Coffeehouse Thread

48 posts

Microsoft -- Why no WebGL?

  • evildictaitor

    Or this one, which still crashes my NVidia graphics drivers (part of which run in ring0, and hence Chrome's sandbox is just window dressing).

    https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/lots-of-polys-example.html

  • Bass

    @evildictaitor:

    Or you can just run NoScript. Blocks Flash, all JavaScript (JavaScript itself is a liability), Java, Silverlight, and more! With a whitelist of course for sites you trust.

  • evildictaitor

    Bass wrote:

        @evildictaitor:

        Or you can just run NoScript. Blocks Flash, all JavaScript (JavaScript itself is a liability), Java, Silverlight, and more! With a whitelist of course for sites you trust.

    That's backwards. Why should I have to install a plugin to remove a feature that I never wanted from my browser and which reduces my security, instead of having to install it when I want to view a site running WebGL?

  • Bass

    Because all the things I mentioned are insecure. Hell, I actually somehow got rootkit'ed from a Java applet exploit once. Yes, really. Rootkit. From visiting a website as a non-admin. No f**king idea how that worked, to be honest.

    And JavaScript's data acquisition model itself is full of unfixable vulnerabilities even today. Forget about XSS? Guess what, still a problem! It can be used for identity theft, not just DoS attacks. Basically, people who truly care about their cyber security use a JS whitelist.

  • evildictaitor

    Bass wrote:

        Because all the things I mentioned are insecure. Hell, I actually somehow got rootkit'ed from a Java applet exploit once. Yes, really. Rootkit. From visiting a website as a non-admin. No f**king idea how that worked, to be honest.

        And JavaScript's data acquisition model itself is full of unfixable vulnerabilities even today. Forget about XSS? Guess what, still a problem! It can be used for identity theft, not just DoS attacks. Basically, people who truly care about their cyber security use a JS whitelist.

    What you're really saying to me is that Microsoft should somehow block Java applets from the Internet zone as well. I should really go and mention that to some of the IE guys and see what they say. Maybe they can shim it into Metro or something. That would be good.

    Also XSS doesn't install rootkits. If the server pushes down some script for you to run because the server is broken, well that's the fault of the server, not the fault of IE. That's not an exploit from the point of view of IE.


    Oh, and also you chose to install Java, because it's a plugin - hence you at least got to choose to make your browser insecure. Everyone using Google Chrome didn't choose to install WebGL, because it's not a plugin. I have absolutely no problem with WebGL being deployed as a plugin. I have a problem with my browser letting Russian malware sites talk to my insecure graphics drivers by default and without asking.

  • Bass

    XSS can steal your identity. I think that's worse than crashing your browser or some crap like that. That's not even considering that JavaScript implementations have historically been full of real security holes (like buffer overflows or privilege escalation holes) that could let malware through quite easily. And there is nothing magical about how JS engines are written today that would prevent this. Quite frankly, having a web browser with JavaScript is a serious security liability. I'm a little too lazy for NoScript (although I did use it for a while, back when disabling JS for 99% of the sites didn't break half the Internet) but I still run with FlashBlock. No Flash for me unless I explicitly authorise it.

    But we must balance security with functionality (you can't truly have both). As long as computers can do things, they can do malicious things. They can't easily tell the difference between them.

    Everything new is going to have untested security problems, that does NOT mean we shouldn't ever do anything new.

  • Bass

    Oh and you choose to install Chrome. Let's say WebGL comes to IE (which it should), you choose to use IE, or install Windows. You COULD use Lynx on OpenBSD, which is a good option if you want to be really secure. Nobody is forcing you to use any software. So I don't buy this argument.

  • evildictaitor

    Bass wrote:

        XSS can steal your identity.

    Only if I give my identity to a website that is vulnerable to XSS. That's like saying people can steal my credit card details by hacking into my bank. That's not a problem with my security - it's a problem with theirs.

    If someone wants to break into a server that I use, good luck to them. But when they try and break into my machine to steal my documents and credit cards, that's when I get angry that applications like Google Chrome are putting my security at risk.

  • evildictaitor

    Bass wrote:

        And there is nothing magical about how JS engines are written today that would prevent this.

    At least JavaScript was built with security in mind, bugs in JavaScript are actively patched by browser vendors, and in the event that they are exploited, they only get execution in low-integrity.

