HTML5 and security on the new web

Similar documents
Five Tips to Reduce Risk From Modern Web Threats

Mobile Device Security: What s Coming Next?

Buyers Guide to Web Protection

Application security testing: Protecting your application and data

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Table of Contents. Page 2/13

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Top five strategies for combating modern threats Is anti-virus dead?

Adobe Flash Player and Adobe AIR security

YOUR BROWSER WEARS NO CLOTHES

Next Gen Firewall and UTM Buyers Guide

Enterprise Application Security Workshop Series

The Top Web Application Attacks: Are you vulnerable?

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Introduction: 1. Daily 360 Website Scanning for Malware

Cross Site Scripting Prevention

HTML5 the new. standard for Interactive Web

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director

Layered security in authentication. An effective defense against Phishing and Pharming

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Growth and Challenges

Why The Security You Bought Yesterday, Won t Save You Today

Cross-Site Scripting

Common Security Vulnerabilities in Online Payment Systems

Protecting Your Organisation from Targeted Cyber Intrusion

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Basic Security Considerations for and Web Browsing

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Best Practices Top 10: Keep your e-marketing safe from threats

Recommended Practice Case Study: Cross-Site Scripting. February 2007

What Do You Mean My Cloud Data Isn t Secure?

Spear Phishing Attacks Why They are Successful and How to Stop Them

WEB ATTACKS AND COUNTERMEASURES

Public-Facing Websites: A Loaded Gun Pointing at Customers, Partners and Employees

WebRTC: Why and How? FRAFOS GmbH. FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

The Importance of Patching Non-Microsoft Applications

CyberSecurity Innovation Assessing your Organizations Vulnerability to a Cyber breach

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Relax Everybody: HTML5 Is Securer Than You Think

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Botnets: The dark side of cloud computing

Data Breaches and Web Servers: The Giant Sucking Sound

Reducing the Cost and Complexity of Web Vulnerability Management

Where every interaction matters.

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

The Importance of Patching Non-Microsoft Applications

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Web-Application Security

Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

elearning for Secure Application Development

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Sophos UTM Software Appliance

Protecting Your Roaming Workforce With Cloud-Based Security

WEB 2.0 AND SECURITY

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES

PLATO Learning Environment System and Configuration Requirements. for workstations. April 14, 2008

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Advanced Web Security, Lab

NATIONAL CYBER SECURITY AWARENESS MONTH

HTML5 - Key Feature of Responsive Web Design

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Simplifying Branch Office Security

Passing PCI Compliance How to Address the Application Security Mandates

white paper Malware Security and the Bottom Line

The Importance of Patching Non-Microsoft Applications

Mobile Application Security Sharing Session May 2013

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

An Insight into Cookie Security

Protecting Your Data On The Network, Cloud And Virtual Servers

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

How To Manage A Mobile Device Management (Mdm) Solution

Recent Advances in Web Application Security

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Towards a Comprehensive Internet Security Strategy for SMEs

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Simplifying branch office security

The Cyber Threat Profiler

Managing Web Security in an Increasingly Challenging Threat Landscape

Network protection and UTM Buyers Guide

Reducing the Cost and Complexity of Web Vulnerability Management

IJMIE Volume 2, Issue 9 ISSN:

OWASP Top Ten Tools and Tactics

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

Security Research Advisory SugarCRM Cross-Site Scripting Vulnerability

Protection for Mac and Linux computers: genuine need or nice to have?

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Fighting Advanced Threats

Transcription:

HTML5 and security on the new web By James Lyne, Director of Technology Strategy There are lots of changes happening to the key technologies that power the web. The new version of HTML, the dominant web language, offers impressive enhancements for rich web applications. But as HTML5 comes into greater use we ll see new security issues arise. It s typical for a new technology to have defects and pitfalls. And although the standard is still being defined, it's already being implemented. So how does HTML5 stand up to security scrutiny?

A changing web The upgrade from HTML4 to HTML5 brings about a wide range of new and amazing possibilities for the web like 3D environments and email clients that work offline. And new products like Sophos upcoming SSL VPN will be written entirely in HTML5. HTML5 provides far more access to the computer s resources than its predecessor. It's built to integrate with modern web browsing devices and offers capabilities like location awareness, graphics rendering and access to the webcam and microphone. You can even use the application cache feature to have an application download to your browser for use offline, such as when you re on a plane. The potential of this language is reinforced by Adobe s announcement that it s working to transition from mobile Flash to HTML5 as the future of rich web media. Although the standard owned by the World Wide Web Consortium for HTML5 is still in draft form, a number of popular web browsers have already adopted it. This means that different browsers are implementing HTML5 in different ways with varying security models. The enhancements are great, but they radically change the attack model for the browser. We always hope new technologies can close old avenues of attack. Unfortunately, they can also present new opportunities for cybercriminals. With more local storage and offline chaching in HTML5, the browser is likely to contain much more sensitive data. That makes your browser a direct gateway to your data and an attractive target. Browser vulnerabilities Each browser s implementation of HTML5 varies, so it s hard to generalize about their security. HTML5 contains new security features, but it s not a security release it s a significant update to the standard in every way. Traditionally, the browser was a kind of thin client with small amounts of persistent data from cookies and cached files for performance. Attackers would use the browser as a means to access the computer, or to try to steal credentials for an online service. However, with more local storage and offline caching in HTML5, the browser is likely to contain much more sensitive data, such as from your email client or CRM. That makes your browser a direct gateway to your data and an attractive target itself. This subtle change in the attack vector could make trouble, as browser vendors will need to develop a richer security model, much like those for operating systems. A lack of definition of this security model in the standard raises further challenges, as browser vendors are left to make these design decisions independently. That said, the rollout of HTML5 will at least put us on a path to standardization, replacing insecure third party add-ons like Adobe Flash, which has suffered numerous exploits by cybercriminals. A Sophos Article December 2011 2

