EU cybersecurity agency ENISA flags security fixes for new web standards

The EU's cybersecurity agency ENISA has proposed security improvements for 13 upcoming web standards to enhance browser security.

Many of these specifications are reaching a point of no return, according to the European Network and Information Security Agency (ENISA), so now is the time to think deeply about security before the standards are finalised rather than trying to patch them at a later date.

These standards include HTML5, cross-origin communication standards such as CORS, and standards for access to local data such as geolocation.

"This is a unique opportunity to build in security-by-design," said Giles Hogben, co-editor of an ENISA report on next-generation web standards that identifies 50 security threats and proposes how they should be addressed.

The threats include unprotected access to sensitive information, new ways to trigger form submission to attackers, problems in specifying and enforcing security policies, potential mismatches with operating system permission management, and new ways to escape access control mechanisms.

Web browser security is critical

ENISA claims the security review is vital in the light of the fact that almost every online activity now takes place in the browser, including managing critical infrastructures.

"The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyber attackers," said Udo Helmbrecht, executive director of ENISA.

The report notes that the volume of web-based attacks per day increased by 93% in 2010 compared with 2009, and that many complex threats, such as DDoS attacks using botnets, rely on flaws in web browsers that allow the installation of malware.

"Even if the root cause is elsewhere, the browser is often in a position to protect the user in combatting phishing, pharming, etc," says the report.

The World Wide Web Consortium (W3C), which is currently working on major revisions to its core standards, has welcomed the security review by ENISA.

"We have encouraged ENISA to report the issues it has identified to the relevant W3C Working Groups," said Thomas Roessler, W3C security lead.

The ENISA report includes recommendations on controlling functionality, permission system design, user interface requirements, user policing, and the use of restricted contexts such as private browsing or sandboxes.
