Let's see here.  Of the "bad", iframe sandboxing is a straight-up security
technology, cross-site scanning has been around since time began (<img src="
http://1.2.3.4:8123/foo.jpg" onload=x onerror=y> and then check millis in x
and y), web notifications are a slightly more usable window.open,
geolocation is consent based in the way geolocation of IP addresses is not
and can never be, and... form tampering?  In what universe can JavaScript
not alter forms?


On Tue, Dec 4, 2012 at 12:20 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:

> I'll let people make up their own minds, of course, but I predict it
> will be a security nightmare.
>
> A former colleague (and great friend) at Trend Micro, Bob McArdle, did
> a nice write-up of HTML5 called "HTML5: The Good, The Bad, and The
> Ugly":
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/html5-thegood/
> http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-bad/
> http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-ugly/
>
> He wins my award for presenting this at the most number of conferences
> in 2012. :-)
>
> Also: "HTML5 Overview: A look at HTML5 Attack Scenarios"
>
> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
>
> All are worth reading.
>
> - ferg (not at Trend Micro anymore :-)
>
>
> On Tue, Dec 4, 2012 at 12:00 PM, Stephanie Daugherty
> <sdaughe...@gmail.com> wrote:
>
> > As far as attack surface goes, the comparison between Flash and HTML5
> > really isn't a comparison.
> >
> > I'll take the HTML5 pain if it replaces the black box of paper thin glass
> > that is Flash.
> >
> >
> >
> >
> > On Tue, Dec 4, 2012 at 2:08 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> >>
> >> http://www.thesecuritypractice.com/the_security_practice/2012/11/in-defense-of-html5-1.html
> >>
> >> Many of the broad family of specifications commonly grouped under the
> >> “HTML5” umbrella are scheduled to be completed in 2013, and with the
> >> release of Internet Explorer 10, the users of every major web browser
> >> flavor can enjoy rich Web apps written on the open web platform, with
> >> no need for plugins.
> >>
> >> Lots of people are excited about HTML5, but one group I don’t see as
> >> particularly excited are security experts, or perhaps they’re only
> >> excited in a rather cynical fashion.  Full employment!  Browser
> >> botnets! A lifetime of conference talks!  And the malediction against
> >> HTML5 isn’t just coming from folks with a product to sell or a slide
> >> deck to submit – HTML5 has become a common boogeyman representing
> >> out-of-control complexity and vast attack surface for some of the very
> >> best analysts and researchers in the field.  So, although developers
> >> are racing to embrace it, CISOs, CIOs and enterprise
> >> security decision makers as a group seem wary.
> >>
> >> Frankly this puzzles and distresses me, because from my perspective,
> >> HTML5 is a key part – perhaps the most important part – in one of the
> >> greatest security success stories in the history of computing.  The
> >> story of the web browser over the last decade is the story of
> >> something completely unprecedented – a tremendous increase in
> >> functionality and use that happened side-by-side with a tremendous
> >> decrease in vulnerability and attack surface.   Don’t believe me?
> >> Let’s go back a decade…
> >>
> >> ...
> >> _______________________________________________
> >> Fun and Misc security discussion for OT posts.
> >> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> >> Note: funsec is a public and open mailing list.
> >
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  fergdawgster(at)gmail.com