Wednesday, 30 November 2011

HTML 5 security issues pose challenges for enterprises, experts say

Rob Westervelt, News Director

HTML 5 is being touted as an Adobe Flash replacement that displays audio, graphics and video more efficiently, but security experts studying the technology say it poses new challenges for enterprise security professionals.

James Lyne, senior technologist at UK security vendor Sophos, said potential HTML 5 security issues could result from the rapid adoption of the technology. If HTML 5 features aren't programmed properly, security holes could enable attackers to gain access to sensitive website data. The technology is feature-rich, giving developers local storage, built-in graphics rendering and the power to tap into geolocation data on mobile devices or display messages even when the browser is not connected to the web.

“All the things in HTML 5 are native and built in, in place of requiring a group of plug-ins,” Lyne said. “If we standardize this with an amazing security model, an exceptional permissions model and good testing, then this might be fabulous both for the user experience of consistency across multiple devices and for security.”

The HTML 5 standard remains in draft but has already been adopted by many of the browser makers. In a remarkable reversal of its original position, Adobe Systems announced in November it would no longer support Flash on smartphones and tablet devices and would instead put its support behind HTML 5. The World Wide Web Consortium (W3C), which includes browser makers, has been developing standards to enhance HTML's native capabilities.
 


Experts say the W3C must still work out security and privacy issues in HTML 5. The standard doesn't address cookie tracking, a frequently criticized practice used by marketers to track individuals' browsing habits. HTML 5 introduces many new ways to track and store information about Web users. The routines for purging the sensitive information and enabling users to manage privacy data, Lyne said, have not been well defined.

In addition, clickjacking, a common attack technique used against Flash applications, can trick a user into executing malicious code or clicking on a malicious link when interacting with a website or Web application. Browser makers have put protections in place to stop most clickjacking attacks.

According to Robert McArdle, a senior threat researcher at Tokyo-based Trend Micro Inc., sites that have incorporated clickjacking defenses in the form of JavaScript will find them useless under HTML5, which adds a sandbox feature.

“In many cases, this actually results in a far more secure setup, but it does have the disadvantage of nullifying the simplest current defense against clickjacking,” McArdle wrote in Trend Micro's TrendLabs blog.
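
An added example, not part of the original article: a sandboxed frame can keep the framed page's scripts from running, so a JavaScript frame-buster cannot be relied on, whereas the `X-Frame-Options` and CSP `frame-ancestors` response headers (not mentioned in the article) are enforced by the browser itself. The audit below classifies a response accordingly; the function names and sample inputs are constructed for illustration.

```javascript
// Added example, not from the article. Names and sample inputs are constructed.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Heuristic match for the classic "if (top !== self) top.location = ..." frame-buster.
function hasJsFrameBuster(html) {
  return /\b(top|parent)\s*!==?\s*(self|window)\b|\btop\.location\b/.test(html);
}

// Classify how a response defends against being framed.
//   header-enforced: the browser refuses to render the page in a hostile frame
//   js-only:         relies on script that a sandboxed frame can prevent from running
//   unprotected:     no framing defense found
function auditFraming(headers, html) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const fa = frameAncestors(h['content-security-policy']);
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const faOk = fa !== null && !fa.includes('*'); // a wildcard allows any framer
  const jsBuster = hasJsFrameBuster(html || '');
  let verdict = 'unprotected';
  if (xfoOk || faOk) verdict = 'header-enforced';
  else if (jsBuster) verdict = 'js-only';
  return { verdict, xfo: xfo || null, frameAncestors: fa, jsBuster };
}

// Constructed sample responses.
const samples = [
  [{ 'X-Frame-Options': 'SAMEORIGIN' }, '<p>account settings</p>'],
  [{}, '<script>if (top !== self) top.location = self.location;</script>'],
  [{ 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }, ''],
  [{ 'Content-Security-Policy': 'frame-ancestors *' }, '<p>no defense</p>'],
];
for (const [headers, html] of samples) {
  console.log(auditFraming(headers, html).verdict, JSON.stringify(headers));
}
```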

Enterprises may wish to take additional steps to protect against attacks that exploit HTML 5 weaknesses, according to a Sophos report, “HTML5: new shiny Web technology, new silly security issues?” being issued this month. Web filtering, antivirus and other endpoint security technologies, Lyne said, might help defend against attacks.

“What I am hoping we shall accomplish is a consistent agreed security model around the browsers,” Lyne said. “If we leave it to organically happen I expect we can have a painful period during these early days of HTML 5 adoption.”

In addition, members of the Open Web Application Security Project (OWASP) are developing an HTML 5 best practices document and website for application developers. In a blog entry, “HTML 5 security in a nutshell,” Chris Eng, vice chairman of analysis at Burlington, Mass.-based application security testing vendor Veracode Inc., said developers that do not understand some HTML 5 features may turn them off, creating some security issues.

“The most crucial thing developers can do is to keep in mind basic security tenets, for instance, the concept that all user input can be considered untrusted,” Eng wrote. “They should find out how the new HTML5 features actually work with the intention to understand where they'd be tempted to make erroneous assumptions.”

