The Security Risks of HTML5 Development
CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
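The CORS risk the summary describes comes down to which origins the server names in its response headers. As an added example (not from the article; the origins and function names are constructed placeholders), a permissive header function beside an exact-match allow-list:

```javascript
// Added example: server-side CORS header decision. All origins are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak policy: echoes whatever Origin was sent and allows credentials,
// so any site the user visits can read authenticated responses.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Strict policy: exact match of the serialized origin against an allow-list.
function strictCorsHeaders(requestOrigin) {
  // Vary keeps shared caches from serving one origin's answer to another.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string") return headers;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return headers; // malformed value, or the literal "null" origin
  }
  // An Origin header is scheme://host[:port] only; reject anything
  // that does not round-trip (paths, upper case, explicit default port).
  if (parsed.origin !== requestOrigin) return headers;
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return headers;
  headers["Access-Control-Allow-Origin"] = parsed.origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Constructed sample origins, including a look-alike suffix host.
for (const origin of [
  "https://app.example.com",
  "https://app.example.com.lookalike.test",
  "http://app.example.com",
  "null",
]) {
  const allowed = "Access-Control-Allow-Origin" in strictCorsHeaders(origin);
  console.log(origin, "->", allowed ? "allowed" : "no CORS headers");
}
```

With no `Access-Control-Allow-Origin` header in the response, the browser refuses to expose the response to the calling script, which is the behaviour wanted for every origin outside the list.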
Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.
At the minimum there should be full data encryption at the client level, that's just to start. Then there are other problems to solve (cross site code accessing information that it shouldn't be able to access)... Basically your desktop will have to solve issues that application and database servers have to solve and I can imagine this is a much more difficult task to accomplish. With application and database servers at least there are people, whose JOB it is to ensure security of the client data (from programmers to testers and administrators), but on the client side... it's very very sketchy, the number of potential problems is enormous.
You can't handle the truth.
developer, before the rise of the cyber-douchebag, was someone who built houses for people to live in, or maybe a shopping center or something.
engineer, before the rise of the cyber-douchebag, was someone who had to get a license in order to build machines that might hurt people if designed wrong
programmer, before the rise of the cyber-douchebag, used to be happy with their good pay and didn't need to call themselves something they weren't.
there's one thing that's "good" about it - usually all that crap would be stored in a cookie and passed back and forth, back and forth each request. At least now the cookie can be a tiny token to pass to the server and all the session-cached data can be stored locally. At least that's what I hope will happen.
There is a need for local storage, even if it's caching data. If you want security, there needs to be built-in support for encrypting the storage and keeping the key in the browser tied to a section of the url of the site you're working with. If that could happen transparently, then we'd have better security than what we'd get otherwise (you can't use a login as many sites don't have one, and you need to keep each site secure from each other, so you can't even store the key in a cookie in case it gets hijacked as it passes over the network).
Anyway, at least people are thinking security of this stuff from the start, rather than wait for it to be exploited first.
Not true at all. I've been programming since I was 6 (now 37), have a degree in CS, and spent the first 13 years of my post-college career doing C++ programming. I transitioned to web development because I find it interesting. I work with other highly intelligent, skilled web developers. Web development has moved beyond putting together a blog. Some people, such as myself, think the challenges involved in putting together a scalable, responsive, functional, secure web app are interesting, and after reaching a bit of burnout in my C++, I feel a bit renewed. Not to mention the fact that learning how best to utilize a new set of languages and technologies has made me a better programmer all around, even benefitting the times I need to switch back to C++ mode.
Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.
If you need anything more than HTML, CSS and forms, I hope you have a very good justification.
I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money?
Basically that is exactly what I'm saying. While no one is asking anyone to cry for the doctors, you seem to think they are incredibly wealthy which demonstrably is not true. Many do quite well in the long run but they pay a steep price to get there. First off that is gross pay and makes no allowance for cost of living in your area. $175K in NYC doesn't go far when even a crappy condo can easily cost $500K. Where I live the gross salary for a GP is more like $90-120K/year. Cut that salary number in half once taxes are taken into account. Furthermore a huge number of doctors graduate with between a quarter million to a half million in debt from their schooling. That takes $20-50K per year right off the top of their pay just in debt service. Don't forget the huge insurance costs which are in the tens of thousands of dollars. Also bear in mind that doctors are not paid for the 4 years of medical school on top of 4+ years of undergrad school and are paid a rather low salary (usually around $40K/year) while in residency which can last for between 3-8 years. That's effectively a decade or more of less than minimum wage work once you calculate the hourly wage while piling up enough debt to pay for a fairly nice house. The opportunity cost is enormous.
Did you start your career 10 years after your college educated peers with a mountain of debt and limited transferable skills? Did anyone have to pass laws to prohibit you from being forced to work more than 80+ hours a week for no extra compensation? (laws which regularly get ignored and endanger patients by the way) Have you ever been required to work 36 hour shifts without any sleep? No. You just looked at the gross salary number and decided they make just a bit less than Bill Gates and live lives of luxury and ease. The real world is a little more complicated than a gross salary figure.
60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family.
I've been there working very long hours for minimum wage or less. Know what? Doctors often have it worse when it comes to lifestyle. They give up a decade or more of their life training, working their ass off for an hourly rate of less than minimum wage just to get started in their career with a mountain of debt. They might make a decent salary but many of them hardly get to enjoy it. I've worked a 14 hour day, and my wife who left for work before me was still at work. I've seen her pull 36 hour shifts at the hospital. Being on call means you effectively do not get any sleep and some doctors are on call as often as every 3rd or 4th night and they often don't get a day off in between. My wife spent a year or two working for minimum wage in a lab before medical school and refers to it as the happiest year of her life. Sure she had to scrape to make ends meet but her time outside of work was her own. Becoming a doctor is an objectively miserable experience and even once you begin your career the lifestyle still sucks for many doctors. I don't know how many I've spoken to who would choose another profession if they had the chance to do it all over.
FIX YOUR PERSPECTIVE!
You have no idea what my perspective is. I've been poorer than a church mouse and worked my ass off to get where I am today. I've also worked with and lived with doctors (including my wife) and seen what they have to go through first hand. I know up close and personal what I am talking about and I'm pretty sure you do not.