The move to HTML5 will enable a whole host of new web applications, but could also create new challenges for enterprise security professionals, according to UK security firm Sophos.
In its security predictions for 2012, Sophos identified new web and networking technologies – such as HTML5 – as one of the major security risks for the year ahead. While these technologies introduce some impressive new capabilities that are exciting for rich web application development, they also introduce new attack vectors, the company explained.
HTML4 has driven content on the web for many years, but it is a very basic programming language, so developers have supplemented it with add-ons such as JavaScript, Flash and Google Gears. These add-ons are often littered with vulnerabilities, making the whole system very insecure. Sopos said.
HTML5 removes the need for most of the add-ons, because it is a more sophisticated language and comes with a full database that enables users to store gigabytes of information. So, for example, you can do full frame animation, 3D virtual reality or store applications inside the browser.
According to James Lyne, senior technologist at Sophos, this gets much closer to the in-client vision originally associated with cloud computing. However, by storing data within the browser, the browser becomes a target for cyber criminals.
“Traditionally the browser has been a gateway for cyber criminals to get access to your PC, now they’re going to be trying to attack the browser itself to steal its data,” said Lyne.
New sandboxing in HTML5 also makes “clickjacking” (tricking web users into revealing confidential information or taking control of their computer while clicking on a seemingly innocuous link) more of a risk, as web pages are no longer able to identify where commands are coming from, Sophos representatives believed.
“All that code that developers wrote to prevent applications from being automated and clickjacked by illicit parties now doesn’t work. They’ve implemented a security feature and inadvertently broken a more important one,” he said.
Furthermore, HTML raises new issues around cookies, which could make the ICO’s new guidance about removing cookies after a certain period redundant.
“HTML5 could have new super-uber-cookies,” said Lyne. “If people don’t code their sites properly the bad guys could code a huge database of the URLs that you’ve been to and track all of your field input. They could potentially capture masses of information.”
Despite these potential problems, Lyne said that there are a lot of security benefits to using HTML5. As well as reducing the need for potentially risky add-ons, there’s now client-side input validation, as well as libraries that can help deal with SQL injection issues.
“Over time, HTML5 will fix many of the problems that we have, but as with any new technology you tend to get a regression in the first place,” he said. “Broadly speaking, we should charge full ahead in this direction, because Flash has been a pain and the new web apps are really cool, but we also need to make sure that we’re not casually adopting a nightmare,” he concluded.