Microsoft says WebGL isn't secure enough
In the spirit of the famous article by Edsger Dijkstra, Microsoft says, in a piece entitled "WebGL considered harmful", that the 3D technology is not secure enough for its products. The blog post lists three reasons for this conclusion: first, browser support for WebGL gives web applications direct access to hardware; second, there could be security flaws in third-party software (such as in graphics drivers); and finally, Microsoft says that operating systems do not currently offer any protection against denial-of-service attacks on graphics cards. "We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective." However, Microsoft itself plans to access graphics card hardware directly in the upcoming Silverlight 5. In other words, the criticism of WebGL may stem not only from security concerns, but also from marketing interests.
WebGL implementations are currently only available in Firefox and Chrome. The technology is intended to make 3D graphics usable on the web by drawing on the capabilities of modern graphics cards. A number of vulnerabilities have, however, already been detected. A specially crafted web site can overload hardware, causing the computer to crash. Another hole, which only affects the Firefox implementation, allows attackers to make screenshots of any window. The attacks are partly possible because WebGL, like Silverlight, executes code directly on the graphics card and a browser running a web application with WebGL can provide that code.
In May, the Khronos Group, which handles the standardisation of WebGL, responded and pointed out that the browser implementations have not yet been completed. The group also said that a new mechanism would provide protection from DoS attacks, but that the protection requires support from the graphics driver. In its criticism of WebGL, Microsoft also points out that many of the drivers in question are only updated once a year, and that it is up to users to install the new version. The software company says that this schedule is too lax in light of the threat from web applications. Khronos proposes that WebGL be switched off completely when the required security functions are lacking, but Microsoft argues that this workaround would confuse users.
Apple has also adopted a wait-and-see approach to WebGL, according to an email which stated that the technology will not be publicly available in the upcoming iOS 5. Instead, it will only be available to iAd developers.
- GDC: 3D in your browser – WebGL 1.0 is finished, a report from The H.