Coffeehouse Thread

48 posts

Microsoft -- Why no WebGL?

  • IDWMaster

    Earlier Microsoft made its infamous decision that WebGL is inherently insecure because it allows access to your GPU. Why, then, is Silverlight secure? Silverlight 5 gives web pages the same type of access. It should also be pointed out that Canvas2D is now GPU-accelerated in Windows anyway; if an attacker misused even a 2D context, based on your theory it could then be used to compromise a system via a DoS attack in the same way that it could supposedly be compromised in an attack on a WebGL implementation. Security is not usually an issue within a specification of a technology, but is usually an issue within its particular implementation. If Silverlight can be implemented "securely", why can't WebGL? I do encourage you to read this argument about enabling WebGL. Although somewhat strongly worded, he does explain how WebGL can be implemented securely. It's also sad to see that Windows 8's Metro browser has absolutely no 3D support of any kind, including Silverlight. For a company claiming to support HTML5 and use it to innovate the web, it is not a good idea to pick and choose only a small subset of HTML5 features. Other browsers such as Chrome and Firefox are known for their frequent updates, which actually add new features to the browsers on a regular basis. I do hope that Microsoft chooses to reverse some of its business decisions regarding these matters; and your browser, and your new OS would become much more popular among consumers.

  • figuerres

    well for a start try this out:

    WebGL is a way to call OpenGL calls from a web page.

    Silverlight is a high level language that indirectly calls the host system. on Windows it calls DirectX

    *BUT* the Silverlight app does not make *DIRECT* calls to DirectX

    so while Silverlight can create graphics it is not the same.

    Honestly IMHO if you need to do a lot of animated graphics should it be a web page?

    if for example it's a game I would rather have a native app that runs w/o a browser in the middle.

    that's just one example.

  • Ray7

    A web page having direct access to your hardware.

    *shivers*

     

  • fanbaby

    @IDWMaster: I used to care, but really, who cares? You got all the other browser makers supporting it. You can use it and teach it. This isn't 2000-2007-ish where the web was IE you know, and thank the universe for it.

  • AndyC

    Again? Really?

    1. Silverlight is a plugin, which means that to all intents and purposes it's a native code executable. There is no point trying to prevent native code executables from calling native code, it just can't be done. Any security flaw in a native executable, be it Silverlight, Flash, Acrobat or any .exe is as risky as any other. This is why modern browsers allow you not to load executable code from iffy websites or, better yet, ban it entirely. By contrast, WebGL would be right inside HTML, there is no opt-in choice. Any power you grant to WebGL is granted to the entire web.
    2. WebGL doesn't solve real web problems, it's about graphics card manufacturers wanting to be able to sell high-end hardware to people who just want to surf the web. This is why blindingly obvious functionality like being able to put arbitrary HTML content on 3D surfaces is entirely ignored, because getting that working and usable is far harder than just exposing a stripped down portion of OpenGL.
    3. The spec itself contains security issues. Not purely implementation ones due to bugs, but fundamental security design problems, which are far harder (maybe even impossible) to resolve down the line. When pointed out to the Khronos group, the "fix" was to add more functionality to OpenGL instead to try and mitigate them (it didn't BTW). That's like discovering a design flaw in DirectX and suggesting you can fix it by changing GDI. It's just stupid.

    For far more involved discussion, see the six and a half billion other threads on why WebGL is a mess.

  • Blue Ink

    IDWMaster wrote:

    For a company claiming to support HTML5 and use it to innovate the web, it is not a good idea to pick and choose only a small subset of HTML5 features.

    For the umpteenth time: Khronos is not the W3C; the fact that they self-proclaimed WebGL a "web standard" doesn't make it part of HTML5. Thank the universe for it.

  • evildictaitor

    AndyC wrote:

    1. Silverlight is a plugin, which means that to all intents and purposes it's a native code executable. There is no point trying to prevent native code executables from calling native code, it just can't be done.

    Silverlight is a plugin, and IE makes no attempt to secure it as you rightly point out. On the other hand, Silverlight webapps are not native programs. They are sandboxed by Silverlight in much the same way that Javascript is sandboxed by IE. That's not to say that bugs in the sandbox don't prevent websites from getting native code execution - after all, that's what an exploit is, but let's be clear that Silverlight really should be trying to prevent web sites from calling native code, because I really don't like the idea of a website asking Windows to write a file to disk and CreateProcess it.

