GEORGE NEVILLE-NEIL: Stored procedures are a clever idea on a database, but they are a terrifying idea in a client.

kinds of other crazy stuff. That’s huge because plugins have proved to be major sources of security vulnerabilities. The missed opportunity, though, is that HTML5 fails to address some long-standing Web security issues such as cross-site scripting, clickjacking, and cross-site request forgery. HTML5 developers just sort of punted on all that. Then they added the sandbox tag as a kind of Band-Aid to be able to say they had done their bit to provide for Web security. I could go on. There are many examples of how I think HTML5 is going to make browser security much worse.
GN-N: My experience with cross-site scripting and cross-site referral forgery has been that the only real way to deal with it is to handle it on the server. This generally means drilling into the heads of the people who are using the server-side code that what they need to be doing is to make sure those exploits don’t happen again.
Clickjacking is something else altogether. Right now it’s probably the exploit most likely to pay off in a big way for the bad guys, whereas cross-site scripting and cross-site referral hijacking are more what you would expect from someone who is just trying to cause trouble.
Most of Facebook’s security effort is expended on preventing clickjacking, and it’s certainly not alone in that. In fact, I think that’s really the new frontier, and I don’t think HTML5 is going to address that.
JG: That could have been addressed, but as it stands, HTML5 has no security model for safely incorporating third-party data or code into your website. That model is supposed to come later with something called “cross-site security policy” or “cross-site content security policy.” Even then, it will still be separate from HTML5.
As for Facebook, clickjacking is only an issue because Facebook is looking to track you around the Web. That aspect of clickjacking is going to remain unfixable since what Facebook really wants is to put Like buttons on everybody’s pages. You can always clickjack something that’s meant to be framed. On its own website, Facebook has already more or less fixed the clickjacking problem.
GN-N: Of course, it’s not just Facebook that’s looking to put some sort of button everywhere.
JG: That’s right, and that’s why one of the briefings at the most recent BlueHat conference described a new solution that involves putting anti-click-