WebGL Security: The Backlash

24 Jun 2011 | By Alex Young | Tags webgl security

Web developers, like all developers, need good 3D support, and — as with Flash and Silverlight — browser implementers will need to be careful and thoughtful about how to expose that functionality securely on all operating systems.

- Mike Shaver

Last week, Microsoft voiced concerns over WebGL security on the Microsoft Security Research & Defense blog. Since then, prominent Mozilla and Microsoft employees have joined the discussion. The press tried to make this sound like an exciting backlash from Mozilla, but from what I’ve read, the response was well-tempered.

Avi Bar-Zeev had this to say, in Why Microsoft and Internet Explorer need WebGL:

Operating systems and security mitigation are what Microsoft is known for. It’s our bread and butter. Why would we run away from that challenge with such an alarmist attitude of “shut it off, shut it off, it might hurt me!”

And:

WebGL will be running on my PC and yours, one way or another. Microsoft will need to deal with it.

Elsewhere, Mozilla VP of Engineering Mike Shaver wrote A Three-Dimensional Platform, in which he states:

Microsoft’s concern that a technology be able to pass their security review process is reasonable, and similar matters were the subject of a large proportion of the discussions leading to WebGL’s standardization; I also suspect that whatever hardening they applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well.

However, the Mozilla Security Blog does contain this interesting bug report: WebGL graphics memory stealing issue

This issue allows attackers to capture screen shots of private or confidential information.

Although deliciously ironic, this is based on further research by James Forshaw. He wrote the post that was the epicentre for the WebGL security debate: WebGL – A New Dimension for Browser Exploitation.

