Microsoft is right to label WebGL 'harmful'
While Firefox and Chrome browsers already support WebGL, along with development versions of Opera and Safari, Microsoft has said that it has no plans to make Internet Explorer support the 3D graphics software library, and branded it a 'harmful' technology.
Microsoft's right.
Note: Mozilla were the original authors of WebGL but the project is now handled by the not-for-profit consortium The Khronos Group.
Now don't get me wrong, you can do cool stuff with WebGL. Really cool, impressive stuff that allows web browsers to deliver 3D graphics along the lines of a computer game. But the problem is that while you can do some really cool stuff with WebGL, because the technology gives web sites direct access the to low-level hardware functions, bad things can be done with it too.
Microsoft has outlined its concerns over WebGL pretty clearly:
"The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need to worry about before," Microsoft's engineer claims. "Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern.
These are all valid points. Driver security would be a major issue, and it's something that people haven't needed to worry about that much up until now. OEMs would need to significantly harden their drivers, while system using old, insecure drivers would need to be blocked from being able to make use of WebGL altogether until the drivers could be updated, or permanently if the hardware is end-of-life. Given the huge market share that Internet Explorer commands, and the wide array of platforms that the browser runs on, Microsoft is, I think, doing the right thing in playing it safe.
[poll id="641"]
But wasn't Microsoft the company that unleashed ActiveX onto unsuspecting Web users? Sure it was. Web-based ActiveX controls were a really bad idea, but I'd like to think that the company has learned from previous mistakes. There's no way that Microsoft would bake a technology like ActiveX into the browser given the current security pressures on the browser.
But how bad is WebGL? Security firm Context has found a number of issues with WebGL, two of which stand out:
- Document leakage via memory theft
- Denial of Service (DoS)
Pretty serious stuff. Overall, Context is pretty damning of WebGL, even critical of the mechanism designed to protect users from DoS attacks:
Furthermore, Context's research found that Khronos' recommended defence against the DoS issue (WebGL_ARB_robustness) is not fit for purpose. First, only certain chipsets and operating systems (NVidia on Windows and Linux) support this feature. Moreover, this extension only offers mitigation, not a comprehensive solution to WebGL DoS issues.
While there are undoubtedly upsides to WebGL, the downsides are a major worry. WebGL security will undoubtedly improve as time goes on, bit for now Microsoft made the right choice to give it a wide berth.