[Security] HTML5 Web security 2011

Currently, the Hypertext Markup Language version 4.01 (HTML 4.01) is the markup language, specified by the World Wide Web Consortium (W3C) in 1999, which is the current standard for HTML [1]. This standard specifies how HTML should be used for defining web pages. XHTML 1.0 and XHTML 1.1 have basically the same functionality as HTML 4.01, except of some exclusions and extensions to HTML, but were reformulated to the Extensible Markup Language (XML) instead of the Standard Generalized Markup Language (SGML) [2]. The Hypertext Markup Language version 5 (HTML5) [3] is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1 [4]. The browser manufacturer Apple Computer, Inc., Mozilla Foundation and Opera Software ASA founded the Web Hypertext Application Technology Working Group (WHATWG) in 2004 with the intension to develop and extend new web technologies, firstly under the label Web Application 1.0 and later with the name HTML5. One of the main reasons the WHATWG was founded was because these browser manufacturers were increasingly concerned about the W3C's concept of XHTML2 [5]. The W3C was developing the XHTML2 standard during this time but stopped working on XHTML2 in 2009 to accelerate the process of HTML5 [6]. Since then the W3C and WHATWG are working both on HTML5 but maintain their own version of the specification which differ slightly in some points [7]. However, the main author, Ian Hickson, is working on the WHATWG version. Because the development of HTML5 is mainly defined by WHATWG some criticize that HTML5 is too much influenced by the browser manufacturers and too little by those who are using the web [8]. This may affect web security as well as shown in the subsequent document.

The current status of HTML5 is "Living Standard" (WHATWG) [9] respectively "Working Draft" (W3C) [3] and several browser manufacturers have already implemented numerous HTML5 features (February 2011). The candidate recommendation is planned for 2012 and the recommendation for 2022 [5]. It is possible to test which HTML5 features a browser supports using websites such as [10]. However, a W3C official said that HTML5 is not ready to be used in modern web applications because of interoperability reasons (October 2010) [11]. Because of this, the points described in this thesis may change and conditions under which an attack or countermeasure is described have to be carefully considered. Changes in the HTML5 specification may mitigate these attacks or introduce new vulnerabilities.

HTML5 provides new features to web applications but also introduces new security issues. One famous example of misusing HTML5 features is the ever cookie [12] which was discussed publicly in security news tickets [13]. This ever cookie tries to correlate user sessions using the combination of several technologies; beside the use of cookies new HTML5 technologies such as Web Storage are used for storing unique identifiers on the client browser. These security issues need to be considered as well as the new features when discussing the implementation of HTML5 web applications.

Download: HTML5_Web_Security_v1.0.pdf


Popular posts from this blog

[Hack crack] Tổng hợp Google Dork

[Security] Internet blackout scheduled in protest of SOPA