Credit: flickr/Sean McCormick
HTML5 has been billed as the natural, standards-based successor to proprietary plug-ins such as Adobe's Flash Player for providing rich multimedia services on the Web. But when it comes to security, one of Flash's major weaknesses, HTML5 is no panacea.
In fact, HTML5 has security issues of its own. Julien Bellanger, CEO of application security monitoring firm Prevoty, says HTML5 makes security more complex, not simpler. HTML5 security has been a question mark for years, and it has not improved over the stretch, he says.
Among the risks that HTML5 brings, according to Bellanger:
- Canvas image-rendering exploits, which can cause buffer overflows that a hacker could then use to inject code into the session
- Cross-site scripting, where intruders can steal information from a session in the browser
- SQL injection, where a malicious query is used to extract information from a database in the browser
- Cross-site request forgeries, where a user token is taken over to impersonate a user on the Web
The use of HTML5 also exposes more of what's on the computer or mobile device, such as local storage and device location, says Dan Cornell, CTO of cyber security consultancy Denim Group. "Because HTML5 applications can access these facilities, there is an opportunity for abuse," he says.
Browsers are "inherently insecure"
"The problem we have is that browsers are inherently insecure," says Kevin Johnson, CEO at IT security consulting firm Secure Ideas. For example, HTML5 offers no secure sandboxing protection, such as what Flash can have in the Chrome browser, he notes.
"Another issue we have that we are adding significant complexity to HTML5 without adding the same level of control to the user," Johnson says. At least with Flash, users can turn it off. But they can't turn off HTML.
HTML5 still holds security promise
Despite the gloomy outlook, HTML5 offers hope for better security -- if the browser makers do the right thing, says Denim Group's Cornell. "Browser vendors need to look at how they plan to build their HTML5 support and design security into their implementations from the start," he says. "Many of the new capabilities introduced with HTML5 allow applications access to sensitive facilities, so care needs to be taken." Johnson adds that browser vendors should give users the ability to turn off the functionality that they do not want or do not trust.
The number of browsers in use also brings some security, because vulnerabilities in one browser may not exist in other browsers, Cornell says. That reduces the risk of a vulnerability being universally exploited, as in the case of Flash.
Browser makers are also working to improve security overall, says Richard Barnes, the Firefox security lead at Mozilla. Competition among Google, Microsoft, Mozilla, and Apple means their reputations are on the line if they have security issues, so all the major browser makers have strong security teams in place, he notes.
Sign up for CIO Asia eNewsletters.