Privacy concerns Concerns over privacy have led to numerous regulations focused on cookies. Cookies and associated data can be used to track users across multiple sites, recording their clicks, purchases or preferences. As consumers become more aware of web tracking and data mining, privacy features are growing in importance for browser vendors. In HTML5 the new local storage mechanisms open up new ways to store information about users that could compromise your privacy or tip off cybercriminals. There s more flexibility for local storage and a relatively liberal access model, depending on site developer implementation. And how to restrict or periodically purge data is less clear than with cookies in HTML4. Because we do so much of our web browsing from our mobile devices, location data and media tools for mobile devices present additional privacy challenges. HTML5 can more natively interact with the capabilities of modern web browsing devices. And it defines a series of new helpful application programming interfaces (API) for access to location services, microphones or cameras. However, these services have less-tested security models and have already shown some security weaknesses. For example, we ve seen problems where accessing the location services API cache could enable a caller to identify the last queried location of the user without explicit permission. The media access API for cameras and microphones is also not well defined and varies across browsers, potentially providing cybercriminals with a way to break in and use them for spying. Imagine a web-based attack where hackers turn on the microphone on your ipad and record you unnoticed. Traditional privacy tools and policies will need to catch up to new technologies. We can expect browser vendors to invest more in privacy controls. And we'll likely see some revisions to guidelines from privacy regulators. In general, a more flexible and integrated technology carries a greater risk of privacy invasion and data loss. But we should also consider that moving these capabilities into the core language and browser is a step up from the terrible plugins that cybercriminals have targeted over the past 18 months. Overall, traditional privacy tools and policies will need to catch up to new technologies. We can expect browser vendors to invest in more privacy controls. And we ll likely see some revisions to guidelines from privacy regulators. A Sophos Article December 2011 3

Sandboxing and permissions One question we re asking is how sandboxing and isolation models of browsers will evolve for HTML5. Many browsers work to prevent distribution of malware by isolating themselves from the operating system using sandboxing. But all the new browser capabilities provided by HTML5 create the type of opportunities for data theft that we've had to deal with in our operating systems. Your browser will be able to access local data, break out of the sandbox, and capture data via your media devices or your location. When your browser does these things at the same time as you visit a website that s been infected with nasty attack code, it s a bad combination. There s not a great deal of definition on how the permissions model will work here, but with the browser becoming more capable, the security model needs to become more multi-dimensional. We should also be looking at cross document messaging, which attempts to prevent cross-site scripting (XSS) by restricting permissions to a domain. Abuse of DNS and insecure use of the API could also leave websites open to abuse and manipulation in new ways. Separating individual sessions and the rights of different authors, publishers and sites within the content rendering environment becomes all the more important. There are a few ways these controls could be implemented. But having users set controls by answering a complex set of questions would have a negative impact on security. Legacy problems Some of the old security issues of HTML4 and JavaScript remain in HTML5. And cybercriminals who spread malware or steal user information on the web will continue to seek new ways of doing so in HTML5. Browser vendors have patched many of the security holes that opened the door to clickjacking (tricking a user to click a link or modifying the page to emulate a user click) and phishing websites. Or they ve put in place restrictions to minimize the probability of attack, such as requiring a click to occur in the window of focus. As we launch new technology we have to learn from our past mistakes. As cybercriminals investigate HTML5 they are likely to find new ways of tricking users, spreading malware and stealing clicks. A Sophos Article December 2011 4

Developers adopting HTML5 are going to need to change their validation routines and filters. Plenty of websites use web application firewalls or free add-ons like mod_security to prevent attacks like XSS. Better still is for developers to implement proper checks in their code to prevent incorrect use of data. The traditional focus areas for XSS attacks might widen and change. Media related functions are notoriously problematic just look at the major attack vectors used by the bad guys over the past couple of years. Tags like <video>, <audio> or <canvas> might open up new possibilities for attackers. Websites and applications are only as secure as the care the web developer took to make it. If you re a web developer, be sure to follow best practices for filtering data and writing secure code, and borrow from cheat sheets like those produced by the Open Web Application Security Project (OWASP). What s next On our journey to greater web usability we're seeing interesting tensions between flexibility, security and privacy. HTML5 introduces some powerful concepts and we should look forward to using more of these web applications. But it s far from perfect. HTML5 does make progress in usability and security from today s HTML4 and associated components, but it will require a lot of work to be as tried and tested. The web is the biggest vector for distribution of malware. As web technology merges with conventional thick client capabilities and is deployed across a wider range of devices, we can expect cybercriminals to find new ways to attack. And as HTML5 becomes the backbone of our ecommerce, social media and elearning, the security community will need to diligently identify new attack vectors and revise the security model. We should demand that standards committees and browser vendors be consistent and act responsibly in their work now on HTML5, before the cybercriminals get ahead of us. James Lyne, Director of Technology Strategy @jameslyne United Kingdom Sales: Tel: +44 (0)8447 671131 Email: sales@sophos.com North American Sales: Toll Free: 1-866-866-2802 Email: nasales@sophos.com Boston, USA Oxford, UK Copyright 2011. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners. A Sophos Article 12.11v1.dNA

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information