Enisa Details HTML5 Threats

ENISA, the European Union’s cyber-security agency, has published a report detailing 51 security threats in upcoming web standards, including HTML5 issues such as disabling click-jacking protection and tampering with forms.

The report covers HTML5, cross-origin communication standards such as CORS and XHR, standards for access to local data such as geo-location, and standards for local storage and widgets.

Increasing attacks

The browser now has a central place in the security world, ENISA argued, noting that the volume of web-based attacks increased by 93 percent in 2010 over 2009, with 40 million attacks per day recorded by Symantec for September 2010.

“(The browser) has become the channel through which most of our information passes. Banking, social networking, shopping, navigation, card payments, managing high value cloud services and even critical infrastructures such as power networks – almost any activity you can imagine now takes place within a browser window,” the organisation said in the report. “Even if the root cause is elsewhere, the browser is often in a position to protect the user – e.g. in combatting phishing and pharming.”

ENISA said the report’s goal is to highlight weaknesses in upcoming standards before they are set in stone.

“Many of these specifications are reaching a point-of-no-return,” said report co-editor Giles Hogben in a statement. “For once, we have the opportunity to think deeply about security before the standard is set in stone, rather than trying to patch it up afterwards. This is a unique opportunity to build in security by design.”

The threats include unprotected access to sensitive information, new ways to trigger form-submission attacks, problems in specifying and enforcing security policies and potential mismatches with operating system permission management, Enisa said.

The report also points out feature specifications that aren’t clear enough, which ENISA argued could lead to conflicting or error-prone implementations.

The World Wide Web Consortium (W3C)’s security leader, Thomas Roessler, said the body has encouraged ENISA to report the issues involved to the relevant W3C working groups.

“We welcome this very timely security review by ENISA,” Roessler stated.

Growing momentum

Upcoming standards such as HTML5 have introduced new security concerns for developers, even while the standard remains a work in progress.

Momentum has been growing behind HTML5, with for instance Google introducing a Flash-to-HTML5 conversion tool in July and Adobe this week rolling out a preview of its own HTML5 development tool.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago