HTML 5 is being touted as an Adobe Flash replacement that displays audio, graphics and video more efficiently, but security experts studying the technology say it poses new challenges for enterprise security professionals.
James Lyne, senior technologist at UK security vendor Sophos, said potential HTML 5 security issues could result from the rapid adoption of the technology. If HTML 5 features aren’t programmed properly, security holes could enable attackers to gain access to sensitive website data. The technology is feature-rich, giving developers local storage, built-in graphics rendering and the ability to tap into geolocation data on mobile devices or display messages even when the browser is not connected to the Internet.
“All the things in HTML 5 are native and built-in rather than requiring a set of plug-ins,” Lyne said. “If we can standardize this with a good security model, a good permissions model and good testing, then this could be really good both for the user experience of consistency across multiple devices and for security.”
The HTML 5 standard is still in draft, but it already has been adopted by most of the browser makers. In a remarkable reversal of its original position, Adobe Systems announced in November it would no longer support Flash on smartphones and tablet devices and instead put its support behind HTML 5. The World Wide Web Consortium (W3C), which includes browser makers, has been developing standards to improve HTML's native capabilities.
Experts say the W3C must still work out security and privacy issues in HTML 5. The standard doesn’t address cookie tracking, an often-criticized practice used by marketers to track individuals' browsing habits. HTML 5 introduces many new ways to track and store information about Web users. The routines for purging the sensitive information and enabling users to manage privacy data, Lyne said, have not been well defined.
In addition, clickjacking, a common attack technique used against Flash applications, can trick a user into executing malicious code or clicking on a malicious link when interacting with a website or Web application. Browser makers have put in place protections to prevent most clickjacking attacks.
“In many cases, this actually leads to a much more secure setup, but it does have the downside to nullifying the best current defense against clickjacking,” McArdle wrote in Trend Micro’s TrendLabs blog.
Enterprises may need to take additional steps to protect against attacks that exploit HTML 5 weaknesses, according to a Sophos report, “HTML5: new shiny Web technology, new silly security issues?” being issued this month. Web content filtering, antivirus and other endpoint security technologies, Lyne said, will help defend against attacks.
“What I hope we could accomplish is a consistent agreed security model across the browsers,” Lyne said. “If we leave it to organically happen I expect we will have a painful period during these early days of HTML 5 adoption.”
In addition, members of the Open Web Application Security Project (OWASP) are developing an HTML 5 best practices document and website for application developers. In a blog entry, “HTML 5 security in a nutshell,” Chris Eng, vice president of research at Burlington, Mass.-based application security testing vendor Veracode Inc., said developers who don’t understand some HTML 5 features may turn them off, creating some security issues.
“The most important thing developers can do is to remember basic security tenets, for example, the idea that all user input should be considered untrusted,” Eng wrote. “They should learn how the new HTML5 features actually work in order to understand where they’d be tempted to make erroneous assumptions.”