Slashdot Mirror


Security a Concern As HTML5 Advances

Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."

234 comments

  1. Those who complain about PDF w/scripts by Anonymous Coward · · Score: 2, Insightful

    should also complain about a hyperText markup language document with scripts

    1. Re:Those who complain about PDF w/scripts by _Sprocket_ · · Score: 4, Interesting

      One of my favorite things about Flash is that it's easy to block and control. There's times when I want the functionality Flash is providing - but most times, I'd rather pretend that I don't have it installed. I was rather rudely reminded of this the other day when I installed Flash on my Android phone. I was all happy until I started browsing around. Until I get NoScript on my Android, Flash has been removed.

      With this in mind, I'm wondering what level of control we might have over HTML5.

    2. Re:Those who complain about PDF w/scripts by Luyseyal · · Score: 2, Insightful

      Hopefully something akin to: image.animation_mode = once

      -l

      --
      Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
    3. Re:Those who complain about PDF w/scripts by natehoy · · Score: 1

      I'm sure NoScript will (if it isn't already) add detection of content types, and anything it considers "executable" in any form will need to get the whitelist treatment. There's already protection for a lot of things other than JavaScript.

      Eventually, NoScript will probably have to have a whitelist for tags. <b> and <img> are OK by default, <video> might need whitelisting for a specific site, or you whitelist the whole site, or you whitelist the tag across all sites.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    4. Re:Those who complain about PDF w/scripts by AndrewNeo · · Score: 4, Informative

      Er, why don't you just set plugins to only start when you tap them?

    5. Re:Those who complain about PDF w/scripts by GravityStar · · Score: 2, Informative

      The browser can be set to only load flash on request. That makes it functionally similar to flashblock with firefox.

    6. Re:Those who complain about PDF w/scripts by _Sprocket_ · · Score: 3, Insightful

      o.O

      Let's see...

      Browser... settings... Enable plug-ins... on demand.

      Well, I'll be.

    7. Re:Those who complain about PDF w/scripts by _xeno_ · · Score: 4, Interesting

      That's not possible in the current spec. The browser has no idea that a canvas is even being used for animation, let alone when an animation has completed. Well, OK, a simple heuristic of "if this canvas is being repeatedly updated, it's an animation" is possible. But the problem is you still don't know when an animation has looped once.

      The best thing that can be done is to refuse to update a canvas after it's been updated once.

      So then people start removing and replacing the canvas element... Or use video instead... Or start using the audio APIs...

      Really, a lot of the new APIs are really cool from a web developer "whiz-bang" point of view, but the HTML5 spec authors don't seem to give a damn about actually providing control to the user. Rather it's the whole "it's MY content, you MUST view it MY WAY!!! " stance yet again.

      On the other hand, there's the thing where you can't full screen video in HTML5 because evil web page authors might some how trick people into typing their password into a video. Yet you can full screen Flash - they seem to have come up with a solution (the "press ESC to exit full screen" banner) so it's not like there's absolutely no way to protect users.

      So who knows what the HTML5 developers are thinking, because the inability to full screen HTML5 video makes it a complete non-starter versus Flash video. Especially if you want to share HD video.

      --
      You are in a maze of twisty little relative jumps, all alike.
    8. Re:Those who complain about PDF w/scripts by Luyseyal · · Score: 1

      If you can't do "once", I'd be happy with a flashblock by default of canvas, video, and audio tags.

      -l

      --
      Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
    9. Re:Those who complain about PDF w/scripts by sed+quid+in+infernos · · Score: 1

      One of my favorite things about Flash is that it's easy to block and control. There's times when I want the functionality Flash is providing - but most times, I'd rather pretend that I don't have it installed. I was rather rudely reminded of this the other day when I installed Flash on my Android phone. I was all happy until I started browsing around. Until I get NoScript on my Android, Flash has been removed.

      In the Android browser settings, you can set it so that plug-ins will only show a placeholder until the plug-in is activated for a particular page. It basically gives you Flashblock functionality, except activating one flash doc on a page will activate them all.

    10. Re:Those who complain about PDF w/scripts by tenco · · Score: 1

      AFAICS it is already at least partially. I can whitelist for example ogg@domain.net/.../video.ogg or Font@domain.net with NoScript. But I couldn't find this for audio. But since Firefox's HTML5 audio player requires JS it can be easily blocked as well.

    11. Re:Those who complain about PDF w/scripts by _xeno_ · · Score: 1

      Hopefully something like FlashBlock will be possible. It should be easy for canvas and video because if they're not part of the DOM, there's nothing to display.

      Audio, sadly, appears to have a JavaScript object-only model, making it harder to create a FlashBlock like extension.

      But, of course, you shouldn't need an extension!

      You can block image loading in Firefox, Safari, and Chrome via preferences/options. But not video loading. Unless blocking images also blocks videos, which would make sense, but you can't just block video via the UI. At least, I haven't found something to block just video in any of those browsers.

      Opera at least allows you to disable sound, but I again didn't find anything for disabling videos.

      Which is annoying - open video standards on the web is a good thing, but easily abuseable. Sadly the only thing in the spec which is forbidden is allowing a web app to full screen a video. Nothing about providing UI to disable videos entirely.

      It kind of makes you wonder why they didn't think to add "disable videos" when "disable images" has been there from the beginning.

      --
      You are in a maze of twisty little relative jumps, all alike.
    12. Re:Those who complain about PDF w/scripts by MogNuts · · Score: 1

      You are spot on.

      As I posted elsewhere here (but modded down into oblivion because fanboys will be fanboys), all I have to say is thanks Apple.

      All because you wanted to be greedy. Fanboys kept saying it was because of "the superior experience," but it really was so that Apple got a cut from one buying 30 Rock from ITunes instead of being able to stream it from Hulu via flash.

      So instead of being able to use Flashblock to block malware and only view video when we chose (and not having multiple video ads/misc bogging down our system), we're screwed. We have no recourse.

      I saw this coming a mile away the second Apple fanboys began defending Apple's position.

    13. Re:Those who complain about PDF w/scripts by awjr · · Score: 1

      You do realise you can go into your browser settings on Android and turn on the plug-in on demand option. This is effectively no script. You choose which Flash object to download and run.

    14. Re:Those who complain about PDF w/scripts by Anonymous Coward · · Score: 0

      NoScript already does that.

    15. Re:Those who complain about PDF w/scripts by Anonymous Coward · · Score: 2, Interesting

      I'm sorry, but why should full-screen be part of the API? It is a browser UI feature. Firefox 3.6 supports it, other browsers are at least planning support for it. If you do not like the UI for it in the browser you use, use a different browser or submit a bug report. It is a browser issue, not an HTML5 issue.

    16. Re:Those who complain about PDF w/scripts by KiwiSurfer · · Score: 1

      Mod parent up.

    17. Re:Those who complain about PDF w/scripts by Penguinisto · · Score: 2, Insightful

      Rather it's the whole "it's MY content, you MUST view it MY WAY!!! " stance yet again.

      There is a cure for that attitude - for the same reason that Facebook pretty much wiped MySpace off the map, or the way Google turned Yahoo! into a has-been: Keep it clean and user-friendly, keep the ads un-intrusive, or face instant death in the face of superior (cleaner, less intrusive) products.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    18. Re:Those who complain about PDF w/scripts by Anonymous Coward · · Score: 0

      dude, just set Browsers setting to load plugins on demand only. (it has builtin no script already ;)

    19. Re:Those who complain about PDF w/scripts by Anonymous Coward · · Score: 0

      On the other hand, there's the thing where you can't full screen video in HTML5

      Try F11.

    20. Re:Those who complain about PDF w/scripts by Randle_Revar · · Score: 1

      Video tag (and audio) is blockable with NS, just like Flash. No option for canvas yet, but I also haven't run across canvas in the wild yet (actually, I think that arcade fire thing had some canvas. but that's it), while I have seen a fair bit of video.

    21. Re:Those who complain about PDF w/scripts by _xeno_ · · Score: 2, Insightful

      You've never dealt with actual users, have you?

      Go ahead. Explain to someone that in order to watch a video full screen they will need to either:

      1. Context-click the video and choose the "Full Screen" option, assuming there is one. This only works when using the browser's built-in video controls, I think.

      2. Click on the "expand" button to expand the video to take up the entire tab, and then use your browser's Full Screen feature, which is probably F11 except when it's something else. Or if you're using Safari, you're screwed.

      Users want a nice little Full Screen button they can click on and be done with. Even if there's a work around, they're not going to be happy.

      Besides, it's yet another reason to just stick with Flash: it provides this support already. So why use something else, especially when you need to encode twice to support all browsers?

      Ultimately, it's a useless restriction. Sure, make it a white-list only feature, but why the hell forbid it entirely?

      --
      You are in a maze of twisty little relative jumps, all alike.
    22. Re:Those who complain about PDF w/scripts by cbhacking · · Score: 1

      The Nokia N800 had full Flash on a 400 MHz ARM device with 96MB or so of RAM (and this was 3 years ago... Android is late to the party). It would have been incredibly painful browsing with full Flash on a platform like that except that it also had AdBlock Plus and Flashblock. Actually, even without Flash, ABP made the mobile browsing experience vastly better. Give me 800x480 with no ads over the iPhone 4's browsing experience, even sans Flash. Is there any ad-blocking extension for Android (honest question; I don't have one)?

      --
      There's no place I could be, since I've found Serenity...
    23. Re:Those who complain about PDF w/scripts by CarpetShark · · Score: 1

      One of my favorite things about Flash is that it's easy to block and control.

      Easy to block, yes. Control? No. When everything from business chart applications to sex games are all just "objects" to a browser/html parser, it's pretty hard to control what's allowed and what's not.

    24. Re:Those who complain about PDF w/scripts by lamapper · · Score: 1

      One of my favorite things about Flash is that it's easy to block and control.

      To coin a phrase, "that is not entirely accurate". It is well documented (2009 Study) that "Private Browsing" does not actually protect you, (blog post) that the Flash cookies + Javascript code simply store the Flash cookies in a location that is not monitored and/or controlled.

      Linux using Symlinks to redirect the Flash stuff to a (/tmp) directory that gets automatically erased every time you reboot your PC is a great option. See (Banish flash cookies forever under linux). Since Mac OS X is based on BSD Linux, you should be able to do the same thing with that operating system. With Windows, you could always count on DOS to allow you to erase junk also, however with Windows 7 I honestly have no idea if it is even possible. As many of the articles pointed out, vendors will tell you that you are safe and browsing privately, but the reality is often something else. At best they only do a partial job with Flash. At worst they do nothing. Adobe blames the browsers API, which is interesting. I am not buying that at all. As for browsers, Internet Explorer and Google Chrome do not allow you to control Flash junk 100%, allowing for only a false sense of security. Since Google has partnered with Adobe, this is unlikely to change in the foreseeable future. See the comparison link below to see how those browsers stacked up based on Privacy.

      With Firefox + NoScript + Linux you can at least control the Flash stuff after a reboot of your PC. However between reboots, Flash can track your activity on the web. Since there are over a 100 web browsers to choose from, surely a few of them will allow you to successfully control your Privacy and not just pay lip service to it.

      Don't settle for security by obscurity or as this blog post (with examples) showed privacy settings that do not work 100%. A quote from that post, "Still, the private browsing features in Chrome and Firefox are a complete false sense of privacy and security". Why settle....

      Another option might be MPlayer or gnash; the point is you do NOT have to use Flash if you do not want to. HTML5 should be another positive development to diminish Flash.

      I was annoyed that Google Chrome would let me only block the website cookie, not all the related tracking cookies from 3rd parties that are not named the same as the website. Even if you are not concerned about your privacy, you have to hate your Internet browsing experience slowing to a crawl because a website you are spending a second at wants to set 20 to 30 Flash cookies on your PC. This quote from the comments of the Linux article to banish flash cookies mentioned above, sums it up nicely...

      (The real danger in all this is cross-site tracking via third-party web beacons, whether that is stored by browser cookies, Flash Local Storage, browser Local Storage, or IP-address tracking. This article at The Inquirer, for instance, wants to notify DoubleClick, Scorecard Research, Quantserve,

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
    25. Re:Those who complain about PDF w/scripts by Luyseyal · · Score: 1

      It blocks the video and audio tags but allows you to play them if you want? If so, that rules. I may install that one.

      -l

      --
      Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
    26. Re:Those who complain about PDF w/scripts by hazah · · Score: 1
      "Since Mac OS X is based on BSD Linux"

      A bit of a nitpick, but I'd like to point out that there's no such thing as "BSD Linux". From Wikipedia: "Certain parts from FreeBSD's and NetBSD's implementation of Unix were incorporated in NeXTSTEP, the core of Mac OS X." FreeBSD and NetBSD are two distinct Unix like operating systems as is Linux. The two BSDs have more in common with each other than they do with Linux, and usually, GNU is used by all 3 to make a complete system. Personally, I use GNU on Mac OS X too, but I digress.

  2. I don't know about the rest of you by iONiUM · · Score: 4, Insightful

    But I'm really sick of hearing about HTML5. Maybe it's because every other day I see/hear a high level exec coming around and going crazy with statements like "HTML5 IS THE FUTURE WE HAVE TO BE ON IT. RIGHT NOW." Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.

    The entire disarray of this, and the mobile space, makes me upset.

    1. Re:I don't know about the rest of you by Anonymous Coward · · Score: 5, Insightful

      Standards are important but without fancy technology buzzwords I don't think the IT department would ever get funding.

    2. Re:I don't know about the rest of you by religious+freak · · Score: 4, Insightful

      Articles like this are important then, aren't they? In reading this, it should give you some ammunition against those that want to upgrade for the wrong reasons.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    3. Re:I don't know about the rest of you by iONiUM · · Score: 1

      Oh ya, you're quite right about that. My rant was on the topic of HTML5, not the article :)

    4. Re:I don't know about the rest of you by Anonymous Coward · · Score: 0

      HTML5 is usable right now for any website. Also, where can I find more high level execs running around going crazy over HTML standards? Sounds like my kind of exec.

    5. Re:I don't know about the rest of you by WankersRevenge · · Score: 2, Informative

      Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented and just maybe, impress your boss.

    6. Re:I don't know about the rest of you by squallbsr · · Score: 1

      Being unable to use HTML5 for enterprise applications only applies to those enterprises that are using Microsoft Windows without alternative browsers...

      --
      Sleep: A completely inadequate substitution for Caffeine.
    7. Re:I don't know about the rest of you by Anonymous Coward · · Score: 0

      If my boss is using IE7 on XP he's not going to be impressed one bit about that site.

    8. Re:I don't know about the rest of you by CannonballHead · · Score: 1

      Implementing stuff before the spec is finalized. That just seems weird. :P :)

    9. Re:I don't know about the rest of you by moderatorrater · · Score: 1

      At least this is a new kind of article, though, rather than the same old "HTML5 will replace Flash, Java, CPUs and give everyone blowjobs!" article that they usually have. And this is a serious concern, too: HTML already has an attack surface as big as all outdoors. I'm not saying that HTML is useless or should be replaced or anything, but security should be designed in from the beginning and the HTML5 spec is no exception.

    10. Re:I don't know about the rest of you by dmomo · · Score: 1

      I can't really complain about an open technology gaining momentum. So if it's those pointed haired bosses pushing for it, who cares if they fully get it.

      Is a spec for this sort of thing ever really complete? Parts of it often are, and the early adopters taking advantage of those parts are the only reason this stuff moves forward. In fact, by using the technology early, you are helping to determine which features are most important and which ones need to be rethought.

      We need people taking advantage of HTML5 now in order show those pointy haired bosses what it does / can do. This will drive demand and serve as a catalyst for solidifying or refining the spec, no?

      As for the "usable for any serious enterprise application" part. You could be right. Depends on the application, I suppose. If the supporting pieces are done right, the choice of front end technology becomes less important. But I would be skeptical of any manager pushing for HTML5 simply because "it's the future". I haven't run in to a situation like this to be honest. Most competent managers would be more likely to say "well, sounds flashy, but what does it get me?". It's more often that these managers are BLOCKING the use of such things.

      Some open minded managers do want to be on top of these things and rightly so. They want to make sure that their tech toolkit is up to date. This doesn't mean they are going to put all of their eggs in that basket. I would be grateful for the opportunity to embrace new challenges.

    11. Re:I don't know about the rest of you by mldi · · Score: 1

      Standards are important but without fancy technology buzzwords I don't think the IT department would ever get funding.

      You're probably right. The downside is you end up hiring people based on their "qualifications" that consist of listing a buzzword on their resume. Or when some marketing guy gets it stuck in their head and thinks they know how to do your job. Or when your site becomes a mess because someone in management insists that you include all these buzzword "technologies" in order to be on the "cutting edge".

      --
      If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
    12. Re:I don't know about the rest of you by Civil_Disobedient · · Score: 1

      Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.

      Yeah, and then you make the off-handed observation that you can do all of this stuff in Flash, and that this sort of thing (video + audio) is easy and is Flash's bread-and-butter, and, oh yeah, it's also worked for the past decade, and then you get modded down into oblivion because nobody wants to hear the bitter truth when there's fresh Flavor-Ade to be drunk.

    13. Re:I don't know about the rest of you by daveime · · Score: 1

      Really, it seems like one of the (very) few HTML5 things that work across browsers is the contenteditable attribute, which Internet Explorer has implemented since I believe version 6, and was widely condemned at the time by the "purists" as it wasn't part of the "official" HTML 4 spec.

      Just like the innerHTML attribute, MS implemented something that wasn't in the spec, got slagged to hell for it, and then had it copied by all the other browsers playing catchup.

      Your point was what again ?

    14. Re:I don't know about the rest of you by brainboyz · · Score: 1

      No kidding. I am usually not allowed to implement in a technology that is obsolete...er, "well supported."

    15. Re:I don't know about the rest of you by Anonymous Coward · · Score: 1, Insightful

      Well then it just doesn't work in your case. In my career, I couldn't give a shot about "enterprise" apps. HTML 5 is making websites faster and better for some of my consumers, that is all

    16. Re:I don't know about the rest of you by PaladinAlpha · · Score: 1

      That is the slowest, clunkiest, most visually confusing, least responsive, and perhaps most overall depressing site I've been to this year. God, if I showed that to my boss arguing for html5 we'd get knocked clear back to plaintext. Maybe it's my browser, but Firefox 3.6 is a fair chunk of market share.

      And as another person said, this is exactly the kind of thing that happened with Flash -- making fancy gizmos just because we can. This is why we programmers aren't let outside where the normal people play. Just because you can do something doesn't make it appropriate, and applications should ALWAYS be designed around use, rather than around implementations. That radial wheel with the highlighted column and the cheesy 3D text looks like an undergrad project (if it is, then kudos, keep studying).

      Even if you wanted to make it 'fancy', a simple grid-based arrangement with the same color scheme would have looked much better, and the mouseover highlighting instead of labels is crazy -- why should you have to highlight things at random to find something specific? It needs to be implementable without the interface lag -- grids instead of circles, or text instead of grids, and if html5 can't do it without the lag, then it needs to not be done at all.

    17. Re:I don't know about the rest of you by Tablizer · · Score: 1

      When those things happen, I try to tell my boss to wait until the technology has been road-tested for about 3 years before putting it into line-of-business production. It takes most new standards about that long to become sufficiently-reliable. Maybe try it early in a side project, such as an obscure report or service.

    18. Re:I don't know about the rest of you by msclrhd · · Score: 1

      It depends on what parts of the spec. Looking at the /. summary, it is silly to dismiss everything in HTML5 because it may compromise security.

      If you take parts of the spec like the new section elements (header, footer, article, section, etc.) I can't think of any attack vectors for them from a specification point of view. Same goes for CSS3 things like rounded corners and gradients. There may be exploits in how browsers implement those specifications, but that is a QOI issue with the browser, not the spec. Same goes for loading audio or video and the canvas drawing APIs.

      There are at least two features of HTML5 I see that require consideration from a security POV: web sockets and the file API. These also have a QOI consideration for the browsers implementing them, and there may be other areas as well.

      From a website designer's POV, there is also a QOI consideration in that the site should work and be functional if JavaScript is disabled and/or if audio/video are disabled (just like there is the alt attribute for images). This is both a security concern and an accessibility concern. Obviously, there will be a downgraded experience (e.g. not being able to play a game) just like what happens now if you disable JavaScript or Flash.

    19. Re:I don't know about the rest of you by kiddygrinder · · Score: 1

      disarray? how *long* have you been a web dev? it's actually only just starting to array.

      --
      This is a joke. I am joking. Joke joke joke.
    20. Re:I don't know about the rest of you by dmomo · · Score: 1

      I'll be waiting for you three years in the future. There's nothing wrong with trying something new. Banking on it, that's a different story!

    21. Re:I don't know about the rest of you by Decker-Mage · · Score: 1

      Off-topic: Love the sig. Maybe it should be, occasionally, coded in EBCDIC ;-).

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    22. Re:I don't know about the rest of you by Decker-Mage · · Score: 1

      And that's been a concern of mine since the supposed standardization process became the grail of vendors. Most everyone (actually every vendor it seems) is mostly concerned with getting every feature into their hardware and software during the pre-draft stage rather than getting a standard and then building their widget(s). Frankly, if I designed and built things that way in, say, nuclear engineering (one of my disciplines), I'd be justly brought up on charges. Yet we allow that in devices that are being used day-in and day-out for, say, medicine. That doesn't even address security defects and bugs that inherently happen in rushed designs.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    23. Re:I don't know about the rest of you by DaVince21 · · Score: 1

      It's funny that you mention this when a lot of companies seem to be unable to switch away from IE6 at the exact same time.

      --
      I am not devoid of humor.
    24. Re:I don't know about the rest of you by mini+me · · Score: 1

      If you are using consumer software for mission critical applications, like in medicine, you are doing it wrong.

      As a consumer of software I do not want to wait, and more importantly, pay, for software that is strictly engineered. I want whiz-bang features now at a reasonable price, even if that means the software will occasionally crash and that security updates need to be applied once in a while.

      The great thing about open standards is that if, for example, a hospital needs to use a web browser in a mission critical application, they can wait until the spec is completely ratified before proceeding with implementation. This allows them to follow strict engineering principles in the software they want to use, without hindering everyone else.

    25. Re:I don't know about the rest of you by mini+me · · Score: 1

      Firefox is the IE6 of modern-day web browsers. It has a large market share, but falls seriously behind in technical advancement. Besides, I thought we were finally past the idea that we need to implement for the lowest common denominator?

  3. Dancing balls? by Anonymous Coward · · Score: 4, Insightful

    "Google Inc.'s recent 'dancing balls' logo experiment "

    If that's a sing of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.

    The last thing I want is for more &*^%*() CPU-hogging crap to be added to the friggin' web.

    1. Re:Dancing balls? by Anonymous Coward · · Score: 4, Funny

      Time to retire the C64 and cradle modem bro

    2. Re:Dancing balls? by Anonymous Coward · · Score: 3, Interesting

      He has a point though, I personally love most of the new HTML5 features, but if every site starts piling on canvas animations, videos and audio it'll be annoying as hell.

      I'd like to see this stuff become optional (on a browser basis and not site-by-site), perhaps don't start playing (or loading) a video/audio/canvas element until the user explicitly clicks play (with an option to pre-load but not autoplay for those with no bandwidth limits but who still don't want annoying unwanted video/sounds).

      Unfortunately most browsers seem to struggle with the idea that I don't want Flash by default (and the browser creators are the most vocal enemies of Flash) so I definitely can't see this happening.
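
The post above asks for video, audio and canvas to be opt-in on the browser side, and _xeno_'s earlier comment sketches the only heuristic available for canvas ("if this canvas is being repeatedly updated, it's an animation") together with its weakness (the page can remove and re-create the element). The following is an added example for this thread, not code from any of the posts or from NoScript or Flashblock: a user-side gate in the spirit of Flashblock that puts media elements into click-to-play and gives each canvas a draw-call budget. It assumes it is installed as a userscript or extension content script (hypothetical) that runs before the page's own scripts; `MAX_DRAW_CALLS` and the list of wrapped methods are arbitrary choices, not values from the thread.

```javascript
// Added example (not code from the thread): a Flashblock-style gate for
// HTML5 <video>/<audio> and a per-canvas draw-call budget.
// Assumes it runs before page scripts (userscript/content script, hypothetical).

const MAX_DRAW_CALLS = 600;   // arbitrary budget: a few seconds of animation
const DRAW_METHODS = ['fillRect', 'clearRect', 'drawImage', 'putImageData',
                      'fill', 'stroke', 'fillText'];

// Wrap the drawing methods on a 2D-context prototype so that draw calls are
// counted per canvas element. Once a canvas exceeds its budget, further calls
// are dropped: the "repeatedly updated canvas == animation" heuristic.
// The budget is keyed on the canvas element, so a page that removes and
// re-creates its <canvas> gets a fresh budget; that is exactly the bypass
// the thread points out, and this code does not try to defeat it.
function installDrawBudget(ctxProto, maxCalls, methods) {
  const counts = new WeakMap();
  for (const name of methods) {
    const original = ctxProto[name];
    if (typeof original !== 'function') continue;   // not every method exists everywhere
    ctxProto[name] = function (...args) {
      const canvas = this.canvas;                     // CanvasRenderingContext2D.canvas
      const n = (counts.get(canvas) || 0) + 1;
      counts.set(canvas, n);
      if (n > maxCalls) return undefined;             // over budget: drop the draw
      return original.apply(this, args);
    };
  }
  return { callsFor: (canvas) => counts.get(canvas) || 0 };
}

// Turn a <video>/<audio> element into click-to-play: no autoplay, no
// preloading, native controls shown, and anything already running paused.
// Returns the resulting state so the effect can be checked.
function gateMedia(media) {
  media.autoplay = false;
  media.preload = 'none';
  media.controls = true;
  if (media.paused === false && typeof media.pause === 'function') media.pause();
  return { autoplay: media.autoplay, preload: media.preload, paused: media.paused };
}

// Browser-only installation; skipped when the file is loaded under Node.
if (typeof document !== 'undefined') {
  installDrawBudget(CanvasRenderingContext2D.prototype, MAX_DRAW_CALLS, DRAW_METHODS);
  document.querySelectorAll('video, audio').forEach(gateMedia);
  // Media elements added later by script get the same treatment.
  new MutationObserver((records) => {
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (node.nodeType !== 1) continue;            // elements only
        if (node.matches('video, audio')) gateMedia(node);
        node.querySelectorAll('video, audio').forEach(gateMedia);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Two limits worth knowing before relying on this: a page that obtains its context before the wrapper is installed, or that grabs the original methods off the prototype, keeps the unwrapped functions, and audio created purely through the script-side audio APIs never becomes a DOM element for the observer to see, which is the same gap the thread notes for an audio Flashblock.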

    3. Re:Dancing balls? by ihatejobs · · Score: 3, Interesting

      So wait, you are claiming one tiny little webapp on the Google homepage was killing your machine?

      You might want to consider upgrading your machine... I had no issues when the dancing balls were on the homepage and my machine is 3 years old. I quite liked it actually.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    4. Re:Dancing balls? by m50d · · Score: 1

      I think it's time to accept that the web is now irrevocably an applications platform (sad, I remember the day when we would laugh at anyone calling themselves a "website programmer", but that's how it goes). For actual content I'm going back to gopher. Anyone know a good tech news site?

      --
      I am trolling
    5. Re:Dancing balls? by symes · · Score: 2, Funny

      I have to agree with your sentiment - I often feel that my hardware is playing catchup. Fortunately, I have just discovered a browser that seems to cope well with all these new fancy gimmicks.

    6. Re:Dancing balls? by Anonymous Coward · · Score: 0

      I would say that the dancing balls logo was not a sing or sign of what's coming with HTML5, SINCE IT DIDN'T USE ANY HTML5. People just saw something cool, had heard of HTML5, and assumed that something cool and new from Google had to be HTML5.

    7. Re:Dancing balls? by zombieChan51 · · Score: 1

      Indeed, can you imagine what some bad web developer might add to their website. I could see a lot of web sites getting a lot of crap bogging down your browser as it tries to render the site. But I think some browsers give you the option on what to load and what not to load.

    8. Re:Dancing balls? by Anonymous Coward · · Score: 0

      Amiga 500, here I come!

    9. Re:Dancing balls? by symes · · Score: 2, Funny

      It's Geocities all over again!

    10. Re:Dancing balls? by ihatejobs · · Score: 1

      Well Slash... oh, you said news site... Pahaha, good luck finding one of those!

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    11. Re:Dancing balls? by TheRaven64 · · Score: 4, Insightful

      Unlike Flash, HTML5 animations are not really modular. It's trivial to disable all Flash and individually enable the one Flash applet on the page that you actually want (if there is one). With HTML5, all of the animations in a page are run from the same JavaScript execution context. Unless the author split the scripts up into different source files, it's very hard for the browser to untangle them. With Flash, every script associated with a canvas is bundled with that canvas and run in a separate context.

      --
      I am TheRaven on Soylent News
    12. Re:Dancing balls? by ihatejobs · · Score: 1

      Yea because you know, websites don't currently load up on inane bullshit that bogs down your browser.

      Look, they are just giving us a new easier to use and more efficient way of doing things. First it was random flash garbage, now it will be HTML5 garbage. You can't blame the spec because of what people choose to do with it. For every site that loads up with so much crap that it destroys your browser there will be several that are beautifully done.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    13. Re:Dancing balls? by Anonymous Coward · · Score: 0

      that wasn't even html5, it was all just a bunch of colored divs with border-radius and z-index...and javascript to do the logic. nothing html5 about it. html5 will actually make that perform better, along with the new browsers that are coming out with better javascript engines and hardware acceleration.

    14. Re:Dancing balls? by Runaway1956 · · Score: 1, Insightful

      I'll echo the comment about getting a more modern machine. My 6 year old Opteron had no problems with dancing balls. I paused a second, looking for dancing boobs, but the computer didn't even blink. FFS, get a modern computer - today they run in multiple GIGAhertz. Ditch that 133 MHz machine. And, add some frigging MEMORY!! Yeah, there really is a use for more than 640k of memory. And, finally, upgrade to a real operating system and a real browser. Dump Windows 95 and IE4. FFS, get with the times!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    15. Re:Dancing balls? by Runaway1956 · · Score: 1

      Myspace, all over the web! Imagine it! I'm ready to emigrate. Is there a flight to the moon soon?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    16. Re:Dancing balls? by Runaway1956 · · Score: 1

      "Can anyone tell me why 99% of /. users are total assclowns?" I, for one, don't clown around.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    17. Re:Dancing balls? by forkfail · · Score: 2, Funny

      Maybe not so much.

      From the HTML 5 spec:

      16.2.7.1 Dancing balls shall be supported.

      16.2.7.1.1 Non-graphical browsers shall support curses like, text based dancing balls.

      16.2.7.1.2 Any browser unable to display dancing balls shall be immediately redirected to MySpace.

      --
      Check your premises.
    18. Re:Dancing balls? by Anonymous Coward · · Score: 0

      "I'll echo the comment about getting a more modern machine."

      Umm, dude ... seriously? I was running it on a quad core, 2+ GHz machine with 8GB of bloody RAM on it. I keep about 5 browser windows open, with varying amounts of tabs, spread across four virtual desktops.

      In my case, that meant I had about 6 google windows open -- the CPU was pegged at 25% and the machine was definitely lagging. Even with only one single instance of it open, the CPU stayed at around 25%. I had to make sure I didn't have anything sitting on google, because it just chewed CPU to run the damned animation. Mozilla was taking 25% of the CPU according to task manager -- it was using more damned CPU than VMWare running two machines.

      I don't install Flash because I don't want to see things spinning and flashing -- if HTML 5 is going to add the ability for any random moron to embed an animation that I can't turn off, I don't bloody want it, because it's going to be used for really annoying things.

      "And, finally, upgrade to a real operating system and a real browser. Dump Windows 95 and IE4. FFS, get with the times!"

      Oh, come on ... shut your fucking pie hole. You don't know what you're talking about. Why do so many people on Slashdot think that everyone else is an idiot? I've been in the software industry for 15 years -- I think I know how to identify if my beefy machine is being dragged down by my friggin web browser. You sound like some wet behind the ears little shit who thinks he knows everything.

    19. Re:Dancing balls? by mcgrew · · Score: 1

      If that's a sing of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.

      HUH??? What are you running, IE3 in Windows 95 on a 386? It didn't slow my netbook (running windows 7 at the time with FireFox) down a bit, and I only paid $300 for the computer.

      I think you either need a new computer, or get rid of a shitload of viruses.

    20. Re:Dancing balls? by Anonymous Coward · · Score: 0

      "So wait, you are claiming one tiny little webapp on the Google homepage was killing your machine?"

      That's exactly what I'm saying.

      "You might want to consider upgrading your machine."

      To what? It's a quad core machine with 8GB of RAM. The fact that I noticed *that* machine bog down is why I was so underwhelmed with the bouncing balls.

      Like I said, if that's what HTML 5 is bringing me, I'm not impressed.

    21. Re:Dancing balls? by lostmongoose · · Score: 1

      Post that under your real user name, then. Until then *you* stfu. Any machine that got bogged down by that animation needs some serious tuneup work done. There's a 1.8GHz Skt754 Sempron here w/2GB RAM running Vista that didn't get bogged down by it. So you're either full of shit or haven't bothered cleaning out the cruft in your comp in some time.

    22. Re:Dancing balls? by ByteSlicer · · Score: 2, Interesting

      I have a fairly recent machine, and that buckyball thing bogged my cpu too.
      I googled around that day and found lots of people complaining. Apparently for Chrome it wasn't a problem, but Firefox users were hosed.
      You'd think they would test it for multiple browsers at Google, before pushing it to one of the most used pages of the web...

    23. Re:Dancing balls? by Anonymous Coward · · Score: 0

      You say upgrade but what's wrong with having a "lightweight" browsing experience without all the crap that's forced on people?

      That is why Google became so successful in search and why Adblock Plus and NoScript (in addition to the extra security) are so popular.

    24. Re:Dancing balls? by armanox · · Score: 1

      Check your machine? My old laptop (1.7GHz Celeron M, 1.5GB RAM, WinXP, ca 2006) saw no issues. Wish I could say the same for my 10 year old Mac.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    25. Re:Dancing balls? by Anonymous Coward · · Score: 0

      ...except when a Flash page behaves the same way. See Pandora for example: it's one big applet in the center that consolidates 6 different features. As for animations, I think we'll see CanvasBlock extensions for HTML5, not BlockStuffUsingCanvas. And the browser could make it easy to right-click-disable specific canvas instances.

    26. Re:Dancing balls? by tepples · · Score: 1

      You might want to consider upgrading your machine

      Do you know of an affordable 10" laptop PC with noticeably better performance on such a webapp?

    27. Re:Dancing balls? by Sancho · · Score: 1

      Heck, my netbook didn't slow to a crawl. The animation was slow, but the rest of the machine was fine.

    28. Re:Dancing balls? by istartedi · · Score: 1

      html5 will actually make that perform better

      That's the problem. We don't want that to perform better. We don't want it to perform at all. Not unless we tell it to, and only in very specific circumstances.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    29. Re:Dancing balls? by umbrellasd · · Score: 1

      HTML5 is still under initial development. Flash has been around for years. Of course, Flash is the more mature technology. The point of HTML5 is to develop an open standard alternative with comparable functionality (including security). That isn't going to happen over night, and, as with any product, it will take some time to stabilize, mature, and become secure.

      The reason HTML5 is important is the open standard aspect of it. Flash is ubiquitous on the web, but we are all at the mercy of a company and their proprietary technology. Believe me when I say that this is a huge risk, because I work full-time on a product that uses Flash as its core technology (www.smilebox.com). When the Flash 10.1 minor revision came out, it broke our product--HARD. And we had no choice but to deal with it and quickly because Adobe pushes hard on the update path in browsers. What resulted was a costly scramble to identify bugs, many of them in the 10.1 player, and adjust our product for the new API.

      Mind you, this was in a minor revision, but I can tell you the changes and impact were huge and sudden. That. Really. Sucks. So an open standard with more transparency is a valuable alternative. And that's where the real face-off is between the two alternatives.

    30. Re:Dancing balls? by tenco · · Score: 1

      It did slow down my netbook. Atom N450. Win XP, nearly fresh install.

    31. Re:Dancing balls? by Anonymous Coward · · Score: 0

      That's an interesting point of view. However, the convenience of being unable to see stupidly designed web pages is not worth the times I need to see something buried underneath metric craptons of Flash and I just can't.

      The HTML5 pre-standard is pretty usable as it is and it includes features such as ruby that should have been there years ago. When used correctly it makes for readable and visually appealing pages from presentation to source.

      It seems to me that people confuse the ability to use Javascript to emulate flash with a need to do it. In fact you don't need to use Javascript at all for things such as a basic information web site.

      If I was writing the standard, the presentation stuff in both HTML and Javascript should conveniently be completely deprecated and replaced by static CSS powerpoint style, whoosh in, whoosh out, fly over, look like some fake user interface in Stargate/trek, replace text links with spheres of energy. And scripts could then be left to deal with user data. Plugins obviously would be completely banned. Be a retard, but write your content within correct HTML and actually useful Javascript so that the content that matters is still there if people need it.

    32. Re:Dancing balls? by Anonymous Coward · · Score: 0

      Google inc.'s dancing balls logo wasn't HTML5, it was just basic javascript (Source: Bubbly Google Logo (wait-till-i.com)). So, it's best not to ever quote it as an example for/against HTML5. If you read the blog, you will actually see some examples of the same google logo done in HTML5 and I would be happy if you let us all know how that ran.

    33. Re:Dancing balls? by shutdown+-p+now · · Score: 1

      You know what I'm really afraid about HTML5 canvas? Not the lack of easy blockability, but that various jerks who hate the ability to easily share information on the Web will start to use it to e.g. block copy/paste (and "view source", and other ways to easily share the contents). You can do it today with Flash, but then your website becomes completely inaccessible on many devices, and will load slowly on many others. But the promise of HTML5 is that it works, natively, everywhere - and so will such anti-hacks...

    34. Re:Dancing balls? by ByteSlicer · · Score: 1

      I'm not the AC you replied to, but I disagree with your statement. The animation hogged one core (90% FireFox, 80% Chrome) of my (fairly recent) laptop too.
      In fact lots of people had this experience, so your mileage may vary.
      I'm not sure what causes the differences, maybe it works better on Vista/Win7, I'm using XP.
      My major gripe with it was that it continued to use CPU if you left a tab open on the google main page, even if that tab was not active or the browser minimized.

    35. Re:Dancing balls? by ChienAndalu · · Score: 1

      You can override all 2d-context drawing instructions for a specific canvas element.

    36. Re:Dancing balls? by DaVince21 · · Score: 1

      perhaps don't start playing (or loading) a video/audio/canvas element until the user explicitly clicks play

      This is actually easily implementable, and actually already mostly implemented in the form of userscripts. No problem.

      --
      I am not devoid of humor.
    37. Re:Dancing balls? by DaVince21 · · Score: 1

      Most canvases will have an id or class attached to them, making them easily selectable. And even when they don't, you can always access them with JS by saying "I want the fourth video element", for example. (Only when the webpage changes could this potentially become a problem.) It's not exactly difficult to select and hide these elements, though.

      --
      I am not devoid of humor.
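As an added example (not code from any commenter in this thread), here is a user-side guard in the spirit of the userscripts ChienAndalu and DaVince21 describe: it wraps the 2D-context drawing methods so that a canvas paints only after the user has clicked it, and holds video/audio playback until clicked. The DRAWING_METHODS list, the click-to-allow convention and all function names are my own assumptions, not anything a browser or userscript manager ships.

```javascript
'use strict';

// Drawing entry points on CanvasRenderingContext2D that this guard intercepts.
// State setters (fillStyle, transforms, path building) are left alone; only
// the calls that actually paint pixels need to be suppressed.
const DRAWING_METHODS = [
  'fillRect', 'strokeRect', 'clearRect', 'fill', 'stroke',
  'fillText', 'strokeText', 'drawImage', 'putImageData',
];

// Wrap every drawing method found on `ctxProto` so it becomes a no-op unless
// `isAllowed(ctx.canvas)` is true for the context's own canvas. Returns a
// function that restores the originals. Caveat: this stops the canvas from
// being painted, but the page's animation loop keeps running, so it does not
// by itself give back the CPU time people in this thread are complaining about.
function guardContext(ctxProto, isAllowed) {
  const originals = Object.create(null);
  for (const name of DRAWING_METHODS) {
    if (typeof ctxProto[name] !== 'function') continue;
    const original = ctxProto[name];
    originals[name] = original;
    ctxProto[name] = function guarded(...args) {
      if (!isAllowed(this.canvas)) return undefined;
      return original.apply(this, args);
    };
  }
  return function restore() {
    for (const name of Object.keys(originals)) ctxProto[name] = originals[name];
  };
}

// Per-element allow list. A WeakSet keys on the element object itself, so it
// works for canvases that have no id or class (the case raised above) and
// does not keep removed elements alive.
function makeAllowList() {
  const allowed = new WeakSet();
  return {
    allow(canvas) { allowed.add(canvas); },
    deny(canvas) { allowed.delete(canvas); },
    isAllowed(canvas) { return canvas != null && allowed.has(canvas); },
  };
}

// Defer a <video>/<audio> element until the user clicks it: drop the page's
// autoplay request, ask the browser not to fetch data yet, and pause.
// Returns whether the page had asked for autoplay at all.
function gateAutoplay(media) {
  const wantedAutoplay = media.autoplay === true;
  media.autoplay = false;
  media.preload = 'none';
  if (typeof media.pause === 'function') media.pause();
  media.addEventListener('click', () => { media.play(); }, { once: true });
  return wantedAutoplay;
}

// Wire both guards into a document. A click on a canvas is the user's
// explicit opt-in for that one element; everything else stays blank.
function installGuards(doc, ctxProto) {
  const list = makeAllowList();
  const restore = guardContext(ctxProto, list.isAllowed);
  doc.addEventListener('click', (ev) => {
    if (ev.target && ev.target.tagName === 'CANVAS') list.allow(ev.target);
  }, true);
  let gated = 0;
  for (const media of doc.querySelectorAll('video, audio')) {
    if (gateAutoplay(media)) gated += 1;
  }
  return { list, restore, gated };
}

// Only install when actually running inside a browser page.
if (typeof window !== 'undefined' && typeof CanvasRenderingContext2D !== 'undefined') {
  installGuards(document, CanvasRenderingContext2D.prototype);
}
```

Pages that draw through WebGL or through a worker's OffscreenCanvas are not covered, since those contexts have different prototypes.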
    38. Re:Dancing balls? by DaVince21 · · Score: 1

      3 years is... not exactly a great comparison. But heck, the animation will run fine on a 6 year old computer as long as you don't use IE.

      --
      I am not devoid of humor.
    39. Re:Dancing balls? by mcgrew · · Score: 1

      That's interesting, how old is the netbook? My Acer's running an Atom as well. With Firefox running under Win 7 Starter with a wifi connection those balls flew, and I didn't notice any slowdown at all.

    40. Re:Dancing balls? by tenco · · Score: 1

      That's interesting, how old is the netbook?

      http://en.wikipedia.org/wiki/Atom_n450#Pineview

      http://www.mobilewhack.com/asustek-announces-latest-netbook-eeepc-1005pe/

      My Acer's running an Atom as well. With Firefox running under Win 7 Starter with a wifi connection those balls flew, and I didn't notice any slowdown at all.

      Maybe ION graphics?

    41. Re:Dancing balls? by mcgrew · · Score: 1

      Hmm, that's puzzling.

  4. New strategies? by AliasMarlowe · · Score: 2, Interesting

    web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks.

    MS will Embrace and Extend, but not Extinguish the potential for security holes.
    Apple will probably do much the same, but might do the enhanced functionality bit also.
    The BSD and *nix variants will only take on the functionality, most foolishly (using MBA "forced-upgrade-income" definition).

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:New strategies? by avatar139 · · Score: 1

      web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks.

      MS will Embrace and Extend, but not Extinguish the potential for security holes.

      Apple will probably do much the same, but might do the enhanced functionality bit also.

      The BSD and *nix variants will only take on the functionality, most foolishly (using MBA "forced-upgrade-income" definition).

      Mac OS X is *NIX variant though so I'm not sure what you mean when you refer to Apple in your post?

      --
      I'm honest enough to admit I lie to myself.
  5. I'm more worried about advertisements by Aoet_325 · · Score: 4, Interesting

    While I'm sure some of the new functionality will be exploited, I expect most of the abuse will be from folks who want to push ads and track users.

    1. Re:I'm more worried about advertisements by straponego · · Score: 3, Interesting

      Look at that Arcade Fire demo, The Wilderness Downtown, for proof of concept of HTML5's browser-jacking and popup capabilities. When the marketing scum and other criminal types latch onto that... ugh.

    2. Re:I'm more worried about advertisements by Anonymous Coward · · Score: 1, Insightful

      You've been able to launch pop up windows with javascript for a really long time. That had nothing to do with HTML5...

    3. Re:I'm more worried about advertisements by Anonymous Coward · · Score: 0

      When the marketing scum and other criminal types latch onto that... ugh.

      Bill Hicks on Marketing

    4. Re:I'm more worried about advertisements by leromarinvit · · Score: 1

      Is there really anything special about HTML5 regarding popups? Modern browsers block automatically opened popups, but it is still possible to open a popup in response to user action. I guess that is what they do here.

      --
      Proud member of the Ferengi Socialist Party.
    5. Re:I'm more worried about advertisements by Anonymous Coward · · Score: 0

      Sorry, but the popup and browser jacking you are talking about is available in the current and last ecmascript specs.

    6. Re:I'm more worried about advertisements by Anonymous Coward · · Score: 0

      Just off the top of my head, ads that pop up for 5 seconds each in a random position on the screen. I'm going to effing hate HTML 5 in the hands of the devil (the marketing department). the only hope is that browser developers stay far enough ahead to allow us to control how we view the web.

    7. Re:I'm more worried about advertisements by Anonymous Coward · · Score: 0

      If we don't have control of the bastard child known as HTML5, I just won't upgrade my browser.

  6. 'dancing balls' logo experiment by Anonymous Coward · · Score: 0

    Where can we find this 'dancing balls' logo experiment? Link please. I did a search but came up with nothing.

  7. Not HTML5 by Anonymous Coward · · Score: 5, Informative

    Google's "dancing balls" wasn't HTML5, it was divs, javascript and CSS border radius.

    1. Re:Not HTML5 by daveime · · Score: 1

      So are the majority of the HTML5 "demos" being touted as the future of the web.

      I was exploring some "HTML5 demos" the other day ... bunches of timed PNGs on layers, controlled by js. The only HTML5 tag in most of them was an <audio> tag, and amusingly enough they had fallback tags to the <object> we all know and love.

      Presumably the world will be a much better place when we have separate audio and video tags as opposed to that outmoded, messy object tag that does EXACTLY THE SAME THING. Ah, progress ...

    2. Re:Not HTML5 by daveime · · Score: 1

      If it's "Plain Old Text", why do I have to escape (and sometimes fail to escape) < > " & as HTML entities ?

    3. Re:Not HTML5 by Anonymous Coward · · Score: 0

      So are the majority of the HTML5 "demos" being touted as the future of the web.

      I was exploring some "HTML5 demos" the other day ... bunches of timed PNGs on layers, controlled by js. The only HTML5 tag in most of them was an <audio> tag, and amusingly enough they had fallback tags to the <object> we all know and love.

      Presumably the world will be a much better place when we have separate audio and video tags as opposed to that outmoded, messy object tag that does EXACTLY THE SAME THING. Ah, progress ...

      Are you sure those "layers" weren't canvas tags? You are correct in stating that most HTML5 apps are one big canvas tag with javascript controlling everything and maybe a few other features like the audio or video tags or whatnot. In reality, the real problem is that "HTML5" is now a term that means more than just the HTML 5 spec. When most people say "HTML5" they mean the new HTML 5 spec and latest Javascript stuff as well. So I've gotten to the point where I realize it's best to think of HTML5 in this way, just the same as the AJAX/Web2.0 monikers. Maybe we should start calling the suite of technologies used "Web 3.0". I sort of hate the name (like I hate "web 2.0") but at least we could then have HTML5 refer to only HTML. Then again, probably too late for that.

    4. Re:Not HTML5 by daveime · · Score: 1

      Sorry, showing my age now ...

      When I said layers, I was meaning divs (you know, the thing that replaced layers when reflowing content became fashionable).

      Not a canvas tag in sight.

    5. Re:Not HTML5 by DaVince21 · · Score: 1

      --
      I am not devoid of humor.
  8. Optimize for the common case by Alwin+Henseler · · Score: 3, Insightful

    When the HTML spec is extended that obviously increases the attack surface, since popular browsers will have to support it. But in time it may replace a number of other technologies (Flash comes to mind) that -combined- may have a larger attack surface. And since displaying HTML is the core function of a browser, implementations are likely to be pretty solid compared to some add-ons.

    So you'd have to look forward, and compare [average setup now] with [average setup in XX years from now]. If that comparison turns out positive, HTML5 is a move in the right direction.

  9. stop using technology by Anonymous Coward · · Score: 1, Insightful

    stop using technology

  10. More features == More potential security holes by Zen-Mind · · Score: 1

    Wow, who would have thought of that? Yes I do understand that security is an issue hard to cope with, but with that mentality we could also just stop progress because it might have risks ...

    1. Re:More features == More potential security holes by grayn0de · · Score: 3, Interesting

      That's not it at all...

      The point that security researchers have been trying (for years) to get across to developers and companies alike is that ALL software/protocols/standards/whatever should be developed with security in mind from the beginning. Granted, even with secure coding practices and rigorous application security testing, there will always be some vulnerability that gets overlooked by the developer or discovered by an attacker. The thing is that most companies tend to put functionality and features far above security, which is IMHO a completely ass backward way of doing things when it comes to technology in general.

    2. Re:More features == More potential security holes by Zen-Mind · · Score: 2, Insightful

      Unfortunately, most people want features over security. Many people don't even think about security for themselves and only complain when it bites them in the ass. "What do you mean I shouldn't write my PIN on my debit card? You should just have made your system more secure!"

    3. Re:More features == More potential security holes by bertok · · Score: 1

      That's not it at all...

      The point that security researchers have been trying (for years) to get across to developers and companies alike is that ALL software/protocols/standards/whatever should be developed with security in mind from the beginning. Granted, even with secure coding practices and rigorous application security testing, there will always be some vulnerability that gets overlooked by the developer or discovered by an attacker. The thing is that most companies tend to put functionality and features far above security, which is IMHO a completely ass backward way of doing things when it comes to technology in general.

      You say that like it's an "or" choice.

      How hard is it to write software that doesn't come with a password baked into the CD, but simply asks you for an initial root password on first start?

      Every operating system does this, as do most server applications that need authentication.

      It's not exactly rocket surgery! It's not like they'd have to sacrifice some complex industrial control feature to implement "do I have piece of text? No? Then wait for user to enter a piece of text". That simple feature alone would go a long way towards stopping these kind of attacks.

      For real security, some sort of PKI type system should be used, where if an attacker manages to obtain a private key ("password") of one machine, it does not give them the keys/passwords of anything else. That way, intrusions are isolated, and can't spread to take out national power grids. It's not exactly a new invention, it's been around for 35 years, invented during the bronze age of computing!

      None of this is particularly hard, it's just that programmers are lazy, their managers are incompetent, and clients are ignorant to the issues.

      It all boils down to a lack of professional standards in the software development world, unlike similar industries where human lives are at stake, like mechanical engineering or medicine. You don't have to ask your doctors to wash their hands, they just do, because it's the right way to do it.

  11. As opposed to what? by grapeape · · Score: 4, Insightful

    How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

    1. Re:As opposed to what? by Anonymous Coward · · Score: 1, Funny

      And even if you stay off the internet, you can still get herpes.

    2. Re:As opposed to what? by Anonymous Coward · · Score: 0

      I was dedicated to remaining secure by staying off the internet and computers altogether until somebody broke into my house and stole my filing cabinet.

    3. Re:As opposed to what? by Anonymous Coward · · Score: 0

      In fact I'd say it's at least 10x as likely because you might actually be having sex.

    4. Re:As opposed to what? by Anonymous Coward · · Score: 3, Interesting

      How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

      Actually this is a very very important point. You can't compare the potential security risk between HTML5 and HTML4. You have to compare it with HTML4 plus all the plugins it can potentially replace (like, say, Flash).

      My biggest concern, as others have pointed out, are using things like canvas elements over top of content to display ads and whatnot. But then, really, it will just be like the new features of any previous HTML/Javascript spec. There will be a lot of annoyances and some features used in really bad ways (blink tag, anyone?) but then things will calm down and use it in practical ways. Browsers and browser plugins will get smarter about ad blocking features with the newer technologies and methods and we'll all be better for the useful things that HTML5 does provide.

      There's a REASON that "web developers" get excited when talking about the future of HTML5 and how things are being developed and supported. If you don't understand why, then you probably weren't doing web stuff in the days of IE and Netscape fighting it out or the long drawn out HTML4/Early CSS specs that were useless because MS was so slow in bothering to update IE. Sure we still have some divides (video tag, for example) but nothing as bad as it was. And sure, MS is a bit slower than the rest with IE8 and IE9 but these releases and evolving support of actual specs are LIGHTNING fast for MS compared to before...

    5. Re:As opposed to what? by meloneg · · Score: 1
    6. Re:As opposed to what? by GreyWolf3000 · · Score: 1

      I think it would be a nice browser feature to disallow clicks or any other mouse/keyboard events on a canvas element to cause the browser to navigate.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    7. Re:As opposed to what? by Anonymous Coward · · Score: 0

      You missed the point. Everyone is eager to jump on the newest and hottest tech standard, but this does bring more danger to our internet enabled life. Making public announcements like this helps to bring awareness to the masses, especially when people still fall for the email phishing schemes.

      Besides, HTML5 mainly concentrates on visuals and functionality but has almost no emphasis on security perspectives. Ultimately, the standard implementation will be up to each browser provider, and each company will have their own approach in dealing with security issues. Are these good things? Programming with security in mind requires both understanding and experience in locating these issues, the reason why security advisers exist, why Black Hat is important, and why tech companies have security audits. Well, unless you are Apple I guess.

      Would you rather the issue be raised now and the browser community start treating this seriously, or would you rather something like another ActiveX that ultimately results in the use of killbits?

  12. dancing balls by martas · · Score: 1

    i didn't see them! is there a link where that still exists, or perhaps a video?

    1. Re:dancing balls by CannonballHead · · Score: 1

      I couldn't find a permanent google link, but here's a youtube video. :)

  13. FUD by Art3x · · Score: 4, Interesting

    The article points out no specific flaws. It just says that HTML is growing, therefore the chance of a hole (the "attack surface") also is growing.

    Choose your poison. The same can be said about writing an app for an operating system. "Windows/Mac OS/Linux has an enormous amount of functionality. Therefore I'm concerned that there could be a lot of vulnerabilities."

    Yes.

    But the growth of the browser will not simply add to the overall size of the computer. Because of a big browser, you may have a smaller operating system. This is the idea behind Chrome OS.

    It is not a perfectly equal replacement. If the browser grows 15 MB, that does not mean the operating system will shrink 15 MB. But one thing that is better about putting a feature in the browser is that more eyes are on it. There will be a lot more users who try to write a program in JavaScript than against even the Windows API, or even the iPhone API. HTML 5 will bring about a lot more software developers and a lot more software development.

  14. Run in Sandbox, erase after session. by Anonymous Coward · · Score: 0

    Seriously, sandboxing is in almost every browser by default now, you wouldn't even need to run external ones.

    But if you want to be safe from pretty much every useful attack out there, just run the damn thing in a sandbox / virtual OS.

  15. Re:Thanks Apple by MogNuts · · Score: 1

    Pardon me, I meant flashblock

  16. Fear, Fear, FEAR! by Quiet_Desperation · · Score: 2, Insightful

    said Jeremiah Grossman of security firm WhiteHat.

    So you really need to buy their security solutions! NOW! Meanwhile, Goodyear tires said to be really safe on the road (and to keep your CHILDREN! safe) you should get new tires every 5000 miles, and the Head & Shoulders folks claim washing your hair three times a day will avoid a stinky head. And the government said taking blood and tissue samples at the airport will protect us from engineer^H^H^H^H^H^H terrorists ever more so.

    1. Re:Fear, Fear, FEAR! by owlstead · · Score: 1

      We should therefore not take it at face value, but dismissing it entirely because it comes from a security firm is just as stupid. This is Slashdot, let's discuss this on the technical merit of the arguments, not on some notion of politics.

  17. Isn't this natural evolution? by achyuta · · Score: 1

    It's true that the HTML5 spec is huge on functionality but they've put in some very simple Unix type philosophies to achieve security.

    The suggestion should not be to decrease HTML5 functionality - the web can't stand still on that - but to increase focus on and mitigate security threats through more policies in the HTML5 spec.

    The increased functionality also allows developers to do away with some crazy workarounds (read: security loopholes) to get some generally expected experiences on their web page.

    Plus, as it has been pointed out earlier, the surface area for Flash and other plugins will also come down. So while the net surface area for attacks increases, the implementations are going to be a lot more secure by design.

  18. And of course :) .. by achyuta · · Score: 1

    .. isn't an increase in functionality and thus the addressable attack area natural evolution of any technology ?

  19. The Modern Techie by jellomizer · · Score: 2, Insightful

    The Modern Techie will now by definition reject all new technology no matter what advancements are in it. While adopting any new technology will have tradeoffs, the modern techie will hold on to whatever negative effect of the tradeoff and call it a horrible plan. Any new tech is now a threat to their way of life and no longer a new interesting field to study...

    I think us techs have gotten too old.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:The Modern Techie by equex · · Score: 1

      Not old, but experienced. Frustrated with throwing away working stuff and rebuilding from scratch projects that did their job perfectly yesterday and have little to gain by jumping on the bandwagon just for the sake of being on a bandwagon. Maintenance and incremental improvements are the True Way. No matter how old your framework culture is. In most cases, 'new' improvements can be bridged instead with some nifty 'old' techniques.

      Let people play with new toys at home if they so wish, and bring it to work when it's refined and become a true seamless upgrade to what is already working. We don't need to use our workplaces as playgrounds for the latest buzzcrap and have us coders be trapped over weekends on end because some new fancy piece of shit component screwed up production.

      Not all of us coders enjoy coding anymore after a few years in the grind and we would rather not fuck with everything just because some pointy haired dumbass needs jumping AJAX balls. It's a job like any grocery store cashier (and in many cases, they pay the same. God bless their extremely important work btw, they distribute food and not stupid canvases in a browser.), and we'd prefer as little extra work as possible. Buzzwords became the law of my office land and the hipster newfags ended up screwing everything up time after time. None of them had any spare time. Had to log on from vacations, being on call 24/7. Debugging some new shit from a hotel room in Ibiza. Losing their wives & arguing with them over the phone from the office. I was lucky to be stuck with some tasks that really couldn't take too much upgrading yet, but it was coming my way and I bailed.

      Oh yeah, I quit my coding job to do something completely else. I reached my goal which was getting a higher education followed by starting a professional coding career. I wish I knew coders would be less appreciated than sewer rats before I got into it. Back then it had a promising future, bordering the status of pilots and doctors with a paycheck to back it up. Maybe one day I will code for fun again. Still too scarred by the grind. You know, writing code because it's enjoyable.

      Damn, that was some rant. I'm done now. Thanks.

      --
      Can I light a sig ?
  20. Re:Thanks Apple by Anonymous Coward · · Score: 0

    Pardon me, I meant flashblock

    Stop drinking the Apple-hate koolaid.

    Something like NoScript or an add-in could emulate Flashblock for video/audio in HTML5. And that's assuming the browser developers don't add that directly into the browser settings.

    Audio/visual info playing only when clicked is not a hard problem to solve.

  21. I'll take the heat and stay in the kitchen by gsgriffin · · Score: 1

    For myself, having to use jQuery and always be mindful of the variation in scripting code for each browser is the never-ending headache. I want to see more HTML5 (and then 6) integrate more of the features and functions users are coming to enjoy and demand. Then, we only have to worry and complain about the browsers not implementing the standards...like always.

    --
    jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
  22. Coming soon, CERT® Advisories for HTML by Anonymous Coward · · Score: 1, Funny

    CERT® Advisory CA-2012-01 HTML5 Vulnerability ... we recommend disabling HTML until the fix is installed.

  23. Another member of the Tautology Club... by Angst+Badger · · Score: 1

    Shock! The attack surface is proportional to the amount of functionality offered! Ergo, we can build more secure applications by eliminating functionality!

    I have a lot of respect for the security community, but sometimes they confuse the newsworthy with the merely obvious.

    --
    Proud member of the Weirdo-American community.
  24. A huge risk in HTML5 by Dracos · · Score: 3, Interesting

    Let me start out by reminding everyone that when Netscape came up with Cookies, everyone thought they were fine. Now, thanks to 1 pixel images and other tracking methods, cookies are the key to online companies aggregating bits of "anonymous" data into an identifiable profile of a person. Does Google know only as much about you as you would like? In fact, they know far more about you than you would expect, even if you don't use GMail.

    The single biggest shot across the bow to privacy in HTML5 is the ping attribute. It may seem innocuous at first glance, but according to MozillaZine, it sends an HTTP POST request to each URL. Why not GET instead?

    This will allow Google, Alexa, FaceBook, or any "partner" to track users, if a site implements ping, easier than ever before. Some say trackers will migrate away from redirect URLs, but I say they will do both, if only to sop up every last piece of data they can.

    I can see ping being used as a stealth DDOS attack, if enough malicious links can be distributed. Some content provider web API gets hacked, thousands of sites load up links (via AJAX) that ping slashdot.org, and Slashdot goes down. Will ping implementations be smart enough to reduce the list of URLs down to unique values? How many times does ping="slashdot.org slashdot.org/foo slashdot.org/comments.pl slashdot.org/article.pl" actually hit the poor, unsuspecting server? There's no apparent limit to how many URLs can be stuffed into a single ping, either.

    I'm sure the black hats will think of other ways to exploit this. I agree that tools are neither evil nor good, but this is ripe for unintended consequences.

    1. Re:A huge risk in HTML5 by kc8jhs · · Score: 3, Insightful

      It looks like that option was included with the intention that the browsers implementing the feature would have a method to disable its usage. I'm guessing if it gets crazy then major players will ship with it disabled, or maybe include some sort of same domain policy for pings (ping domain has to match referrer or href). I'm not too scared, and this would work much better than JS versions of the same thing.
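      The two questions raised in this sub-thread, whether a user agent would collapse a `ping` list to unique URLs and whether a same-origin rule (ping origin must match the href or the referring document) would contain the tracking and amplification worries, can both be answered mechanically on the user-agent side. The following is an added example written for this page; it is not code from Slashdot, from any browser, or from the HTML5 specification. It assumes a document at `https://example.test/page.html` (a constructed address) and a hypothetical policy of at most `maxPings` unique, same-origin, http(s)-only targets per link; everything it rejects is returned with a reason so a privacy-conscious UI or log could show it.

```javascript
// Added example, not from the page or any browser: a user-agent-side filter for the
// HTML5 `ping` attribute. Tokens are resolved like the browser would (relative to the
// document), normalised, deduplicated, restricted to http(s), limited to the origins of
// the link target and the referring document, and capped at a maximum count.

// Origin in the same-origin-policy sense: scheme + host + port. `URL.host` includes a
// non-default port, so https://a.test and https://a.test:8080 are different origins.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns { accepted: [normalised URLs], rejected: [{ url, reason }] }.
// The defaults (maxPings = 8, allowCrossOrigin = false) are assumptions for this
// example, not values from the HTML5 spec.
function filterPings(pingAttr, hrefUrl, documentUrl, opts = {}) {
  const { maxPings = 8, allowCrossOrigin = false } = opts;
  const allowedOrigins = new Set([originOf(hrefUrl), originOf(documentUrl)]);
  const seen = new Set();
  const accepted = [];
  const rejected = [];

  // The attribute is a space-separated list of URLs.
  for (const token of pingAttr.split(/\s+/).filter(Boolean)) {
    let target;
    try {
      target = new URL(token, documentUrl);       // relative tokens resolve against the document
    } catch (e) {
      rejected.push({ url: token, reason: 'unparseable' });
      continue;
    }
    if (target.protocol !== 'http:' && target.protocol !== 'https:') {
      rejected.push({ url: token, reason: 'scheme' });
      continue;
    }
    const normalised = target.href;               // e.g. "https://a.test" -> "https://a.test/"
    if (seen.has(normalised)) {
      rejected.push({ url: token, reason: 'duplicate' });   // one hit per unique URL
      continue;
    }
    seen.add(normalised);
    if (!allowCrossOrigin && !allowedOrigins.has(originOf(normalised))) {
      rejected.push({ url: token, reason: 'cross-origin' });
      continue;
    }
    if (accepted.length >= maxPings) {
      rejected.push({ url: token, reason: 'limit' });       // bounds the fan-out per click
      continue;
    }
    accepted.push(normalised);
  }
  return { accepted, rejected };
}

// Constructed sample: a link to slashdot.org on a page at example.test, with a ping list
// that repeats the target, adds a third-party tracker, a different port, a non-http
// scheme and a relative URL.
const SAMPLE_DOCUMENT = 'https://example.test/page.html';
const SAMPLE_HREF = 'https://slashdot.org/article.pl';
const SAMPLE_PING = [
  'https://slashdot.org', 'https://slashdot.org/', 'https://slashdot.org/foo',
  'https://tracker.example.net/hit', 'https://slashdot.org:8080/x', 'mailto:a@b.test', 'foo',
].join(' ');

function runSample() {
  return filterPings(SAMPLE_PING, SAMPLE_HREF, SAMPLE_DOCUMENT);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

      With the constructed sample the filter accepts `https://slashdot.org/`, `https://slashdot.org/foo` and `https://example.test/foo` (the relative token resolved against the document) and rejects the repeated root URL as a duplicate, the tracker and the `:8080` target as cross-origin, and the `mailto:` entry for its scheme. Whether the surviving requests are sent with POST, HEAD or GET is a separate question from the one this filter answers; the point here is that uniqueness, origin and count are all cheap to enforce before anything is sent.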

    2. Re:A huge risk in HTML5 by BitZtream · · Score: 2, Interesting

      The single biggest shot across the bow to privacy in HTML5 is the ping attribute [w3.org]. It may seem innocuous at first glance, but according to MozillaZine [mozillazine.org], it sends an HTTP POST request to each URL. Why not GET instead?

      Why does it matter if it's a GET or POST? I mean, why would you want GET? More chances that the URL will contain sensitive data that gets logged in more places. My webservers log GETs with all their encoded data by default, but the only thing I know about posts in the log is that they were posts and I know nothing about what's in them. My browser did, and so did the proxy that brought that post into the actual web servers, so it's not like they can 'hide' information in there that you 'can't' see.

      From the link you gave:

      The a and area elements have a new attribute called ping that specifies a space-separated list of URLs which have to be pinged when the hyperlink is followed. Currently user tracking is mostly done through redirects. This attribute allows the user agent to inform users which URLs are going to be pinged as well as giving privacy-conscious users a way to turn it off.

      Emphasis mine. You can bet it will default to prompt initially in most browsers. Makes it fairly easy to control. Much has been learned since cookies came out, and the ping attribute is an attempt to use that experience.

      You're worried about how it can be abused and completely ignore that it's really simple for a browser to not allow anything you mentioned to happen. You could already do a DDOS with hidden iframes that would accomplish the same thing for instance.

      It's no worse than cookies, is just as controllable as cookies in every way, and is designed to fill a specific role that is already filled using a bunch of kludges.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:A huge risk in HTML5 by GreyWolf3000 · · Score: 1

      I also don't get the hangup with ping using POST. It's just a word that shows up in the HTTP dialog. According to HTTP spec, POST would make more sense for this, since you're essentially publishing tracking information to a site.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    4. Re:A huge risk in HTML5 by Dracos · · Score: 1

      The browser already has a location from the href, it doesn't care what the ping response(s) are, except for the headers (so that cookies can be updated), so HTTP HEAD would suffice.

    5. Re:A huge risk in HTML5 by dkf · · Score: 1

      The browser already has a location from the href, it doesn't care what the ping response(s) are, except for the headers (so that cookies can be updated), so HTTP HEAD would suffice.

      Except that HEAD is cacheable in proxies, so the tracking information that the W3C's participants want so badly would get swallowed. By using POST, they're circumventing efficiency for the sake of spying on you (in a small, mean-spirited way).

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  25. Well the problem by Sycraft-fu · · Score: 1

    Is that the more core to the spec it is, the less you can do to mitigate it. With Flash there's a simple solution: Block it. You can use a plugin like Flashblock that allows you to run it only as needed, you can set it to only run on some sites, or you can shut it off entirely. It is easy to restrict access to it when it isn't needed and thus increase security.

    When the features are in HTML itself... Well then what do you do?

    1. Re:Well the problem by Anonymous Coward · · Score: 0

      div block with ad block

    2. Re:Well the problem by GreyWolf3000 · · Score: 1

      Well, you install a plugin that will be able to remove ads from the DOM. Problem solved.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    3. Re:Well the problem by daveime · · Score: 1

      Good luck with that div block.

      I seem to remember a while back some assholes suggesting that content and presentation should (sorry, they insisted MUST) be separated. While some of us fought it tooth and nail, the masses of buzzword obsessed PHBs won, with their demands that every page be W3C compliant, meaning web designers would strip 99% of the markup out to a separate CSS file to hide it where the validator wouldn't find it.

      So now we have a generation of web designers (the last 5 years' batches, I'd guess), who place all their content inside div tags, then do all the font, color, and positioning stuff via CSS. The majority of webpages today are NOTHING but a pile of div tags controlling menus, sidebars, main content areas etc.

      Won't THAT work well when we have to start blocking all the div tags in a page, ONE BY ONE ...

      This little div has some content
      This little div has none
      This little div has a commercial
      This little div has a song
      And this little div went whee whee whee all over your fucking dumb idea.

      And forget about HTML5 canvas helping you, that's just a div that you can draw on with 25 year old turtle commands, and anything more complex than a blue square and a yellow rectangle will be kludged with PNGs, transparency and z-index same as always.

      Welcome to HTML5, it's gonna be a wild ride. Or a blank page, if you are using canvas block and div block. Take your pick.

  26. let crockford fix it by Anonymous Coward · · Score: 0

    let Doug Crockford lead a new draft committee. he seems to be competent to do it right.

  27. Re:Thanks Apple by Anonymous Coward · · Score: 0

    Thanks Apple.

    All because you wanted to be greedy and only let media be delivered through you, instead of other websites being able to deliver it.

    So instead of being able to use adblock, to block malware and only view video when we chose, we're screwed. We have no recourse.

    I saw this coming a mile away the second Apple fanboys began defending Apple's position.

    So your basic premise is:

    1. Apple wants to control all media everywhere
    2. Apple supposedly creates HTML 5, a standard that it doesn't control
    3. Apple somehow gets Google and a bunch of other organizations it doesn't control to implement the standard that it doesn't control. You know, because Google and the rest want to help Apple control everything
    4. ???
    5. Profit (for Apple, obviously, and maybe Google, and...Microsoft?)
    6. This is all Apple's fault.

  28. Is a web browser an application or a platform? by tepples · · Score: 1

    if an idiot developer wants to make an application in an insecure way, the platform can not stop them.

    I find your statement ambiguous. Did you mean that in the sense of the web browser as an application and a device's operating system as a platform? Or did you mean it in the case of a web app as an application and the web browser as a platform? The article, as I understand it, is about the latter sense.

    1. Re:Is a web browser an application or a platform? by Mike+Kristopeit · · Score: 1

      I mean what I said. Security is built in the application. If the platform implements something insecurely, then relying on that implementation is not building a secure application... it doesn't mean that a secure application cannot be built on that platform.

  29. Four seconds for that page to respond by tepples · · Score: 4, Insightful

    Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented and just maybe, impress your boss.

    The web page you linked is an example of what can go wrong with HTML5 in the wrong hands: it ends up just like Flash in the wrong hands has ended up for years. Not only does it use mystery meat navigation, but it also takes literally four seconds from when I move the pointer to when another wedge of the graph lights up. I'm using the latest release version of Firefox (3.6.10) on Windows XP.

    1. Re:Four seconds for that page to respond by Anonymous Coward · · Score: 0

      Windows XP? Welcome time traveler. You have landed in the year 2010. Enjoy the new Slashdot. There's a lot of AJAX here and there.

    2. Re:Four seconds for that page to respond by Dynedain · · Score: 1

      You don't know what you're talking about. There's no mystery-meat on that page. The only navigation are clearly labeled text links.

      And just because your particular browser sucks at rendering the interactive graph doesn't make it a bad page. The whole point of the graphic is to illustrate browser support for HTML5 in a compelling way. And how better than to make that display actually use and encourage HTML5?

      FF is the weakest of the current browsers when it comes to javascript and canvas speeds. Safari and Chrome both handle that interactive graph quite well. IE8 fails miserably, which is great for showing why people need to update to 9 when it comes out. FF4 is supposed to improve things over 3.6, but proof of concepts like this one are exactly what are driving the improvements and competition between browsers.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    3. Re:Four seconds for that page to respond by WankersRevenge · · Score: 0

      You obviously didn't even look at the page since it is A CHART. A freakin CHART! Vincent Flanders doesn't apply. It's even pretty laughable that you mentioned him. He hasn't been relevant since the blink tag was in style.

      You just proved an excellent lesson on how to get modded up on slashdot:

      Rail against the lack of flash on the iphone or rail against the poor performance of flash on the desktop.

    4. Re:Four seconds for that page to respond by Lord+Ender · · Score: 1

      Four seconds? It works instantly in chrome.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:Four seconds for that page to respond by Anonymous Coward · · Score: 0

      I'm using Chrome 6.04 and there is maybe a half second delay. I'm sure Mozilla will improve performance as HTML 5 becomes more popular.

    6. Re:Four seconds for that page to respond by Anonymous Coward · · Score: 0

      The point here is that HTML5 is a PR stunt, it's more marketing than IT - here's a hint, it's a f******* markup language, it's not anything special. Worse yet, even when it's complete it'll be a non-standard standard as you'll be able to hack about with it XML well-formed or not. The point of a standard is, surely, that there is one standard way of doing things...? It's actually worse specced than XHTML 2 was.

      Not as many people were taken in by it as the fanboys imagine. Just because people can't be bothered to point out that html5 is whalesong does not mean that they think it's going to fly. It won't.


      html5 {
      position: indifferent;
      display: eventually;
      overflow: 5yrs;
      padding: 3yrs;
      background: #eeeeek url('http://ishtml5readyyet.com/') repeat-daily;
      }

    7. Re:Four seconds for that page to respond by tepples · · Score: 1

      You don't know what you're talking about. There's no mystery-meat on that page.

      Hover over one of the wedges and see a label at the bottom center of the chart. For example, the labels corresponding to the wedges at the top center are "BORDER RADIUS" and "QUERYSELECTOR". You might have to scroll the page down to see the label if you use a 1024x768, 1280x800, or 1360x768 pixel display mode. These labels are still mystery meat that negatively affects usability even if they are not navigation per se.

      And just because your particular browser sucks at rendering the interactive graph doesn't make it a bad page.

      Ideally, a script is supposed to detect that its visuals are rendering at less than three frames per second and reduce their complexity. Here, it runs at two seconds per frame: one to hide one label and one to show the next.

      And how better than to make that display actually use and encourage HTML5

      What it tells web developers is "if I use the same HTML5 technologies that this web page uses, my pages will be as unusably slow as this page."

      FF is the weakest of the current browsers [...] IE8 fails miserably

      And guess what most of your site's viewers are probably using: Fx 3.6 and IE 8. There are a lot of PCs still in use that will never run an operating system to which IE 9 will ever be ported.

      FF4 is supposed to improve things over 3.6

      Is there a projected date for Fx 4 other than "when it's done"? And is there a projected substantial bump in system requirements the way there was from Fx 2 to Fx 3?

    8. Re:Four seconds for that page to respond by tepples · · Score: 1

      Worse yet, even when it's complete it'll be a non-standard standard as you'll be able to hack about with it XML well-formed or not.

      HTML5 defines two content-types: text/html and application/xhtml+xml. The text/html form is a variant of SGML (though not a strict application of SGML as HTML 4 was), and the HTML5 spec specifies exactly how a parser should turn ill-formed tag soup into a well-formed DOM. This error handling is identical in any conforming parser. If you want well-formed XML, use application/xhtml+xml.

      http://ishtml5readyyet.com/

      From this site: "The only reliable, modern cross-platform application solution that runs reliably in every browser from IE6 to Safari 5- and now many Android phones- is Flash." Safari for iOS doesn't support it, and iOS is far more popular than Android on handheld devices that aren't cell phones (namely iPod touch and iPad, compared to Archos tablets). Moreover, the free web browsers (Fx and Cr) are far more complete than free alternatives to Adobe Flash Player such as Gnash.

  30. How can HTML4 be vulnerable? by Jugalator · · Score: 5, Insightful

    It doesn't even contain any code, being a markup language? It's not even Turing complete.

    [italic attribute="question"]Is this invented markup language of mine also vulnerable?[/italic]

    *shrug*

    --
    Beware: In C++, your friends can see your privates!
    1. Re:How can HTML4 be vulnerable? by Tablizer · · Score: 1

      Something doesn't have to be Turing Complete to be a danger. True, not being TC may reduce the options available to hackers, but does not eliminate them. Even some images and documents were able to exploit bugs by taking advantage of a hole in some graphics renderers (browsers) whereby certain pixel combinations triggered a bug that allowed the rest of the image's bytes to "flow" into memory, where the render engine starts executing them as if they were machine code. It's similar to a buffer-overflow exploit: find a hole that tricks something into executing data as if it was machine language. URL syntax has also been known to do similar things.

    2. Re:How can HTML4 be vulnerable? by Spykk · · Score: 1

      [bold attribute="exclamation';DROP TABLE Attributes;"]Let's find out![/bold]

    3. Re:How can HTML4 be vulnerable? by Lord+Ender · · Score: 1

      He is probably thinking of XSS and CSRF vulnerabilities. These are technically not HTML's "fault," but they are so common it is clear HTML "encourages" them happening.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:How can HTML4 be vulnerable? by Anonymous Coward · · Score: 0

      The HTML parsers are written in code, so I imagine Grossman meant something like:

      'I know that we're still finding vulnerabilities in HTML4 [implementations/renderers/parsers]'

  31. Reference implementation by tepples · · Score: 1

    Implementing stuff before the spec is finalized. That just seems weird. :P :)

    A proper spec isn't finalized until a reference implementation is ready. One of the reasons that some of the HTML 4.01 features never entered wide use is that absolutely nothing supported them correctly for years after HTML 4.01 became a W3C Recommendation. Take the <col> and <colgroup> elements for example; those still aren't consistent even in browsers that do support them.

    1. Re:Reference implementation by CannonballHead · · Score: 1

      I understand the idea of a reference...

      But it seems like the reference implementations end up being marketed and the full spec is finalized much after the reference has essentially been adopted. Hopefully, the reference was correct...

      I may just have an idealistic view, though. :)

  32. Browsers should be strictly sandboxed! by cowdung · · Score: 2, Interesting

    Browsers, IM tools, Skype, and other such tools should ALWAYS run under very restrictive permission levels. I don't need my browser writing anywhere on my computer except for maybe one folder (usually). I don't need it changing the registry. I don't need it to be able to execute code unsandboxed.

    So keep it isolated using permissions. That is the last line of defense against malicious sites.

    That would solve a great number of problems.

    1. Re:Browsers should be strictly sandboxed! by arndawg · · Score: 1

      HTML5 wants to be as good as native apps. How do you do that without compromising security? ALLOW YES OR NO for the whole fucking internet. Good luck. Google thinks their Chrome store is the security model of the future. Everything is denied, except when you download a web app from the Chrome store. Since it's Google you can trust them. And finally the web is owned by Google. NICE

  33. Re:security is built in the application, not platf by Khuffie · · Score: 1

    You misread the summary; the article is not about an idiot developer building an insecure application that compromises the developer's server's security. It's about malicious developers building seemingly benign websites that compromise a user's home computer.

  34. No platform is 100% secure by tepples · · Score: 1

    if the platform implements something insecurely, then relying on that implementation is not building a secure application... it doesn't mean that a secure application can not be built on that platform.

    As far as I know, formal verification of the security of a computer program as large as a platform is nowhere near prime time. This means you can't be sure that any platform implements every necessary feature 100% securely, and relying on any implementation is not building a secure application, unless perhaps your application requires so few platform features that it would work in HTML 1.0.

    1. Re:No platform is 100% secure by Mike+Kristopeit · · Score: 1
      so how is knocking HTML5 relevant?

      you idiots are all missing the point.

  35. Most sites aren't in an SWF by tepples · · Score: 1

    ...except when a Flash page behaves the same way. See Pandora for example: it's one big applet

    Typically, only media players (such as Pandora) and corporate brochureware (such as Pop-Tarts.com) act that way. Other sites have accessibility concerns that preclude putting the whole site in an SWF.

  36. Re:security is built in the application, not platf by istartedi · · Score: 1

    I disagree. For example:

    1. System has ability to delete your files.
    2. System loads file from the Internet. File from the Internet contains instructions.
    3. System is designed to accept delete() instructions from users, but not from files downloaded from the Internet.

    My idea for quite some time is that in the long run, all file formats become programming languages. A web page should have always been regarded as an application that is sandboxed by the browser, even before we started building apps with them.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  37. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 0, Flamebait
    ... which is not specifically relevant in any way to HTML5 or any other specific platform... you missed my entire point, and then suggested i didn't understand the basis of my own argument. you're an idiot.

    security is built in the application just as malice is built in the application. the platform is irrelevant.

  38. Favor what? by egnop · · Score: 1

    I don't get it, are we all that paranoid,

    Naturally we favor functional above secure

    oh wait, security experts.

    Fuck them

    1. Re:Favor what? by rgviza · · Score: 1

      Yea! Fuck them!

      Gimmah HTML5!

      (3 months later)

      WTF! My bank account is drained and I can't send email any more! I want my mommy!

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
  39. My concern by nine-times · · Score: 2, Insightful

    I'm not an expert of any kind, but my general concern with the web has been growing as static documents have become applications. It's the same reason I don't like the idea of javascript in PDFs. I like the idea of a static document that doesn't do anything, but is merely viewable. Yes, yes, I know that it's possible for malformed documents to trigger exploits in the document viewer, but that seems like it should be more rare and easy to protect against.

    As you upgrade HTML to make web applications more and more powerful, it seems likely to me (from a non-expert standpoint) that you're increasing the variety of security concerns we need to worry about. There's a part of me that wishes we had two different things: a web browser that allowed for safe passive viewing of relatively static content, and an application that supported an application framework similar to current web applications.

    Ok, I'm ready for people to yell at me for being stupid now.

    1. Re:My concern by owlstead · · Score: 1

      I'm a security expert of some kind, but you are of course spot on. The more flexibility you have, the bigger the attack surface. And things like a scripting language may add a lot of flexibility. Of course, there are ways to mitigate the risk. Having sites run in their own sandbox (including the scripts) for instance. Or having plugins run in their own process, so they don't have direct access to browser data.

      The current set of web-browsers and web standards do make a pretty brittle system. I've always wondered for instance if we wouldn't have been better off if a single page view could only come from a single server. Adding all this kind of functionality certainly won't make it safer. That said, it may still be a lot safer than a browser with plugins for flash, shockwave, pdf, silverlight added. Initially at least it is more likely that we have all these plugins *and* HTML 5, so that means less safety whichever way you look at it.

      Having a secure browser (and web standard) sounds like a good idea, but the trick is to decide which parts should be included. My bank site itself uses quite a lot of HTML features that I would like to have excluded for safety reasons. I'm not so sure that my bank wants to do away with their fancy GUI though. And they are one of the less obnoxious ones.

  40. Re:Thanks Apple by mr100percent · · Score: 1

    Give me a break. You'd rather lash yourselves to Adobe rather than the open HTML5 standard?

    Besides, there will be an adblock for HTML5 eventually. There's no structural limitations on it.

  41. Re:security is built in the application, not platf by Khuffie · · Score: 1

    And yet again, you still miss the point. The article states that the scope of HTML5 is so huge, that it will be difficult for browser developers to fully secure their browser against exploits. The scope of HTML5 makes securing the browsers more difficult, and as a counter point, they compare it against HTML4, which was far simpler, but exploits are still being found to this day.

    This in no way suggests that HTML5 sucks or is evil, it is just something that people need to consider.

    Unless in your original point, by developer you meant Firefox, Chrome, Opera or IE dev teams and by application you meant the aforementioned browsers, then your point was, at best, vague.

  42. oh really? new tech new problems! by daveb1 · · Score: 0

    oh really? new tech new problems!
    who would have thunk it!

    Nothing to see here people, please move along.
    oh really? new tech new problems!

    alert(1)

  43. Re:security is built in the application, not platf by Z00L00K · · Score: 1

    Effectively there is a need for web browsers to isolate different parts of the page from each other.

    A look into what Netscape had earlier with "Data Tainting" and also the "Same Origin Policy" should be considered, which would limit the interaction between content with different origin.

    Another catch is the thread based model in applications (mostly a problem for C and C++ applications) instead of a process based model where interprocess communication has to be defined more strictly. Any coding mistake in thread based code can cause one thread to trample unhindered into areas of another.

    New functionality means a range of new interesting bugs.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  44. Re:Thanks Apple by MogNuts · · Score: 1

    No there won't. Flash was a singular fixed object. HTML5 is an entire markup.

    Let me know how easy it is to block every and on each page. Let me know how that works out for ya

  45. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    so the HTML5 spec includes the requirement to delete any file on the host file system?

  46. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    just because a specific group of developers working on a specific implementation of a specific platform layer spec can't securely implement that spec, does not imply anything other than the group of developers is incompetent.

    this has absolutely nothing to do with HTML5 as a platform layer spec or as a platform layer implementation... this has everything to do with furthering an acceptance and expectation of incompetent developers.

    you are all idiots.

  47. Re:Thanks Apple by Anonymous Coward · · Score: 0

    Pretty easy actually. About as easy as blocking gifs

  48. Re:security is built in the application, not platf by istartedi · · Score: 1

    I was just using file delete as an example of something that a system must be able to do; but that you don't want being done at the request of an arbitrary application.

    Perhaps window creation would have been a better example. I don't know how HTML5 is put together. I would hope that creation of new windows outside the frame of the existing browser (ie, popups) would be easy enough to trap in the browser and subject to permissions.

    A browser has to be capable of creating popups at the request of the user (otherwise how would you even set your preferences?) but it should be capable of limiting popup requests by anything under its process hierarchy.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  49. That's why HTML should have been an API. by master_p · · Score: 1

    the new specification will greatly increase the 'attack surface' of HTML -- providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge

    If HTML was an API, not only would security be handled much more easily, but the functionality could be enhanced and extended much faster...

  50. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    my sole point is that this story and any argument about a platform being implicitly insecure is ignorant. HTML5 is not prone to allowing anyone to delete an arbitrary file off of any HTML5 user's computer, as you suggested.

    an application implementation of the HTML5 platform layer is itself an application, and then the recursive confusion begins.

    this is a MARKETING story... a smear campaign by the incumbents... completely ignorant and irrelevant.

  51. Re:security is built in the application, not platf by istartedi · · Score: 1

    I took "platform" to mean "operating system and its installed applications". I probably skimmed too quickly somewhere or something. If so, my bad, sorry. Hopefully that clears up any confusion about where the confusion over the confusion over what was confusing came from.

    (foghorn-leghorn (Ahh say, that's a joke, son.))

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  52. I'm waiting for... by Decker-Mage · · Score: 1

    We have all the functionality of a supercomputer sitting in more than a few machines, as nVidia has so lovingly demonstrated with CUDA, Fermi and Tesla. Now we have the browser able to harness that hardware functionality via the DirectX and OpenGL APIs. Should it be any surprise that, given a new threat vector right into the heart of the machine with APIs that are most definitely not designed with security in mind, something bad can happen?

    I'm just waiting for the hijack that takes over your graphics card and does SETI@Home or Folding@Home behind your back.

    --
    "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  53. Re:security is built in the application, not platf by beej · · Score: 1

    Believe me, there's a lot of security stuff in the HTML5 specs. Want to get an image from behind a firewall and AJAX the data out? The spec disallows it. (Nothing in the JS code makes it impossible--you can absolutely code it up. The only thing that stops you is the spec says a security exception must occur when the JS program attempts to access the pixel data.) That's just one example of many.

    So, actually, the platform can stop security-unaware developers. Security is in both the platform and the app which runs upon it. In a later post, you say "if the platform implements something insecurely, then relying on that implementation is not building a secure application." This is true. But there's nothing stopping us from building a more secure platform, as well.

    Like with SMTP, being built with implicit trust causes all kinds of problems with HTML/JS. Strides are being made, and specs are being produced by W3C to address the issues.

  54. Re:No platform is 100% secure - YET! by Decker-Mage · · Score: 1

    I have been engineering formally verified code for almost four decades now; it's part of my mental toolkit here. Frankly, I'm surprised that not everyone does it, but given the sheer amount of buggy crap out there, I suppose I really shouldn't be surprised.

    --
    "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  55. Re:security is built in the application, not platf by Decker-Mage · · Score: 1

    Which is what separates, in my not so humble opinion, software 'developers' from software engineers. Then again, if I fragged up and someone was hurt or died, or there was a large amount of damage, as a result of negligent software engineering on my part, I was going to a federal prison to be guarded by a bunch of pissed off Marines (who really don't want to be there in the first place!). "The prospect of being hanged in a fortnight concentrates the mind wonderfully."

    --
    "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  56. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    when you have things like OpenID and facebook connect running rampant because THERE IS DEMAND, a "more secure platform" that disallows such things has no chance.

  57. Re:security is built in the application, not platf by beej · · Score: 1

    Demand for these things plays a role, sure, but nevertheless the HTML5 platform still makes an effort to enforce security policy below the JavaScript/HTML layer. See CORS, for instance, or the Same-Origin Policy.
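The canvas rule beej refers to in comments 53 and 57 (a cross-origin image can be drawn, but reading the pixels back must raise a security exception unless the image was fetched with CORS and the server opted in), as an added example that is not code from the thread or from any browser: a small model of the canvas origin-clean flag that runs offline, plus the equivalent browser-side check. The hostnames are constructed, and credentials-mode subtleties are ignored.

```javascript
// Added example, not from the thread: a model of the canvas "origin-clean"
// rule plus the browser-side check. Assumptions (constructed): origins
// compare as strings and a CORS reply is summarised by its
// Access-Control-Allow-Origin header; credentials mode is ignored.

// Classify what drawing `imageUrl` into a canvas owned by a page at `docUrl`
// does. `crossOrigin` is the <img crossorigin> attribute ('anonymous',
// 'use-credentials' or null); `acao` is the server's
// Access-Control-Allow-Origin value (null when the header is absent).
function classifyImage(docUrl, imageUrl, crossOrigin, acao) {
  const docOrigin = new URL(docUrl).origin;
  const imgOrigin = new URL(imageUrl).origin;
  if (docOrigin === imgOrigin) return 'same-origin';   // never taints
  if (crossOrigin === null) return 'tainting';         // loads, but taints
  // CORS request: the server must opt in, otherwise the load itself fails
  if (acao === '*' || acao === docOrigin) return 'cors-ok';
  return 'cors-denied';
}

// Minimal model of a canvas's origin-clean flag and the spec-mandated
// SecurityError on pixel access once the flag has been cleared.
class ModelCanvas {
  constructor(docUrl) {
    this.docUrl = docUrl;
    this.originClean = true;
  }
  drawImage(imageUrl, crossOrigin = null, acao = null) {
    const kind = classifyImage(this.docUrl, imageUrl, crossOrigin, acao);
    if (kind === 'cors-denied') {
      throw new Error('image failed to load (CORS denied)'); // img onerror
    }
    if (kind === 'tainting') this.originClean = false;
  }
  getImageData() {
    if (!this.originClean) {
      const err = new Error('The canvas has been tainted by cross-origin data.');
      err.name = 'SecurityError';
      throw err;
    }
    return 'pixels'; // stands in for the real ImageData object
  }
}

// Draw, then read: returns 'pixels', the thrown error's name, or 'load-error'.
function tryReadPixels(docUrl, imageUrl, crossOrigin = null, acao = null) {
  const canvas = new ModelCanvas(docUrl);
  try {
    canvas.drawImage(imageUrl, crossOrigin, acao);
  } catch (e) {
    return 'load-error';
  }
  try {
    return canvas.getImageData();
  } catch (e) {
    return e.name;
  }
}

// Browser counterpart (only runs where `document` exists): loads the image,
// draws it, and reports whether getImageData succeeded or threw SecurityError.
function readPixelsInBrowser(imageUrl, useCors) {
  return new Promise((resolve) => {
    const img = new Image();
    if (useCors) img.crossOrigin = 'anonymous'; // request a CORS fetch
    img.onload = () => {
      const canvas = document.createElement('canvas');
      canvas.width = img.width;
      canvas.height = img.height;
      const ctx = canvas.getContext('2d');
      ctx.drawImage(img, 0, 0);
      try {
        resolve(ctx.getImageData(0, 0, 1, 1) ? 'pixels' : 'empty');
      } catch (e) {
        resolve(e.name); // 'SecurityError' on a tainted canvas
      }
    };
    img.onerror = () => resolve('load-error');
    img.src = imageUrl;
  });
}

if (typeof document !== 'undefined') {
  // constructed URL; swap in a real cross-origin image to see the taint
  readPixelsInBrowser('https://images.example/photo.png', false).then(console.log);
}
```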

  58. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    eventually 2 distinct services will exist... at the same time the mutually inclusive users will develop a framework with the intent of utilizing both services within a new interface. which "origin" relative to either service does that new interface exist within? this story is pure marketing... slander from the incumbents

  59. HTML 5 Canvas by mrjb · · Score: 1

    The killer feature of HTML 5 is the canvas which permits client-side drawing. Unfortunately, the only way to enjoy this rich functionality is by having JavaScript enabled. If memory serves, JavaScript was at the base of ALL serious security vulnerabilities in the recent past. Unfortunately as well, there is no other standardized way to provide this kind of interactivity (no, Flash is not a standard). So at some point, we're going to have to choose between limiting functionality (not an option), using a nonstandard solution (introducing cross-browser compatibility problems) and/or fixing the possible security holes. Originally JavaScript was pretty well thought-out, as scripts could only be included in the header of an HTML page. This at least made script injection in HTML pages impossible. We've got a fine company in Redmond to thank for allowing scripts in the body of HTML pages as well. Now that the can of worms has been opened, there's no way we're gonna be able to close it again. So this is a typical case where we're just going to have to deal with things. If security is an issue, don't allow JavaScript- and therefore, don't use the canvas tag.

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  60. What specification ?? by Sla$hPot · · Score: 1

    Hum..."that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web"

    What specification ??

    "greatly increase the 'attack surface' of HTML"

    Omg. sounds horrible to me :(
    Sounds like it's gonna turn my browser into remote desktop with a blank password..oh shit!!

  61. It's buggy crap because it's affordable by tepples · · Score: 1

    I have been engineering formally verified code for almost four decades now, it's part of my mental toolkit here. Frankly, I'm surprised that not everyone does it

    I wrote under the impression that formal verification was at least an order of magnitude more expensive than the shortcut that Mozilla already uses: a spot-check (r= and sr=) and an automated test suite. Revenue from home PC software, whether paid for by users or by advertisers, isn't enough to cover formal verification of anything except possibly a few low-level operating system components. So instead, they use the shortcut and offer the software with ABSOLUTELY NO WARRANTY, as seen in any free software license or any proprietary COTS software EULA. The license of some software, such as the Java player, even has a specific disclaimer against using the product for systems where a failure could cause loss of life. So the YET to which the subject of your comment alluded will need a breakthrough in efficiency of formal verification.

  62. Security is important, but so is functionality. by DaVince21 · · Score: 1

    (...) the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks.

    Well, duh. But does that mean that we should keep all development at a standstill, just because that means that there won't be any more new attacks? Of course not.

    --
    I am not devoid of humor.
  63. LOL! That's cute! by Quiet_Desperation · · Score: 1

    Wow. What wonderful universe did you just slide in from? This one sucks ass *and* balls, dude. Slide back out as soon as you can, because this one is toxic as all hell.

  64. Re:security is built in the application, not platf by DaVince21 · · Score: 1

    Newsflash: smart people can crack the platform and find insecurities at that level.

    --
    I am not devoid of humor.
  65. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    the platform isn't getting cracked... the flawed implementation of the platform is getting cracked.

    the mention of HTML5 in such a story is irrelevant and the product of a marketing smear campaign run by the HTML vendor incumbents.

  66. Re:security is built in the application, not platf by exomondo · · Score: 1

    just because a specific group of developers working on a specific implementation of a specific platform layer spec can't securely implement that spec, does not imply anything other than the group of developers is incompetent.

    How so? The developers should be following the security policy as defined by the spec; the spec also defines such things as when and where security exceptions should be raised, which is what a spec should do.

  67. Re:security is built in the application, not platf by Mike+Kristopeit · · Score: 1

    it's not about flaws in the spec creating exploit potential... it's about flaws in the implementation of the spec creating exploit potential. if you can't understand the difference, you're an idiot. i can't help you.

  68. Re:security is built in the application, not platf by exomondo · · Score: 1

    it's not about flaws in the spec creating exploit potential... it's about flaws in the implementation of the spec creating exploit potential. if you can't understand the difference, you're an idiot. i can't help you.

    No, actually I understand that it's BOTH. And if you can't understand that then you're just an epic fail.

  69. Re:security is built in the application, not platf by MichaelDa.Kristopeit · · Score: 1

    it's NOT about both. a platform allowing interfaces to tie multiple services together is not a flaw in the platform... ignorant users trusting malicious service providers is not a flaw in the platform. i understand you are BOTH ignorant and hypocritical.

    you are NOTHING.

  70. Re:security is built in the application, not platf by exomondo · · Score: 1

    a platform allowing interfaces to tie multiple services together is not a flaw in the platform... ignorant users trusting malicious service providers is not a flaw in the platform.

    I never said they were. But the platform spec is much more than that, it includes security policies, which you would know if you'd actually read it.

    Security is a part of BOTH the platform implementation AND spec, inherent flaws in the spec can lead to exploits in the implementation regardless of the platform which is precisely why the specification includes the security exceptions and security policies. Pretty obvious.

    i understand you are BOTH ignorant and hypocritical.

    exactly how am I hypocritical? just because I don't agree with you doesn't mean I'm ignorant, and your use of that as an argument just shows how little you know about the subject matter. when you're trying to sway people to your way of thinking, the method of 'I'm right and if you can't understand that you're an idiot' simply shows that you think you're right but have no idea why.

    you are NOTHING.

    lol, what are you replying to then? All you're giving out is baseless personal attacks, you have no facts so the more you post the stupider you look.

  71. Re:security is built in the application, not platf by Kristopeit,+Mike+Dav · · Score: 1

    what flaws in the HTML5 spec can lead to exploits that users of modern web based applications which tie multiple secure external services together don't already require?

    what you really have a problem with is such users existing and demanding such "inherently exploitable" interfaces.

    as long as you continue to argue about the argument instead of providing facts, you will continue to be NOTHING

  72. Re:security is built in the application, not platf by exomondo · · Score: 1

    what flaws in the HTML5 spec can lead to exploits that users of modern web based applications which tie multiple secure external services together don't already require?

    I'm not saying there specifically are any, but that there certainly is scope for them, which is exactly what TFA is about. Hence the reason we have security policies in the spec, otherwise they wouldn't exist. So security is a part of BOTH the spec AND implementation.

    what you really have a problem with is such users existing and demanding such "inherently exploitable" interfaces.

    So what you're saying is that the W3C are developing an inherently insecure platform spec because it's what people demand? Those potential exploits - which is what TFA is referring to - are closed by properly defining security policies that implementations follow.

    as long as you continue to argue about the argument instead of providing facts

    The facts are right there in the spec, the security policies. These are there to prevent implementation-agnostic security exploits.

    you will continue to be NOTHING

    Patently false, otherwise you wouldn't be reading this. Your reply will prove yourself wrong.

  73. Re:security is built in the application, not platf by Mike+Dav.+Kristopeit · · Score: 1

    Im not saying there specifically are any...

    i'm done.

    you're an idiot... once again pushing your ignorance and hypocrisy and then ignorantly and hypocritically claiming you don't, all the while demanding for facts concerning a point that has already been proven, implying facts exist to disprove that point, but then conceded you can offer no such facts.

    you PROVIDE nothing, THUSLY...

    you are NOTHING

  74. Re:security is built in the application, not platf by exomondo · · Score: 1

    i'm done.

    Yet I'm fairly confident you'll reply...again.

    you're an idiot... once again pushing your ignorance and hypocrisy and then ignorantly and hypocritically claiming you don't

    Again, you fail with your use of the term 'hypocrisy'; in no way is anything I said hypocritical. I told you there are security policies in the spec and the reason for them is that there are security concerns outside of the individual implementations of the platform, otherwise why are they there? You don't know, do you.

    all the while demanding for facts concerning a point that has already been proven

    you didn't prove anything, except that you haven't read the HTML5 spec, nor know what a security policy is.

    implying facts exist to disprove that point, but then conceded you can offer no such facts.

    I gave you facts: the HTML5 spec has security policies, that is a fact that proves that security is a part of the spec. Explain to me why they are there if security isn't a necessary component of BOTH the spec AND implementation.

    you PROVIDE nothing, THUSLY...

    you are NOTHING

    Well it's obvious you aren't an engineer of any sort if you fail to see that statement is illogical.

  75. Re:security is built in the application, not platf by Mike+Dav.+Kristopeit · · Score: 1

    ur mum's face'll reply...again

  76. Re:security is built in the application, not platf by Mike+Dav.+Kristopeit · · Score: 1

    if the spec says USER A can choose to allow HOST A to interact with HOST B using USER A's secure credentials... and your only argument is that such a policy is not a "valid security policy", then you'll probably have a few million facebook users to explain a few things to. there is nothing flawed in the spec or inherently flawed in any implementation... MY ENTIRE POINT IS THAT HTML5 IS IRRELEVANT IN THIS STORY. THIS IS A FUNDAMENTAL BATTLE, NOT TECHNICALLY, and your seemingly endless availability to provide no technical and factual reasons i'm wrong, but still endlessly imply that i might be wrong, only further demonstrates your only possible intentions in such a debate.

    it's more obvious that you have no concept of relativity.

    ur mum's face didn't read the HTML5 spec.

    you are NOTHING

  77. Re:security is built in the application, not platf by exomondo · · Score: 1

    if the spec says USER A can choose to allow HOST A to interact with HOST B using USER A's secure credentials... and your only argument is that such a policy is not a "valid security policy"

    Which is why it's an issue with BOTH the spec and the implementation. If that security policy is specified in the specification then it will be implemented in the implementation. You see, the clue is in the names. If it isn't in the specification then it shouldn't be in the implementation; this is how we ensure different implementations of the same specification have the same behavior.

    there is nothing flawed in the spec or inherently flawed in any implementation...

    If they have missed a spot where a security policy should be this would be a security flaw, and - assuming the developers correctly followed the specification - would be present in the implementations. There absolutely is scope for this to happen, have a look at the revisions of earlier HTML standards for examples.

    ur mum's face didn't read the HTML5 spec.

    oh dear, why can't you just discuss this like an adult instead of this childish bullshit?

    you are NOTHING

    then who's typing this? grow up.

  78. Re:security is built in the application, not platf by Kristopeit,MichaelDa · · Score: 1

    not a SINGLE fact.

    you are NOTHING

  79. Re:security is built in the application, not platf by exomondo · · Score: 1

    not a SINGLE fact.

    what you just showed in the last post was a perfect example of a security problem in a platform specification. Hence proving that to have a secure platform you must consider security in BOTH the specification and the implementation.

    you are NOTHING

    you really don't seem to know what that means do you.

  80. Re:security is built in the application, not platf by Kristopeit,MichaelDa · · Score: 1

    if the spec says USER A can choose to allow HOST A to interact with HOST B using USER A's secure credentials... and your only argument is that such a policy is not a "valid security policy"

    Which is why it's an issue with BOTH the spec and the implementation.

    NO, you gimpy idiot. it's why YOU BELIEVE there is an issue.

    there is no implicit exploitable security flaw in allowing a user to have a system do what they wish of it. the Mac OS X interface allows me to enter a "Speak Text" dialog... i could put my password in and everyone in earshot would know it. does that mean it's an issue with the OS?

    NO. it means you're an idiot.

    SUCK MY TOES.

  81. Re:security is built in the application, not platf by exomondo · · Score: 1

    Are you really truly incapable of expressing your point intelligently like an adult? Dispense with the childish name-calling, it only shows your lack of intelligence that you have to stoop to that level instead of discussing the topic like an adult.

    it's why YOU BELIEVE there is an issue.

    there is no implicit exploitable security flaw in allowing a user to have a system do what they wish of it.

    That's user error, that is the user doing something stupid, absolutely nothing to do with the spec whatsoever. It is merely ANOTHER failure point of security.

    The specification needs security - proof of that is that there are security policies. The implementation needs security - to protect from things such as buffer overflows, etc... And the user needs to have some intelligence. All 3 of those are layers of security, not one or two but all 3.

    So let's try this another way:

    Can a specification be wrong? Yes, the proof of that is the fact that specifications are revised many many times

    Can security policies be wrong? Yes of course they can.

    If the security policy is wrong could this lead to an exploit in the implementation? Absolutely, because the implementation should implement the specification as it is written.

  82. Re:security is built in the application, not platf by Kristopeit,MichaelDa · · Score: 1

    [citation needed]

    you're an ignorant hypocrite.

    until you provide a SINGLE PROVABLE FACT, you are NOTHING

  83. Re:security is built in the application, not platf by Kristopeit,MichaelDa · · Score: 1

    the policy of a computer letting a user do EXACTLY what they want to do CAN NEVER BE "WRONG".

    you're a presumptuous IDIOT.

  84. Re:security is built in the application, not platf by exomondo · · Score: 1

    the policy of a computer letting a user do EXACTLY what they want to do CAN NEVER BE "WRONG".

    Why were these changes made? Because the spec was wrong, that's why.

  85. Re:security is built in the application, not platf by Anonymous Coward · · Score: 0

    Have you ever engaged in an online discussion that didn't devolve into you flinging shit like a retarded zoo ape?