James Delahunty
3 Dec 2011 8:23
HTML 5 will solve some security problems, and create new ones.
HTML 5 promises to allow the Internet to finally do away with plug-ins such as Adobe Flash and Java, which have been rife with security vulnerabilities over their lifespan. Plug-ins are used with browsers to add great functionality than is allowed by HTML, Javascrpt and so forth, such as embedding videos, games and other interactive content.
HTML 5 is built with such functionality in mind, and is being tinkered and developed with during the rise of Cloud services, which increasingly demand more from web browsers. Google's mail service, for example, uses HTML to allow users to perform tasks such as dragging and dropping files and contents into messages.
The emerging web standard also has a bright future in the mobile phone space. Adobe recently abandoned development of Flash for mobile devices, admitting that HTML 5 provided a much better solution and also enjoys industry-wide support.
However, HTML 5 also means that web browsers will be storing much more data than they currently do, and that gives cybercriminals every incentive to target it, according to James Lyne, director of technology strategy at Sophos.
"This is potentially going to be quite painful," he said. "It is more than a web language. Much more data can be stored in the browser which means that criminals can now attack the browser to steal data."
HTML 5 is also built with support for mobile features, such as GPS, and currently the permissions systems that govern who has access to this kind of data are "poorly defined." If a mobile browser has permission to access this data, then that could put location information at risk.
"Some sites, such as Google Maps, you might be happy to know where you are while others you wouldn't want to know your location."
QR codes are also becoming a target, as more consumers are using QR codes to obtain information. QR codes are posted in public (on movie posters, at train stations for time tables etc.) and cybercriminals are already using low-tech attacks, such as covering a legitimate QR code with a nefarious one.
"I used one on a train station and it took me to a Russian porn site," said Mr Lyne.
The use of NFC to pay for items also turns mobile phones into digital credit cards, according to Lyne, and therefore a very attractive attack vector.