecure than what we have now? (0)

Anonymous Coward | about a year ago | (#44091063)

Why is encryption something we have to afford? If it is that important, then it needs to be provided as a tag along service.

No risks here (3, Interesting)

hobarrera (2008506) | about a year ago | (#44090633)

So... where's the risk? How can my computer be put at risk?
If an app want to use localStorage, firefox prompts me for permision, and only assings 5KiB or something like that tops.

The worst scenario I can picture, is my MANUALLY authorizing literally millons of websites and them filling up my disk.

As for CORS: where's the security issue for the user? CORS is allowed for web hosts that explicitly state they support it. And again, how could that possible expose me?

Re:No risks here (2, Informative)

Anonymous Coward | about a year ago | (#44090677)

The risk is that in case the client computer is compromised (and a lot of them are) the attacker can steal data that is normally stored server-side. Say what you want, there are more clients-zombies than compromised servers. OTOH, if you have your client compromised, the convenience of stealing a stored session instead of hijacking it while it lasts isn't all that much of a gain for the attackers.

Stop it. (4, Insightful)

SuricouRaven (1897204) | about a year ago | (#44090821)

Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

If you need anything more then HTML, CSS and forms, I hope you have a very good justification.

Re:Stop it. (4, Funny)

0123456 (636235) | about a year ago | (#44090831)

But the future is web apps replacing local apps so they can run anywhere.

Except on tablets and phones, where the future is local apps replacing web apps.

Or something.

HTML5 looks like a total clusterfsck from here.

Re:Stop it. (1)

lightknight (213164) | about a year ago | (#44091027)

Oh, my head, stop. We've already been down this path once before.

Re:Stop it. (0)

Anonymous Coward | about a year ago | (#44091087)

Yeah it does, but to be fair so does coding apps for every specific phone platform that comes out and testing it.

Re:Stop it. (2)

Saint Gerbil (1155665) | about a year ago | (#44090837)

The needs of the business world is always changing and the needs of the internet is changing to meet it. HTML 5 isn't just a new shiny stuff which people can use. Its stuff people can do already but need large libraries and stuff to create now.
Newer libraries just mean that you will download less to the client, in order to provide the rich user experience they expect now a days.

TFA is pure FUD most of the problems which it highlights exist already. If anything HTML5 sorts out more issues than it creates.

Re:Stop it. (1)

SuricouRaven (1897204) | about a year ago | (#44090965)

I do like the video element, simply because it's a very common thing to want in a page and now can be done without an ugly plugin.

Re:Stop it. (1)

Murdoch5 (1563847) | about a year ago | (#44090849)

Security, which is something the client side can't give you.

Re:Stop it. (1, Insightful)

mwvdlee (775178) | about a year ago | (#44090853)

Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

If you need anything more then HTML, CSS and forms, I hope you have a very good justification.

Same thing, but with text-based terminals and same thing but with punchcards.
Just make it up yourself, I'm too tired to demonstrate the ignorance of what you just said.
Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.

Re:Stop it. (1)

SuricouRaven (1897204) | about a year ago | (#44090939)

And I'd be just as happy if that 'reply to this' link took me to reply.pl?parent=44090853, where I'd get a plain old form I could type my reply into.It may be old fashioned, but it'd run on every browser on every platform, even those with scripting disabled.

Re:Stop it. (1)

Jah-Wren Ryel (80510) | about a year ago | (#44091197)

Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.

Not those of us who use noscript. Admittedly, slashdot has made some very anti-noscript design decisions in recent years - in some cases instead of employing graceful degradation they've opted for "screw you" degradation - but it's stil mostly usable without javascript.

Re:Stop it. (1)

Anonymous Coward | about a year ago | (#44091201)

Does anyone else long for the days when could communicate information without needing a machines costing hundreds of dollars, an special internet connection, and some "operating system"? When people were happy to submit things via mail and accept a several processing delay, rather then require tons of computers to handle some electric signals? The time when things just worked, every time, when you didn't need a computer. When catalogs were catalogs, and not some advanced search mechanism trying to predict what you want.

If you need anything more than the post office and a pencil, I hope you have a very good justification.

Re:Stop it. (1)

ShopMgr (1639595) | about a year ago | (#44091345)

Damn kids, get off my lawn...

Re:Stop it. (0)

Anonymous Coward | about a year ago | (#44091389)

Many computer languages have features which programmers should just saw "NO" to.

