Preparing for HTML5 Capabilities and Threats 

 
Download Article Article in Digital Form

The transition to HTML5 provides organizations with a rich, responsive and standardized web application environment that makes it possible to have improved mobile access and dynamic cloud-based applications. Leading organizations and browsers, such as Google, Facebook, YouTube and Skype, have already begun to support the move to HTML5. This movement is revolutionizing the underlying structure of the web and how the content is processed and delivered. HTML5 presents a new portfolio of functionalities that includes richer media, increased online responsiveness and offline operation. However, with so many new features and protocols come new potential threats on a larger attack surface. Specifically, organizations should be advised of the new WebSocket protocol and must understand what security holes it opens up in traditional network protection. This article highlights the key risk factors of HTML5 to bring awareness to business management, information security practitioners, IT professionals, information systems (IS) professionals, audit and assurance professionals, and web developers.

HTML5 Risk Factors

HTML5 is likely to replace Adobe Flash and Java Applets as the new industry standard for content delivery. With the expansion of the Internet’s reach and versatility come new security challenges for which existing security solutions are unprepared.

The introduction of HTML5 brings unique risk factors, malware channels, and vehicles for delivery and infections, including:

  • Cross-site delivery/communication—Cross-site resource sharing is dropping the incumbent “same origin policy,” increasing the reach of traditional cross-site scripting attacks among domains.
  • Javascript capabilities—Powerful client scripting capabilities support threading, asynchronous input/output (I/O), local databases, geolocation and local resource access, resulting in new vectors for botnets, data leakage and geoprivacy issues.
  • WebSocket protocol—The introduction of a two-way communication protocol—HTML5/WebSocket—makes this version 5 of the HTML specification truly revolutionary. The new version brings enormous benefits that will make the HTML5-fueled Internet more usable and more friendly.

HTML5 Websocket Benefits and Security Risks

Figure 1HTML5 WebSocket is a communication protocol that happens to use the same network port used by the familiar HTTP. Unlike HTTP, WebSocket is a full duplex, asynchronous communication protocol for delivering interactive web content. According to WebSocket specifications,1 this asynchronous ability allows applications such as Stock Ticker to be 500 times more efficient when delivered in HTML5/WebSocket. With the new Internet being defined by the large amount of mobile devices generating tremendous dynamic content that is piped back and forth to gigantic cloud centers, WebSocket will be an enabling tool for developing user-friendly applications.

WebSocket achieves its efficiency by using several clever tricks. Unfortunately, these tricks also invalidate some key assumptions of today’s conventional network defense system:

  • WebSocket overrides HTTP port. This makes firewalls unable to differentiate WebSocket from HTTP traffic.
  • WebSocket is asynchronous, not a request/response-based protocol, confusing web proxies.
  • WebSocket payload does not contain URL or application headers (see figure 1 and figure 2). This makes reputation-based defenses helpless.
  • WebSocket payload is masked (see figure 2). This introduces big obstacles for packet-inspection-based network security solutions.

Figure 2A security solution capable of addressing HTML5 content must be able to tackle new content packaging, transmission protocols and the rising number of outlets used to deliver malware. Without a network protection conscious of HTML5 WebSocket content, an organization is susceptible to malicious codes transmitted through this channel. According to Forrester Research, “Firms are using more consumer-style web applications…with 84 percent of firms increasing their use of web applications.”2

Organizations must take back control of the web infrastructure with a scalable, real-time solution that provides information-scanning techniques and enables optimal network performance.

Research Appropriate Security Solutions

In addition to existing best practices for web security, such as better coding of web pages, vulnerability management and timely patching of IT assets, organizations must implement a network security solution that is capable of deep content inspection (DCI) in order to preserve the benefits that HTML5 offers. DCI scans and understands the intent of web traffic, from simple coded threats to advanced malware hidden in volumes of data. A comprehensive DCI solution scans through content that is packed in both existing and new standards in the network, applying advanced threat signature matching and heuristic threat analysis to detect noncompliant content and stop malicious content from sneaking in or confidential information from leaking out, thus significantly lowering the end user’s risk. As a result, regardless of where end users are and what they click on, their devices of choice are completely secure.

For an organization, the most important and convenient feature of HTML5 is the WebSocket payload. WebSocket allows organizations to transmit data for any application with any payload without a well-formed URL or HTTP headers. Although convenient, WebSocket also creates a new delivery route for malware. With the adoption of DCI solutions to the WebSocket payload, users are protected against malicious attacks. The optimal security solution extracts, scans and stops threats found in WebSocket protocols, blocking the transmission of data for any application.

Conclusion

Compared with previous versions, HTML5 is a safer and more effective tool for delivering today’s rich web content; however, it also introduces several security risk factors. Organizations need to understand these risk factors and deploy effective tools that scan and understand the intent of all web traffic, regardless of protocol. This ensures that content packed into both existing and new standards, with an emphasis on the increased two-way concurrent traffic found in HTML5, will be understood and that security services can be applied to remediate against any threats.

To maintain network security without disabling the many improvements that HTML5 brings, organizations must adopt deep content inspection to stop the harmful code from infecting their devices and servers and to stop confidential information from being stolen.

Endnotes

1 WebSocket, www.websocket.org/index.html
2 Forrester Research Blogs, “The Consumerization of IT Proceeds Unevenly, From Growth In Tablets To Anemic BYOPC Adoption,” http://blogs.forrester.com/frank_gillett/11-03-24-the_consumerization_of_it_proceeds_unevenly_from_growth_in_tablets_to_anemic_byopc_adoption

Hongwen Zhang is president and chief executive officer (CEO) of Wedge Networks, an innovative provider of remediation-based deep content inspection for high-performance, network-based web security. Zhang has more than two decades of high-tech leadership experience and is the coinventor and holder of several patents in the area of computing and networking.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.