> But since when did a security flaw mean that we throw the entire piece of technology out?
Maybe when that piece of technology involves taking large amounts of code running at elevated privilege, and that was written by people who assumed that it would NEVER be exposed to untrusted code, and exposing it to untrusted code?
Flash won the early online game battle against ActiveX. We all know how flash is positioned these days. It's not a question of regard, but market penetration.
Apple has very successfully marketed OS X as being "virus free." When every browser but IE is suffering serious vulnerability problems, IE will look very good.
...except that there are dozens of other sources of "serious vulnerability problems" besides WebGL.
IE has had plenty of critical security holes in the past without WebGL, and avoiding WebGL is not going to magically make them secure in the future. (Just look at the history of the pwn2own contest, for example.)
I don't buy this at all. First of all, the GPU is a sandboxed environment. I don't know of way to successfully go from shader code on the GPU to actually take over a machine and get elevated privlidges.
Secondly, Flash (and I believe Silverlight) will also be allowing users to provide shaders that flash will compile to native languages for GPUs. Which WebGL implementation currently out there do also, they compile the shaders first, check them and test them. (Check out the Angle project). While none of these things eliminate the risks, they are steps in securing the technology and more work is being done to make WebGL as safe as it can be.
The fear that shaders provided by the server can lock up your gpu en in effect crash your computer are also something that is being addressed. There was an article by Gregg Tavares that explained how on Windows, it's possible to time the operation on the GPU and reset the GPU if it takes too long to respond.
As far as running code at elevated privileges. I don't see how that's true. First of all, the browser is running this code in a process that has no access to the file system, other process etc. Drivers are mostly user space with a little bit of kernel space code. I'm sure the risks do exists that that level but again, securing this level should already be something Microsoft be working on and forcing Nvidia/ATI/Intel to do the same. And this isn't exactly an easy hack to do regardless, you have to code stuff for a wide range of drivers to make your hacks effective and also manage to get a lot of people to visit your site.
The worse case here is Intel graphics that use the CPU for some of the work. In this case a bug could be used to execute abitrary code and hack the machine.
I hope I don't sound like I'm saying that the security issues don't exists. What I'm trying to say is while they are there, there is work to fix them and render WebGL safe. WebGL just came out, if in 2-3 years it turns into the hell that ActiveX was then I'll agree it was a bad idea but so far I don't see this getting anywhere close to that level.
So, Microsoft, does this mean you are going to kill 3D support in Silverlight, or does it mean you will add WebGL support to Internet Explorer?
Or are you going to fix Silverlight? Oh, you already did? Umm... well, then I guess we better get around to fixing our browsers, rather than putting our feet in our mouths.
Microsoft has reported that they fixed silver-light but haven't actually released the fix (for the latest report that I'm assuming you're referring to that was posted on HN yesterday).
Correct. Silverlight 5 is still in beta. They said that they had fixed the issue and will be part of a future release -- of a product that is currently in beta. You typically don't rush out fixes for beta versions of products.
You're missing the point - if it's a fundamental architecture flaw that cannot be fixed, then Silverlight in its current (beta) form suffers from the same problems.
You typically don't rush out fixes for beta
versions of products
You can find fixes of open-source projects as soon as they are committed.
Microsoft made a bold claim, people are curious about how they fixed Silverlight if indeed they did that. If not a new Silverlight release, than at least write some kind of blog post explaining what's different in Silverlight.
But I'd bet this is typical of Microsoft; right hand, meet left hand, please communicate :)
> You can find fixes of open-source projects as soon as they are committed.
That might be relevant if it wasn't for the fact that Silverlight is not open source. They are under no obligation to show/blog their fix until they actually release. In fact, they would probably want to withhold it as long as possible if their intent is to damage WebGL.
If it's typical for Chrome, a web browser with a hefty market share, and we're discussing Silverlight, a web technology, it seems highly relevant. If Google can release frequent beta updates to a web technology product with potential GPU-related security holes, why not Microsoft?
A [somewhat exaggerated] summary: "there are so many security holes in web browsing already, why do you begrudge us a few more?". OK, I admit there is a kind of madhouse logic to this which I can't refute. There is already a flood of patches that I need to apply about every 5 minutes to something or other, and that's just the vulns that got identified and reported.
I certainly agree that nobody will be able to stop this - developers want the API, users want the games.
WebGL is currently turned on in Chrome 12, and the only way to turn it off is to add -disable-webgl to the command line. Which essentially means you can assume it's on everywhere, including on the computer of your bank's manager. This is what people miss when they say you can turn it off for yourself.
The security aspects of WebGL seem like they were banged out in about 10 minutes. I encourage all to read the Khronos paper on security (http://www.khronos.org/webgl/security/), and compare the level of presentation to anything which gets accepted at a security conference.
