Web developers accountable for HTML5 security

Whether HTML5 will introduce new security threats is less an issue than the need for Web developers to be able to effectively mitigate any potential risk borne from the pending programming standard, advise industry observers.

Jeremiah Grossman, CTO of WhiteHat Security, told ZDNet Asia: "With a specification as large and as powerful as HTML 5, implementation should be taken with the upmost concern toward security."

Currently still a working draft, Hypertext Markup Language version 5 (HTML5) is the latest revision of the Web language--used to describe Web pages--and boasts several new advancements. These include data storage on a local computer which allows Web applications to run offline, as well as native support for rich Web applications and interactions which was previously only possible by installing third-party, proprietary plugins such as Adobe Flash and Microsoft Silverlight.

In an e-mail interview, Ian Jacobs, communications head of the World Wide Web Consortium (W3C), stressed the need for HTML5 to be adopted particularly because its last official update, HTML4, was in 1999. The consortium is the official standards body responsible for overseeing HTML5's development.

As the Web evolves from "a Web of documents to a formidable platform of networked applications", facilitating the sharing of information and services over the Internet, Jacobs said there is a significant demand for open standards that allow the creation of rich Internet applications.

Heightened security threats
However, with its promise to deliver new richer functionalities, HTML5 has also sparked much discussion among security experts whether the increased capabilities could bring along added security vulnerabilities. Paul Roberts, security evangelist from Kaspersky Labs, said in a blog post last month that while Web security professionals agreed HTML 5 encompasses security enhancements, they also expressed concern that the new Web language will "greatly increase the attack surface of HTML" and provide more avenues on which malicious codes can be delivered.

Hon Lau, senior security response manager at Symantec, said: "Increased functionality often brings with it increased risks."

Lau explained in an e-mail that HTML5 includes "around 45 new markup tags", such as the <canvas> and <video> tags, to enable rich multimedia functions. "[The possible] attack surface is increased due to the sheer volume of changes undergone," he added.

WhiteHat's Grossman also pointed to another potential security threat where users could face an amplified risk of data loss due to the massive amount of data in local storage.

He explained that in the past, Web developers could only save small snippets of data in the form of cookies on the browser. With HTML5, however, they can store "many megabytes of data" on the user's computer and this will most likely include sensitive data to allow Web applications to be used offline, he said.

Naveen Hegde, market analyst at IDC's Asia-Pacific software research group, said the conventional motive for attacks has been gaining access to sensitive data and hackers would launch cross-site scripting and SQL injection attacks in a bid to steal confidential user information.

Developers obligated to address risks
According to Hegde, developers looking to build on HTML5 should first evaluate whether it is "beneficial" to deploy the platform's new features which could "end up facilitating Web attacks" on a user's machine.

Lau echoed a similar view, noting that while changes in the Web standard may introduce new security risks, the onus is still on developers to mitigate these threats.

He suggested that developers practise and build more security coding principles to reduce potential security risks, such as improved error handling, validating inputs and ensuring boundary checks to avoid buffer overflows.

Grossman also advised developers to create backups and save large volumes of potentially sensitive information contained in end-users' PCs.

"Care should be taken by developers not to...assume it cannot be manipulated by someone with local or remote access to the machine," he cautioned.

He concluded that since HTML5 vulnerabilities are expected to appear at some point in the future, HTML5 designers and implementers "should be prepared to respond quickly" whenever new issues or vulnerabilities arise.

Jacobs from W3C, too, emphasized the importance of designing and building Web applications "with sensitivity to user privacy and security needs".

Lau said: "From a security standpoint, the issues with HTML in the past were a result of poor and inconsistent implementation of features described in the HTML specification, and also the non-practice of security coding principles within browser engines and the plugins used by them."

He described HTML5 to be "a reaction to the current state of the Web space and the evolution that has taken place over the past decade". "[It is a] public standard that aims to address many shortcomings in the functionality provided by previous versions," he added.

Despite its security risks, WhiteHat's Grossman acknowledged that "HTML5 has arrived". "Security, as a discipline, must help enable technology and business applications, not inhibit them," he said.

Echoing similar sentiments, W3C's Jacobs said HTML5 may only still be a working draft, but browser vendors are already deploying its features, allowing W3C to revise its drafts. "This way, the final standard can transparently inform implementers where they need to pay close attention to security and privacy issues," he noted.