html5 security features at app sec usa

speaker: Johannes Ullrich

HTML 5 risky business or security toolchest at app sec usa

HTML 5 is

  • Collection of JavaScript APIs
  • Features to enable modern desktop like applications or support mobile devices
  • Your browser supports HTML 5 even if you don’t use it [well, pieces of it]


  • Inclusive authentication – proof of identiy of user
  • Exclusive authentication – disprove the identify of the user – for example, IP address isn’t for authentication bu can be second level such as making sure in network after log in. Similarly can use GPS
  • Half factor – password or token – attack whichever is weaker

[I missed the part about local storage because I was focused on trying to connect to the internet – remember humans can’t really multi-task]

Login with touch

  • Circle fpart of image. Don’t circle faces. Everyone does that.
  • Android has connect the dots where you pick the pattern. Most people pick a common pattern ike the leter C


  • Can do videoconferncing with just HTML5
  • Could use faes, hand signals/gestures or fingerprint
  • Not there yet. Hard to use when insufficient light
  • Can only reognize about 100 different patterns right now for faces
  • Apple not giving access t fingerprint reader yet
  • Ok as second factor, but not ready for primary use. More of a gimmick than an authentication feature right now


  • Can detect camera moving
  • Too much noise for authentication. Too hard to make same pattern repeatedly
  • Better for detecting whether walking or if on phone


  • Only Safari has push notifications with browser closed
  • Local notifications widely supported. Good for finding out if have mail
  • Could use like SMS messages for security. “Someone else logged in as you”. Proactively notify users of security events.
  • Often have to accept acount sharing. Let user decide what to do

URLs: – what browser support which features – has demo

My take
The client side hash is really interesting. It would be nice if browsers would help with/encourage that.

Leave a Reply

Your email address will not be published.