jacking stuff in the browser. But, again, all that work is separate from HTML5.

GN-N: What else concerns you about HTML5?

JG: Are you familiar with the use of session storage as an alternative to cookies? Basically, some Web programmers are starting to put actual executable JavaScript code into local storage in addition to data. That way, when the page loads, they can just eval that code directly rather than having to make a network call, because that gets them a performance win.

Of course, the bad guys find this attractive. If they cross-site script the site that loaded that code, they’ll be able to backdoor the application and thus enjoy permanent access to any client that thing happens to get loaded onto, since that backdoor code will always run.

GN-N: Stored procedures are a clever idea on a database, but they are a terrifying idea in a client.

JG: Even once you become aware of the exploit, backing out of it will be all but impossible. You certainly wouldn’t be able to override it from the server. So while the HTML5 guys will say they haven’t increased the attack surface, I don’t think they actually know yet what all the implications are going to be.

GN-N: This would really simplify the distribution of something that looks an awful lot like a virus.

JG: It really does, but that isn’t obvious yet since use of HTML5 in that way still isn’t particularly widespread. Give it a few years, though, and it will be everywhere, because it really is a lot faster.

GN-N: This tells me that the browser vendors ought to include a feature that lets you flush an application’s program space—perhaps not from the server, but the user ought to be able at least to flush a bad application. And now I’m suddenly picturing virus scanners that run in your browser.

JG: Oh, yeah, that’s definitely going to be the case.

BL: Even then, ensuring data integrity is not going to be easy. If you have complex data structures, who’s to say some of those haven’t been affected in some subtle ways?

JG: I think what the browser vendors have done—knowingly or unknowingly—is to turn the browser into a new operating system.

GN-N: Well, Chrome isn’t called Google Chrome OS for nothing, you know.

JG: That’s right. Actually, within that sandbox there’s not all that much security buffer between applications.

GN-N: We keep ripping on HTML5, but is there anything people might be able to do to provide for a better and safer user experience?

JG: Well, let’s be clear: if you are using any modern browser, you are going to end up using HTML5. There’s no way to turn it off in your browser since it’s not a feature. It’s HTML. You can’t turn off HTML in the browser.

GN-N: I wasn’t actually thinking in terms of turning off HTML5, although it’s an interesting notion. In any event, I don’t think the typical user ever turns off anything. It’s up to the client and server application developers to build things in such a way that, even in the face of a wide-open browser, the user won’t end up getting abused constantly.

JG: I can share how I try to protect myself and how I’ve instructed my mom to do it. Take two browsers—any modern browsers that have been updated will do. The important thing is to have two of them so you can compartmentalize risk. The first of these will be the primary browser, the one you use for all your promiscuous browsing—read the news, visit your favorite websites, click on the links in your Twitter feed, and whatever else you feel tempted to do. But don’t ever use the primary browser to do anything with online accounts you consider sensitive or important.

If you’re using Chrome or Firefox, you should also turn on ad blocking and tracker blocking as extensions in the browser. That’s not just for sanity purposes, but also to prevent a whole lot of malware, which often ends up getting propagated over advertising networks. Bonus points if you run in incognito or private mode. That might save you a little bit of privacy as well. Another thing you should do is to block plugins from playing by default. You can run them whenever you want to with a right click, but don’t let them automatically run. Generally, when you get infected with a virus or a piece of malware, it’s because of some invisible plugin that runs automatically.

Your secondary browser is the one you want to fire up only when it’s time to do online banking or online shopping or anything involving a credit card number, an account number, or anything else you want to protect. Once you have fired up that browser, get in and do what you need to do quickly, and then close that thing down.
Related articles on queue.acm.org

Building Secure Web Applications
George V. Neville-Neil
http://queue.acm.org/detail.cfm?id=1281889

CTO Roundtable: Malware Defense Overview
Mache Creeger
http://queue.acm.org/detail.cfm?id=1734092

Java Security Architecture Revisited
Li Gong
http://queue.acm.org/detail.cfm?id=2034639

© 2013 ACM 0001-0782/13/01