I don't know why I keep returning to this. I certainly don't think that WebGL is the end of the world. There will be some more holes and some more patches. I just think this is another case of the web development world shirking its responsibility to bring real security to browsing (what happened to all those projects which used virtualization to isolate sessions, which I first heard about 4 years ago?), and instead piling on more features without thinking the implications through.
Wrong. B has bug X in Beta and supposedly don't have it in final release. It's easy to fix single implementation (Silverlight) in case of new bugs, but it is difficult to fix the standard.
Oh, and since people misunderstood me in the previous thread, let me add that I am not a Microsoft/Silverlight supporter. Frankly, I do not wish success to Silverlight. It's another technology that nobody really asked for, and it brings its own set of security holes, and it doesn't run on a lot of the platforms I want to use. As a user, I also don't like the whole experience of "plugins" or "applets", whether it's Flash or Java or anything else.
"there are so many security holes in web browsing already, why do you begrudge us a few more?"
I think this is a valid argument.
You see a lot of arguing about things online where something being slower, more expensive, harder to use, less secure, more radioactive etc. is presented as a case-winning argument, without anyone bothering to quantify the problem or put it in context.
The world isn't build on absolutes, unless you can guesstimate how much less secure or more radioactive something will be (a banana worth or a chernobyl worth) then why should I care? If we're really taking the absolutist stance that nothing that introduces a potential security issue (or the slightest additional radioactivity) is allowed then we might as well abandon all technology and go back to living in caves.
At least try to make a case that WebGL, if not strangled at birth, will create a noticeably less safe web than would exist in a world with all the current issues, all the ones associated with Silverlight and Flash using GPUs, and all the new issues from whatever other features are added to browsers, computers or smartphones over the same timeframe.
There is also such a thing as opportunity cost. Web browsing, and the online world in general, is execrably insecure. A day doesn't pass without a high-profile target being owned by some attention-seeking script kiddie. I can only imagine what serious malware syndicates, who don't advertise themselves to the whole world, have been up to.
And what does the web development world want to do? It wants WebGL and a bunch of other shiny new APIs. As a user, I am just annoyed by this. I also work on stuff that needs to be secure, and if I wanted to add bells and whistles and dancing monkeys and make security worse instead of fixing it, I'd be told "no." Actually, I would never propose it. Now I realize that the complaint is directed at no one in particular, but I still can't help being annoyed.
Now, this WebGL thing in particular has every security researcher saying "don't expose GPU drivers to this." And the web developers' response is essentially "nyah nyah, you're getting this anyway and you can't stop it". Or "what are you, a Microsoft stooge? They are doing it too." Or just "go away and stop harshing my mellow" (around here, the way of doing that is with a downvote). Well, OK, enough out of me on this subject.
"Microsoft's position is not entirely unreasonable... [But] the same vulnerability exists in Silverlight 5... So, Microsoft, does this mean you are going to kill 3D support in Silverlight, or does it mean you will add WebGL support to Internet Explorer? A little consistency would be nice, you know?"
I know this sounds nuts, but if we're going to have this crap one way or the other, I'd prefer it stay in NSPlugins that already (appropriately) have a bad name and are opt-in, not opt-out.
I see the logic in that but I wouldn't browse without Noscript either way.
WebGL is not something I would run without intentionally "trusting" the site that was serving it. Which is not to say I wouldn't ever run it, only that I would surf with it off.
It is however, incorrectly cited in the post as support for the author's argument, which it is not. The Reality Prime article makes the case that it is irrelevant how secure the platform actually is - it will likely come into mainstream use, and Microsoft needs to support it, whether they like it or not.
Also, the post fails to mention that there was an official Microsoft response to the vulnerability report, which stated that the vulnerability had been fixed in Silverlight 5.
Apple has taken an interesting middle approach on WebGL. They are only enabling WebGL to certified experiences in iOS. That happens to be ads for now, but it would be easy to extend this to other apps distributed through App Store.
That way developers have access to WebGL as an API for 3D, but Apple is not exposing the WebGL attack surface to the entire Internet. As the spec matures, GPU drivers are hardened, etc. they always have the option to open it up more.
It wouldn't surprise me if MS dropped the Silverlight browser plugin all together: it is becoming their mobile app technology and looks like it will also replace WPF on the desktop. It makes sense for them to drop the plugin and embrace HTML5 like they claim they are.
> It wouldn't surprise me if MS dropped the Silverlight browser plugin all together
It would surpise me if they dropped it any time soon. MS is big on backward compatibility. Even if a MS technology is "dead" and "abandoned", that just means that there aren't any new versions, but exisiting versions keep working for quite a while.
I don't think they will do this anytime soon, but they might introduce extra restrictions on where Silverlight can run, like they have with ActiveX. They are still promoting in-browser Silverlight for internal business apps.
Maybe when that piece of technology involves taking large amounts of code running at elevated privilege, and that was written by people who assumed that it would NEVER be exposed to untrusted code, and exposing it to untrusted code?