From animated logos to Web videos for hip, independent bands, HTML5 is getting buzz and gaining traction. But concerns about the security of features in the new version of the Web’s lingua franca persist.
Currently under development by the World Wide Web Consortium (W3C), the Web’s standards-setting organization, the HTML5 specification is an effort to revamp the language after its last major makeover, HTML4, in the late 1990s. The new specification adds native support for the kind of rich interactions and application features that have become common on the Web but have mostly required third-party plugins such as Adobe’s Flash and Microsoft’s Silverlight. Among the additions in HTML5 are new elements and APIs for two-dimensional drawing (the canvas element), native rendering of video and audio, drag and drop, and offline operation of Web applications through client-side storage and databases.
HTML5 has some major backers, among them search giant Google. Beyond its eye-catching logo animations, the company has lent development talent to HTML5 with projects like the Arcade Fire Web video “The Wilderness Downtown,” which highlights the capabilities of Google’s Chrome browser and which Google promoted on its blog. The company has also created a Web site, HTML5rocks.com, to extol the virtues of the new version of HTML.
The new standard does make strides in plugging up some gaping security issues inherited from earlier versions of HTML, said Adam Barth of the University of California, Berkeley, who has been involved with the development of the new specification.
For one thing, HTML5 actually specifies how HTML code should be parsed by Web browsers, including how malformed markup is to be recovered. Previous iterations of the language left it up to individual browser vendors to develop their own interpretations, which led to differences in how the same page was parsed and rendered on different browsers. That also created opportunities for attackers to exploit the parsing quirks of specific browsers in Cross Site Scripting and other Web-based attacks, since a server-side filter and the browser could disagree about where a tag or attribute begins and ends, Barth wrote in an e-mail response to questions from Threatpost.
New features are also intended to make HTML5 more secure than its predecessors. Among them is a new sandbox attribute for the iframe element, which lets a site that aggregates untrusted content from external sources restrict what that content may do, such as run script, submit forms, navigate the top-level page or be treated as same-origin with the embedding site. The postMessage() feature, for cross-document messaging, allows pages from different origins to exchange messages in the browser without resorting to the fragment-identifier and other hacks used previously, Barth said.
Web security experts contacted by Threatpost agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the “attack surface” of HTML – providing more avenues by which malicious code can be delivered through the Web.
“HTML5 has an enormous amount of functionality. The (specification) is just huge,” said Jeremiah Grossman of Web security firm WhiteHat. The breadth of the new specification gives him concern. “I know that we’re still finding vulnerabilities in HTML4,” Grossman said.
Others echoed that concern.
“With any new functionality you’re going to have new security concerns. HTML5 is going to increase the attack surface considerably,” said Neil Daswani of Web security firm Dasient.
Though no specific vulnerabilities or attacks against HTML5-specific features are documented, experts point to a few areas of concern:
Local, database and session storage: More options for storing user data locally (Web Storage’s localStorage and sessionStorage objects, plus client-side databases) will make it easier to develop Web applications that can also work offline. They’ll also reduce the reliance on session cookies and improve the performance of Web-based applications, which can retrieve data locally instead of having to make requests out to a Web server and wait for the results.
The conventional wisdom has been that these data stores will be a rich target for attackers, since, unlike a cookie flagged HttpOnly, anything in Web Storage is readable by any script running in the page’s origin, so a single cross site scripting flaw can be leveraged to siphon off everything stored there. Security experts we talked to played down that threat, noting that local storage has been around for a long time with technologies like Flash. However, engineers at Veracode in May raised warnings about an implementation issue with the sessionStorage feature that could make it vulnerable to manipulation from untrusted Web sites.
The new sandboxing and postMessage() features are examples of tools that, if not used properly, could fail to provide protection against attacks, or even enable new types of attacks. The browser delivers a postMessage() event from any origin; it is up to the receiving page to check the event’s origin before acting on its contents. Veracode, in its analysis of HTML5, raised red flags about the security of postMessage() on exactly this point, noting that Web applications that use cross-document messaging without such checks could be attacked by malicious Web sites that spoof messages to them.
Even features, like postMessage() designed to improve security could actually make Web sites less secure if they’re implemented incorrectly, said Isaac Dawson, a security researcher at Veracode.
“As with any security functionality, over reliance or simple misuse of it could unknowingly make a site less secure,” he wrote.
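The two checks that cross-document messaging leaves to the application, as an added example that is not code from the article, from Veracode or from any browser: on the receiving side, a listener that acts on any message beside one that verifies event.origin and the message shape; on the sending side, the effect of passing "*" as the targetOrigin. Because window.postMessage() only exists in a browser, the block models the one rule the browser enforces (a message is delivered only if targetOrigin is "*" or equals the receiver’s current origin) in a small FakeWindow class, and the origins and the setTheme message are constructed for the example.

```javascript
'use strict';

// Stand-in for a browser window, modelling postMessage delivery: the message
// is dropped unless targetOrigin is "*" or matches the receiver's *current*
// origin. `source` is the sending window, from which event.origin is derived.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { data, origin: source.origin, source };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Vulnerable receiver: never looks at event.origin, so any page that can get a
// reference to this window (by embedding or opening it) can spoof messages.
function installInsecureReceiver(win, accepted) {
  win.addEventListener('message', (event) => {
    accepted.push(event.data.theme);
  });
}

// Hardened receiver: allow-list the sender origin, then validate the message
// type and field format before the value reaches any sink.
function installSecureReceiver(win, allowedOrigins, accepted) {
  win.addEventListener('message', (event) => {
    if (!allowedOrigins.includes(event.origin)) return;
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== 'setTheme') return;
    if (typeof msg.theme !== 'string' || !/^[a-z]+$/.test(msg.theme)) return;
    accepted.push(msg.theme);
  });
}

// An embedded widget receives a legitimate message from the embedding shop
// page and a spoofed one from an attacker page; returns what it accepted.
function receiverScenario(secure) {
  const widget = new FakeWindow('https://widget.example');   // constructed
  const shop = new FakeWindow('https://shop.example');       // constructed
  const evil = new FakeWindow('https://evil.example');       // constructed
  const accepted = [];
  if (secure) installSecureReceiver(widget, ['https://shop.example'], accepted);
  else installInsecureReceiver(widget, accepted);
  widget.postMessage({ type: 'setTheme', theme: 'dark' }, 'https://widget.example', shop);
  widget.postMessage({ type: 'setTheme', theme: '<script>x</script>' }, '*', evil);
  return accepted;
}

// Sender-side check: the shop page sends a secret to a window it opened. If
// that window has since navigated to another origin, targetOrigin "*" still
// delivers the secret; naming the expected origin makes the browser drop it.
// The listener stands for whatever script runs in the navigated window.
function senderScenario(targetOrigin) {
  const shop = new FakeWindow('https://shop.example');
  const popup = new FakeWindow('https://widget.example');
  const leaked = [];
  popup.addEventListener('message', (e) => leaked.push(e.data.token));
  popup.origin = 'https://evil.example'; // the popup navigated away
  popup.postMessage({ token: 'session-secret' }, targetOrigin, shop);
  return leaked;
}

console.log(receiverScenario(false)); // insecure: both messages accepted
console.log(receiverScenario(true));  // secure: only the shop's message
console.log(senderScenario('*'));     // secret delivered to the wrong origin
console.log(senderScenario('https://widget.example')); // dropped
```

In a real page the same logic sits in a window.addEventListener("message", ...) callback and in the targetOrigin argument of window.postMessage(); the origin comparison must be an exact string match against a fixed list, not a substring or prefix test, which an origin like https://shop.example.evil.example would defeat.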
“I imagine we’ll see a lot of people building custom fuzzers for the supported video codecs,” said Dawson. Because HTML5 moves audio and video decoding out of plugins and into the browser itself, that will put the onus on the browser makers – Microsoft, Google, Mozilla and Apple – to review the code used for parsing and rendering media heavily to prevent it from being exploited, he said.
Grossman, of WhiteHat, also worries about the ripple effects of HTML5 adoption, in particular the way new HTML features will break or disable Web security filters designed to block malicious activity. As one example, he notes that HTML5’s broader support of event handlers on HTML elements could defeat blacklist filters that are meant to allow HTML but block scripting: a filter that enumerates the handler names it knows about has no way to recognize ones the new specification adds.
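The filter failure Grossman describes, as an added example that is not from the article or from WhiteHat: a blacklist that blocks scripting by naming HTML4-era handlers, shown passing markup that uses handlers HTML5 introduces, beside an allow-list sanitizer that keeps only known tags and attributes and drops any attribute starting with "on", whatever the element. The blacklist, the allow lists and the sample payloads are constructed for the example; the tag tokenizer handles only the simple markup used here and is not a substitute for a real HTML5 parser, which is the article’s own point about parsing differences between filter and browser.

```javascript
'use strict';

// Blacklist of the kind the article describes: permits markup, blocks
// scripting by name. Its handler list was drawn up for HTML4-era vectors
// (constructed example).
const HTML4_BLACKLIST = [
  /<script\b/i,
  /javascript:/i,
  /\bon(click|load|mouseover|mouseout|error|submit|change)\s*=/i,
];

// Returns the input unchanged if no pattern matches, else an empty string.
function blacklistFilter(html) {
  return HTML4_BLACKLIST.some((re) => re.test(html)) ? '' : html;
}

// Allow-list sanitizer: unknown elements are dropped, unknown attributes are
// dropped, every on* attribute is dropped regardless of element, and URL
// attributes may not use a javascript: scheme.
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'a', 'img', 'video']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'controls']);
const URL_ATTRS = new Set(['href', 'src']);

function sanitize(html) {
  // name, then optionally ="dq" | ='sq' | unquoted
  const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (_, slash, tag, rawAttrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (slash) return `</${name}>`;
    const kept = [];
    for (const m of rawAttrs.matchAll(attrRe)) {
      const attr = m[1].toLowerCase();
      const value = m[2] || m[3] || m[4] || '';
      if (attr.startsWith('on') || !ALLOWED_ATTRS.has(attr)) continue;
      if (URL_ATTRS.has(attr) && /^\s*javascript:/i.test(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed payloads. The first is an HTML4-era vector the blacklist was
// written for; the others use handlers (onloadstart on media elements) or
// attributes (autofocus, which fires onfocus with no user interaction) that
// HTML5 adds and the blacklist never enumerated.
const SAMPLES = {
  html4Img: '<img src=x onerror=alert(1)>',
  html5Video: '<video src=x onloadstart=alert(1)>',
  html5Autofocus: '<input autofocus onfocus=alert(1)>',
  jsHref: '<b>hi</b><a href="javascript:alert(1)">x</a>',
};

// Runs both filters over every sample so the results can be compared.
function compareFilters() {
  const out = {};
  for (const [key, html] of Object.entries(SAMPLES)) {
    out[key] = { blacklist: blacklistFilter(html), allowlist: sanitize(html) };
  }
  return out;
}

console.log(compareFilters());
```

Only the HTML4-era image payload is caught by the blacklist; the two HTML5 payloads pass through it untouched, while the allow-list version strips the handlers and drops the input element entirely because it was never permitted. Extending the blacklist with today’s handler names does not fix the design, since the next specification revision adds more.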
Still, with HTML5 not finalized and adoption still in its infancy, the full impact of the specification – for good and bad – won’t be felt for years, experts agreed.
Grossman said he sees support for HTML5 in around 10% to 12% of the 2,000 Web sites his firm monitors. It could be three years or more before the security implications of the new capabilities in HTML5 are fully grasped, he said.
However, HTML5 features could start working their way into the fabric of the Web long before wholesale adoption of the new standard, as Web sites look to take advantage of features, like local storage, on browsers that can support it, Grossman said.
“Honestly, I think it will make some things better,” said Dawson of Veracode. “But as with all technologies it’s going to take a while for the repercussions of certain designs to be fully known.”