Featured Debate: HTML5 is eroding website security

FOR

Johannes Ullrich, chief research officer, SANS Technology Institute

HTML5 is going beyond adding a number of new HTML tags for video and audio. One of the core components is an extensive JavaScript application programming interface (API) allowing for offline applications and increasing the ability to store data on the client. This ability, frequently used in mobile applications with unreliable network connectivity, tempts the developer to move larger pieces of the application logic to the client. For example, the developer may choose to send a complete data set to the client and use client-side JavaScript to provide access control to data already stored on the client. This is a flaw reminiscent of JavaScript client-side input validation, but more dangerous.

As well, data validation can be redone on the server. Once data has left the server and is stored on the client, no server fix will be able to recall it. Applications like this will be more responsive and functional than applications relying on server-side access control – making these dangerous techniques attractive to developers.
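The pattern described in this position (the full data set is synced to the client, and client-side JavaScript decides which rows the user may see) can be contrasted with its server-side counterpart in a few lines. The following is an added illustration and is not code from the debate or from either participant; the data set is constructed sample data, and a plain `Map` stands in for `localStorage`/IndexedDB so it runs in Node.

```javascript
// Added illustration (not from the debate): why an access-control decision
// made in client-side JavaScript over data already stored on the client is
// not access control. The records below are constructed sample data and
// `clientStorage` is a constructed stand-in for localStorage / IndexedDB.

// Constructed sample data set an application might push to the client for offline use.
const RECORDS = [
  { id: 1, owner: 'alice', salary: 120000 },
  { id: 2, owner: 'bob',   salary: 95000 },
  { id: 3, owner: 'carol', salary: 143000 },
];

// Stand-in for localStorage: a key/value store the end user fully controls.
const clientStorage = new Map();

// Pattern 1 (the one criticised above): ship everything, filter in the client.
function syncAllThenFilter(currentUser) {
  clientStorage.set('records', JSON.stringify(RECORDS)); // full set leaves the server
  const all = JSON.parse(clientStorage.get('records'));
  return all.filter(r => r.owner === currentUser);       // "access control" in JS
}

// What the device owner, DevTools, or any script in the origin can do regardless
// of the filter above: read the raw store. No server-side fix can take it back.
function dumpClientStorage() {
  return JSON.parse(clientStorage.get('records') ?? '[]');
}

// Pattern 2: the authorisation decision runs on the server and only the
// caller's own rows ever leave it; the client stores only what it may see.
function serverFilter(currentUser) {           // server-side code
  return RECORDS.filter(r => r.owner === currentUser);
}
function syncOwnRecords(currentUser) {         // client-side code
  const mine = serverFilter(currentUser);      // stands in for an authenticated fetch
  clientStorage.set('records', JSON.stringify(mine));
  return mine;
}

// Compare how many rows end up on bob's device under each pattern.
function demo() {
  clientStorage.clear();
  syncAllThenFilter('bob');
  const leaked = dumpClientStorage().length;   // 3: every salary sits on bob's device
  clientStorage.clear();
  syncOwnRecords('bob');
  const retained = dumpClientStorage().length; // 1: only bob's own row ever arrived
  return { leaked, retained };
}
```

Both patterns show bob exactly one row in the UI; the difference is only visible when the storage itself is read, which is precisely what the client-side check cannot prevent.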


AGAINST

Mike Shema, director of engineering at Qualys

HTML5 infuses the aging web standard with features that distill programming hacks into APIs with better security controls. Long polling becomes WebSockets; JSONP and IFRAME juggling become Cross Origin Resource Sharing, and media and canvas elements replace insecure, platform-specific plugins.

HTML5 improves the granularity of the Same Origin Policy. IFRAME tags get sandbox attributes. Web workers are separated from the Document Object Model (DOM). It's no coincidence that several aspects resemble the emerging Content Security Policy (CSP). 

Browsers will encounter implementation errors; that's been the case since Mosaic appeared 20 years ago. Such flaws aren't blemishes on HTML5's fundamental design. HTML5 is actively used, but still in draft so problems can be resolved when the specs meet reality. This is how the WebSockets API and WebGL evolved. Browsers have put great effort into improving security. Now it's up to sites to embrace them.
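The IFRAME sandbox attribute mentioned in this position is only as good as the tokens a site puts in it. The following is an added example, not code from the debate or from either participant: a small lint that reports which restrictions a given sandbox value lifts, flags misspelt tokens (which browsers silently ignore, leaving the restriction in place), and warns about the combination the HTML specification itself cautions against, `allow-scripts` together with `allow-same-origin`, which lets a same-origin framed document remove the sandbox attribute from its own frame element. `auditSandbox`, `auditIframeTag` and `SANDBOX_TOKENS` are names chosen for this example.

```javascript
// Added example (not from the debate): lint for the HTML5 iframe sandbox attribute.

// Keyword tokens defined for the sandbox attribute and the restriction each one lifts.
const SANDBOX_TOKENS = {
  'allow-forms': 'form submission',
  'allow-modals': 'modal dialogs such as alert()/confirm()/prompt()',
  'allow-popups': 'opening new windows (window.open, target=_blank)',
  'allow-popups-to-escape-sandbox': 'popups opened by the frame are not sandboxed',
  'allow-same-origin': 'content keeps its real origin (cookies, storage, same-origin DOM access)',
  'allow-scripts': 'script execution',
  'allow-top-navigation': 'navigating the top-level browsing context',
  'allow-downloads': 'initiating downloads',
};

// Audit one sandbox attribute value. An empty value (`<iframe sandbox>`) applies
// every restriction; tokens are whitespace-separated and ASCII case-insensitive.
function auditSandbox(attrValue) {
  const tokens = attrValue.trim().toLowerCase().split(/\s+/).filter(Boolean);
  const granted = [];
  const unknown = [];
  for (const t of new Set(tokens)) {
    (t in SANDBOX_TOKENS ? granted : unknown).push(t);
  }
  const warnings = [];
  if (granted.includes('allow-scripts') && granted.includes('allow-same-origin')) {
    warnings.push('allow-scripts + allow-same-origin: same-origin content can remove ' +
                  'the sandbox attribute, so the sandbox gives it no isolation');
  }
  if (granted.includes('allow-top-navigation')) {
    warnings.push('allow-top-navigation: framed content can navigate the embedding page');
  }
  if (unknown.length) {
    warnings.push('tokens browsers will ignore (restriction stays in place): ' + unknown.join(', '));
  }
  return { granted, unknown, warnings, fullyRestricted: granted.length === 0 };
}

// Pull the sandbox attribute out of a single <iframe> start tag. Returns null when
// the tag has no sandbox attribute at all, i.e. no restriction is applied.
function auditIframeTag(tag) {
  const m = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>])/i.exec(tag);
  if (!m) return null;
  return auditSandbox(m[1] ?? m[2] ?? m[3] ?? '');
}

// Constructed sample tags a template scanner might feed to the lint.
const SAMPLE_TAGS = [
  '<iframe src="https://sandbox.example/widget" sandbox>',
  '<iframe sandbox="allow-scripts allow-same-origin" src="/legacy.html">',
  '<iframe sandbox="allow-scritps" src="/ad.html">',
  '<iframe src="/untrusted.html">',
];
```

Running `SAMPLE_TAGS.map(auditIframeTag)` gives a fully restricted frame, a frame whose sandbox is void for same-origin content, a frame whose misspelt token leaves scripting disabled, and `null` for the tag that never opted into the sandbox at all.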
