I'll let people make up their own minds, of course, but I predict it will be a security nightmare.
A former colleague (and great friend) at Trend Micro, Bob McArdle, did a nice write-up of HTML5 called "HTML5: The Good, The Bad, and The Ugly":

http://blog.trendmicro.com/trendlabs-security-intelligence/html5-thegood/
http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-bad/
http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-ugly/

He wins my award for presenting this at the most number of conferences in 2012. :-)

Also:

"HTML5 Overview: A look at HTML5 Attack Scenarios"
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf

All are worth reading.

- ferg (not at Trend Micro anymore :-)

On Tue, Dec 4, 2012 at 12:00 PM, Stephanie Daugherty <[email protected]> wrote:
> As far as attack surface goes, the comparison between Flash and HTML5 really
> isn't a comparison.
>
> I'll take the HTML5 pain if it replaces the black box of paper thin glass
> that is Flash.
>
> On Tue, Dec 4, 2012 at 2:08 PM, Jeffrey Walton <[email protected]> wrote:
>>
>> http://www.thesecuritypractice.com/the_security_practice/2012/11/in-defense-of-html5-1.html
>>
>> Many of the broad family of specifications commonly grouped under the
>> “HTML5” umbrella are scheduled to be completed in 2013, and with the
>> release of Internet Explorer 10, the users of every major web browser
>> flavor can enjoy rich Web apps written on the open web platform, with
>> no need for plugins.
>>
>> Lots of people are excited about HTML5, but one group I don’t see as
>> particularly excited are security experts, or perhaps they’re only
>> excited in a rather cynical fashion. Full employment! Browser
>> botnets! A lifetime of conference talks! And the malediction against
>> HTML5 isn’t just coming from folks with a product to sell or a slide
>> deck to submit – HTML5 has become a common boogeyman representing
>> out-of-control complexity and vast attack surface for some of the very
>> best analysts and researchers in the field. So, although developers
>> are racing to embrace it, CISOs, CIOs and enterprise
>> security decision makers as a group seem wary.
>>
>> Frankly this puzzles and distresses me, because from my perspective,
>> HTML5 is a key part – perhaps the most important part – in one of the
>> greatest security success stories in the history of computing. The
>> story of the web browser over the last decade is the story of
>> something completely unprecedented – a tremendous increase in
>> functionality and use that happened side-by-side with a tremendous
>> decrease in vulnerability and attack surface. Don’t believe me?
>> Let’s go back a decade…
>>
>> ...
>> _______________________________________________
>> Fun and Misc security discussion for OT posts.
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Note: funsec is a public and open mailing list.

--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
