Slashdot Mirror


Security a Concern As HTML5 Advances

Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."

11 of 234 comments

  1. I don't know about the rest of you by iONiUM · · Score: 4, Insightful

    But I'm really sick of hearing about HTML5. Maybe it's because every other day I see/hear a high level exec coming around and going crazy with statements like "HTML5 IS THE FUTURE WE HAVE TO BE ON IT. RIGHT NOW." Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.

    The entire disarray of this, and the mobile space, makes me upset.

    1. Re:I don't know about the rest of you by Anonymous Coward · · Score: 5, Insightful

      Standards are important but without fancy technology buzzwords I don't think the IT department would ever get funding.

    2. Re:I don't know about the rest of you by religious freak · · Score: 4, Insightful

      Articles like this are important then, aren't they? In reading this, it should give you some ammunition against those that want to upgrade for the wrong reasons.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
  2. Dancing balls? by Anonymous Coward · · Score: 4, Insightful

    "Google Inc.'s recent 'dancing balls' logo experiment "

    If that's a sign of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.

    The last thing I want is for more &*^%*() CPU-hogging crap to be added to the friggin' web.

    1. Re:Dancing balls? by TheRaven64 · · Score: 4, Insightful

      Unlike Flash, HTML5 animations are not really modular. It's trivial to disable all Flash and individually enable the one Flash applet on the page that you actually want (if there is one). With HTML5, all of the animations in a page are run from the same JavaScript execution context. Unless the author split the scripts up into different source files, it's very hard for the browser to untangle them. With Flash, every script associated with a canvas is bundled with that canvas and run in a separate context.

      --
      I am TheRaven on Soylent News
  3. Optimize for the common case by Alwin Henseler · · Score: 3, Insightful

    When HTML spec is extended that obviously increases the attack surface since popular browsers will have to support it. But in time it may replace a number of other technologies (Flash comes to mind), that -combined- may have a larger attack surface. And since displaying HTML is the core function of a browser, implementations are likely to be pretty solid compared to some add-ons.

    So you'd have to look forward, and compare [average setup now] with [average setup in XX years from now]. If that comparison turns out positive, HTML5 is a move in the right direction.

  4. As opposed to what? by grapeape · · Score: 4, Insightful

    How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

  5. Four seconds for that page to respond by tepples · · Score: 4, Insightful

    Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented and just maybe, impress your boss.

    The web page you linked is an example of what can go wrong with HTML5 in the wrong hands: it ends up just like Flash in the wrong hands has ended up for years. Not only does it use mystery meat navigation, but it also takes literally four seconds from when I move the pointer to when another wedge of the graph lights up. I'm using the latest release version of Firefox (3.6.10) on Windows XP.

  6. Re:Those who complain about PDF w/scripts by _Sprocket_ · · Score: 3, Insightful

    o.O

    Let's see...

    Browser... settings... Enable plug-ins... on demand.

    Well, I'll be.

  7. How can HTML4 be vulnerable? by Jugalator · · Score: 5, Insightful

    It doesn't even contain any code, being a markup language? It's not even Turing complete.

    [italic attribute="question"]Is this invented markup language of mine also vulnerable?[/italic]

    *shrug*

    --
    Beware: In C++, your friends can see your privates!
  8. Re:A huge risk in HTML5 by kc8jhs · · Score: 3, Insightful

    It looks like that option was included with the intention the browsers implementing the feature would have a method to disable its usage. I'm guessing if it gets crazy then major players will ship with it disabled, or maybe include some sort of same domain policy for pings (ping domain has to match referrer or href). I'm not too scared, and this would work much better than JS versions of the same thing.