funsec mailing list archives
Re: In Defense of HTML5
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 5 Dec 2012 19:29:29 -0500
On Wed, Dec 5, 2012 at 7:05 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:
>> WebSockets are a concern to me. An attacker almost always wants to egress data (otherwise, what's the point?), so WebSockets are an addition to the attacker's war chest. In addition, WebSockets make it really convenient to set up reverse proxies (emphasize convenient).
>
> Marginally so... there are a lot of web apps that handle low-latency, interactive streaming in a variety of situations, and they don't need WS for that. WS is slightly more convenient where supported, indeed, but it doesn't really enable anything that wasn't perfectly possible (and done) before.

So, I think what it boils down to (for me): under pre-HTML5, we could create policies and perform code reviews that enforced the policy. There were no built-in mechanisms, and code was banned as required. Under HTML5, the egress point is built into the protocol, and we can't remove it. Code will still be banned. The code is likely going to be more terse (since the protocol offers native support) and possibly harder to identify. Plus, it's going to be portable, so any malicious or questionable code is going to run everywhere.

Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.