A collection of technologies known collectively as HTML5 promises to make websites as complex and powerful as desktop applications. But with great power comes great responsibility, and the same HTML5 features that let websites store data locally, run code while offline, and access hardware such as cameras and microphones can also be used maliciously, according to demonstrations at this week's Black Hat security conference in Las Vegas. So far, antivirus and other security software can do little to protect users.
"There's a lot of opportunity for hijacking the browser with HTML5," said Shreeraj Shah, founder of the Indian security company Blueinfy, in a presentation on Friday. "You can compare HTML5 with a small operating system running in your web browser."
Many developers are turning their attention to HTML5, seeing it as a way to make websites more powerful and capable, and as a means of building applications that will run on any device with a compatible browser (see "The Web is Reborn"). So far, though, little attention has been paid to the risks that the technology could introduce.
Shah walked the audience through his "top 10" attacks made possible by HTML5, most of which involved a user visiting a malicious web page that used an HTML5 technique to gain access to data stored on their computer, or to trick them into granting access to such data. Unlike most of the exploits presented at Black Hat, many of these techniques were made possible by functionality built into HTML5.
One example saw a user presented with a fake login when he tried to access a real bank's website; another technique used HTML5 to discover the target's internal network; and a third used HTML5 to read data, potentially including private details, cached in the browser by another web page.
The techniques demonstrated did not include methods of breaking out of the browser and taking full control of a computer, but HTML5 could be used that way, said Shah. He also noted that browsers on mobile devices can also run HTML5 sites and so face the same problems, and added that HTML5 is used inside many mobile apps. "A hybrid app is around 15 percent HTML5 and the rest native code," said Shah. "The trend on mobile is shifting to hybrid."
Speaking after his presentation, Shah said that protecting Web users against the problems he had identified would require "a combination of browser makers fixing the vulnerabilities that they have, and ensuring people use HTML5 properly."
Antivirus software could, in theory, scan Web code, Shah said. However, the standard approach, looking for "fingerprints" of known malicious programs, doesn't transfer well to this area, he said. "Exploits are specific to the particular code used, so it's not something they can easily look for," he said.
Sergey Shekyan and two colleagues, all with the cloud security company Qualys, gave their own presentation on the risks of new Web technologies on Friday. Shekyan used a technology called WebSockets, usually bracketed as part of HTML5, to take remote control of a browser as it visited a web page.
WebSockets allow the operator of a website to create a direct, fast connection to a user's browser that is useful for features such as streaming video or interactive games. However, Shekyan and his colleagues found that many sites use WebSocket connections without security or other protections. The malicious web page they built used a WebSocket connection to gain remote control of a Firefox browser without the user knowing about it. Shekyan showed how the browser could be instructed to quietly attack other sites, or to steal browsing history and cookies.
"None of the systems that are supposed to catch malicious traffic will work because there are no firewalls that are aware of the WebSocket protocol," said Shekyan. "They just allow any kind of connection over WebSockets." That could be changed, he said, but it would be a whole new feature for firewall-type programs, so it may take time to implement.