EU Cybersecurity Agency ENISA Flags Security Fixes For New Web Standards

PRESS RELEASE

At a critical moment in the development of HTML5, ENISA today proposes important security fixes for 13 upcoming Web standards. ENISA has identified 50 security threats and proposed how they should be addressed. Banking, social networking, shopping, navigation, card payments and even managing critical infrastructures such as power networks – almost any activity you can imagine now takes place within a browser window.

"The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyberattackers," comments Udo Helmbrecht, executive director of ENISA.

To accommodate innovations in Web applications and their business models, and to enable more people to use the web, W3C (the Worldwide Web Consortium) is currently working on major revisions to its core standards.

ENISA has seized this opportunity to review the specifications and propose improvements to enhance browser security for all users. "Many of these specifications are reaching a point-of-no-return. For once, we have the opportunity to think deeply about security – before the standard is set in stone, rather trying to patch it up afterwards. This is a unique opportunity to build in security-by-design," says Giles Hogben, co-editor of the report.

"We welcome this very timely security review by ENISA. We have encouraged ENISA to report the issues they have identified to the relevant W3C Working Groups," says Thomas Roessler, W3C security lead.

The ENISA analysis reveals 50 security threats and issues including: unprotected access to sensitive information; new ways to trigger form-submission to attackers; problems in specifying and enforcing security policies; and potential mismatches with operating system permission management.

"An important conclusion of this study is that significantly less security issues were found in those specifications which have already undergone detailed security review. This demonstrates the value of in-depth security reviews of up-coming specifications," says Marnix Dekker, report co-editor.