HTML 5 features present new security risks
Will new HTML 5 features provide opportunities for malware writers, as some AV companies predict? Why or why not?

Practically every technology provides opportunities for malware writers, and with the number of new HTML 5 features, there are bound to be plenty of opportunities. Even if HTML 5 were designed with integrated security, there would still be attempted attacks, as any new technology is attacked and investigated for security weaknesses and vulnerabilities. HTML 5 is going to be complex and support a wide variety of functions that are currently handled by multiple different plug-ins. This sort of broad functionality, in general, tends to raise the potential for attacks; the more code there is, the more complexity and potential weaknesses there are for attackers to exploit.

One of the new high-risk HTML 5 features is the cross-domain trust functionality, which will allow different domains (DNS names) to communicate between iframes in your Web browser. This feature will be tricky for developers to get right initially -- they need to verify that cross-domain requests come from the domains from which they expect to receive requests -- and even advanced, technical users may find it difficult to understand the risks involved. Malware writers will likely try to abuse this functionality to gain access to sensitive data, since this check may not happen as intended.

One of the most difficult security issues with HTML 5 is the movement of functionality from the server to the client, where the server may trust the client more than it should. One example is the server trusting that the data from a client contains valid, non-malicious input. The server would assume the client is checking for these types of attacks/bugs on its own, so there would be a disconnect there. Servers and applications should be programmed to validate data received from the client to ensure it is not malicious.

This was first published in May 2010
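
The receiving-side check described in the answer's paragraph on cross-domain trust, as an added example that is not part of the original answer. It assumes the feature meant is HTML 5 cross-document messaging (`window.postMessage`), which the page does not name; the origins, message format and function names are constructed for illustration.

```javascript
// Constructed allowlist: the only origin this page expects iframe messages from.
const TRUSTED_ORIGINS = new Set(["https://widgets.partner.example"]);

// Weak check, shown for contrast: a substring test also passes look-alike
// hosts such as "https://widgets.partner.example.attacker.test".
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.indexOf("partner.example") !== -1;
}

// Strict check: exact match on the full origin (scheme + host + port).
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Handle one message event. The origin is checked first, then the payload is
// validated as well, because a trusted origin can still send bad data.
function handleMessage(event, originCheck = isTrustedOrigin) {
  if (!originCheck(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  if (typeof event.data !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return { accepted: false, reason: "malformed payload" };
  }
  // Accept only the single message type this page is designed to act on.
  const valid = msg !== null && typeof msg === "object" &&
    msg.type === "resize" &&
    Number.isInteger(msg.height) && msg.height >= 0 && msg.height <= 5000;
  if (!valid) {
    return { accepted: false, reason: "unexpected message" };
  }
  return { accepted: true, height: msg.height };
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== "undefined" && window.addEventListener) {
  window.addEventListener("message", (e) => {
    const result = handleMessage(e);
    if (!result.accepted) console.warn("dropped message:", result.reason, e.origin);
  });
}
```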