Over a million developers have joined DZone.

McAfee Makes HTML5 and Chrome OS Look Scary

DZone's Guide to

McAfee Makes HTML5 and Chrome OS Look Scary

· Web Dev Zone ·
Free Resource

Jumpstart your Angular applications with Indigo.Design, a unified platform for visual design, UX prototyping, code generation, and app development.

Many web users and developers think that the HTML5 spec was long overdue when browsers first started using it.  Web standards for audio, video, and other dynamic web apps are desirable for many in the online community.  In stark contrast to those sentiments, McAfee's recent "2010 Threat Predictions" describe HTML5 as if it were a form of cancer.  To the not-so-web-savvy, the predictions may seem like an indictment of the HTML5 spec and Google's Chrome OS, which was another focus of the threat rundown.  McAfee says, "HTML 5 will blur the line between desktop and online applications.  This, along with the release of Google Chrome OS, will create another opportunity for malware writers to prey on users."  BusinessWeek took McAfee's statements
and ran with it, spreading more concern over Chrome OS and HTML5.

When you dive deeper into McAfee's threat predictions, there's no hard data or explanation behind the broad assertions they make:

"With the technological advances brought on by HTML 5, the web will undergo a dramatic upgrade that will change the way web application developers and hackers are able to interact with their “target market.” HTML 5 holds all the promises that today’s web community seeks—primarily blurring and removing the lines between a web application and a desktop application. HTML 5–based attacks will become even more tempting once the Google Chrome Operating System is released. (It’s scheduled for second half of 2010.) Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich Internet experience, but also offline applications."

It's true that the Chrome OS will be geared towards web applications, so conceivably it might be more vulnerable to malware via the internet.  However, many of the major browsers already support HTML5, meaning the threat is not just a Chrome OS problem.  BusinessWeek's article makes HTML5 seem like a peripheral technology, and Chrome is the only thing mentioned in association with it: "The Web-based operating system, dubbed Chrome, relies on a technology known as HTML 5 that's designed to help Web applications behave like PC software."  The McAfee document mentions the other browsers that use HTML5, but it uses the wide adoption of the spec as another reason for concern: "Another motivation for attackers is HTML 5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers."  What could be the most alarming aspect to an internet layman is BusinessWeek's other statement: "The HTML 5 technology intended to power Google's forthcoming computer operating system can access a PC online or off."  The sub-headline might lead someone to believe that with HTML5, their computer is now vulnerable at all times, which may not be the case.

McAfee might be referring to vulnerabilities in HTML5's client-side storage solution, but we can't really be sure without more explanation by them.  An old white paper shows that there are some security issues surrounding the client-side storage in HTML5:

"First of all, due to the absence of the ability to set an expiration date, if a session storage object is saved on the user’s machine, not being deleted when necessary, and the user continues to surf on the Internet using the same window, that object will be recoverable many hours or even days after it has finished its usefulness… The freedom in global storage to set the domain name and access the storage data could cause an unwanted leak of data.
It’s quite obvious with the passage of time that the attack surface for web applications will grow.  HTML 5 structured client-side storage is a powerful instrument for web developers, but introduces new relevant risks."

Some of the risks in the white paper were:
  • Attack Automation: HTML5CSdump
  • Cross-directory Attacks
  • Cross-domain and Cross-port Attacks
  • Client-side SQL Injection Attacks
  • One Shot Attacks

Users reading McAfee's document and BusinessWeek's article might want to stay away from HTML5, but some might not realize that it's already here.  There's a lot of motivation for browsers to implement more of the HTML5 spec as it evolves.  Non-standard technologies like Flash Player can be just as vulnerable.  The attack surface is growing for web applications in general, not just for Chrome OS.

Take a look at an Indigo.Design sample application to learn more about how apps are created with design to code software.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}