HTML5 security: Can HTML5 replace Flash to enhance Web security?

Source: Internet
Author: User

Although Flash is installed on almost every computer connected to the Internet (Adobe's player has long been the de facto Web multimedia format), it looks likely to be replaced soon by the new HTML5 standard. According to Adobe, "HTML5 is now widely supported by mainstream mobile devices and is the best solution for creating and deploying browser content for mobile platforms."

For attackers targeting enterprises, this is undoubtedly bad news. In recent years, Flash has been a primary target for malware authors. According to the security research company WhiteHat Security Inc., Flash Player-related vulnerabilities accounted for about 14% of the Web application vulnerabilities it found.

Is the disappearance of Flash good news for security? Will HTML5 replace Flash? If so, is HTML5 more secure than Flash? How should security personnel prepare for deploying HTML5 Web content? These are the questions discussed below.

HTML5 is backed by many Internet giants, including Facebook, Google, and PayPal. It is becoming the Internet video standard of the future and will replace non-standard formats such as Flash and Microsoft's Silverlight. Flash is a binary multimedia content format: it uses the object-oriented language ActionScript and requires the Adobe plug-in to be installed. HTML5, by contrast, is an open markup language whose applications run without any plug-in. Removing the proprietary video plug-in closes off a common attack vector. Because HTML5 fixes ship with browser updates, they reach users far faster than plug-in updates do. However, HTML5 has broader access to computer resources, including local data storage, and so becomes a new potential attack target.

My main worry with HTML5 is that developers will rush to add its features to their websites before they fully understand those features and their security mechanisms. For example, Cross-Origin Resource Sharing (CORS) lets a Web server allow pages from other domains to access its resources. CORS relaxes the Same-Origin Policy, one of the basic security measures built into Web browsers. Unless developers understand how CORS works, they can easily make incorrect assumptions that let attackers reach the shared content. HTML5 cross-document messaging has the same problem: used correctly it is safe, but if developers do not verify that a message originates from their own site, malicious code on another site can send forged or rogue messages to the page. The basic security principle is that data arriving from the browser must be treated as untrusted and validated. During Web application development, review the existing validation and filtering steps, because new HTML5 elements and attributes may produce unexpected results there. Whitelist-based filters built into the application are the more robust choice.
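As an added example (not code from the original article), the two allowlist checks the paragraph calls for: a server-side CORS response that never reflects an arbitrary Origin, and a client-side message handler that checks event.origin before trusting the payload. The origins and message shape are constructed sample values.

```javascript
// Added example, not from the original article. Origins below are constructed.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);

// Server side: choose CORS response headers for the request's Origin header.
// Only an allowlisted origin is echoed back; an arbitrary Origin is never
// reflected, and "*" is never combined with credentials.
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) {
    return null; // no CORS headers: the browser blocks the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stops caches serving one origin's answer to another
  };
}

// Client side: a cross-document message handler that checks event.origin
// before looking at event.data. Returns the accepted payload or null.
function acceptMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  // The payload is untrusted input: require a known shape and copy only
  // the expected fields, dropping anything extra.
  if (typeof data !== "object" || data === null) return null;
  if (typeof data.type !== "string" || typeof data.value !== "string") return null;
  return { type: data.type, value: data.value };
}

// In a page this is wired up as:
// window.addEventListener("message", (e) => { const m = acceptMessage(e); if (m) { /* handle m */ } });
```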

Any technology can open security holes when developers bend it away from its original purpose. For example, the HTML5 Web Storage standard gives developers a more flexible way than cookies to store data in the browser. Storing sensitive user data there carries obvious risk, since it is exposed to cross-site scripting (XSS). Yet some websites already use Web Storage to cache scripts in order to speed up page loading. For example, to save time and bandwidth, the former Web service Apture used a localStorage object to cache its application logic code; any page in the same domain as those scripts that had an XSS vulnerability could be exploited to inject malicious code into the cache. Through the Apture service, that code could turn the flaw into a persistent client-side XSS attack affecting every domain using the service. Pulling data or scripts from a third party creates an implicit trust relationship. Developers must recognize this risk and know how to review such content before putting it on the website.

Other errors appear when a technology is stretched beyond its original scope. HTML5 is asynchronous by design, but developers can use JavaScript to force synchronous behaviour. If a transaction must receive a response before moving to the next state, carefully check the business-logic controls to ensure that operations such as database transactions are processed in the correct order.

The security team also needs to understand the WebSocket API, which lets a page hold an open connection to the Web server instead of the browser repeatedly polling for the latest data. The server sends data only when new data appears, reducing traffic between server and browser. However, WebSocket bypasses many important network security controls, including traditional header inspection: a firewall that blocks suspicious traffic by checking request headers cannot see inside a WebSocket stream, and reputation-based defenses are affected too. This pushes the load onto deep content inspection on the firewall, because only deep content inspection can process WebSocket traffic and check the content, structure, and usage of the messages. So once again, whitelist filtering is the more effective approach.
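As an added example (not from the original article), one form the whitelist filtering mentioned above can take in the application itself: a validator applied to every JSON message arriving over a WebSocket before any handler runs. The message types, field names and size limit are constructed for illustration.

```javascript
// Added example, not from the original article. Schema and limits are constructed.
const MESSAGE_SCHEMA = {
  subscribe: { channel: "string" },
  unsubscribe: { channel: "string" },
  ping: {},
};
const MAX_MESSAGE_BYTES = 1024;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns { ok: true, message } for an accepted message (a fresh object holding
// only the allowlisted fields) or { ok: false, reason } for anything else.
function validateWsMessage(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "non-text frame" };
  if (raw.length > MAX_MESSAGE_BYTES) return { ok: false, reason: "too large" };
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return { ok: false, reason: "not JSON" };
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ok: false, reason: "not an object" };
  }
  // hasOwn() keeps inherited names such as "constructor" from matching a type.
  if (typeof parsed.type !== "string" || !hasOwn(MESSAGE_SCHEMA, parsed.type)) {
    return { ok: false, reason: "unknown type" };
  }
  const fields = MESSAGE_SCHEMA[parsed.type];
  const message = { type: parsed.type };
  for (const [name, expectedType] of Object.entries(fields)) {
    if (typeof parsed[name] !== expectedType) {
      return { ok: false, reason: `bad field ${name}` };
    }
    message[name] = parsed[name];
  }
  // Fields outside the schema are rejected rather than silently passed on.
  for (const name of Object.keys(parsed)) {
    if (name !== "type" && !hasOwn(fields, name)) {
      return { ok: false, reason: `unexpected field ${name}` };
    }
  }
  return { ok: true, message };
}
```

Running the validator in the server's message handler means only messages of a known type, with exactly the expected fields, ever reach application logic.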

The HTML5 standards bodies and browser vendors have put real thought into eliminating certain security and privacy problems. However, HTML5 is not yet a finalized standard, and for developers unfamiliar with writing secure code it is certainly not an inherently secure multimedia Web technology. Even developers who can write secure code still have to contend with online fraud, malware, and denial-of-service attacks. Replacing an existing website application with HTML5 code is a big change, and there are always problems. Before implementation, test the rollback procedure fully and begin with a few important functions. To further defend against attacks, I recommend upgrading your website to HTTPS.

Penetration testing is required for any HTML5 development. In addition, complex front-ends built with HTML5 must be tested to confirm that they behave as required. Attackers will certainly probe the new functions and data formats that browser vendors implement, including their attributes, looking for buffer overflows and other exploitable coding errors. This means security teams and developers must track vendor updates so that patches are applied and vulnerabilities fixed as quickly as possible.

HTML5 means developers can now implement multimedia features on their websites using open standards, a big step forward from third-party plug-ins. If developers invest enough time to learn how to use the new features securely, the security industry can expect a richer and safer Internet. History suggests that will not happen on its own, so strong perimeter defenses and penetration testing remain necessary.
