A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation

Philippe De Ryck, Lieven Desmet, Frank Piessens, Wouter Joosen

2012

Abstract

Over the past few years, a significant effort went into the development of a new generation of web standards, centered around the HTML5 specification. Given the importance of the web in our society, it is essential that these new standards are scrutinized for potential security problems. This paper reports on a systematic analysis of ten important, recent specifications with respect to two generic security goals: (1) new web mechanisms should not break the security of existing web applications, and (2) different newly proposed mechanisms should interact with each other gracefully. In total, we found 45 issues, of which 12 are violations of the security goals and 31 issues concern under-specified features. Additionally, we found that 6 out of 11 explicit security considerations have been overlooked/overruled in major browsers, leaving secure specifications vulnerable in the end. All details can be found in an extended version of this paper (De Ryck et al., 2012).

Paper Citation


in Harvard Style

De Ryck P., Desmet L., Piessens F. and Joosen W. (2012). A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012), ISBN 978-989-8565-24-2, pages 257-262. DOI: 10.5220/0004049502570262

in Bibtex Style

@conference{secrypt12,
author={Philippe De Ryck and Lieven Desmet and Frank Piessens and Wouter Joosen},
title={A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={257-262},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004049502570262},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation
SN - 978-989-8565-24-2
AU - De Ryck P.
AU - Desmet L.
AU - Piessens F.
AU - Joosen W.
PY - 2012
SP - 257
EP - 262
DO - 10.5220/0004049502570262