Report from the InfoSec World Conference: Game-Changing HTML5 Will Alter Browser Security


I spent much of last week at the InfoSec World conference. (Here’s a tip: Never go to Orlando during school spring break…)

InfoSec is for security professionals. Most of the attendees work for large organizations and are responsible for protecting digital assets for their companies. They have a tough, tough job.

When I first got into computing in the late 1960s, digital information security mostly meant keeping unauthorized people out of the glass-walled computer room. The mainframe computers sat in air-conditioned comfort, and the main threat was that someone would steal a reel of tape with customer lists, or whatever.

The “terminals” were nothing but screens and a keyboard, and were hardwired directly to the computer over leased phone lines.

Think of what these people are up against now. Any Army Private can (allegedly) download half our country’s secrets and walk out with them on a Lady Gaga CD. A retail chain can get hacked via wifi from the parking lot and lose 45 million credit card numbers. Laptops with huge amounts of confidential information are forever getting lost or stolen.

And then we have the Internet. That wondrous facility that cross-connects practically every person and every computer on the planet, offering endless opportunities for subterfuge.

How do you know who, or what, is at the other end? How do you prevent the theft of information or corruption of your operations (think Stuxnet and Iran)? Or even someone bringing down the entire Internet?

Amidst all this, the most entertaining speaker was Marcus Ranum. Besides having a delicious sense of humor, he also has been around long enough to have an interesting perspective and draw illuminating parallels.

Marcus started off making this point: “We are still suffering from two decisions made in the 1980s.” One was to distribute processing off the mainframes, which had very robust security, onto remote servers (called minicomputers at the time), which were, and still are, far less secure. The other was to rely on Windows for “personal computing,” which had no security whatsoever at the time. Microsoft has been scrambling ever since to retrofit security, but we are all still suffering from the original weakness.

However, that is just a preview of the much more serious problems we will experience in the next ten to fifteen years, when we will have to live with our current practices and decisions, such as:

  • Outsourcing: Critical data is in far away, poorly paid hands.
  • Having so much critical information on highly insecure mobile devices.
  • Less rigorous software development and testing methodologies.
  • Decentralized databases, which are inherently less secure than the old glass-walled computer center.

And here are two quotes — one scary, one funny — from Marcus’ presentation:

  • Scary quote: “As systems become more complex, our ability to understand what will happen if something goes wrong approaches zero.”
  • Funny quote: “Evolution is a ridiculously inefficient mechanism for progress. In order for it to work, billions have to die.”

The Dark Side of HTML5

Ming Chow, Lecturer in the Department of Computer Science, Tufts University, gave a very interesting presentation on HTML5. HTML is the primary language for building websites, and Version 5 is nearing completion. He demonstrated some of the cool things that can be done in HTML5, but then started on the dark side.

HTML5 changes the game. Strictly speaking HTML is still a markup language, but the JavaScript APIs that ship under the HTML5 banner (local storage, client-side databases, canvas, geolocation, sockets) turn the web page into a full-fledged application platform with incredible power. It takes HTML way beyond making websites look pretty.

For example, with HTML5 a website can now store large amounts of data on your device: key/value data in localStorage, which never expires on its own, and, in browsers that implemented the Web SQL Database API (on which the W3C stopped standardization work in late 2010), full SQL databases.

Most of us are just coming to understand what simple cookies can do to us in terms of being tracked, and we ain’t seen nothin’ yet…
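To make the tracking point concrete, here is an added example (not from the presentation or the article) of the “respawning” identifier pattern that HTML5 storage makes possible: a site keeps a visitor ID in both a cookie and localStorage, and silently rebuilds whichever copy the user deletes. The `cookies` and `storage` objects are in-memory stand-ins for `document.cookie` and `window.localStorage` so the code runs outside a browser; `getOrCreateVisitorId`, `demo` and the key name `visitor_id` are illustrative names chosen for this example.

```javascript
// Added example: a visitor identifier that survives "clear cookies" by hiding a
// second copy in HTML5 localStorage and restoring the cookie from it.
// Assumptions (not from the article): `cookies` and `storage` are in-memory
// stand-ins for document.cookie and window.localStorage.

// Minimal stand-in for window.localStorage (same getItem/setItem/removeItem/clear shape).
// Real localStorage is scoped to the site's origin and has no expiry at all.
function makeStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
    clear: () => { items.clear(); },
    get length() { return items.size; },
  };
}

// Throwaway 64-bit hex identifier; randomness quality is irrelevant for the demonstration.
function newId() {
  return Array.from({ length: 16 }, () => Math.floor(Math.random() * 16).toString(16)).join('');
}

const KEY = 'visitor_id';

// Respawning tracker: read the ID from whichever store still has it, then write it
// back to BOTH, so deleting cookies alone changes nothing from the site's point of view.
function getOrCreateVisitorId(cookies, storage) {
  let id = cookies.getItem(KEY);
  if (id === null) id = storage.getItem(KEY);
  if (id === null) id = newId();
  cookies.setItem(KEY, id);
  storage.setItem(KEY, id);
  return id;
}

// What most people do ("clear cookies") versus what actually breaks the link
// (clear every kind of site data, localStorage included).
function clearCookiesOnly(cookies) { cookies.clear(); }
function clearAllSiteData(cookies, storage) { cookies.clear(); storage.clear(); }

// Walks through both scenarios and reports the outcome.
function demo() {
  const cookies = makeStorage();
  const storage = makeStorage();
  const first = getOrCreateVisitorId(cookies, storage);

  clearCookiesOnly(cookies);
  const afterCookieClear = getOrCreateVisitorId(cookies, storage);

  clearAllSiteData(cookies, storage);
  const afterFullClear = getOrCreateVisitorId(cookies, storage);

  return {
    respawned: afterCookieClear === first, // true: the cookie came back from localStorage
    brokenLink: afterFullClear !== first,  // true: only wiping all storage gives a fresh ID
  };
}
```

The practical lesson for a user is that “delete cookies” is no longer the same thing as “forget me”; for a developer building a privacy-respecting site, it is that anything written to localStorage should be treated with at least the same care as a persistent cookie, because it has no expiry and most people do not know it exists.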

Challenging Web Browser Security

Scripts in web pages run in browsers, just as programs run in operating systems. One of the functions of an operating system is to make sure that programs can’t do anything they are not supposed to do, either intentionally or unintentionally.

Well, what is happening now is that HTML5 has changed the role of the browser from a simple web navigation tool into something much closer to an operating system. But browsers were never designed with the security protections that an operating system needs. And it is very hard to retrofit security as an afterthought — just ask Microsoft, which has spent vast sums trying to shore up security on Windows.

With HTML5, do you realize that every time you visit a website, you are potentially ceding control of your laptop, tablet, or phone to someone else? Frankly, I think no one knows what that will mean and where it will lead.


Kent Lawson

Kent Lawson is the CEO & Chairman of Private Communications Corporation and creator of its flagship software PRIVATE WiFi. He combined his extensive business and technical experience to develop PRIVATE WiFi in 2010. The software is an easy-to-use Virtual Private Network (VPN) that protects your sensitive personal information whenever you’re connected to a public WiFi network. Follow Kent on Twitter: @KentLawson.

5 Responses

  1. James Tait says:

    Correction to this article: I didn’t present the HTML5 session at InfoSec World. I was originally supposed to present but was required to cancel.

    • Kent Lawson says:

      Apologies to James Tait. I took the presenter’s name from the conference program, and did not catch the change in presenters, because I arrived at the session a few minutes after it started.

  1. May 9, 2011

    […] couple weeks ago I attended the InfoSec conference, and one session was entitled “Things That We Trust That We Shouldn’t”, by Chris McNab, […]

  2. August 15, 2011

    […] I attended the InfoSec conference, there was one particularly insightful session — “Things That We Trust That We […]

  3. December 5, 2011

    […] As I mentioned in my piece on the InfoSec World Conference, HTML5 is indeed a game […]
