Welcome!

Cloud Security Authors: Elizabeth White, Stackify Blog, Peter Davidson, Nishanth Kadiyala, Liz McMillan

Related Topics: Cloud Security, Machine Learning , Agile Computing

Cloud Security: Article

Discoverer of JSON Recommends Suspension of HTML5

Douglas Crockford: "The HTML5 proposal does not attempt to correct the XSS problem."

"There is much that is attractive about HTML5," says Douglas Crockford, known to millions of developers as the discoverer of JSON (JavaScript Object Notation), the widely used lightweight data-interchange format.

"But ultimately," Crockford continues, "the thing that made the browser into a credible application delivery system was JavaScript,
the ultimate workaround tool." The problem is that there is what he calls "a painful gap" in the specification of the interface between JavaScript and the browser. The result? XSS and other maladies. The responsible course of action, Crockford contends, is to correct that defect first before pushing ahead with HTML5.



In an email exchange with Jeremy Geelan, here is what Crockford (pictured above) says, in his own words...

"The most serious defect in web browsers is the incorrectly named Cross Site Scripting (XSS) vulnerability. XSS enables an attacker to inject code into a web page that runs with the authority of the site that issued the page. The rights granted to the attacker include the right to interact with the server, the right to scrape data from the page, the right to modify the page, the right to dialog with the user, the right to load additional scripts from any server in the world, and the right to transmit the data it obtained from the server, the page, and the user to any server in the world. This is dangerous stuff.

XSS is misnamed for two reasons. First, it is not necessary for a second site to be involved. Sites that can reflect user generated content can be attacked without the participation of a second site. But more importantly, XSS suggests that cross site scripting is a bad thing. In fact, cross site scripting is a highly beneficial thing. It is what enables mashups. Cross site scripting enables Ajax libraries, analytics, and advertising. The problem is that the browser's security model did not anticipate mashups.

The XSS problem comes from two fundamental problems. The first is that the language of the web is unnecessarily complicated. HTML can be embedded in HTTP, and HTML can have embedded in it URLs, CSS, and JavaScript. JavaScript can be embedded in URLs and CSS. Each of these languages has different encoding, escapement, and commenting conventions. Statically determining that a piece of text will not become malicious when inserted into an HTML document is surprisingly difficult. There is a huge and growing set of techniques by which an attacker can disguise a payload that can avoid detection. New techniques are discovered all the time, and usually the attackers find them first. The web was not designed as a system. Instead it was a sloppy cobbling, and that sloppiness aids the enemy.

The second problem is that all scripts on a page run with the same authority. The browser has a better security model than desktop systems because it can distinguish between the interests of the user and the interests of the program (or website). But the browser failed to anticipate that there could be other scripts that represent additional interests. As a result, the browser is confused, treating all scripts as equally trusted to represent a site, even when it has loaded scripts from different sites.

This problem first appeared 15 years ago in Netscape Navigator 2. Those developers could be forgiven for having not foreseen the way that browsers would ultimately be used. But to have this problem incorporated into web standards and left in place for 15 years is intolerable. This problem must be fixed.

The HTML5 proposal does not attempt to correct the XSS problem and actually makes it worse in three ways:

1. HTML5 is huge and bloated. It is likely that this bloat will create new opportunities for malicious script injection.

2. HTML5 adds powerful new capabilities (such as local database and cross-site networking) that become fully available to the attacker.

3. HTML5 is a large effort. The solution of the XSS problem may have to wait until HTML5 is completed, which could be years away.

The fundamental mistake in HTML5 was one of prioritization. It should have tackled the browser's most important problem first. Once the platform was secured, then shiny new features could be carefully added.

There is much that is attractive about HTML5. But ultimately the thing that made the browser into a credible application delivery system was JavaScript, the ultimate workaround tool. There is a painful gap in the specification of the interface between JavaScript and the browser, and that is a source of XSS and other maladies. The responsible course of action was to correct that defect first.

That course is still available to us. My recommendation is that we suspend the current HTML5 activity. We start over with a new charter: To quickly and effectively repair the XSS vulnerability. Then we can mine the bloated HTML5 set for features that have high value and which do not introduce new security vulnerabilities.

HTML5 has a lot of momentum and appears to be doomed to succeed. I think the wiser course is to get it right first. We have learned the hard way that once an error gets into a web standard, it is really hard to get it out.

What do you think? Add your feedback below.

More Stories By Douglas Crockford

Douglas Crockford, an architect at Yahoo!, is an AJAXWorld regular. A technologist of parts, he has developed office automation systems, done research in games and music at Atari, and been both Director of Technology at Lucasfilm and Director of New Media at Paramount. He was the founder and CEO of Electric Communities/Communities.com and the founder and CTO of State Software, where he discovered JSON. He is interested in Blissymbolics, a graphical, symbolic language, and is developing a secure programming language.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Enzu will exhibit at SYS-CON's 21st Int\ernational Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their ...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists examined how DevOps helps to meet the de...
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to ma...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists looked at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deliver...
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), provided an overview of various initiatives to certify the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldwide re...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
No hype cycles or predictions of zillions of things here. IoT is big. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, Associate Partner at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He discussed the evaluation of communication standards and IoT messaging protocols, data analytics considerations, edge-to-cloud tec...
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...
The Internet giants are fully embracing AI. All the services they offer to their customers are aimed at drawing a map of the world with the data they get. The AIs from these companies are used to build disruptive approaches that cannot be used by established enterprises, which are threatened by these disruptions. However, most leaders underestimate the effect this will have on their businesses. In his session at 21st Cloud Expo, Rene Buest, Director Market Research & Technology Evangelism at Ara...
When growing capacity and power in the data center, the architectural trade-offs between server scale-up vs. scale-out continue to be debated. Both approaches are valid: scale-out adds multiple, smaller servers running in a distributed computing model, while scale-up adds fewer, more powerful servers that are capable of running larger workloads. It’s worth noting that there are additional, unique advantages that scale-up architectures offer. One big advantage is large memory and compute capacity...
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...