Archive for May, 2011

May 30th, 2011  Posted at   Education Web Design

Web developers accountable for HTML 5 security

Whether HTML 5 will introduce new security threats is less an issue than the need for Web developers to be able to effectively mitigate any potential risk borne from the pending programming standard, advise industry observers.

Jeremiah Grossman, CTO of WhiteHat Security, told ZDNet Asia: “With a specification as large and as powerful as HTML 5, implementation should be taken with the utmost concern toward security.”

Currently still a working draft, Hypertext Markup Language version 5 (HTML 5) is the latest revision of the Web language–used to describe Web pages–and boasts several new advancements. These include data storage on a local computer which allows Web applications to run offline, as well as native support for rich Web applications and interactions which was previously only possible by installing third-party, proprietary plugins such as Adobe Flash and Microsoft Silverlight.

In an e-mail interview, Ian Jacobs, communications head of the World Wide Web Consortium (W3C), stressed the need for HTML 5 to be adopted particularly because its last official update, HTML4, was in 1999.

The consortium is the official standards body responsible for overseeing HTML 5's development.

As the Web evolves from “a Web of documents to a formidable platform of networked applications”, facilitating the sharing of information and services over the Internet, Jacobs said there is a significant demand for open standards that allow the creation of rich Internet applications.

Heightened security threats
However, with its promise to deliver new, richer functionality, HTML 5 has also sparked much discussion among security experts about whether the increased capabilities could bring added security vulnerabilities.

Paul Roberts, security evangelist from Kaspersky Labs, said in a blog post last month that while Web security professionals agreed HTML 5 encompasses security enhancements, they also expressed concern that the new Web language will “greatly increase the attack surface of HTML” and provide more avenues through which malicious code can be delivered.

Hon Lau, senior security response manager at Symantec, said: “Increased functionality often brings with it increased risks.”

Lau explained in an e-mail that HTML 5 includes “around 45 new markup tags”, such as the and tags, to enable rich multimedia functions. “[The possible] attack surface is increased due to the sheer volume of changes undergone,” he added.

WhiteHat’s Grossman also pointed to another potential security threat where users could face an amplified risk of data loss due to the massive amount of data in local storage.

He explained that in the past, Web developers could only save small snippets of data in the form of cookies on the browser. With HTML 5, however, they can store “many megabytes of data” on the user’s computer and this will most likely include sensitive data to allow Web applications to be used offline, he said.

Naveen Hegde, market analyst at IDC’s Asia-Pacific software research group, said the conventional motive for attacks has been gaining access to sensitive data and hackers would launch cross-site scripting and SQL injection attacks in a bid to steal confidential user information.

Developers obligated to address risks
According to Hegde, developers looking to build on HTML 5 should first evaluate whether it is “beneficial” to deploy the platform’s new features which could “end up facilitating Web attacks” on a user’s machine.

Lau echoed a similar view, noting that while changes in the Web standard may introduce new security risks, the onus is still on developers to mitigate these threats.

He suggested that developers practise and build more security coding principles to reduce potential security risks, such as improved error handling, validating inputs and ensuring boundary checks to avoid buffer overflows.

Grossman also advised developers to create backups and save large volumes of potentially sensitive information contained in end-users’ PCs.

“Care should be taken by developers not to…assume it cannot be manipulated by someone with local or remote access to the machine,” he cautioned.

He concluded that since HTML 5 vulnerabilities are expected to appear at some point in the future, HTML 5 designers and implementers “should be prepared to respond quickly” whenever new issues or vulnerabilities arise.
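Grossman's caution above about locally stored data, and Lau's advice on validating inputs, can be illustrated with an added example that is not part of the original article. The storage key, record shape, size limits and function names are assumptions, and a small in-memory object stands in for `window.localStorage` so the code also runs outside a browser.

```javascript
// Added example: data read back from HTML5 local storage is untrusted input.
// DRAFT_KEY, the record shape and the size limits are assumptions for illustration.
const DRAFT_KEY = "offlineDraft";
const MAX_RAW_LENGTH = 64 * 1024;
const MAX_BODY_LENGTH = 10000;

// Minimal stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
    removeItem: (key) => { data.delete(key); },
  };
}

// Store only what the offline feature needs: no passwords, tokens or roles.
function saveDraft(storage, draft) {
  const record = { id: draft.id, body: draft.body, savedAt: Date.now() };
  storage.setItem(DRAFT_KEY, JSON.stringify(record));
}

// Return a validated draft, or null (and discard the entry) if any check fails.
function loadDraft(storage) {
  const raw = storage.getItem(DRAFT_KEY);
  if (raw === null) return null;
  const reject = () => { storage.removeItem(DRAFT_KEY); return null; };
  if (typeof raw !== "string" || raw.length > MAX_RAW_LENGTH) return reject();

  let parsed;
  try { parsed = JSON.parse(raw); } catch (err) { return reject(); }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return reject();

  const { id, body, savedAt } = parsed;
  const valid =
    Number.isSafeInteger(id) && id > 0 &&
    typeof body === "string" && body.length <= MAX_BODY_LENGTH &&
    Number.isSafeInteger(savedAt) && savedAt > 0;
  if (!valid) return reject();

  // Copy only the expected fields; injected extras such as "isAdmin" are dropped.
  return { id, body, savedAt };
}

// Escape before inserting stored text into markup (or assign it to textContent).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}
```

In a browser, pass `window.localStorage` in place of the in-memory stand-in; any value the server later receives from such a draft still has to be validated again on the server side.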

Jacobs from W3C, too, emphasized the importance of designing and building Web applications “with sensitivity to user privacy and security needs”.

Lau said: “From a security standpoint, the issues with HTML in the past were a result of poor and inconsistent implementation of features described in the HTML specification, and also the non-practice of security coding principles within browser engines and the plugins used by them.”

He described HTML 5 as “a reaction to the current state of the Web space and the evolution that has taken place over the past decade”. “[It is a] public standard that aims to address many shortcomings in the functionality provided by previous versions,” he added.

Despite its security risks, WhiteHat’s Grossman acknowledged that “HTML 5 has arrived”. “Security, as a discipline, must help enable technology and business applications, not inhibit them,” he said.

Echoing similar sentiments, W3C’s Jacobs said HTML 5 may only still be a working draft, but browser vendors are already deploying its features, allowing W3C to revise its drafts. “This way, the final standard can transparently inform implementers where they need to pay close attention to security and privacy issues,” he noted.

Senior Software Developer, working in RayooTech software outsourcing company, website: http://www.techomechina.com/

May 28th, 2011  Posted at   Education Web Design

PHP and MySQL For an Effective Web Hosting

Using PHP and MySQL in web hosting is a great way to create dynamic web pages that interact with your site's visitors. While HTML can make useful and well-formatted web pages, without PHP and MySQL your audience will not be able to appreciate your site. If PHP and MySQL are incorporated in web hosting, the result is dynamic web pages that interact with your visitors.

PHP is a scripting language that is often used with HTML to add functions that HTML alone cannot provide. It lets you collect, process and use data to create the desired output. In simple words, it lets you interact with your web pages. Additionally, PHP is able to perform a number of tasks such as printing data, making numeric calculations, making comparisons and the like. Because of these functions, your pages can generate more specialized data.

MySQL on the other hand, is a database system used to store information.

It can store different types of data, ranging from a single character to complete files and graphics. MySQL can be accessed with most programming languages, but it should be coupled with PHP, as they work together with ease. The information stored in a MySQL database hosted on a web server can be accessed from any part of the world with the use of computers. This is also a good way to store information that you can change over time and access over the net.

PHP and MySQL make a better combination for a good website. PHP can collect data, and MySQL in turn stores the information. PHP can do calculations, and MySQL provides it with variables. Although these two can work independently, when you integrate them they can open limitless opportunities for your site.

Since the Internet is becoming a popular source of the information that browsers need, you should keep up with the demands of your audience and make your site more interactive and dynamic by using PHP and MySQL to deliver information just in time.

Websites today should be content rich and from time to time need to be updated.

If your site is difficult to change, for whatever reason, this is a serious problem. This is true for sites that are made of plain HTML. But with PHP and MySQL, problems with updating content are easily resolved, as they provide a content management section where you can update your site even without HTML knowledge.

The other good thing about a PHP and MySQL database-driven site is that it separates the content from the design. In this way, you can update your content and the rest depends on the system. PHP is free to use and costs you nothing, with neither running nor upfront fees. They create dynamic pages. PHP is a language that is easy to use and can be easily embedded into a page's HTML, hence no need for separate coding. So for a better-performing website, consider PHP and MySQL in web hosting to create dynamic pages.

Marie Castelle is a freelance writer and blogger who loves to educate people in many different topics. She writes on topics about money saving tips, bad credit mortgage loans, current mortgage rates, and many more.