HTML5 security – new target for lazy reporting by the BBC


Are you scared? Well you should be according to the BBC. Right now cybercriminals are targeting you through frightening new developments in HTML5. Be afraid. Be very afraid.

<rant>

I’m usually a fan of the BBC. They’re normally pretty insightful around technology. But this latest report pushed all my buttons. IMHO 90% of it is pure scaremongering while the other 10% is nothing new (or particularly interesting).

The idea in the article is that because HTML5 is new, ‘it is attractive to cybercriminals’. From there it’s happy to peddle hypothetical generalities. But that’s ok, because someone from Sophos (no vested interest there) is happy to oversimplify and remove the entire context.

When you boil it down, the post makes just two points:

1. Because HTML5 allows the browser to store more information it’s ripe for abuse by ‘super cookie’ wielding criminals

2. Because it can integrate with GPS, it will allow nefarious types to pinpoint your location

HTML5 gives us a number of new ways to store user data, and techniques like the Evercookie are of course an issue for privacy. However, this is an issue regardless of HTML5, since there are so many different places data can be stored. Using InPrivate browsing stops the Evercookie technique from working.

There is also an assumption in point one that none of us in the browser community have thought of this or done anything to increase security. This is ridiculous. No matter whether it is us at Microsoft, the Opera guys, Google, Mozilla or Apple, you can be sure that security is at the top of all our agendas. Everyone knows the painful flak Microsoft took over IE6. No one is going there again.

The second point is true to the degree that HTML5 can integrate with GPS. What it fails to mention is that the user has to give permission for this to happen. So if they get duped (and of course the article makes no mention of what this would actually mean in the real world) then that would have little to do with HTML5 itself and more to do with the skills of the scam-artist.

And as for the other points the post makes:

  • Adobe Flash – nothing to do with HTML5
  • QR pornography – nothing to do with HTML5
  • Crime packs – nothing to do with HTML5 (notice the pattern?)

Really? Can’t the BBC do just a little better?

</rant>

Many of the ideas presented in the article are articulated far better in a paper created by the European Network and Information Security Agency (ENISA). This goes into real detail about some of the issues around HTML5 and the surrounding standards. It’s an excellent read.

Of course there are security issues; there are with every technology. But the BBC article steers the reader into thinking that there is something fundamentally insecure about HTML5... and there isn’t.

Comments (6)

  1. Jason Grant says:

    The biggest issue here is that if a criminal is going to be exploiting any of these matters that the BBC pointed out, they will either have to know HTML local storage, which is more like rocket science, and therefore they would be better off getting an IT contract and making much more money doing that for a living.

    The other option is for them to try and make money off the back of my locally stored web pages about HTML5 local storage and how to code for it, since it's rocket science. That's not highly monetisable material. 🙂

  2. thebeebs says:

    @jason Good point... I agree it is pretty complicated. There are quite a lot of libraries, though, that make it easier.

  3. Ian Devlin says:

    Technically the integration with GPS (via Geolocation) also has nothing to do with HTML5, so your relevance list is down to just the one point!

  4. Jason Grant says:

    Ah libraries!

    There's a library a few minutes' walk away from where I live, but I never use it. 😉

  5. thebeebs says:

    @Ian Devlin True, but for the purposes of conversation the HTML5 umbrella term has caught on, so I'm not going to knock the BBC for that.

  6. Willwander says:

    That's the BBC for you, lazy is too kind a word.