WebGL security roundup

In place of the regular WebGL roundup, here’s an update on the state of play regarding the security issues that were raised last week. You might also like this post on ReadWriteWeb.

In our last episode, Context, a security firm, announced that in addition to the (fixed) cross-site image problems and potential for rogue shaders freezing WebGL browsers, they’d also found a way that could allow attackers to write pages that (on Mac OS X and Windows XP only) could view other parts of the user’s screen. A fix for this problem was made live in Firefox 5, released 21 June; for whatever reason, Context chose to announce this vulnerability five days before the scheduled release. Microsoft also chose the same day to weigh in with a blog post entitled “WebGL considered harmful”.

Now read on…

On 16 June, Microsoft Principal Architect and 3D expert Avi Bar-Zeev blogged “Why Microsoft and Internet Explorer need WebGL (and vice-versa)” — which shows that Microsoft (like any large organisation) has different people with varying views. He writes:

[i]f Internet Explorer does not support WebGL and WebGL nevertheless becomes the de facto standard for 3D on the web (which it will, IMO), then IE will be in an uncompetitive position to either help fix any problems and moreover retain or grow market share relative to other browsers. That would be sad, esp. given how long the product cycles are and how long it would take to course-correct. We could miss the boat entirely.

On the 20th, Mozilla’s Benoit Jacob submitted a bug report to Microsoft regarding a problem in Silverlight 5. Yes, you guessed it — there are “Problematic system DoS scenarios” (to quote Microsoft’s “considered harmful” post) in it. Now, Silverlight 5 is beta, and Microsoft say in their responses to the bug report that the problem has been fixed in their release candidate. But as Mozilla VP Mike Shaver points out, if it’s fixable in Silverlight then it will be fixable in WebGL; and Mark Callow points out on the WebGL developers list (oddly not showing in the archive) that having Microsoft’s weight behind fixing bugs in graphics drivers could be very useful.

Finally, on 21 June, Gregg Tavares (who works for Google, but blogging in his personal capacity) posted a nice — if somewhat grumpy — explanation of the current situation, albeit claiming that Context were hired by Microsoft (which would be interesting if true, but I’ve not seen any evidence for it yet).

So, what’s the current situation? Well, Context have found two security holes and one possible Denial of Service attack in WebGL. The security holes have been fixed in the current releases of the two WebGL-supporting browsers. The DoS remains possible; however, it’s also present in the Silverlight 5 beta and will be fixed in the release version, so if it’s a “real” fix then something similar will get into WebGL implementations swiftly.

In the meantime, certain people at Microsoft are saying that WebGL is a bad thing; it would be easy to see this as a conspiracy of some kind, or an attempt by MS to create FUD about a technology they don’t control (and Tony Parisi, co-creator of VRML, makes an interesting argument for that case), but there’s no definite evidence — and it certainly seems like there are at least some people there who think that WebGL is the way forward.

8 Responses to “WebGL security roundup”

  1. Meteor says:

    I like Firefox and Chrome. I don’t like IE.
    We need to improve WebGL by ourselves. Don’t put hope on Microsoft.
    Microsoft will not rescue us.

  2. giles says:

    Indeed. But Microsoft are complaining that WebGL has particular security flaws. Silverlight 5 beta has the same security flaws. So if they can fix the flaws for the final release of Silverlight, which they claim they have done, then we can see what they’ve done and adopt a similar solution.

  3. Paul Brunt says:

    Great round up of the debate so far. I did find the Silverlight bug report amusing, who says “To clarify the earlier statement”?! Unless they’re a lawyer :-) Still, it seems like MS are actually letting their devs off the leash a bit, which is fantastic!

  4. OpiF says:

    I hope MS doesn’t plan on pushing its own technology instead of open standards _again_. We’ve all seen it happen before, and nothing good can come from this tactic.
    Besides, Silverlight isn’t even all that popular, and even people working for Microsoft tend to avoid using it (www.ageofempiresonline.com used to have two video players available for their teasers, the default Silverlight, and Flash via YouTube, and since a while ago, they no longer have Silverlight ;] ).

    IMO there’s nothing to gain here for MS if they choose not to support WebGL, but there’s a whole lot of potential market share to lose. I don’t see myself developing for cross-browser compatibility in 3D graphics. I mean, I’m willing to go for a tweak or two, but if IE won’t have WebGL support, I’ll just put a label on my websites: “best viewed in anything but IE”.

  5. IMHO, it seems as though MS is still acting as if we’re in the early ’90s and they can push their Web equivalent of DirectX down our throats. The fact is that the world has changed, and MS is just one player in a much broader scheme. This is only the next evolution of the Web, which virtually by definition requires an open, cross-platform standard. Trying to force out the “competition” is, I believe, going to backfire drastically — especially when one considers that developers everywhere can and will make use of compatibility layers, or simply flat-out require standards-compliant browsers.

    With that, I’ve started work on a fully standards-compliant WebGL compatibility layer designed specifically to help alleviate the IE issue. It is essentially a pure-JavaScript wrapper around Canvas2D, which is (thankfully) hardware accelerated in IE. My first experiment into this (a single rotating VBO-like object containing 20 triangles) yielded 42 fps in IE, where Chrome scored only 15fps.

    I know Chrome Frame does basically the same thing (and it’s faster too), but the hard part is getting IE users to install Chrome Frame — assuming they don’t have an IT department that outright prevents it. The JS library will default to WebGL if available, so using a JS layer as a last-ditch failsafe in the interest of interoperability couldn’t hurt.

    The project is largely experimental and just getting started at http://github.com/sinisterchipmunk/webgl-compat . Obviously, it’s a sizable project; if anyone’s interested in helping out, please feel free to fork the project, commit some code and send me a pull request.

  6. Lindsay Kay says:

    As far as I can tell OpenGL (and hence WebGL) is the ACM preference for various university degree programs, so it’s way more prevalent in 3D research than anything else.

    OpenGL is within VTK, OpenSceneGraph, rendering platforms used by Pixar, Weta etc.

    That gives me confidence in WebGL’s survival, and inconvenient as this MS fiasco is right now, I think due to all this grassroots investment by some pretty big players, I’m not too worried about its longer-term effects.

  7. Lindsay Kay says:

    This looks interesting: http://iewebgl.com/index.html

    A plugin to add WebGL support to IE9.

  8. TheNut says:

    You can’t blame MS for trying. They have a history of security issues and have to demonstrate they take the situation seriously (albeit overly zealous IMO). If these issues existed in IE, it would make headlines and once again MS would be put in the spotlight. There is of course the other side as well. Silverlight, IE, D3D (to a small extent), and millions in investments risk losing market share, so that’s another front they have to protect.

    HTML finally caught up with technology. The possibilities with HTML 5 are evident, and web gaming has been brought to a level that surpasses present day plug-ins, notwithstanding Unity. I have no doubt that developers will continue to push this technology, with or without consent from MS. The ball is rolling and you can either roll along with it or get left behind. Avi Bar-Zeev’s blog post nails it down quite nicely. Unfortunately for MS, they cannot easily endorse WebGL given their history with OpenGL. They’re stuck between a rock and a hard place.

    The only thing remaining for WebGL is to secure its presence on the web, which at the time seems reserved to technologists and hobbyists. As more consumers engage in 3D gaming on the web (or even 2D gaming utilizing WebGL features), the demand will no doubt persist and grow exponentially. That will essentially put an end to the debate.
