Hongwen Zhang is president and chief executive officer (CEO) of Wedge Networks, an innovative provider of remediation-based deep content inspection for high-performance, network-based web security. Zhang has more than two decades of high-tech leadership experience and is the coinventor and holder of several patents in the area of computing and networking.
Preparing for HTML5 Capabilities and Threats
The transition to HTML5 provides organizations with a rich, responsive and standardized web application environment that makes it possible to have improved mobile access and dynamic cloud-based applications. Leading organizations and browsers, such as Google, Facebook, YouTube and Skype, have already begun to support the move to HTML5. This movement is revolutionizing the underlying structure of the web and how content is processed and delivered. HTML5 presents a new portfolio of functionalities that includes richer media, increased online responsiveness and offline operation. However, with so many new features and protocols come new potential threats on a larger attack surface. Specifically, organizations should be advised of the new WebSocket protocol and must understand what security holes it opens up in traditional network protection. This article highlights the key risk factors of HTML5 to bring awareness to business management, information security practitioners, IT professionals, information systems (IS) professionals, audit and assurance professionals, and web developers.
Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca.org/journal), find the article, and choose the Comments tab to share your thoughts.

HTML5 Risk Factors

HTML5 is likely to replace Adobe Flash and Java Applets as the new industry standard for content delivery. With the expansion of the Internet’s reach and versatility come new security challenges for which existing security solutions are unprepared.

The introduction of HTML5 brings unique risk factors, malware channels, and vehicles for delivery and infections, including:

• Cross-site delivery/communication—Cross-site resource sharing is dropping the incumbent “same origin policy,” increasing the reach of traditional cross-site scripting attacks among domains.

• JavaScript capabilities—Powerful client scripting capabilities support threading, asynchronous input/output (I/O), local databases, geolocation and local resource access, resulting in new vectors for botnets, data leakage and geoprivacy issues.

• WebSocket protocol—The introduction of a two-way communication protocol—HTML5/WebSocket—makes this version 5 of the HTML specification truly revolutionary. The new version brings enormous benefits that will make the HTML5-fueled Internet more usable and more friendly.

HTML5 WebSocket Benefits and Security Risks

HTML5 WebSocket is a communication protocol that happens to use the same network port used by the familiar HTTP. Unlike HTTP, WebSocket is a full-duplex, asynchronous communication protocol for delivering interactive web content. According to the WebSocket specification,¹ this asynchronous ability allows applications such as Stock Ticker to be 500 times more efficient when delivered in HTML5/WebSocket. With the new Internet being defined by the large number of mobile devices generating tremendous dynamic content that is piped back and forth to gigantic cloud centers, WebSocket will be an enabling tool for developing user-friendly applications.

[Figure 1—HTTP request/response]
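The handshake that turns an ordinary HTTP request on the HTTP port into a WebSocket connection, as an added Python example that is not from the article or from Wedge Networks: it recognizes an RFC 6455 upgrade request, derives the Sec-WebSocket-Accept value a server must return, and reports when the switch has happened, which is the point at which HTTP-oriented inspection stops seeing HTTP. The sample request and response are constructed (host and path are made up); the key/accept pair is the one published in RFC 6455.

```python
"""Recognize an RFC 6455 WebSocket handshake riding on the ordinary HTTP port."""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def parse_headers(raw):
    """Split an HTTP message into its start line and a lowercase header map."""
    start, _, rest = raw.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:  # skip the blank line that ends the header block
            headers[name.strip().lower()] = value.strip()
    return start, headers

def is_websocket_upgrade(request):
    """True when a GET on the HTTP port is really asking to become a WebSocket."""
    start, h = parse_headers(request)
    return (start.startswith("GET ")
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower()
            and "sec-websocket-key" in h
            and h.get("sec-websocket-version") == "13")

def expected_accept(key):
    """Sec-WebSocket-Accept value a server must return for this client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_completed(request, response):
    """True once both sides agree; from here on the bytes on this port are not HTTP."""
    if not is_websocket_upgrade(request):
        return False
    _, req = parse_headers(request)
    status, resp = parse_headers(response)
    return (status.startswith("HTTP/1.1 101")
            and resp.get("sec-websocket-accept") == expected_accept(req["sec-websocket-key"]))

# Constructed sample exchange (host and path are made up); the key/accept pair is RFC 6455's.
SAMPLE_REQUEST = ("GET /ticker HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
                  "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  "Sec-WebSocket-Version: 13\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                   "Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
PLAIN_REQUEST = "GET /ticker HTTP/1.1\r\nHost: example.test\r\n\r\n"  # same port, plain HTTP
```

An inspection device that only understands request/response pairs sees SAMPLE_REQUEST as one more GET; once handshake_completed is true, everything that follows on that connection is framed WebSocket data it was never written to parse.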