Are you scared? Well, you should be, according to the BBC. Right now cybercriminals are targeting you through frightening new developments in HTML5. Be afraid. Be very afraid.
I’m usually a fan of the BBC. They’re normally pretty insightful around technology. But this latest report pushed all my buttons. IMHO 90% of it is pure scaremongering while the other 10% is nothing new (or particularly interesting).
The idea in the article is that because HTML5 is new, ‘it is attractive to cybercriminals’. From there it’s happy to peddle hypothetical generalities. But that’s ok, because someone from Sophos (no vested interest there) is happy to oversimplify and remove the entire context.
When you boil it down, the post makes just two points:
1. Because HTML5 allows the browser to store more information it’s ripe for abuse by ‘super cookie’ wielding criminals
2. Because it can integrate with GPS, it will allow nefarious types to pinpoint your location
HTML5 gives us a number of new ways to store user data, and techniques like the Ever Cookie are of course an issue for privacy. However, this is an issue regardless of HTML5, since there are so many different places data can be stored. Using In-Private stops the Ever Cookie exploit from working.
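Ever Cookie-style tracking relies on writing the same identifier into several stores so that a surviving copy can restore the others. The sketch below is an added example, not part of the original post, that a site owner or reviewer could use to spot that pattern; the function names and the 8-character threshold are assumptions made for illustration.

```javascript
// Added example: flag values that appear in more than one client-side store.
// All names here are hypothetical; inputs are plain objects, so it runs in Node too.

// Parse a document.cookie-style string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue; // skip fragments without a value
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Copy a Storage-like object (localStorage, sessionStorage) into { key: value }.
function snapshotStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    out[key] = storage.getItem(key);
  }
  return out;
}

// Report values of at least minLength characters held by two or more stores.
// Short values (flags, locale codes) are skipped to limit false positives.
function findReplicatedValues(stores, minLength = 8) {
  const seen = new Map(); // value -> { stores: Set, locations: [] }
  for (const [storeName, entries] of Object.entries(stores)) {
    for (const [key, value] of Object.entries(entries)) {
      if (typeof value !== 'string' || value.length < minLength) continue;
      if (!seen.has(value)) seen.set(value, { stores: new Set(), locations: [] });
      const hit = seen.get(value);
      hit.stores.add(storeName);
      hit.locations.push(`${storeName}:${key}`);
    }
  }
  return [...seen]
    .filter(([, hit]) => hit.stores.size >= 2)
    .map(([value, hit]) => ({ value, locations: hit.locations }));
}

// In a browser console, on the page being reviewed:
// findReplicatedValues({
//   cookie: parseCookies(document.cookie),
//   localStorage: snapshotStorage(localStorage),
//   sessionStorage: snapshotStorage(sessionStorage),
// });
```

`document.cookie` does not expose HttpOnly cookies, and stores beyond these three (IndexedDB, plug-in storage) need their own snapshot before they can be compared.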
There is also an assumption in point one that none of us in the browser community have thought of this or done anything to increase security. This is ridiculous. Whether it is us at Microsoft, the Opera guys, Google, Mozilla or Apple, you can be sure that security is at the top of all our agendas. Everyone knows the painful flak Microsoft took over IE6. No one is going there again.
The second point is true to the degree that HTML5 can integrate with GPS. What it fails to mention is that the user has to give permission for this to happen. So if they get duped (and of course the article makes no mention of what this would actually mean in the real world) then that would have little to do with HTML5 itself and more to do with the skills of the scam-artist.
And as for the other points the post makes:
- Adobe Flash – nothing to do with HTML5
- QR pornography – nothing to do with HTML5
- Crime packs – nothing to do with HTML5 (notice the pattern?)
Really? Can’t the BBC do just a little better?
Many of the ideas presented in the article are articulated far better in a paper created by the European Network and Information Security Agency. This goes into real detail about some of the issues around HTML5 and the surrounding standards. It’s an excellent read.
Of course there are issues with security; there are with every technology. But the BBC article steers the reader into thinking that there is something fundamentally insecure with HTML5… and there isn’t.