
HTML5 to create new challenges for security pros in 2012: Sophos

The web language enables new capabilities, but introduces new risks

The move to HTML5 will enable a whole host of new web applications, but could also create new challenges for enterprise security professionals, according to UK security firm Sophos.

In its security predictions for 2012, Sophos identifies new web and networking technologies – such as HTML5 – as one of the major security risks for the year ahead. While these technologies introduce some impressive new capabilities that are exciting for rich web application development, they also introduce new attack vectors, the company explained.

HTML4 has driven content on the web for many years, but it is a very basic programming language, so developers have supplemented it with add-ons such as JavaScript, Adobe Flash and Google Gears. These add-ons are often littered with unpatched vulnerabilities, making the whole system very insecure, Sophos said.

HTML5 removes the need for most of the add-ons, because it is a more sophisticated language and comes with a full database that enables users to store gigabytes of information. So, for example, users can render full frame animations, create 3D virtual worlds or store applications inside the browser, all in HTML5.

According to James Lyne, senior technologist at Sophos, this last feature brings us much closer to the in-client vision originally associated with cloud computing. However, by storing data within the browser, the browser becomes a target for cyber criminals.

“Traditionally the browser has been a gateway for cyber criminals to get access to your PC, now they're going to be trying to attack the browser itself to steal its data,” said Lyne.

New sandboxing in HTML5 also makes “clickjacking” (tricking web users into revealing confidential information or taking control of their computer while clicking on a seemingly innocuous link) more of a risk, as web pages are no longer able to identify where commands are coming from.

“All that code that developers wrote to prevent applications from being automated and clickjacked by illicit parties now doesn't work,” said Lyne. “They've implemented a security feature and inadvertently broken a more important one.”
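The failure Lyne describes is the classic JavaScript "frame-busting" check, which a page loaded inside an HTML5 sandboxed iframe can no longer act on. The defensive fix is to move the anti-framing decision into response headers that the browser enforces before any script runs. The following is an added example, not code from the article or from Sophos: it checks whether a set of response headers protects a page from untrusted framing and produces the headers a server should send. The header values, the `parseCsp`/`framingPolicy`/`antiFramingHeaders` function names and the sample responses are all constructed for this example.

```javascript
// Added example (not from the article or from Sophos): check whether an HTTP
// response protects against clickjacking with server-side headers, which keep
// working when the page is loaded in an HTML5 sandboxed iframe, unlike the
// script-based frame-busting the article says now breaks.
//
// Why script-only protection fails: the old pattern was roughly
//     if (top !== self) { top.location = self.location; }
// Inside <iframe sandbox="allow-scripts" src="..."> the framed page is denied
// top-level navigation (no allow-top-navigation), so that assignment is
// blocked and the page stays framed. A header policy is applied by the browser
// before the document loads, so the sandbox attribute cannot switch it off.

// Parse a Content-Security-Policy value into { directiveName: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Decide whether response headers (object with lowercase names) prevent
// untrusted framing. Returns { protected, reason }.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa !== undefined) {
      if (fa.includes('*')) {
        return { protected: false, reason: 'frame-ancestors permits any origin' };
      }
      // An empty source list is equivalent to 'none' in CSP.
      const shown = fa.length === 0 ? "'none'" : fa.join(' ');
      return { protected: true, reason: `CSP frame-ancestors ${shown}` };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'ALLOW-FROM is ignored by current browsers' };
  }
  return {
    protected: false,
    reason: 'no anti-framing header; script-only protection is defeated by a sandboxed iframe',
  };
}

// Produce the headers a server should send. allowedOrigins lists any partner
// origins permitted to frame the page; an empty list means nobody may.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return { 'content-security-policy': "frame-ancestors 'none'", 'x-frame-options': 'DENY' };
  }
  // X-Frame-Options cannot express an origin list; SAMEORIGIN is the closest
  // fallback for browsers that do not honour CSP frame-ancestors.
  return {
    'content-security-policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
    'x-frame-options': 'SAMEORIGIN',
  };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  scriptOnly: {}, // relies solely on frame-busting JavaScript in the body
  legacyHeader: { 'x-frame-options': 'SAMEORIGIN' },
  cspPolicy: { 'content-security-policy': "frame-ancestors 'self' https://partner.example; default-src 'self'" },
  openPolicy: { 'content-security-policy': 'frame-ancestors *' },
};

// One report line per sample response.
function report(responses = SAMPLE_RESPONSES) {
  return Object.entries(responses).map(([name, headers]) => {
    const { protected: ok, reason } = framingPolicy(headers);
    return `${name.padEnd(13)} ${ok ? 'protected' : 'EXPOSED  '} - ${reason}`;
  });
}

console.log(report().join('\n'));
```

Run it with Node; the `scriptOnly` and `openPolicy` responses are reported as exposed, the other two as protected. Sending both headers from `antiFramingHeaders` covers browsers that understand CSP `frame-ancestors` as well as older ones that only read `X-Frame-Options`.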

Furthermore, HTML5 raises new issues around cookies, which could make the ICO's new guidance about removing cookies after a certain period of time redundant.

“HTML5 could have new super-uber-cookies,” said Lyne. “If people don't code their sites properly the bad guys could code a huge database of the URLs that you've been to and track all of your field input. They could potentially capture masses of information.”

Despite these potential problems, Lyne said that there are a lot of security benefits to using HTML5. As well as reducing the need for potentially risky add-ons, there's now client-side input validation, as well as libraries that can help deal with SQL injection issues.
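The caveat a practitioner will want alongside that last point: HTML5 form validation runs in the browser, so a client that skips the form can submit anything, and the same rules have to be applied again on the server; likewise, validation is not what stops SQL injection, keeping user data out of the SQL text is. The following is an added example, not code from the article or from Sophos. It re-checks HTML5 constraints (`required`, `pattern`, `maxlength`, `type=email`, `type=number`) on the server side and builds a parameterised insert. The form fields, the `validateSubmission` and `buildParameterizedInsert` helpers and the two sample submissions are constructed for this example; the e-mail pattern is the one the WHATWG HTML specification gives for `<input type="email">`.

```javascript
// Added example (not from the article or from Sophos): HTML5 form constraints
// are enforced by the browser as a usability feature, not a security control.
// A client can post anything, so the server re-applies the same rules, and
// user data reaches SQL only as bound parameters.

// Constraints mirroring a hypothetical sign-up form's HTML5 attributes
// (constructed for this example).
const FORM_CONSTRAINTS = {
  username: { required: true, pattern: '[a-z0-9_]{3,16}', maxlength: 16 },
  email: { required: true, type: 'email', maxlength: 254 },
  age: { type: 'number', min: 13, max: 120 },
};

// The WHATWG "valid e-mail address" pattern that <input type="email"> uses.
const EMAIL_RE = /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;

// Validate a submitted body against the constraints. Returns
// { ok, errors: { field: message } }. Unknown fields are rejected so that
// extra parameters never reach the database layer.
function validateSubmission(fields, constraints = FORM_CONSTRAINTS) {
  const errors = {};
  for (const name of Object.keys(fields)) {
    if (!(name in constraints)) errors[name] = 'unexpected field';
  }
  for (const [name, rule] of Object.entries(constraints)) {
    const value = fields[name];
    if (value === undefined || value === '') {
      if (rule.required) errors[name] = 'required';
      continue;
    }
    if (typeof value !== 'string') { // e.g. ?age[]=1 parsed as an array
      errors[name] = 'must be a single string value';
      continue;
    }
    if (rule.maxlength !== undefined && value.length > rule.maxlength) {
      errors[name] = `longer than ${rule.maxlength} characters`;
      continue;
    }
    if (rule.pattern !== undefined) {
      // Browsers anchor the pattern attribute to the whole value; do the same.
      const re = new RegExp(`^(?:${rule.pattern})$`, 'u');
      if (!re.test(value)) { errors[name] = 'does not match required pattern'; continue; }
    }
    if (rule.type === 'email' && !EMAIL_RE.test(value)) {
      errors[name] = 'not a valid e-mail address';
      continue;
    }
    if (rule.type === 'number') {
      const n = Number(value);
      if (!Number.isFinite(n)) { errors[name] = 'not a number'; continue; }
      if (rule.min !== undefined && n < rule.min) { errors[name] = `below minimum ${rule.min}`; continue; }
      if (rule.max !== undefined && n > rule.max) { errors[name] = `above maximum ${rule.max}`; continue; }
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Build an INSERT with positional placeholders ($1, $2, ...) in the style of
// PostgreSQL drivers (assumed here). Identifiers must match an allowlisted
// form; values are returned separately and never spliced into the SQL text.
function buildParameterizedInsert(table, fields) {
  const IDENT = /^[a-z_][a-z0-9_]*$/;
  const columns = Object.keys(fields);
  for (const ident of [table, ...columns]) {
    if (!IDENT.test(ident)) throw new Error(`illegal SQL identifier: ${ident}`);
  }
  const placeholders = columns.map((_, i) => `$${i + 1}`);
  return {
    text: `INSERT INTO ${table} (${columns.join(', ')}) VALUES (${placeholders.join(', ')})`,
    values: columns.map((c) => fields[c]),
  };
}

// Constructed submissions: one as a browser would send it after passing the
// HTML5 checks, one crafted to bypass the form entirely.
const GOOD_SUBMISSION = { username: 'alice_01', email: 'alice@example.com', age: '30' };
const CRAFTED_SUBMISSION = { username: "alice'; DROP TABLE users;--", email: 'not-an-email', age: '7', is_admin: 'true' };

// Validate each submission and, if it passes, prepare the parameterised query.
function demo() {
  return [GOOD_SUBMISSION, CRAFTED_SUBMISSION].map((body) => {
    const result = validateSubmission(body);
    return result.ok
      ? { ok: true, query: buildParameterizedInsert('users', { username: body.username, email: body.email }) }
      : { ok: false, errors: result.errors };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The crafted submission is rejected on four counts (length, e-mail format, age range and the unexpected `is_admin` field), and even a value that passes validation only ever appears in the `values` array, never inside `text`.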

“Over time, HTML5 will fix many of the problems that we have, but as with any new technology you tend to get a regression in the first place,” he said. “Broadly speaking, we should charge full ahead in this direction, because Flash has been a pain and the new web apps are really cool, but we also need to make sure that we're not casually adopting a nightmare.”

Internet Marketing Company said: HTML5 is not a security solution. It is a long-awaited update to the HTML spec, an update that took the time to be more explicit about both security and privacy issues. The new features of HTML5 will lead to exciting, powerful applications delivered via the browser. As such, it is important for developers to keep in mind a few security basics: validate all data from the client, whitelisting approaches are preferable to a blacklist, use HTTPS whenever possible, and test your site to verify that it performs how you intended.

Miss Whispers said: Sounds like someone needs two sets of knee and elbow pads
