Relax everybody, HTML5 is much securer than you think

Conference Day - 21 May
10:45
Application Security
Room Rheinauen
Basic

Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has led to a general perception that HTML5 itself (whatever the term actually stands for) is insecure and should therefore be avoided for security reasons. This is highly unfortunate, as the current generation of new Web APIs exposes a level of security sophistication that is unparalleled in the Web's history. In fact, new browser features such as CORS or postMessage allow, for the first time, use cases to be realized securely which, up to now, required programmers to resort to insecure programming practices.

In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases.

Plainly speaking, you can consider this talk an "information security deathmatch - HTML5 vs. its alternatives" (spoiler: HTML5 wins).
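The abstract's point about CORS and postMessage is that both make the sender's origin an explicit, browser-enforced input to an access decision, which the older workarounds (JSONP, fragment-identifier messaging) never had. The following is an added illustration, not code from the talk or the speaker: the origin checks on both sides written as plain functions so they run under Node, with the allowlist, message events and request origins constructed for the example.

```javascript
// Added example (not from the talk). Origins and payloads are constructed.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);

// postMessage receiver: a MessageEvent carries event.origin, which the browser
// fills in and the sender cannot forge. The legacy fragment-identifier channel
// had no such field, so a receiver had to trust whoever wrote the fragment.
function acceptMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  // Even from a trusted origin, treat the payload as data, never as code.
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.action !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  return { accepted: true, action: d.action };
}

// postMessage sender: naming the target origin makes the browser drop the
// message if the target window has meanwhile navigated elsewhere, whereas
// "*" delivers it to whatever document is loaded there.
function buildPostMessageCall(targetOrigin, data) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin for sensitive data");
  }
  return { targetOrigin, data };
}

// CORS server side: answer the Origin request header from an allowlist, never
// by echoing whatever origin the request carried. JSONP, by contrast, handed
// the whole response to any origin as executable script.
function corsHeaders(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) {
    return {}; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, not "*"
    "Vary": "Origin",                             // keep caches per origin
  };
}
```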

Dr. Martin Johns

SAP Research
Dr. Martin Johns is a Senior Researcher in the Security and Trust group within SAP Research, where he leads the Web application security team. Currently, he is coordinator and scientific lead of the EU FP7 project WebSand. Furthermore, he serves on the board of the German OWASP Chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany and TC TrustCenter). He holds a Diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau.