22 Jun 2011
The WebGL video standard has had a rough time of late, with the world's leading browser vendor refusing to support it on the back of security fears. But opinion is divided on the veracity of Microsoft's case, and the effect of its ban.
The standard, launched in March by the non-profit Khronos Group, is similar to the OpenGL 2.0 graphics system, and enables much richer 3D imaging by using the computer's hardware more directly. It has been integrated into the Chrome and Mozilla browsers and is under development with Opera and Safari.
There have been prior concerns about some security aspects of the standard. A report by security researchers at Context Information Security (CIS) warned in May that WebGL had serious security issues, and US-CERT issued an alert shortly afterwards.
The fundamental problem CIS identified stems from the major benefit of WebGL, its direct line to the graphics systems. While this enables better graphics, it also opens up security loopholes, since video software isn't designed with hacking in mind.
CIS suggested that an attacker could hang a system, by forcing ever more complicated graphics to be rendered, or use the system for image theft. The Khronos Group looked into the problems and began working on solutions.
However, last week CIS released further information on security issues with the WebGL system, and said Firefox users were particularly at risk. In a blunt blog post entitled 'WebGL Considered Harmful', Microsoft disavowed WebGL on security grounds.
"We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective," said the Microsoft security response team.
The Khronos Group was quick to react, pointing out that the new data was based on outdated implementations and flawed assumptions. The problems were either fixed, or in the process of being so, and there was little new in the CIS report.
Mozilla's vice president of technical strategy Mike Shaver fired off a blog post shortly after Microsoft's announcement, pointing out that Redmond may not have its facts straight. While there were some risks in allowing graphics access via WebGL, these were surmountable. Indeed, Microsoft was already doing something similar with its Silverlight software, he said.
"Microsoft's concern that a technology be able to pass their security review process is reasonable, and similar matters were the subject of a large proportion of the discussions leading to WebGL's standardisation; I also suspect that whatever hardening they applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well," Shaver wrote.