Q: “I’ve heard some web experts mention something called HTML5. I know that HTML is the code used to build websites, but I don’t know anything about HTML5. Some people have said it’s vastly different from older versions of HTML. Can you tell me more about it and any security risks it may pose?”
A: As I mentioned in my piece on the InfoSec World Conference, HTML5 is indeed a game changer.
Marc Andreessen, who helped invent Netscape, the first successful web browser, says, “HTML5 is a major step forward.”
While HTML5 can do things never before possible on the web, the security holes have not been fully addressed, so it’s important to know how you might be at risk with this new technology. Before we get into that, I want to give a little background on both HTML in general and HTML5 specifically.
HTML — and Why HTML5 Is So Different
HTML (Hypertext Markup Language) is the backbone of almost every site on the Internet.
It is a programming language that uses structural semantics to distinguish different types of text, such as paragraphs, headings, links, and quotes, along with other items you would find on a web page. HTML4 has been tweaked and stretched way beyond its initial scope to bring high levels of interactivity and multimedia to websites through plugins like Flash, Silverlight, and Java.
HTML5 is the next major revision of HTML.
HTML5 adds many new features and streamlines functionality so that add-ons are no longer necessary for many common functions. Also, websites will be able to use the same content across all devices, including smartphones, e-readers, tablets, and laptops.
So what will HTML5 do for you? With HTML5, uploading videos to YouTube or finding a store on your smartphone will be easier. You will be able to have a rich Internet experience on a lightweight, portable platform. You won’t have to worry about installing another plugin just to listen to a song embedded in a blog or watch a video.
HTML5 is also a big deal for iPhones and iPads, which don’t support Flash.
New HTML5 Features
Let’s dig a little deeper into these new functionalities of HTML5:
New Audio and Video Elements: HTML5’s most touted features include audio and video playback. Until fairly recently, what you could view with your web browser was limited to static text and static images. Flash, created by Adobe, changed everything by allowing browsers to display rich, dynamic and interactive audio and video content. The rise of Flash over the last few years has largely been an attempt to overcome limitations of what previous versions of HTML allowed. But Flash only works with plug-in applications, and HTML5 could change all that. HTML5 lets sites directly embed media with simple HTML tags: <audio> and <video>. While there currently is a lot more functionality that can only be created in Flash, HTML5 does not need any plug-ins to function.
Offline Web Functionality: HTML5 allows you to interact with web applications and documents even when you are not using a network connection. For example, you would be able to access email locally without having to connect to the Internet, or create a Google document while offline. These would automatically sync the next time you go online.
Geolocation: Your IP address used to be how websites figured out your location. With HTML5’s geolocation feature, websites can now use Wi-Fi towers and GPS to determine your location.
That last one sounds a little scary, right? Let’s look at some of the security concerns with HTML5.
Security Vulnerabilities of HTML5
As HTML5 takes over the web, security experts have warned that it will bring new vulnerabilities.
For example, some researchers have argued that because any website using HTML5 can access a user’s computer without the user’s explicit permission, a hacker could create a fake log-in page to a social networking or e-commerce site, and then use this page to steal the user’s login information. Also, some of the new features come with huge security holes. Before HTML5, an attacker had to steal cookies off a user’s machine and decode them before accessing a user’s Gmail account. With HTML5, the hacker only needs to gain access to the user’s web browser, where Gmail stores a copy of the user’s inbox.
Likewise, with geolocation, an attacker can determine your location without your knowledge.
While browser security experts are attempting to fix these vulnerabilities, whether they can do enough to secure HTML5 remains to be seen. In truth, it could be years before the security implications of HTML5 will fully be known.
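The concern above about a web app keeping a copy of the inbox in the browser can be checked from the defender's side. The JavaScript below is an added example, not part of the original column: it scans a Web Storage object (such as `localStorage`) for values that look like tokens, email addresses or credentials. The patterns, the `fakeStorage` helper and the sample entries are constructed assumptions.

```javascript
// Added example: audit what a page keeps in browser storage, since anyone
// (or any script) with access to the browser can read it.
// Patterns and sample data are constructed for illustration.
const PATTERNS = [
  { label: 'jwt-like token', re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/ },
  { label: 'email address', re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/ },
  { label: 'credential field', re: /"(?:password|passwd|secret|session)"\s*:/i },
];

// `storage` is anything with the Web Storage shape (length, key(i), getItem(k)),
// so window.localStorage or window.sessionStorage can be passed in directly.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    for (const { label, re } of PATTERNS) {
      if (re.test(key) || re.test(value)) {
        // Report the key and size only, never the sensitive value itself.
        findings.push({ key, label, chars: value.length });
      }
    }
  }
  return findings;
}

// Hypothetical in-memory stand-in for Web Storage so the audit runs outside a browser.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    length: keys.length,
    key: (i) => keys[i] ?? null,
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample: what an offline-capable mail app might cache locally.
const sample = fakeStorage({
  'ui.theme': 'dark',
  'auth.token': 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl',
  'mail.cache': JSON.stringify([{ from: 'alice@example.com', subject: 'Q3 numbers' }]),
});

console.log(auditStorage(sample));
```

In a browser, calling `auditStorage(window.localStorage)` from the developer console runs the same check against a real site's stored data.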