ENISA flags security fixes for new web standards

At a critical moment in the development of HTML5, the new core standard for the web, ENISA today proposes important security fixes for 13 upcoming web standards. ENISA has identified 50 security threats and proposed how they should be addressed.

Banking, social networking, shopping, navigation, card payments and even managing critical infrastructures such as power networks – almost any activity you can imagine now takes place within a browser window.
To accommodate innovations in web applications and their business models and to enable more people to use the web, W3C (the World Wide Web Consortium) is currently working on major revisions to its core standards.

The 'point-of-no-return'
ENISA has seized this opportunity to review the specifications and propose improvements to enhance browser security for all users. “Many of these specifications are reaching a point-of-no-return. For once, we have the opportunity to think deeply about security – before the standard is set in stone, rather than trying to patch it up afterwards. This is a unique opportunity to build in security-by-design,” says Giles Hogben, co-editor of the report.

“We welcome this very timely security review by ENISA. We have encouraged ENISA to report the issues they have identified to the relevant W3C Working Groups,” says Thomas Roessler, W3C security lead.

The ENISA analysis reveals 50 security threats and issues including:

• Unprotected access to sensitive information
• New ways to trigger form-submission to attackers
• Problems in specifying and enforcing security policies
• Potential mismatches with Operating System permission management
• Underspecified features, potentially leading to conflicting or error-prone implementations.
• New ways to escape access control mechanisms and protection from “click-jacking” (tricking the user into clicking on dangerous links and buttons)

Source - enisa.europa.eu