November 16th, 2010

HTML5: What’s the catch, and are you ready for it?

You’ve undoubtedly heard about the power and enhanced functionality of the new HTML5 web standard, but are you aware of the serious privacy concerns with which web designers, developers and users will have to contend?

HTML5 offers unparalleled sophistication for web technology, and with Microsoft’s upcoming Internet Explorer 9 supporting the HTML5 and CSS3 web standards, it is likely more websites will use it. Unfortunately, while HTML5 can be used to implement some truly eye-popping designs and functions, serious risks may be lurking behind-the-scenes.

What security problems could HTML5 create? Read more to find out.

Background

The web has evolved from static to increasingly active and interactive. Early websites were unchanging, collections of pages simply to be viewed. Then they became entities that could grow and change, as with blogs. Now, the web is a destination for people to interact (with sites like Facebook) and accomplish (as in online office suites and financial management sites).

HTML stands for Hyper Text Markup Language; it is the central web programming language used to create and implement websites of any stripe. The ability of HTML4 – the current predominant version – to support the increasing demand is limited, whereas HTML5 can enrich sites in a number of ways:

  • Significantly boosted functionality. As one example among many, with HTML5 Google Docs can enable simple drag-and-drop tools. (1)
  • Powerful visual and design features. To illustrate, Brad Neuberg demoed beautiful, browser-based, 3-D slides at the Future of Web Apps conference in London earlier this month. (2)
  • As an alternative to buggy, insecure and proprietary web technologies. HTML5 can replace most of the functionality currently enabled by Adobe Flash and Microsoft Silverlight.

The new web standard opens the door to power and polish previously reserved solely for desktop applications. Web designers and developers alike will have a plethora of exciting new tools to use.

Supercookies
Unfortunately, power – as always – is a double-edged sword. In the words of Pam Dixon, Executive Director of the World Privacy Forum, “HTML5 opens Pandora’s box of tracking in the Internet.” (3)

As if to prove this point, California hacker Samy Kamkar used HTML5 to create what he calls an “Evercookie,” which The New York Times dubbed a “Supercookie.” (4) Like current cookies, which store basic information for websites like user name and preferences, these supercookies comprehensively track a user’s web habits. Additionally, supercookies are:

  • Potent surveillance tools that can be employed by marketers and third-parties
  • Highly functional instruments that can gather an array of personal data about web usage
  • Extremely difficult to remove, as the data is stored in multiple locations on a person’s computer

Concerns Overblown?

It remains to be seen how HTML5 will affect the security landscape of the web. According to developers and representatives of the World Wide Web Consortium, they take privacy and security fears seriously and make a proactive effort to balance them with the speed and power afforded by HTML5. (5)

It should also be noted, privacy concerns are nothing new. Facebook is plagued by them daily. Most browsers come with inadvertent built-in vulnerabilities that must be patched continually. Plus, the current generation of web technology – like Flash – suffer from their share of security worries.

So, is the concern over HTML5 overblown? Share your thoughts in the comments.

REFERENCES
(1) Simon Mackie, “Why HTML5 Web Apps Are Going To Rock Your World,” http://gigaom.com/collaboration/why-html5-web-apps-are-going-to-rock-your-world/
(2) Brad Neuberg, “Internet Explorer 9 Platform Preview Fact Sheet,” http://blog.codinginparadise.org/2010/10/3d-slides-built-with-html5-css3-and-svg.html
(3) Tanzina Vega, “New Web Code Draws Concern Over Privacy Risks,” http://www.nytimes.com/2010/10/11/business/media/11privacy.html
(4)   Ibid.
(5)   Ibid.
blog comments powered by Disqus