The WebGL Battle in the Great Browser Wars
"WebGL has security implications, but Microsoft complaining about web security after the ActiveX debacle is like an arsonist warning you about your home's fire safety," said Hyperlogos blogger Martin Espinoza. "Sure, they might know what they're talking about, but you get a creepy feeling listening to them either way."
Jun 27, 2011 5:00 AM PT
Even on the sunniest, most peaceful days here in the Linux blogosphere, it's a pretty safe bet that the Great Browser Wars are still being waged somewhere, whether or not we can actually overhear the particular skirmish of the moment.
Last week, however, the din of the battle roared loud enough for all to hear as Microsoft and Mozilla come to blows.
There was Mozilla's declaration that it doesn't care about enterprise users, of course -- which Microsoft seized with glee as an opportunity to promote Internet Explorer.
Even before that, though, the drumbeats were already signaling trouble brewing on the topic of WebGL.
"We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities," Microsoft asserted in a blog post on its Security Research & Defense site. The post was based largely on research conducted by Context Information Security.
"In its current form, WebGL is not a technology Microsoft can endorse from a security perspective," Microsoft proclaimed.
'An Alarmist Attitude'
WebGL, of course, is a standard used to deliver 3D graphics within the browser. It's used by both Mozilla's Firefox and Google's Chrome but -- you guessed it -- not Microsoft's Internet Explorer.
Not, mind you, that IE itself is immune to comparable problems.
"Microsoft is doing something similar with Silverlight 5, where they're bringing XNA Graphics to Silverlight 3D," noted Mike Shaver, Mozilla's vice president of technical strategy, in a blog post soon afterward Microsoft's proclamation was delivered.
There was even a rebuttal to Microsoft's purported concern from none other than one of Redmond's own -- principal architect Avi Bar-Zeev -- on his own personal blog.
"Operating systems and security mitigation are what Microsoft is known for," Bar-Zeev wrote. "It's our bread and butter. Why would we run away from that challenge with such an alarmist attitude of 'shut it off, shut it off, it might hurt me!'"
Bottom line? No end of discussion down at the blogosphere's Broken Windows Lounge.
'Like an Arsonist Warning About Fire Safety'
"WebGL has security implications, but Microsoft complaining about web security after the ActiveX debacle is like an arsonist warning you about your home's fire safety," Hyperlogos blogger Martin Espinoza told Linux Girl. "Sure, they might know what they're talking about, but you get a creepy feeling listening to them either way."
Security patches for Silverlight seem to be issued "on a regular basis," Espinoza noted, so "I can only assume that Microsoft is attempting to stall WebGL until they can come up with an incompatible alternative which has all the same security implications, which they will nonetheless claim is more secure."
Indeed, "this is why Microsoft should have been paying attention to privilege escalation exploits instead of just remote like the rest of the OS world," consultant and Slashdot blogger Gerhard Mack agreed. "If WebGL is a security nightmare on Windows then so is silverlight."
'At Least We Have the Source Code'
"Microsoft's crying wolf about WebGL being 'bad' is just a knee-jerk response to their market lock slowly slipping away," Hoogland asserted.
"If 3D can move into the browser (and thus cross platform), their closed source DirectX will become less relevant," he explained. "If DirectX becomes less relevant, so does the need for PC gamers to be running Windows."
In the end, "WebGL can't possibly have any more loopholes than the commonly used, closed source Adobe flash -- which is exploited all the time," Hoogland concluded. "At least with WebGL we have source code to find the bugs before they are exploited."
'The Usual Opinions for Hire'
Barbara Hudson, a blogger on Slashdot who goes by "Tom" on the site, questioned the authority of Context, the company whose data essentially started the whole debate.
"How much faith can I put in a company that says, 'the company was founded in 1998 with the aim of providing holistic security services,' but only got a web site 2 years ago; whose 'Our clients' page doesn't name a single client; and whose 'Our people' page doesn't list a single human being?" Hudson pointed out.
"None, zero, nada," she said. "They sound too much like the usual 'opinions for hire.'"
Context's claims, meanwhile, focus on the fact that "neither Chrome nor Firefox passed the 144 Khronos conformance tests for WebGL, including a number that are directly related to security," Hudson pointed out.
"Big deal -- absolutely nobody expected full conformance in an initial developmental release," she added. "Even they admit as much."
In other words, "current implementations of WebGL perform as expected," Hudson concluded. "Film at 11."
Of course, that's on top of the fact that "a security endorsement from Microsoft is a red flag that your software is 'ready-to-p0wn-2.0 compliant,'" she added.
'A BAD Idea'
Slashdot blogger hairyfeet agreed with Microsoft's take on WebGL.
The technology is a "bad, bad, BAD idea," he began.
"First of all, what is the buggiest driver on ANY system? Why the graphics driver, of course," he pointed out. "What driver is the most likely to NEVER be updated? Why again graphics of course!
"So here you have the device with the least stable drivers (which equals ease of buffer overflows and other bug attacks) and the least likely to get updated, so all they need is ONE working exploit to own literally tens of thousands to hundreds of thousands of machines," hairyfeet told Linux Girl.
'The Pot Calling the Kettle Black'
Blogger Robert Pogson, however, took a more measured view.
"WebGL is risky business, just like downloading any content from the web with that other OS," Pogson pointed out. "There may be uses for WebGL, but I can get away without it and do everything I need/want to do on the web."
For those who do want 3D content from the web, "it is a risk they are willing to take," he noted. "Make it optional and secure it as best you can. Get on with it."
The fact remains, however, that Microsoft "has done far more risky stuff in the past," Pogson pointed out. "They are the pot calling the kettle black."