On the web: Third party cookies, persistent cookies, overriding the users desired font size, javascript, and now html5 localstorage.

Other languages:
FORTRAN has the computed GOTO which is awkward to use correctly
C has "goto" which should be almost never used. Just saw "NO".
"Exceptions" are another horrid construct in more recent languages.
Python is missing "synatic sugar" (block delimiters). Just say "NO".
XML has a horrid tokenization scheme (comment don't nest, cdata sections, and other bizare oddities for getting parsers correct). Someone should have said "NO" years ago.

Yes, these are all useful in limited contexts, but are far more frequently abused by folks who don't understand what they are doing.

Re:Stop it. (0)

Anonymous Coward | about a year ago | (#44091751)

Yes, we all miss the days when Flickr was a usable web site.

What? (2)

Murdoch5 (1563847) | about a year ago | (#44090841)

Why are you using client side code to store data? Bad overall concept from the get go. If you really need to store "large" amounts of data for a web session then store a session flag in the client and use encrypted sockets to transport the data to a secure server and flush the temp storage when your done.

Re:What? (1)

Intrepid imaginaut (1970940) | about a year ago | (#44091235)

I can see a lot of potential insofar as P2P browsergames go. Cut out the middleman so to speak. You could have decentralised discussion forums, exchanges, anywhere people need to collaborate. Things get kind of weird at that stage though, many websites would become much more like torrent indexes than a centrally served resource. Who knows, maybe the security risks will exceed the value created, to say nothing of efficiency, we'll see.

Re:What? (0)

Anonymous Coward | about a year ago | (#44091361)

Offline applications.

now that Jobs is dead (0)

Anonymous Coward | about a year ago | (#44090891)

maybe Apple will change its iTune regarding HTML5?

Not new (0)

Anonymous Coward | about a year ago | (#44091055)

Storing information on the client's computer isn't new and isn't limited to HTML5. Using JavaScript it has been possible to store/access files on the client's computer since the 90s, at least in supporting browsers. Plus, with the ability to use cookies, a creative developer could store a good deal of important information on the client for future use. There isn't anything new about this concept, except perhaps ease of storing large volumes of data.

Misleading when exploits already in HTML4. (0)

Anonymous Coward | about a year ago | (#44091247)

Some fun facts about exploits that are available in HTML4 but are now being said to be HTML5 based so people stop thinking about them:

JSONP - Way more dangerous than CORS due to actually executing whatever is returned.
Flash - Cause who doesn't want your saved state to be accessed by other domains? See localStorage for a saner approach.
Iframe workers - WebWorkers are nicer, only pass around data, don't have code executing that can access multiple frames.

Some notes about "exploits" concerning attack vector origin:

Plaintext cookies - Just a storage medium. Only thing of note is it is always sent over the wire. You don't send passwords and usernames over the wire unencrypted right?
Storing data on the client side as an "exploit" - Lets just throw out file systems too, do you store data in your Java/C#/... programs on disk? could something run on the machine that could access the disk?
Same domain policy - Does your Java/C#/... program have this check in place if it has to pull down updates, a client side join on your data structures, or even nested web views?
Man in the middle - Use HTTPS with a CA and cache headers. For the love of Zod, cache headers.

Most of the "new" "exploits" are just the media not understanding that these attack vectors already exist in much worse ways. Unfortunately, many of the programmers reading "HTML" and "exploit" don't think about the attack vector as it affect's their programs :-/

html5 and anchor thingy (0)

Anonymous Coward | about a year ago | (#44091353)

what happened to the anchor thingy where a link goes to the same page but a different location?*blink*

Re:html5 and anchor thingy (0)

Anonymous Coward | about a year ago | (#44091385)

https://developer.mozilla.org/en-US/docs/Web/Guide/DOM/Manipulating_the_browser_history

There are AES libraries... (2)

ducomputergeek (595742) | about a year ago | (#44091749)

We use HTML5/JS in conjunction with Apache Cordova to create Mobile Apps for iOS & Android. For most applications we're hired to do, mainly form apps really, this combo works well, we can build & deploy quickly. But everything we put into localstorage is encrypted using an AES library. User chooses a password as the key and have to reenter the password to retrieve the information. There is an option to wipe the database and clear all storage if you can't remember the password. It's simple and it keeps the data secure enough for our purposes. We're not storing credit card or other data usually. Is it foolproof, probably not, but better than nothing.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...