  • evildictaitor

    figuerres wrote:

    if for example it's a game I would rather have a native app that runs w/o a browser in the middle.

    ++. For one, the game would be able to spend its time loading content and drawing graphics for me using its highly optimised C code for me to play with rather than spending time constantly jitting JavaScript into poorly optimised assembly code with every index into every array getting checked, no types to help the compiler out and the bulk of having a full web-browser bolted on to what I actually just want to be an internet connected game in an executable.

  • Bass

    I think they probably think WebGL will give OpenGL some legitimacy they don't want it to have. Because if more people use OpenGL, that's less reason to use Windows because OpenGL runs everywhere.

    Microsoft is a company that still relies on "proprietary standards" to make their own platforms more appealing. Consider that even a lot of Linux fans run dual boot so they can play games.

  • evildictaitor

    Bass wrote:

    I think they probably think WebGL will give OpenGL some legitimacy they don't want it to have. Because if more people use OpenGL, that's less reason to use Windows because OpenGL runs everywhere.

    It's because it's not a standard - it's a shim between JavaScript and OpenGL. It's like me deciding to introduce pinvokes into JavaScript, calling it WebPinvoke and trying to force vendors to support it.

  • magicalclick

    Simply put, it is an ActiveX where you have no way to disable it or not knowing it is enabled by default, and not knowing how insecure you are when you run this ActiveX control.

  • Bass

    @evildictaitor:

    It's a Khronos Group-backed standard, which is a member-funded standards consortium that represents a wide swath of the technology industry. Microsoft remains the only major web browser vendor that is not onboard with WebGL development or implementation.

     

  • evildictaitor

    Bass wrote:

    @evildictaitor:

    It's a Khronos Group-backed standard, which is a member-funded standards consortium that represents a wide swath of the technology industry. Microsoft remains the only major web browser vendor that is not onboard with WebGL development or implementation.

    That's because it's not a standard. It's a shim to OpenGL. Microsoft would probably back it if they did a proper security job like they did with the <video> tag in HTML5 - by seriously locking down the number of codecs that are available and saying speed is important when playing a video, so let's not use JavaScript to draw everything and have direct lines of communication between websites and the graphics driver.

    If there were some hypothetical 3D for web (let's call it Web3D) that was built from the ground up with security in mind, was all sandboxed, and was written in such a way that you could do stuff fast and securely, then maybe Microsoft would get on board.

    But as it is, it's just bolting OpenGL to the side of a browser and then hoping that the guys that wrote OpenGL and the guys that wrote the graphics drivers that have to run the geometry and shader pipelines built it securely enough to cope with Russian malware domains throwing dodgy bytes at them.

  • Bass

    @evildictaitor:

    I wonder where all these Microsoft security people were when Silverlight 5 was released with shader support.

     

  • PaoloM

    @Bass: Probably doing a much better job at understanding the issue.

    You can disable/uninstall Silverlight and you have to install it when a website uses it. WebGL is just there, opening a nice comfortable path for anyone wanting to inject code on your system. Can you see the difference?

    Besides, it's not a standard.

  • Bass

    PaoloM wrote:

    @Bass: Probably doing a much better job at understanding the issue.

    You can disable/uninstall Silverlight and you have to install it when a website uses it. WebGL is just there, opening a nice comfortable path for anyone wanting to inject code on your system. Can you see the difference?

    I don't really see the difference, especially considering by Microsoft's own estimates 60% have Silverlight installed. Flash supports accelerated 3D with shaders, and really how many people don't have Flash installed? If it was a major security problem it would have manifested itself by now.

    Besides, it's not a standard.


    It's not just a standard, it's a web standard. Go ahead and try to convince all the browser makers outside of Redmond as well as the Khronos Group otherwise.

  • evildictaitor

    @Bass: Not me. I don't have Silverlight installed because I don't want websites running shaders on my poorly written NVidia drivers.

    Sadly though, I do have WebGL because Google Chrome installed it without asking me, I have no intention of ever using it, and it makes my entire system much more vulnerable to Russian exploit sites - and hence makes me much more likely to lose my credit card details.

    At least if I lost my credit card details to Silverlight I'd have actually chosen to install it.

  • evildictaitor

    Bass wrote:

    If it was a major security problem it would have manifested itself by now.

    You mean like this one: http://www.kitguru.net/software/security-software/carl/webgl-exploit-opening-browser-users-to-serious-attacks/
