Enisa Details HTML5 Threats

ENISA, the European Union’s cyber-security agency, has published a report detailing 51 security threats in upcoming web standards, including HTML5 issues such as disabling click-jacking protection and tampering with forms.

The report covers HTML5, cross-origin communication standards such as CORS and XHR, standards for access to local data such as geo-location, and standards for local storage and widgets.

Increasing attacks

The browser now has a central place in the security world, ENISA argued, noting that the volume of web-based attacks increased by 93 percent in 2010 over 2009, with 40 million attacks per day recorded by Symantec for September 2010.

“(The browser) has become the channel through which most of our information passes. Banking, social networking, shopping, navigation, card payments, managing high value cloud services and even critical infrastructures such as power networks – almost any activity you can imagine now takes place within a browser window,” the organisation said in the report. “Even if the root cause is elsewhere, the browser is often in a position to protect the user – e.g. in combatting phishing and pharming.”

ENISA said the report’s goal is to highlight weaknesses in upcoming standards before they are set in stone.

“Many of these specifications are reaching a point-of-no-return,” said report co-editor Giles Hogben in a statement. “For once, we have the opportunity to think deeply about security before the standard is set in stone, rather than trying to patch it up afterwards. This is a unique opportunity to build in security by design.”

The threats include unprotected access to sensitive information, new ways to trigger form-submission attacks, problems in specifying and enforcing security policies and potential mismatches with operating system permission management, Enisa said.

The report also points out feature specifications that aren’t clear enough, which ENISA argued could lead to conflicting or error-prone implementations.

The World Wide Web Consortium (W3C)’s security leader, Thomas Roessler, said the body has encouraged ENISA to report the issues involved to the relevant W3C working groups.

“We welcome this very timely security review by ENISA,” Roessler stated.

Growing momentum

Upcoming standards such as HTML5 have introduced new security concerns for developers, even while the standard remains a work in progress.

Momentum has been growing behind HTML5, with for instance Google introducing a Flash-to-HTML5 conversion tool in July and Adobe this week rolling out a preview of its own HTML5 development tool.