For the uninitiated, WebGL is a rather revolutionary API developed by the nonprofit Khronos Group. It allows plugin-free hardware-accelerated 3D graphics in HTML5 web browsers. It’s a pretty big deal, as it allows for rich 3D in any OpenGL-supporting browser or OS platform. Google and Mozilla both love it; Chrome and Firefox come prepackaged with WebGL support (and that’s exactly what this article has to do with Chrome). It opens up a vast arena of new software innovations for software developers the world over, particularly video game devs. Angry Birds in Chrome, anyone?
What’s more, they aren’t the only ones. Context Information Security, an independent computer security firm, released a pair of reports calling out WebGL on a number of design flaws and security issues. There’s actually some pretty serious stuff in those posts: the ease of stealing user information through a WebGL-supporting browser, how malicious code could be used to overload a graphics card and cause a BSOD, DoS attacks…the list goes on and on. All in all, it’s rather disheartening for anyone looking forward to the prospects of WebGL. As if all this wasn’t enough, Microsoft itself has weighed in, stating that WebGL graphics technology is too dangerous for Windows.
The announcement, made Friday on the Microsoft Security Response Center Blog, was signed by MSRC Engineering and posted by the Secure Windows Initiative Attack Team. For those of you who don’t know, this is the group responsible for the security architecture of Microsoft products. Basically, they’re the guys and girls who protect our computers from malicious code and attackers, patching up security holes where they find them. In this post, it’s very, very clear where Microsoft stands on the WebGL security issue: WebGL isn’t safe, and they refuse to support it in any fashion. They list three main reasons why they feel WebGL is a serious security threat:
- Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive. The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need to worry about before. Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern. We expect to see bugs that exist only on certain platforms or with certain video cards, potentially facilitating targeted attacks.
- Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience. As WebGL vulnerabilities are uncovered, they will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHV’s. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities. It is our belief that as configurations are blocked, increasing levels of customer disruption may occur. Without an efficient security servicing model for video card drivers (eg: Windows Update), users may either choose to override the protection in order to use WebGL on their hardware, or remain insecure if a vulnerable configuration is not properly disabled. Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process.
- Problematic system DoS scenarios. Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure.
Long story short, WebGL doesn’t meet Microsoft’s security requirements, and they’re not going to be endorsing it any time soon. While they do seem to have a list of valid concerns, there are a few folks who feel that there’s an ulterior motive to all of this: maybe the fact that both browsers which offer support for WebGL are direct competitors to Internet Explorer? Of course, it’s also worth considering that Microsoft is in the process of developing a tech that will function in a very similar fashion to WebGL: Silverlight 3D. More on that below.
To my knowledge, Google has yet to comment on the posts. On the other hand, Mozilla today responded to Microsoft with a rather scathing observation: Silverlight 3D opens the exact same security holes as WebGL does. If Microsoft could patch the security holes in Silverlight 3D, Khronos could do the same for WebGL. Michael Shaver, VP of Technical Strategy at Mozilla, had this to say:
Microsoft’s concern that a technology be able to pass their security review process is reasonable, and similar matters were the subject of a large proportion of the discussions leading to WebGL’s standardization; I also suspect that whatever hardening they applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well. That Silverlight supports Mac as well, where these capabilities must be mapped to OpenGL, makes me even more confident. The Microsoft graphics team seems to have done a great job of making the D3D shader pipeline robust against invalid input, for example.
I think that there is no question that the web needs 3D capabilities. Pretty much every platform has or is building ways for developers to perform low-level 3D operations, giving them the capabilities they need to create advanced visualizations, games, or new user interfaces…
It may be that we’re more comfortable living on top of a stack we don’t control all the way to the metal than are OS vendors, but our conversations with the developers of the drivers in question make us confident that they’re as committed as us and Microsoft to a robust and secure experience for our shared users.
Mozilla’s not alone in their support of WebGL. Google, Opera, and even Apple have all jumped onto the WebGL bandwagon. Even Microsoft isn’t entirely united in their stance against OpenGL. Avi Bar-Zeev, one of Microsoft’s top system architects, feels that Microsoft should reconsider their stance on WebGL. He feels that, rather than simply shut out support for WebGL, Microsoft should start looking for ways to fix whatever security issues are raised by the API. After all, he concluded, if we don’t take risks, we’ll receive no rewards. Some degree of risk is necessary if we’re going to advance the technology of the web, instead of simply allowing it to stagnate.
What’s more, he continues, if Microsoft simply refuses to search for security to protect users of WebGL, well…it’s not Khronos that will be held accountable when difficulties with WebGL and Windows arise; it’s Microsoft. Steps need to be taken to prevent that.
So, is WebGL harmful? Yes and no. At the moment, it does have the potential to be. But as Mozilla stated, if Microsoft could fix Silverlight 3D, Khronos can fix WebGL. For the time being, it is slightly insecure, and anyone who utilizes it should most definitely exercise more caution than they might usually demonstrate in their browsing practices. But that’s likely not going to last. It’s almost certain that Khronos (and all of the other companies who currently support WebGL) are working on security fixes for the software.
As for Microsoft’s stance on the whole thing, I’m with Mr. Bar-Zeev. Given how many companies are already offering their support for the new technology, it’s most certainly not going to go away. If Microsoft persists in their refusal to endorse the API, it could come back to bite them down the road. They could end up stubbornly standing alone, the only ones not offering support for an API that might well become the future of the ‘net.
“There is clearly only one direction forward for Microsoft and 3D on the Web. WebGL is the way.” - Avi Bar-Zeev