funsec mailing list archives

Re: In Defense of HTML5


From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 4 Dec 2012 12:20:34 -0800

I'll let people make up their own minds, of course, but I predict it
will be a security nightmare.

A former colleague (and great friend) at Trend Micro, Bob McArdle, did
a nice write-up of HTML5 called "HTML5: The Good, The Bad, and The
Ugly":

http://blog.trendmicro.com/trendlabs-security-intelligence/html5-thegood/
http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-bad/
http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-ugly/

He wins my award for presenting this at the most number of conferences
in 2012. :-)

Also: "HTML5 Overview: A look at HTML5 Attack Scenarios"
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf

All are worth reading.

- ferg (not at Trend Micro anymore :-)


On Tue, Dec 4, 2012 at 12:00 PM, Stephanie Daugherty
<sdaugherty () gmail com> wrote:

As far as attack surface goes, the comparison between Flash and HTML5 really
isn't a comparison.

I'll take the HTML5 pain if it replaces the black box of paper thin glass
that is Flash.




On Tue, Dec 4, 2012 at 2:08 PM, Jeffrey Walton <noloader () gmail com> wrote:


http://www.thesecuritypractice.com/the_security_practice/2012/11/in-defense-of-html5-1.html

Many of the broad family of specifications commonly grouped under the
“HTML5” umbrella are scheduled to be completed in 2013, and with the
release of Internet Explorer 10, the users of every major web browser
flavor can enjoy rich Web apps written on the open web platform, with
no need for plugins.

Lots of people are excited about HTML5, but one group I don’t see as
particularly excited is security experts, or perhaps they’re only
excited in a rather cynical fashion. Full employment! Browser
botnets! A lifetime of conference talks! And the malediction against
HTML5 isn’t just coming from folks with a product to sell or a slide
deck to submit – HTML5 has become a common boogeyman representing
out-of-control complexity and vast attack surface for some of the very
best analysts and researchers in the field. So, although developers
are racing to embrace it, CISOs, CIOs and enterprise
security decision makers as a group seem wary.

Frankly this puzzles and distresses me, because from my perspective,
HTML5 is a key part – perhaps the most important part – in one of the
greatest security success stories in the history of computing. The
story of the web browser over the last decade is the story of
something completely unprecedented – a tremendous increase in
functionality and use that happened side-by-side with a tremendous
decrease in vulnerability and attack surface. Don’t believe me?
Let’s go back a decade…

...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



-- 
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com