Mozilla rebuts Microsoft's concern over WebGL 3D

Proof that WebGL security is a manageable problem? Look no farther than Microsoft's Silverlight 3D, the Firefox developer says. Also: A WebGL ally within Microsoft.

Stephen Shankland Former Principal Writer

Mozilla has answered Microsoft's concern that WebGL raises too many security risks with the observation that Microsoft itself has accepted the same risks with 3D interface technology coming with its own Silverlight browser plug-in.

WebGL, a new standard from Khronos Group, lets Web programmers add hardware-accelerated 3D graphics to the Web with an interface that mirrors the OpenGL ES 2.0 standard used among other places in Android and iOS devices. WebGL opens up online possibilities such as virtual worlds and graphically rich games, and it's built into Mozilla's Firefox and Google's Chrome today.

Microsoft, though, is worried that WebGL is too insecure because it exposes new low-level interfaces to downloaded code, especially given that responsibility for closing security holes lies in part with graphics hardware makers who lack experience in the area. "We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities," Microsoft said. "In its current form, WebGL is not a technology Microsoft can endorse from a security perspective."

In a response, Mike Shaver, Mozilla's vice president of technical strategy, observed that the new Silverlight 5 plug-in from Microsoft manages to pull off the feat, even with a cross-platform design that extends to Mac OS X. Underneath the covers, Windows uses the Direct3D interface for accelerated 3D graphics, but Mac OS X uses OpenGL.

Microsoft's concern that a technology be able to pass their security review process is reasonable, and similar matters were the subject of a large proportion of the discussions leading to WebGL's standardization; I also suspect that whatever hardening they applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well. That Silverlight supports Mac as well, where these capabilities must be mapped to OpenGL, makes me even more confident. The Microsoft graphics team seems to have done a great job of making the D3D shader pipeline robust against invalid input, for example.

Shaders are one variety of graphics code that 3D graphics hardware can execute, and screening invalid input means keeping away badly written or malicious code that could be used to mount some sort of attack.

Shaver acknowledged that there have been security problems with WebGL--security firm Context Information Security has pointed some out and advised against WebGL use. But, he argued, the problems are being fixed, and they aren't showstoppers.

I think that there is no question that the web needs 3D capabilities. Pretty much every platform has or is building ways for developers to perform low-level 3D operations, giving them the capabilities they need to create advanced visualizations, games, or new user interfaces...

It may be that we're more comfortable living on top of a stack we don't control all the way to the metal than are OS vendors, but our conversations with the developers of the drivers in question make us confident that they're as committed as us and Microsoft to a robust and secure experience for our shared users.

Mozilla initiated the WebGL project before beginning work with the Khronos Group to standardize it. As a browser-centric organization, it's a strong ally of the idea that Web programming should become more powerful.

Google Body demonstrates WebGL features. The Google Labs site has a slider that lets you add or remove various systems of the human body. screenshot by Stephen Shankland/CNET

Alternatives to WebGL include the traditional technology of native software running on Windows or other operating systems; Microsoft's Silverlight 5; and Adobe Systems' upcoming Flash Player revamp that adds the "Molehill" 3D interface.

Mozilla has some notable allies in the browser world: Google signed up with support, deciding to build a higher-level Web graphics 3D interface atop WebGL. Opera is building WebGL into its next-generation browser. Apple, too, apparently wants to enable use of WebGL for its iAds advertising technology for the forthcoming iOS 5.

And even one researcher at Microsoft is on Mozilla's side. Avi Bar-Zeev, a principal architect at Microsoft who also happened to found the company Keyhole that became the Google Earth project, raised objections on his personal blog to Microsoft's anti-WebGL stance.

"Operating systems and security mitigation are what Microsoft is known for. It's our bread and butter," Bar-Zeev wrote. "Why would we run away from that challenge with such an alarmist attitude of 'shut it off, shut it off, it might hurt me!' I think we would face these potential threats head on, as we've always done."

Bar-Zeev also said that engineers must accept risks to advance the Web, as Microsoft itself showed with its ActiveX plug-in technology, which let Internet Explorer run native code from sources to which the user extended privileges.

It was Internet Explorer's pioneering work with plug-ins (specifically ActiveX controls) that helped build the rich interactive web as it exists today. Plug-ins created capabilities not found in browsers, even to this day...

ActiveX controls were, at one point, the primary vulnerability for browser-borne attacks on your PC. They are, after all, native code with hardware access that could run malicious operations, perform disk writes, read your personal data and plant viruses. Indeed the MSDN site on ActiveX controls begins with "An ActiveX control can be an extremely insecure way to provide a feature."

Yes, indeed.

Somehow we survived the existential threat of native code plugins taking over our PCs, or at least we made it through alive.

Microsoft needs to engage with the WebGL world, to ensure that it works well and that Microsoft doesn't end up with the blame when problems arrive, he argued. A very important 3D is coming, "tying the real world to the information space that surrounds us in our everyday lives," Bar-Zeev said, and WebGL is the only way to offer that "in a cross-platform, stable, browser-based way."

"There is clearly only one direction forward for Microsoft and 3D on the Web," he said. "WebGL is the way."