Recently the BBC published a short article with the frightening but vague title 'HTML 5 new target for cybercriminals', claiming that HTML5 opens browsers to new, and renovated old, 'cyber attacks'.
The article focused on HTML5 at first, but later addressed non-HTML5 security concerns -- smartphone-readable QR codes, for example.
The title tainted HTML5 a bit, in the usual mainstream journalistic (i.e., hyperbolic and semi-inaccurate) style, updating old cyber-sensationalist phrases ('because it is new, it is attractive to cybercriminals'), generalizations ('HTML5 makes some ripe for renewed exploitation'), and appeals to public decency ('I used one on a train station and it took me to a Russian porn site').
Annoying to the poor web developer, to be sure, but perhaps a bit more dangerous than earlier anti-web paranoia: HTML5 is breaking new ground in many disparate areas, and the BBC article directly attacked some of its most important advances ('much more data can be stored in the browser which means that criminals can now attack the browser to steal data').
All of which is quite unfair, says Martin Beeby:
I’m usually a fan of the BBC. They’re normally pretty insightful around technology. But this latest report pushed all my buttons. IMHO 90% of it is pure scaremongering while the other 10% is nothing new (or particularly interesting).
When you boil it down, the post makes just two points:
- Because HTML5 allows the browser to store more information it’s ripe for abuse by ‘super cookie’ wielding criminals
- Because it can integrate with GPS, it will allow nefarious types to pinpoint your location
Martin addresses both of these points, and also notes that the rest of the article misleadingly places material unrelated to HTML5 under an HTML5 headline.
Read Martin's full post for the full rant (as he calls it).
For more useful analysis of next-generation web security, however, check out this paper (which Martin also recommends).