Slashdot Mirror


Security a Concern As HTML5 Advances

Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."

42 of 234 comments

  1. Those who complain about PDF w/scripts by Anonymous Coward · · Score: 2, Insightful

    should also complain about a hyperText markup language document with scripts

    1. Re:Those who complain about PDF w/scripts by _Sprocket_ · · Score: 4, Interesting

      One of my favorite things about Flash is that it's easy to block and control. There's times when I want the functionality Flash is providing - but most times, I'd rather pretend that I don't have it installed. I was rather rudely reminded of this the other day when I installed Flash on my Android phone. I was all happy until I started browsing around. Until I get NoScript on my Android, Flash has been removed.

      With this in mind, I'm wondering what level of control we might have over HTML5.

    2. Re:Those who complain about PDF w/scripts by Luyseyal · · Score: 2, Insightful

      Hopefully something akin to: image.animation_mode = once

      -l

      --
      Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
    3. Re:Those who complain about PDF w/scripts by AndrewNeo · · Score: 4, Informative

      Er, why don't you just set plugins to only start when you tap them?

    4. Re:Those who complain about PDF w/scripts by GravityStar · · Score: 2, Informative

      The browser can be set to only load flash on request. That makes it functionally similar to flashblock with firefox.

    5. Re:Those who complain about PDF w/scripts by _Sprocket_ · · Score: 3, Insightful

      o.O

      Let's see...

      Browser... settings... Enable plug-ins... on demand.

      Well, I'll be.

    6. Re:Those who complain about PDF w/scripts by _xeno_ · · Score: 4, Interesting

      That's not possible in the current spec. The browser has no idea that a canvas is even being used for animation, let alone when an animation has completed. Well, OK, a simple heuristic of "if this canvas is being repeatedly updated, it's an animation" is possible. But the problem is you still don't know when an animation has looped once.

      The best thing that can be done is to refuse to update a canvas after it's been updated once.

      So then people start removing and replacing the canvas element... Or use video instead... Or start using the audio APIs...

      Really, a lot of the new APIs are really cool from a web developer "whiz-bang" point of view, but the HTML5 spec authors don't seem to give a damn about actually providing control to the user. Rather it's the whole "it's MY content, you MUST view it MY WAY!!! " stance yet again.

      On the other hand, there's the thing where you can't full screen video in HTML5 because evil web page authors might somehow trick people into typing their password into a video. Yet you can full screen Flash - they seem to have come up with a solution (the "press ESC to exit full screen" banner) so it's not like there's absolutely no way to protect users.

      So who knows what the HTML5 developers are thinking, because the inability to full screen HTML5 video makes it a complete non-starter versus Flash video. Especially if you want to share HD video.

      --
      You are in a maze of twisty little relative jumps, all alike.
    7. Re:Those who complain about PDF w/scripts by Anonymous Coward · · Score: 2, Interesting

      I'm sorry, but why should full-screen be part of the API? It is a browser UI feature. Firefox 3.6 supports it, other browsers are at least planning support for it. If you do not like the UI for it in the browser you use, use a different browser or submit a bug report. It is a browser issue, not an HTML5 issue.

    8. Re:Those who complain about PDF w/scripts by Penguinisto · · Score: 2, Insightful

      Rather it's the whole "it's MY content, you MUST view it MY WAY!!! " stance yet again.

      There is a cure for that attitude - for the same reason that Facebook pretty much wiped MySpace off the map, or the way Google turned Yahoo! into a has-been: Keep it clean and user-friendly, keep the ads un-intrusive, or face instant death in the face of superior (cleaner, less intrusive) products.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    9. Re:Those who complain about PDF w/scripts by _xeno_ · · Score: 2, Insightful

      You've never dealt with actual users, have you?

      Go ahead. Explain to someone that in order to watch a video full screen they will need to either:

      1. Context-click the video and choose the "Full Screen" option, assuming there is one. This only works when using the browser's built-in video controls, I think.

      2. Click on the "expand" button to expand the video to take up the entire tab, and then use your browser's Full Screen feature, which is probably F11 except when it's something else. Or if you're using Safari, you're screwed.

      Users want a nice little Full Screen button they can click on and be done with. Even if there's a workaround, they're not going to be happy.

      Besides, it's yet another reason to just stick with Flash: it provides this support already. So why use something else, especially when you need to encode twice to support all browsers?

      Ultimately, it's a useless restriction. Sure, make it a white-list only feature, but why the hell forbid it entirely?

      --
      You are in a maze of twisty little relative jumps, all alike.
  2. I don't know about the rest of you by iONiUM · · Score: 4, Insightful

    But I'm really sick of hearing about HTML5. Maybe it's because every other day I see/hear a high level exec coming around and going crazy with statements like "HTML5 IS THE FUTURE WE HAVE TO BE ON IT. RIGHT NOW." Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.

    The entire disarray of this, and the mobile space, makes me upset.

    1. Re:I don't know about the rest of you by Anonymous Coward · · Score: 5, Insightful

      Standards are important but without fancy technology buzzwords I don't think the IT department would ever get funding.

    2. Re:I don't know about the rest of you by religious+freak · · Score: 4, Insightful

      Articles like this are important then, aren't they? In reading this, it should give you some ammunition against those that want to upgrade for the wrong reasons.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    3. Re:I don't know about the rest of you by WankersRevenge · · Score: 2, Informative

      Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented and just maybe, impress your boss.

  3. Dancing balls? by Anonymous Coward · · Score: 4, Insightful

    "Google Inc.'s recent 'dancing balls' logo experiment "

    If that's a sign of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any Google tabs open.

    The last thing I want is for more &*^%*() CPU-hogging crap to be added to the friggin' web.

    1. Re:Dancing balls? by Anonymous Coward · · Score: 4, Funny

      Time to retire the C64 and cradle modem bro

    2. Re:Dancing balls? by Anonymous Coward · · Score: 3, Interesting

      He has a point though, I personally love most of the new HTML5 features, but if every site starts piling on canvas animations, videos and audio it'll be annoying as hell.

      I'd like to see this stuff become optional (on a browser basis and not site-by-site), perhaps don't start playing (or loading) a video/audio/canvas element until the user explicitly clicks play (with an option to pre-load but not autoplay for those with no bandwidth limits but who still don't want annoying unwanted video/sounds).

      Unfortunately most browsers seem to struggle with the idea that I don't want Flash by default (and the browser creators are the most vocal enemies of Flash) so I definitely can't see this happening.

    3. Re:Dancing balls? by ihatejobs · · Score: 3, Interesting

      So wait, you are claiming one tiny little webapp on the Google homepage was killing your machine?

      You might want to consider upgrading your machine... I had no issues when the dancing balls were on the homepage and my machine is 3 years old. I quite liked it actually.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    4. Re:Dancing balls? by symes · · Score: 2, Funny

      I have to agree with your sentiment - I often feel that my hardware is playing catchup. Fortunately, I have just discovered a browser that seems to cope well with all these new fancy gimmicks.

    5. Re:Dancing balls? by symes · · Score: 2, Funny

      It's Geocities all over again!

    6. Re:Dancing balls? by TheRaven64 · · Score: 4, Insightful

      Unlike Flash, HTML5 animations are not really modular. It's trivial to disable all Flash and individually enable the one Flash applet on the page that you actually want (if there is one). With HTML5, all of the animations in a page are run from the same JavaScript execution context. Unless the author split the scripts up into different source files, it's very hard for the browser to untangle them. With Flash, every script associated with a canvas is bundled with that canvas and run in a separate context.

      --
      I am TheRaven on Soylent News
    7. Re:Dancing balls? by forkfail · · Score: 2, Funny

      Maybe not so much.

      From the HTML 5 spec:

      16.2.7.1 Dancing balls shall be supported.

      16.2.7.1.1 Non-graphical browsers shall support curses-like, text-based dancing balls.

      16.2.7.1.2 Any browser unable to display dancing balls shall be immediately redirected to MySpace.

      --
      Check your premises.
    8. Re:Dancing balls? by ByteSlicer · · Score: 2, Interesting

      I have a fairly recent machine, and that buckyball thing bogged my CPU too.
      I googled around that day and found lots of people complaining. Apparently for Chrome it wasn't a problem, but Firefox users were hosed.
      You'd think they would test it for multiple browsers at Google, before pushing it to one of the most used pages of the web...

  4. New strategies? by AliasMarlowe · · Score: 2, Interesting

    web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks.

    MS will Embrace and Extend, but not Extinguish the potential for security holes.
    Apple will probably do much the same, but might do the enhanced functionality bit also.
    The BSD and *nix variants will only take on the functionality, most foolishly (using MBA "forced-upgrade-income" definition).

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  5. I'm more worried about advertisements by Aoet_325 · · Score: 4, Interesting

    While I'm sure some of the new functionality will be exploited, I expect most of the abuse will be from folks who want to push ads and track users.

    1. Re:I'm more worried about advertisements by straponego · · Score: 3, Interesting

      Look at that Arcade Fire demo, The Wilderness Downtown, for proof of concept of HTML5's browser-jacking and popup capabilities. When the marketing scum and other criminal types latch onto that... ugh.

  6. Not HTML5 by Anonymous Coward · · Score: 5, Informative

    Google's "dancing balls" wasn't HTML5, it was divs, javascript and CSS border radius.

  7. Optimize for the common case by Alwin+Henseler · · Score: 3, Insightful

    When the HTML spec is extended that obviously increases the attack surface since popular browsers will have to support it. But in time it may replace a number of other technologies (Flash comes to mind), that -combined- may have a larger attack surface. And since displaying HTML is the core function of a browser, implementations are likely to be pretty solid compared to some add-ons.

    So you'd have to look forward, and compare [average setup now] with [average setup in XX years from now]. If that comparison turns out positive, HTML5 is a move in the right direction.

  8. As opposed to what? by grapeape · · Score: 4, Insightful

    How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

    1. Re:As opposed to what? by Anonymous Coward · · Score: 3, Interesting

      How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?

      Actually this is a very very important point. You can't compare the potential security risk between HTML5 and HTML4. You have to compare it with HTML4 plus all the plugins it can potentially replace (like, say, Flash).

      My biggest concern, as others have pointed out, is using things like canvas elements over top of content to display ads and whatnot. But then, really, it will just be like the new features of any previous HTML/Javascript spec. There will be a lot of annoyances and some features used in really bad ways (blink tag, anyone?) but then things will calm down and use it in practical ways. Browsers and browser plugins will get smarter about ad blocking features with the newer technologies and methods and we'll all be better for the useful things that HTML5 does provide.

      There's a REASON that "web developers" get excited when talking about the future of HTML5 and how things are being developed and supported. If you don't understand why, then you probably weren't doing web stuff in the days of IE and Netscape fighting it out or the long drawn out HTML4/Early CSS specs that were useless because MS was so slow in bothering to update IE. Sure we still have some divides (video tag, for example) but nothing as bad as it was. And sure, MS is a bit slower than the rest with IE8 and IE9 but these releases and evolving support of actual specs are LIGHTNING fast for MS compared to before...

  9. FUD by Art3x · · Score: 4, Interesting

    The article points out no specific flaws. It just says that HTML is growing, therefore the chance of a hole (the "attack surface") also is growing.

    Choose your poison. The same can be said about writing an app for an operating system. "Windows/Mac OS/Linux has an enormous amount of functionality. Therefore I'm concerned that there could be a lot of vulnerabilities."

    Yes.

    But the growth of the browser will not simply add to the overall size of the computer. Because of a big browser, you may have a smaller operating system. This is the idea behind Chrome OS.

    It is not a perfectly equal replacement. If the browser grows 15 MB, that does not mean the operating system will shrink 15 MB. But one thing that is better about putting a feature in the browser is that more eyes are on it. There will be a lot more users who try to write a program in JavaScript than against even the Windows, even the iPhone, API. HTML 5 will bring about a lot more software developers and a lot more software development.

  10. Fear, Fear, FEAR! by Quiet_Desperation · · Score: 2, Insightful

    said Jeremiah Grossman of security firm WhiteHat.

    So you really need to buy their security solutions! NOW! Meanwhile, Goodyear tires said to be really safe on the road (and to keep your CHILDREN! safe) you should get new tires every 5000 miles, and the Head & Shoulders folks claim washing your hair three times a day will avoid a stinky head. And the government said that taking blood and tissue samples at the airport will protect us from engineer^H^H^H^H^H^H terrorists ever more so.

  11. Re:More features == More potential security holes by grayn0de · · Score: 3, Interesting

    That's not it at all...

    The point that security researchers have been trying (for years) to get across to developers and companies alike is that ALL software/protocols/standards/whatever should be developed with security in mind from the beginning. Granted, even with secure coding practices and rigorous application security testing, there will always be some vulnerability that gets overlooked by the developer or discovered by an attacker. The thing is that most companies tend to put functionality and features far above security, which is IMHO a completely ass backward way of doing things when it comes to technology in general.

  12. The Modern Techie by jellomizer · · Score: 2, Insightful

    The Modern Techie will now by definition reject all new technology no matter what advancements are in it. While adopting any new technology will have tradeoffs the modern will hold on to whatever tradeoff negative effect and call it a horrible plan. Any new tech is now a threat to their way of life and no longer a new interesting field to study...

    I think us techs have gotten too old.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  13. Re:More features == More potential security holes by Zen-Mind · · Score: 2, Insightful

    Unfortunately, most people want features over security. Many people don't even think about security for themselves and only complain when it bites them in the ass. "What do you mean I shouldn't write my PIN on my debit card? You should just have made your system more secure!"

  14. A huge risk in HTML5 by Dracos · · Score: 3, Interesting

    Let me start out by reminding everyone that when Netscape came up with Cookies, everyone thought they were fine. Now, thanks to 1 pixel images and other tracking methods, cookies are the key to online companies aggregating bits of "anonymous" data into an identifiable profile of a person. Does Google know only as much about you as you would like? In fact, they know far more about you than you would expect, even if you don't use GMail.

    The single biggest shot across the bow to privacy in HTML5 is the ping attribute. It may seem innocuous at first glance, but according to MozillaZine, it sends an HTTP POST request to each URL. Why not GET instead?

    This will allow Google, Alexa, FaceBook, or any "partner" to track users, if a site implements ping, easier than ever before. Some say trackers will migrate away from redirect URLs, but I say they will do both, if only to sop up every last piece of data they can.

    I can see ping being used as a stealth DDOS attack, if enough malicious links can be distributed. Some content provider web API gets hacked, thousands of sites load up links (via AJAX) that ping slashdot.org, and Slashdot goes down. Will ping implementations be smart enough to reduce the list of URLs down to unique values? How many times does ping="slashdot.org slashdot.org/foo slashdot.org/comments.pl slashdot.org/article.pl" actually hit the poor, unsuspecting server? There's no apparent limit to how many URLs can be stuffed into a single ping, either.

    I'm sure the black hats will think of other ways to exploit this. I agree that tools are neither evil nor good, but this is ripe for unintended consequences.

    1. Re:A huge risk in HTML5 by kc8jhs · · Score: 3, Insightful

      It looks like that option was included with the intention that browsers implementing the feature would have a method to disable its usage. I'm guessing if it gets crazy then major players will ship with it disabled, or maybe include some sort of same domain policy for pings (ping domain has to match referrer or href). I'm not too scared, and this would work much better than JS versions of the same thing.
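      The two mitigations raised in this subthread (de-duplicating the URL list, and a same-domain policy where the ping target must match the page or the href) written out as a user-agent-side filter. This is an added example, not code from the thread or from any browser; the document URL, href, per-link cap and sample ping values are assumed inputs constructed for illustration.

```javascript
// Added example: policy filter for the HTML5 `ping` attribute on <a>/<area>.
// The spec defines ping as a space-separated list of URLs, resolved against
// the document base URL. This filter decides which of them a user agent
// would actually send a ping request to, and records why the rest were dropped.

const DEFAULT_MAX_PINGS_PER_LINK = 2; // assumed cap, not a value from the spec

// Split the raw attribute value into its individual URL tokens.
function parsePingList(raw) {
  return (raw || "").split(/\s+/).filter(Boolean);
}

// documentUrl: URL of the page containing the link (assumed absolute)
// href:        the link's href (absolute or relative)
// rawPing:     the literal value of the ping attribute
function filterPingTargets(documentUrl, href, rawPing, opts = {}) {
  const maxPings = opts.maxPings ?? DEFAULT_MAX_PINGS_PER_LINK;
  const base = new URL(documentUrl);
  const link = new URL(href, base);
  // Same-domain policy from the thread: a ping may only go to the origin of
  // the page or the origin of the link destination.
  const allowedOrigins = new Set([base.origin, link.origin]);
  const seen = new Set();
  const allowed = [];
  const dropped = [];

  for (const token of parsePingList(rawPing)) {
    let target;
    try {
      target = new URL(token, base);
    } catch {
      dropped.push({ url: token, reason: "invalid" });
      continue;
    }
    if (target.protocol !== "http:" && target.protocol !== "https:") {
      dropped.push({ url: target.href, reason: "scheme" });
      continue;
    }
    // De-duplication: exact same resolved URL is pinged at most once.
    // Note that "slashdot.org" and "slashdot.org/foo" are different URLs and
    // would each still count; the cap below bounds the total per link.
    if (seen.has(target.href)) {
      dropped.push({ url: target.href, reason: "duplicate" });
      continue;
    }
    seen.add(target.href);
    if (!allowedOrigins.has(target.origin)) {
      dropped.push({ url: target.href, reason: "cross-origin" });
      continue;
    }
    if (allowed.length >= maxPings) {
      dropped.push({ url: target.href, reason: "limit" });
      continue;
    }
    allowed.push(target.href);
  }
  return { allowed, dropped };
}

// Constructed sample: the page and link live on example.com, the ping list
// repeats one URL and also names an unrelated tracking host.
const sample = filterPingTargets(
  "https://example.com/page",
  "/out",
  "https://example.com/track https://example.com/track https://tracker.example/ping /other /third"
);
console.log(JSON.stringify(sample, null, 2));
```

      Running the block prints two allowed pings (track and other) and three dropped entries: a duplicate, a cross-origin target and one over the per-link cap.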

    2. Re:A huge risk in HTML5 by BitZtream · · Score: 2, Interesting

      The single biggest shot across the bow to privacy in HTML5 is the ping attribute [w3.org]. It may seem innocuous at first glance, but according to MozillaZine [mozillazine.org], it sends an HTTP POST request to each url. Why not GET instead?

      Why does it matter if it's a GET or POST? I mean, why would you want GET? More chances that the URL will contain sensitive data that gets logged in more places. My webservers log GETs with all their encoded data by default, but the only thing I know about posts in the log is that they were posts and I know nothing about what's in them. My browser did, and so did the proxy that brought that post into the actual web servers, so it's not like they can 'hide' information in there that you 'can't' see.

      From the link you gave:

      The a and area elements have a new attribute called ping that specifies a space-separated list of URLs which have to be pinged when the hyperlink is followed. Currently user tracking is mostly done through redirects. This attribute allows the user agent to inform users which URLs are going to be pinged as well as giving privacy-conscious users a way to turn it off.

      Emphasis mine. You can bet it will default to prompt initially in most browsers. Makes it fairly easy to control. Much has been learned since cookies came out, and the ping attribute is an attempt to use that experience.

      You're worried about how it can be abused and completely ignore that it's really simple for a browser to not allow anything you mentioned to happen. You could already do a DDOS with hidden iframes that would accomplish the same thing for instance.

      It's no worse than cookies, it's just as controllable as cookies in every way, and is designed to fill a specific role that is already filled using a bunch of kludges.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  15. Four seconds for that page to respond by tepples · · Score: 4, Insightful

    Just because a spec isn't finalized doesn't mean some of the features haven't been implemented. You can find what's been implemented and just maybe, impress your boss.

    The web page you linked is an example of what can go wrong with HTML5 in the wrong hands: it ends up just like Flash in the wrong hands has ended up for years. Not only does it use mystery meat navigation, but it also takes literally four seconds from when I move the pointer to when another wedge of the graph lights up. I'm using the latest release version of Firefox (3.6.10) on Windows XP.

  16. How can HTML4 be vulnerable? by Jugalator · · Score: 5, Insightful

    It doesn't even contain any code, being a markup language? It's not even Turing complete.

    [italic attribute="question"]Is this invented markup language of mine also vulnerable?[/italic]

    *shrug*

    --
    Beware: In C++, your friends can see your privates!
  17. Browsers should be strictly sandboxed! by cowdung · · Score: 2, Interesting

    Browsers, IM tools, Skype, and other such tools should ALWAYS run under very restrictive permission levels. I don't need my browser writing anywhere on my computer except for maybe one folder (usually). I don't need it changing the registry. I don't need it to be able to execute unsandboxed code.

    So keep it isolated using permissions. That is the last line of defense against malicious sites.

    That would solve a great number of problems.

  18. My concern by nine-times · · Score: 2, Insightful

    I'm not an expert of any kind, but my general concern with the web has been growing as static documents have become applications. It's the same reason I don't like the idea of javascript in PDFs. I like the idea of a static document that doesn't do anything, but is merely viewable. Yes, yes, I know that it's possible for malformed documents to trigger exploits in the document viewer, but that seems like it should be more rare and easy to protect against.

    As you upgrade HTML to make web applications more and more powerful, it seems likely to me (from a non-expert standpoint) that you're increasing the variety of security concerns we need to worry about. There's a part of me that wishes we had two different things: a web browser that allowed for safe passive viewing of relatively static content, and an application that supported an application framework similar to current web applications.

    Ok, I'm ready for people to yell at me for being stupid now.