ENISA issues HTML5 internet security warnings
The European Network and Information Security Agency (ENISA), the official body funded by the European Parliament to oversee the safety and security of digital communications, has issued a lengthy document outlining security issues that will need to be addressed before HTML5 standards get their seal of approval.
Although the World Wide Web Consortium is responsible for ‘curating’ the HTML5 specification, plug-in manufacturers, browser developers and anyone involved in facilitating secure online transactions will also have a role to play in protecting our online activities.
The 61-page PDF, A Security Analysis of Next Generation Web Standards, is well worth a look if you are already involved in security-critical web development that will make use of HTML5. It is of course also fascinating reading for anyone who loves a bit of HTML injection with a friendly structured clone algorithm, or for the real thrill-seeker… some casual click-jacking on a Friday night.
Every time a new version of HTML comes along, the specification quite rightly needs to be tested to breaking point for security weaknesses which would ultimately put browser users at risk. As HTML5 gradually becomes the de facto web industry standard over the next few years, there will be a period – as with the introduction of HTML 4 in 1999 – when systems will be particularly vulnerable to new kinds of cyber-attacks.
Hackers – both good and bad – are already keen to point out some of HTML5’s weak points. The new specification will definitely increase the number of exploitable openings in existing code, forcing developers to revisit plenty of issues that may have been swept under the carpet.
Anonymous are no doubt considering the possibilities for their promised Facebook attack in November 2011.
Matt Austin pointed out one such weakness on his hacking site back in July, explaining how easy it was to access private data on Facebook by exploiting cross-origin resource sharing. Of course, this is just one of thousands of potential attacks that could take advantage of HTML5’s youthful inadequacies, and one that ENISA discusses in its report.
Along with the many exciting new possibilities of HTML5 for web designers and developers, there will certainly be some fresh excitement for the growing legions of hackers and their security-conscious foes.
Could the Facebook vs Anonymous action on Bonfire Night 2011 shape up to be the first global HTML5 hacking event worthy of live TV coverage?