funsec mailing list archives

In Defense of HTML5


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 4 Dec 2012 14:08:37 -0500

http://www.thesecuritypractice.com/the_security_practice/2012/11/in-defense-of-html5-1.html

Many of the broad family of specifications commonly grouped under the
“HTML5” umbrella are scheduled to be completed in 2013, and with the
release of Internet Explorer 10, the users of every major web browser
flavor can enjoy rich Web apps written on the open web platform, with
no need for plugins.

Lots of people are excited about HTML5, but one group I don’t see as
particularly excited are security experts, or perhaps they’re only
excited in a rather cynical fashion.  Full employment!  Browser
botnets! A lifetime of conference talks!  And the malediction against
HTML5 isn’t just coming from folks with a product to sell or a slide
deck to submit – HTML5 has become a common boogeyman representing
out-of-control complexity and vast attack surface for some of the very
best analysts and researchers in the field.  So, although developers
are racing to embrace it, CISOs, CIOs and enterprise
security decision makers as a group seem wary.

Frankly this puzzles and distresses me, because from my perspective,
HTML5 is a key part – perhaps the most important part – in one of the
greatest security success stories in the history of computing.  The
story of the web browser over the last decade is the story of
something completely unprecedented – a tremendous increase in
functionality and use that happened side-by-side with a tremendous
decrease in vulnerability and attack surface.  Don’t believe me?
Let’s go back a decade…

...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
