ENISA proposes security fixes for new web standards
Better to build security in from the start than to patch it afterwards, says European network and information security body
The European Network and Information Security Agency (ENISA) has proposed security fixes for 13 upcoming web standards.
ENISA has identified 50 security threats across those standards and has detailed how each should be addressed.
Professor Udo Helmbrecht, executive director of ENISA, explained that there are an increasing number of critical transactions taking place within a browser window, meaning it needs to be more secure than ever.
"The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyber-attackers," he said.
Giles Hogben, co-editor of ENISA's security threat report, explained that the best time to provide advice on security is before standards are fully developed, and when they can still be amended in the interests of security.
"For once, we have the opportunity to think deeply about security - before the standard is set in stone, rather than trying to patch it up afterwards. This is a unique opportunity to build in security-by-design."
ENISA's input has been welcomed by the World Wide Web Consortium (W3C).
"We welcome this very timely security review by ENISA. We have encouraged ENISA to report the issues they have identified to the relevant W3C Working Groups," said Thomas Roessler, W3C security lead.
The security threats identified by ENISA include:
- Unprotected access to sensitive information
- New ways to trigger form submission to attackers
- Problems in specifying and enforcing security policies
- Potential mismatches with operating system permission management
- Underspecified features, potentially leading to conflicting or error-prone implementations
- New ways to escape access control mechanisms and to bypass protection against "click-jacking" (tricking the user into clicking on concealed links and buttons that do something other than what the user expects)