Slashdot Mirror
Security a Concern As HTML5 Advances
Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."
But I'm really sick of hearing about HTML5. Maybe it's because every other day I see/hear a high level exec coming around and going crazy with statements like "HTML5 IS THE FUTURE WE HAVE TO BE ON IT. RIGHT NOW." Then I have to spend an hour explaining why it's not even currently usable for any serious enterprise application, and how the spec is not yet solidified.
The entire disarray of this, and the mobile space, makes up upset.
"Google Inc.'s recent 'dancing balls' logo experiment "
If that's a sing of what's coming in HTML 5, I don't want it. That stupid thing dragged my machine to a crawl and I had to be sure I didn't have any google tabs open.
The last thing I want is for more &*^%*() CPU-hogging crap to be added to the friggin' web.
While I'm sure some of the new functionality will be exploited, I expect most of the abuse will be from folks who want to push ads and track users.
One of my favorite things about Flash is that it's easy to block and control. There's times when I want the functionality Flash is providing - but most times, I'd rather pretend that I don't have it installed. I was rather rudely reminded of this the other day when I installed Flash on my Android phone. I was all happy until I started browsing around. Until I get NoScript on my Android, Flash has been removed.
With this in mind, I'm wondering what level of control we might have over HTML5.
Google's "dancing balls" wasn't HTML5, it was divs, javascript and CSS border radius.
How are the "concerns" over HTML5 any different than any other platform? Flash, ASP, javascript, etc have all had and continue to have vulnerabilities. The only way to stay 100% safe is to stay off the internet. Did anyone expect people who make their living by addressing both real and imagined security risks to not comment with an angle that puffed up their importance in the net ecosystem?
The article points out no specific flaws. It just says that HTML is growing, therefore the chance of a hole (the "attack surface") also is growing.
Choose your poison. The same can be said about writing an app for an operating system. "Windows/Mac OS/Linux has an enormous amount of functionality. Therefore I'm concerned that there could be a lot of vulnerabilities."
Yes.
But the growth of the browser will not simply add to the overall size of the computer. Because of a big browser, you may have a smaller operating system. This is the idea behind Chrome OS.
It is not a perfectly equal replacement. If the browser grows 15 MB, that does not mean the operating system will shrink 15 MB. But one thing that is better about putting a feature in the browser is that more eyes are on it. There will be a lot more users who try to write a program in JavaScript than against even the Windows, even the iPhone, API. HTML 5 will bring about a lot more software developers and a lot more software development.
Er, why don't you just set plugins to only start when you tap them?
Just because a spec isn't finalized doesn't mean some of the feature haven't been implemented. You can find what's been implemented and just maybe, impress your boss.
The web page you linked is an example of what can go wrong with HTML5 in the wrong hands: it ends up just like Flash in the wrong hands has ended up for years. Not only does it use mystery meat navigation, but it also takes literally four seconds from when I move the pointer to when another wedge of the graph lights up. I'm using the latest release version of Firefox (3.6.10) on Windows XP.
It doesn't even contain any code, being a markup language? It's not even Turing complete.
[italic attribute="question"]Is this invented markup language of mine also vulnerable?[/italic]
*shrug*
Beware: In C++, your friends can see your privates!
That's not possible in the current spec. The browser has no idea that a canvas is even being used for animation, let alone when an animation has completed. Well, OK, a simple heuristic of "if this canvas is being repeatedly updated, it's an animation" is possible. But the problem is you still don't know when an animation has looped once.
The best thing that can be done is to refuse to update a canvas after it's been updated once.
So then people start removing and replacing the canvas element... Or use video instead... Or start using the audio APIs...
Really, a lot of the new APIs are really cool from a web developer "whiz-bang" point of view, but the HTML5 spec authors don't seem to give a damn about actually providing control to the user. Rather it's the whole "it's MY content, you MUST view it MY WAY!!! " stance yet again.
On the other hand, there's the thing where you can't full screen video in HTML5 because evil web page authors might some how trick people into typing their password into a video. Yet you can full screen Flash - they seem to have come up with a solution (the "press ESC to exit full screen" banner) so it's not like there's absolutely no way to protect users.
So who knows what the HTML5 developers are thinking, because the inability to full screen HTML5 video makes it a complete non-starter versus Flash video. Especially if you want to share HD video.
You are in a maze of twisty little relative jumps, all alike.