The Inquirer-Home

Mozilla rejects Microsoft criticism of WebGL

New capabilities bring new risks
Tue Jun 21 2011, 16:32

WEB BROWSER MAKER Mozilla has rejected criticism by Microsoft that WebGL is insecure.

The organisation's VP of technical strategy, Mike Shaver, wrote in a blog post that Mozilla is working to address bugs in the specification itself and in Mozilla's implementation in Firefox, which have caused concern among a number of security professionals, including Context IS and Microsoft.

Shaver said that the web needs 3D capabilities and that all browsers either have an approach or are developing one. He gave the examples of Adobe's 3D for Flash project, codenamed Molehill, which will be similar to WebGL, and even Microsoft's own Silverlight 5.

He claimed that adding new capabilities to web browsers will initially expose parts of the application stack and that even improvements to existing capabilities could open up new threats. In other words, he's telling Microsoft to back off, as it's early days yet with WebGL and Firefox, and security holes are a natural part of new technology.

Shaver said that Firefox has a number of mitigations against WebGL threats, including a regularly updated driver whitelist, which he equated with the driver-blocking model used in Silverlight 5. He said Mozilla is also working on extensions to OpenGL to make it safer.

Instead of directly attacking Microsoft over its dismissal of WebGL, Shaver commended the company for its work on the D3D API used in Silverlight 3D, which he said is robust. He added that he believes this technology could be carried over to a Microsoft implementation of WebGL, addressing the main concerns Microsoft had with it, which related particularly to low-level things like OEM drivers.

Microsoft claimed that WebGL is so insecure it could be used to make consumer PCs the targets of Distributed Denial of Service (DDoS) attacks, and that it will therefore not pass its Security Development Lifecycle requirements.

Shaver said that all developers will need to weigh up the benefits of adding new functionality to web browsers against the potential security risks involved. µ

 