    WebGL on the other hand allows attacks on bits of my system that were never built with security in mind, are almost never promptly patched for security holes, and in the event that they are exploited they are already running as kernel and hence can load arbitrary drivers on my system without having to break out of a sandbox.

    I'm all for balancing security with functionality. I just don't think wizzy graphics in my browser are worth the ring-zero exploits that I have to pay to get them.

  • evildictaitor

    Bass wrote:

        Oh and you choose to install Chrome.

    When I installed Chrome WebGL hadn't been invented yet. WebGL silently appeared in Chrome without ever asking me.

    And if WebGL is unturnoffable and installed by default in Chrome, IE and Firefox as you so dearly want, then there will be no choice but for me to give up on my vain hope of having some control of what ring0 code lives in my system whenever I dare to fire up a browser.

  • Bass

    @evildictaitor:

    Well it could be prevented if you just disable JS. XSS needs JS to work, you know.

  • Bass

    @evildictaitor:

    evildictaitor wrote:

        *snip*

        At least JavaScript was built with security in mind

    JavaScript was built by a guy in a week to make a language that "looks like Java". True story. There wasn't much thought into producing it at all, anything on top of JavaScript has always been a series of hacks to get around limitations in the language. It's not your security team's favourite language, that's for sure.

  • evildictaitor

    Bass wrote:

        @evildictaitor:

        Well it could be prevented if you just disable JS. XSS needs JS to work, you know.

    It also needs you to put your identity into the webpage for it to steal it. A ring-zero exploit in WebGL needs no such user-interaction. It can just install a driver and steal all of your keystrokes and files directly to the Russian hackers that installed it.

  • evildictaitor

    Bass wrote:

        @evildictaitor:

        *snip*

        JavaScript was built by a guy in a week to make a language that "looks like Java". True story. There wasn't much thought into producing it at all, anything on top of JavaScript has always been a series of hacks to get around limitations in the language.

    Microsoft's implementation of JavaScript wasn't. And neither was Google Chrome's or Firefox's. Just because the syntax was bad, doesn't mean the implementation was.

    Unfortunately WebGL, no matter how good the implementation, is still all about shoving attacker controlled data directly up to your ring-zero drivers that are not built by the security teams of Microsoft, Google and Mozilla who understand the risks of Russian malware sites. They are built by the graphics teams of Intel, NVidia and ATI who care rather more about how many polygons they can draw per frame, because that's how you sell GPUs.

  • Bass

    @evildictaitor:

    You still have to take a lot of the problems with JavaScript with you if you build a compatible runtime.


  • PaoloM

    Bass wrote:

        It's not just a standard, it's a web standard.

    Now you're just making s*it up. What the hell is a "web standard"?

    It's either supported by a standards organization or it's not. And no, the Khronos Group or even the W3C are NOT standards organizations. For that look at ISO, ECMA, DIN, etc... everything else is just boys playing with sticks.

  • Bass

    @PaoloM:

    Read the website I linked to, it's specifically advertised as a "web standard" and is underwritten by pretty much all the browser makers in that manner.

    If you want to pop off on me about that, go right ahead. I don't care. The fact is WebGL is advertised as a web standard, and that's what I am going to call it.


  • AndyC

    evildictaitor wrote:

        *snip*

        Silverlight is a plugin, and IE makes no attempt to secure it as you rightly point out. On the other hand, Silverlight webapps are not native programs. They are sandboxed by Silverlight in much the same way that Javascript is sandboxed by IE.

    Well more like Flash code should be sandboxed by the Flash runtime, it's a slightly different thing (which is not to say Silverlight shouldn't sandbox things). The minute you click "Yes, I want to let this ActiveX control run on this page", you might as well be clicking a "Yes I want to download and run this .exe file". And that's what separates plugins, with all their flaws, from things like WebGL which are basically baked right into HTML.

    Bass wrote:

        If you want to pop off on me about that, go right ahead. I don't care. The fact is WebGL is advertised as a web standard, and that's what I am going to call it.

    Thankfully the rest of the world doesn't follow such a dumb principle. Otherwise Flash would be advertised as "a web standard" and so would ActiveX, PDF, Quicktime, Angry Birds.... ad infinitum

    Something doesn't get to be a standard just because the group who thought it up decide to declare it one.
