Web security: EU cyber-security Agency ENISA flags security fixes for new web standards
August 2011 by ENISA
At a critical moment in the development of HTML5, the new core standard for the web, ENISA today proposes important security fixes for 13 upcoming web standards. ENISA has identified 50 security threats and proposed how they should be addressed.
Banking, social networking, shopping, navigation, card payments and even managing critical infrastructures such as power networks – almost any activity you can imagine now takes place within a browser window. “The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyber-attackers,” comments Prof. Udo Helmbrecht, Executive Director of ENISA.
To accommodate innovations in web applications and their business models and to enable more people to use the web, W3C (the World Wide Web Consortium) is currently working on major revisions to its core standards.
ENISA has seized this opportunity to review the specifications and propose improvements to enhance browser security for all users. “Many of these specifications are reaching a point-of-no-return. For once, we have the opportunity to think deeply about security – before the standard is set in stone, rather than trying to patch it up afterwards. This is a unique opportunity to build in security-by-design,” says Giles Hogben, co-editor of the report.
“We welcome this very timely security review by ENISA. We have encouraged ENISA to report the issues they have identified to the relevant W3C Working Groups,” says Thomas Roessler, W3C security lead.
The ENISA analysis reveals 50 security threats and issues including:
Unprotected access to sensitive information
New ways to trigger form-submission to attackers
Problems in specifying and enforcing security policies
Potential mismatches with Operating System permission management
Underspecified features, potentially leading to conflicting or error-prone implementations.
New ways to escape access control mechanisms and protection from “click-jacking” (tricking the user into clicking on dangerous links and buttons)
“An important conclusion of this study is that significantly fewer security issues were found in those specifications which have already undergone detailed security review. This demonstrates the value of in-depth security reviews of up-coming specifications,” says Marnix Dekker, report co-editor. For background: Digital Agenda for Europe, (2.3, Trust and Security).