Web browsers and HTML5 technologies bring their own weaknesses to the world of Internet apps

HTML5 has been billed as the natural, standards-based successor to proprietary plug-ins such as Adobe’s Flash Player for providing rich multimedia services on the Web. But when it comes to security, one of Flash’s major weaknesses, HTML5 is no panacea. In fact, HTML5 has security issues of its own.

Julien Bellanger, CEO of application security monitoring firm Prevoty, says HTML5 makes security more complex, not simpler. HTML5 security has been a question mark for years, and it has not improved over the stretch, he says.

Among the risks that HTML5 brings, according to Bellanger:

- Canvas image-rendering exploits, which can cause buffer overflows that a hacker could then use to inject code into the session
- Cross-site scripting, where intruders can steal information from a session in the browser
- SQL injection, where a malicious query is used to extract information from a database in the browser
- Cross-site request forgeries, where a user token is taken over to impersonate a user on the Web

The use of HTML5 also exposes more of what’s on the computer or mobile device, such as local storage and device location, says Dan Cornell, CTO of cyber security consultancy Denim Group. “Because HTML5 applications can access these facilities, there is an opportunity for abuse,” he says.

Browsers are “inherently insecure”

“The problem we have is that browsers are inherently insecure,” says Kevin Johnson, CEO at IT security consulting firm Secure Ideas. For example, HTML5 offers no secure sandboxing protection, such as what Flash can have in the Chrome browser, he notes.

“Another issue we have is that we are adding significant complexity to HTML5 without adding the same level of control to the user,” Johnson says. At least with Flash, users can turn it off. But they can’t turn off HTML.
HTML5 still holds security promise

Despite the gloomy outlook, HTML5 offers hope for better security — if the browser makers do the right thing, says Denim Group’s Cornell. “Browser vendors need to look at how they plan to build their HTML5 support and design security into their implementations from the start,” he says. “Many of the new capabilities introduced with HTML5 allow applications access to sensitive facilities, so care needs to be taken.” Johnson adds that browser vendors should give users the ability to turn off the functionality that they do not want or do not trust.

The number of browsers in use also brings some security, because vulnerabilities in one browser may not exist in other browsers, Cornell says. That reduces the risk of a vulnerability being universally exploited, as in the case of Flash.

Browser makers are also working to improve security overall, says Richard Barnes, the Firefox security lead at Mozilla. Competition among Google, Microsoft, Mozilla, and Apple means their reputations are on the line if they have security issues, so all the major browser makers have strong security teams in place, he notes.

There’s also work happening across the browser industry to improve security for all, Barnes says. For example, a universal encryption method is under development, and browser makers are giving users more awareness of and control over what the Web knows about them, he says.

Help from a standards body is on the way as well. The World Wide Web Consortium, which has overseen the development of HTML5, has its Content Security Policy specification proposal, which W3C Domain Lead Wendy Seltzer says offers a policy language for Web authors to restrict active content on their sites, protecting against script injections. There’s also the Secure Content specification effort to ensure that powerful Web features only operate in secure, authenticated contexts.

Ultimately, however, apps need to assure security, whether they run in a browser or in an OS.
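Seltzer’s description of Content Security Policy as a policy language that restricts active content is easier to grasp with a concrete policy in hand. What follows is an added example, not code from the article, from the W3C or from any browser: a small JavaScript model of how a browser decides whether a script may run under the script-src directive, with a weak policy that still permits inline scripts placed beside a stricter nonce-based one. The page origin shop.example, the CDN host cdn.example, the nonce value and the sample script loads are all constructed, and the evaluator covers only 'self', 'none', 'unsafe-inline', 'nonce-' and plain host sources (no wildcards, hashes or 'strict-dynamic').

```javascript
// Added example (not from the article or the W3C): a small model of how a
// browser applies the script-src directive of a Content Security Policy.
// Covers 'self', 'none', 'unsafe-inline', 'nonce-...' and plain host sources;
// wildcards, hashes and 'strict-dynamic' are deliberately not modeled.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src falls back to default-src when it is absent, as in real CSP.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// A host source matches when scheme and host(:port) equal the script URL's.
function hostMatches(source, scriptUrl) {
  try {
    const allowed = new URL(source.includes("://") ? source : "https://" + source);
    const target = new URL(scriptUrl);
    return allowed.protocol === target.protocol && allowed.host === target.host;
  } catch (e) {
    return false;
  }
}

// script is { inline: true, nonce?: string } or { src: string }.
function isScriptAllowed(header, pageOrigin, script) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;            // no policy: everything runs
  if (sources.includes("'none'")) return false;
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // CSP Level 2 and later: once a nonce is listed, 'unsafe-inline' is ignored.
    return !hasNonce && sources.includes("'unsafe-inline'");
  }
  return sources.some((s) =>
    s === "'self'" ? hostMatches(pageOrigin, script.src)
                   : !s.startsWith("'") && hostMatches(s, script.src));
}

// Constructed sample policies for a page served from https://shop.example.
const PAGE_ORIGIN = "https://shop.example";
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example";
const STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example";

function evaluatePolicies() {
  const injectedInline = { inline: true };                 // inline script with no nonce, e.g. injected via XSS
  const noncedInline = { inline: true, nonce: "r4nd0m" };  // inline script the server itself emitted
  const vendorScript = { src: "https://cdn.example/lib.js" };
  const foreignScript = { src: "https://other.example/x.js" };
  return {
    weakAllowsInjected: isScriptAllowed(WEAK_POLICY, PAGE_ORIGIN, injectedInline),
    strictAllowsInjected: isScriptAllowed(STRICT_POLICY, PAGE_ORIGIN, injectedInline),
    strictAllowsNonced: isScriptAllowed(STRICT_POLICY, PAGE_ORIGIN, noncedInline),
    strictAllowsVendor: isScriptAllowed(STRICT_POLICY, PAGE_ORIGIN, vendorScript),
    strictAllowsForeign: isScriptAllowed(STRICT_POLICY, PAGE_ORIGIN, foreignScript),
  };
}

console.log(evaluatePolicies());
```

Running it shows the point of the policy language: under the weak policy an inline script with no nonce runs, which is exactly what an injected script looks like, while the strict policy runs only the inline script carrying the server-issued nonce and scripts from the listed hosts. The model also reproduces the rule that listing a nonce causes 'unsafe-inline' to be ignored, so a site that adds nonces for its own inline scripts loses the blanket allowance rather than keeping both.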
Prevoty’s Bellanger recommends that developers adopt Microsoft’s secure development lifecycle guidance to strengthen applications against breaches. “It’s still the developer’s responsibility to build the application as securely as possible,” he says.