In its security predictions for 2012, Sophos identified new web and networking technologies – such as HTML5 – as one of the major security risks for the year ahead. While these technologies introduce some impressive new capabilities that are exciting for rich web application development, they also introduce new attack vectors, the company explained.
HTML5 removes the need for most browser add-ons, because it is a more capable language and comes with built-in client-side storage that allows gigabytes of information to be kept inside the browser. So, for example, a site can do full-frame animation or 3D virtual reality, or store whole applications inside the browser.
According to James Lyne, senior technologist at Sophos, this gets much closer to the in-client vision originally associated with cloud computing. However, by storing data within the browser, the browser becomes a target for cyber criminals.
“Traditionally the browser has been a gateway for cyber criminals to get access to your PC, now they’re going to be trying to attack the browser itself to steal its data,” said Lyne.
New sandboxing in HTML5 also makes “clickjacking” (tricking web users into revealing confidential information, or into handing over control of their computer, by getting them to click on a seemingly innocuous link) more of a risk, because a framed page can no longer tell where commands are coming from, Sophos said.
“All that code that developers wrote to prevent applications from being automated and clickjacked by illicit parties now doesn’t work. They’ve implemented a security feature and inadvertently broken a more important one,” he said.
Furthermore, HTML5 raises new issues around cookies, which could make the UK Information Commissioner's Office (ICO) new guidance about removing cookies after a certain period redundant.
“HTML5 could have new super-uber-cookies,” said Lyne. “If people don’t code their sites properly the bad guys could code a huge database of the URLs that you’ve been to and track all of your field input. They could potentially capture masses of information.”
Despite these potential problems, Lyne said that there are a lot of security benefits to using HTML5. As well as reducing the need for potentially risky add-ons, there’s now client-side input validation, as well as libraries that can help deal with SQL injection issues.
“Over time, HTML5 will fix many of the problems that we have, but as with any new technology you tend to get a regression in the first place,” he said. “Broadly speaking, we should charge full ahead in this direction, because Flash has been a pain and the new web apps are really cool, but we also need to make sure that we’re not casually adopting a nightmare,” he concluded.