funsec mailing list archives
Re: In Defense of HTML5
From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 4 Dec 2012 12:20:34 -0800
I'll let people make up their own minds, of course, but I predict it will be a security nightmare.

A former colleague (and great friend) at Trend Micro, Bob McArdle, did a nice write-up of HTML5 called "HTML5: The Good, The Bad, and The Ugly":

http://blog.trendmicro.com/trendlabs-security-intelligence/html5-thegood/
http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-bad/
http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-ugly/

He wins my award for presenting this at the most conferences in 2012. :-)

Also: "HTML5 Overview: A look at HTML5 Attack Scenarios"
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf

All are worth reading.

- ferg (not at Trend Micro anymore :-)

On Tue, Dec 4, 2012 at 12:00 PM, Stephanie Daugherty <sdaugherty () gmail com> wrote:

> As far as attack surface goes, the comparison between Flash and HTML5 really isn't a comparison. I'll take the HTML5 pain if it replaces the black box of paper-thin glass that is Flash.
>
> On Tue, Dec 4, 2012 at 2:08 PM, Jeffrey Walton <noloader () gmail com> wrote:
>
>> http://www.thesecuritypractice.com/the_security_practice/2012/11/in-defense-of-html5-1.html
>>
>> Many of the broad family of specifications commonly grouped under the “HTML5” umbrella are scheduled to be completed in 2013, and with the release of Internet Explorer 10, the users of every major web browser flavor can enjoy rich Web apps written on the open web platform, with no need for plugins.
>>
>> Lots of people are excited about HTML5, but one group I don’t see as particularly excited are security experts, or perhaps they’re only excited in a rather cynical fashion. Full employment! Browser botnets! A lifetime of conference talks! And the malediction against HTML5 isn’t just coming from folks with a product to sell or a slide deck to submit – HTML5 has become a common boogeyman representing out-of-control complexity and vast attack surface for some of the very best analysts and researchers in the field. So, although developers are racing to embrace it, CISOs, CIOs and enterprise security decision makers as a group seem wary.
>>
>> Frankly this puzzles and distresses me, because from my perspective, HTML5 is a key part – perhaps the most important part – in one of the greatest security success stories in the history of computing. The story of the web browser over the last decade is the story of something completely unprecedented – a tremendous increase in functionality and use that happened side-by-side with a tremendous decrease in vulnerability and attack surface.
>>
>> Don’t believe me? Let’s go back a decade…
>>
>> ...

--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- In Defense of HTML5 Jeffrey Walton (Dec 04)
- Re: In Defense of HTML5 Stephanie Daugherty (Dec 04)
- Re: In Defense of HTML5 Paul Ferguson (Dec 04)
- Re: In Defense of HTML5 Dan Kaminsky (Dec 04)
- Re: In Defense of HTML5 Paul Ferguson (Dec 04)
- Re: In Defense of HTML5 Michal Zalewski (Dec 04)
- Re: In Defense of HTML5 Jeffrey Walton (Dec 05)
- Re: In Defense of HTML5 Michal Zalewski (Dec 05)
- Re: In Defense of HTML5 Jeffrey Walton (Dec 05)
- Re: In Defense of HTML5 Jeffrey Walton (Dec 05)
- Re: In Defense of HTML5 Stephanie Daugherty (Dec 04)