I wrote about browser evercookie privacy back in January of this year (2011). This got me thinking about HTML5 and whether there are any privacy and security issues we should be aware about. Plugins like Flash, ActiveX and Silverlight to name but three may not stand the test on performance and security grounds. Roll in HTML5.
HTML5 allows for some smart interactivity within the browser in particular Web video and animations (anyone at Adobe worried about this development?), so what about the privacy and security concerns? Here are some security and privacy issues worth thinking about:
- Evercookie worm – gathers client user surfing habits. These cookies are stored in over a dozen places throughout a system. This means that a user cannot just find and clean/remove every cookie in one browser folder.
- HTML5 will also allow e-commerce websites to detect your user online activity from shopping carts – in affect more data about your surfing behaviour. This will be stored in the ‘key-value database’ – so expect more data to be collected about your surfing habits.
- Some/all of this data will be stored in Web Storage APIs – a cross site scripting (XSS) threat comes to mind here.
- ‘Allow-origin’ allows for domain sharing – cross domain will be a file vulnerability. The tech people among you will understand what I’m saying.
- Browser bugs will be common place – i.e. spoofing a URL using the ‘Origin List’. Spoofed headers also open the door to new attack vectors. Cannot help but think about browser plugins here 🙁 Will it be the same with HTML5? Most likely.
- Buffer overflows and security bypassing are two possible problems. HTML5 stores more data in the browser and in most instances it will assume that the content from the domain is always legitimate – well, let me tell you, hackers will look to exploit this vector!
- Cache polling is also another issue – this allows for a hacker to retreive a persons last location, including time and geolocation cache API.
- Malware will scan not just the hard disk but the browser stores – more user experience will inevitably lead to exposure of personal identifiable information being exposed.
- Attackers will look for the buffer overflows and coding bugs to exploit with their malware. HTML5 remote services are registered as content handlers, so I believe users should be warned by the browser about this service immediately.
TIP: If you use Firefox, then I’d suggest you use the TrackerBlock add-on if you want to manage and control the HTML5 supercookies on your system. Once installed, click on the HTML5 storage TAB and click ‘Remove All Objects’ which will delete the HTML5 cookies.
The European Network and Information Security Agency (ENISA) recently created a 61 page PDF ‘A Security Analysis of Next Generation Web Standard‘ – this is worth a read if you are interested in learning more about the security issues surrounding HTML5. They identified 50 security flaws with HTML5!
Safe surfing folks!