Microsoft tries to step on WebGL, stumbles on its own feet - Indyan
http://my.opera.com/haavard/blog/show.dml/31588372

======
tzs
> But since when did a security flaw mean that we throw the entire piece of
> technology out?

Maybe when that piece of technology involves taking large amounts of code
running at elevated privilege, and that was written by people who assumed that
it would NEVER be exposed to untrusted code, and exposing it to untrusted
code?

~~~
VMG
He is right though in his analysis that the users won't care. The browsers
that let you play shiny games will win, security be damned.

So market pressure will force everybody to do WebGL.

~~~
Locke1689
Apple has very successfully marketed OS X as being "virus free." When every
browser but IE is suffering serious vulnerability problems, IE will look very
good.

~~~
mbrubeck
...except that there are dozens of other sources of "serious vulnerability
problems" besides WebGL.

IE has had plenty of critical security holes in the past without WebGL, and
avoiding WebGL is not going to magically make them secure in the future. (Just
look at the history of the pwn2own contest, for example.)

------
kenjackson
_So, Microsoft, does this mean you are going to kill 3D support in
Silverlight, or does it mean you will add WebGL support to Internet Explorer?_

Or are you going to fix Silverlight? Oh, you already did? Umm... well, then I
guess we better get around to fixing our browsers, rather than putting our
feet in our mouths.

~~~
windsurfer
Microsoft has _reported_ that they fixed Silverlight but haven't actually
released the fix (for the latest report that I'm assuming you're referring to
that was posted on HN yesterday).

~~~
kenjackson
Correct. Silverlight 5 is still in beta. They said that they had fixed the
issue and that it will be part of a future release -- of a product that is
currently in beta. You typically don't rush out fixes for beta versions of
products.

~~~
bad_user
You're missing the point - if it's a fundamental architecture flaw that cannot
be fixed, then Silverlight in its current (beta) form suffers from the same
problems.

> You typically don't rush out fixes for beta versions of products

You can find fixes of open-source projects as soon as they are committed.

Microsoft made a bold claim, people are curious about how they fixed
Silverlight if indeed they did that. If not a new Silverlight release, then at
least write some kind of blog post explaining what's different in Silverlight.

But I'd bet this is typical of Microsoft; right hand, meet left hand, please
communicate :)

~~~
Athtar
> _You can find fixes of open-source projects as soon as they are committed._

That might be relevant if it wasn't for the fact that Silverlight is not open
source. They are under no obligation to show/blog their fix until they
actually release. In fact, they would probably want to withhold it as long as
possible if their intent is to damage WebGL.

------
yaakov34
A [somewhat exaggerated] summary: "there are so many security holes in web
browsing already, why do you begrudge us a few more?". OK, I admit there is a
kind of madhouse logic to this which I can't refute. There is already a flood
of patches that I need to apply about every 5 minutes to something or other,
and that's just the vulns that got identified and reported.

I certainly agree that nobody will be able to stop this - developers want the
API, users want the games.

WebGL is currently turned on in Chrome 12, and the only way to turn it off is
to add -disable-webgl to the command line. Which essentially means you can
assume it's on everywhere, including on the computer of your bank's manager.
This is what people miss when they say you can turn it off for yourself.

The security aspects of WebGL seem like they were banged out in about 10
minutes. I encourage all to read the Khronos paper on security
(<http://www.khronos.org/webgl/security/>), and compare the level of
presentation to anything which gets accepted at a security conference.

I don't know why I keep returning to this. I certainly don't think that WebGL
is the end of the world. There will be some more holes and some more patches.
I just think this is another case of the web development world shirking its
responsibility to bring real security to browsing (what happened to all those
projects which used virtualization to isolate sessions, which I first heard
about 4 years ago?), and instead piling on more features without thinking the
implications through.

~~~
Deestan
> A [somewhat exaggerated] summary: "there are so many security holes in web
> browsing already, why do you begrudge us a few more?"

Alternative summary: A has X. B has X. It is inconsistent to bash A for X
while promoting B.

~~~
kia
Wrong. B has bug X in Beta and supposedly doesn't have it in the final release.
It's easy to fix a single implementation (Silverlight) in case of new bugs, but
it is difficult to fix the standard.

------
billybob
Summary:

"Microsoft's position is not entirely unreasonable... [But] the same
vulnerability exists in Silverlight 5... So, Microsoft, does this mean you are
going to kill 3D support in Silverlight, or does it mean you will add WebGL
support to Internet Explorer? A little consistency would be nice, you know?"

------
burgerbrain
I know this sounds nuts, but if we're going to have this crap one way or the
other, I'd prefer it stay in NSPlugins that already (appropriately) have a bad
name and are opt-in, not opt-out.

~~~
marshray
I see the logic in that but I wouldn't browse without Noscript either way.

WebGL is not something I would run without intentionally "trusting" the site
that was serving it. Which is not to say I wouldn't ever run it, only that I
would surf with it off.

------
varunsrin
The article linked within the post was much more insightful than the post
itself.

[http://www.realityprime.com/articles/why-microsoft-and-inter...](http://www.realityprime.com/articles/why-microsoft-and-internet-explorer-need-webgl)

It is, however, incorrectly cited in the post as support for the author's
argument, which it is not. The Reality Prime article makes the case that it is
irrelevant how secure the platform actually is - it will likely come into
mainstream use, and Microsoft needs to support it, whether they like it or
not.

Also, the post fails to mention that there was an official Microsoft response
to the vulnerability report, which stated that the vulnerability had been
fixed in Silverlight 5.

------
zeddez
Apple has taken an interesting middle approach on WebGL. They are only
enabling WebGL for certified experiences in iOS. That happens to be ads for
now, but it would be easy to extend this to other apps distributed through the
App Store.

That way developers have access to WebGL as an API for 3D, but Apple is not
exposing the WebGL attack surface to the entire Internet. As the spec matures,
GPU drivers are hardened, etc., they always have the option to open it up more.

------
sambeau
It wouldn't surprise me if MS dropped the Silverlight browser plugin
altogether: it is becoming their mobile app technology and looks like it will
also replace WPF on the desktop. It makes sense for them to drop the plugin
and embrace HTML5 like they claim they are.

If they did, then where would the argument go?

~~~
StrawberryFrog
> It wouldn't surprise me if MS dropped the Silverlight browser plugin
> altogether

It would surprise me if they dropped it any time soon. MS is big on backward
compatibility. Even if a MS technology is "dead" and "abandoned", that just
means that there aren't any new versions, but existing versions keep working
for quite a while.