Sophos Cloud Optix
Do you remember what happened on the night before Christmas in the last year of the last millennium?
That’s right!
HTML 4, or (to be more precise) the HTML 4.01 Specification, was published.
Nearly fifteen years later, the name has jauntily shed its space, and HTML5 has finally reached official status with the publication of HTML5 – A vocabulary and associated APIs for HTML and XHTML.
It was just 18 months ago that we were singing, “It was twenty years ago tonight/That Sir Timbo brought the web to light” (to the tune of Sgt. Pepper’s Lonely Hearts Club Band).
That was our celebration of the twentieth anniversary of the Word Wide Web.
So, of the 21.5 years that the WWW has been going strong, 15 have been spent getting from HTML 4 to HTML5.
That’s quite a journey!
The new standard, which carries a the very uncombative designation of Recommendation, runs to an impressive half-a-million words, or just over 1% of the length of the last-ever print edition of Encyclopaedia Britannica.
Of course, many of us have happily and openly considered ourselves HTML5 developers, publishers and users for many years; now we can not only claim this status officially, but be held to account if we are not truly compliant.
As the press release of the World Wide Web Consortium (W3C) puts it:
HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML); annotations important for East Asian typography (Ruby); features to enable accessibility of rich applications; and much more.
In theory, at least, the audio, video and graphics canvas capabilities of HTML5-plus-JavaScript should be the final nail in the coffin of Java in your browser.
Indeed, HTML5 ought also to be the beginning of the end of Flash, too; if you still have Flash installed in your browser, you might want to try uninstalling it and seeing whether you can live without it.
Given that HTML5 is part of your browser anyway, with any security risks that might imply, getting rid of browser Java and Flash altogether just means two fewer products to update, and two fewer fruitful sources of vulnerabilities that crooks love to exploit.
The W3C admits in its release that “HTML5 has been in use for years,” not least because an official definition was published nearly two years ago.
However, the W3C also points out that the new Recommendation now includes a series of tests that can help developers stick to a truly cross-platform standard, as well as commitments to royalty-free licensing for many of the technologies embraced by HTML5.
Indeed, the latest Recommendation is touted as the way to achieve:
[T]he "write once, deploy anywhere" promise of HTML5 and the Open Web platform.
Write once, run anywhere?
Now where have we heard that before?
Learn more about the differences between Java and JavaScript in our Techknow podcast
(Audio player above not working? Download or listen on Soundcloud.)
Learn more about browser-based threats in the Sophos Threat Report
The HTML5 logo is available under the CC BY 3.0 licence.
“embraced by HTM5.” ..Typo I guess?
Thanks! Fixed.
“if you still have Flash installed in your browser, you might want to try uninstalling it and seeing whether you can live without it.”
Hehe, we might still have to wait for a bit. Tons of sites are still using Flash for whatever reason, but I have noticed sites slowly switching over to HTML5, so it shouldn’t take too long.
I’ve found a number of sites that use Flash if it’s there – because my “click to play” Flash warning dialog comes up – but then work fine anyway even if you don’t click the “Allow flash” option.
In other words, even if I confuse the site by letting it think I have Flash, but then never let the Flash run, it falls back (falls forward?) on HTML5 and therefore would have worked even with Flash uninstalled.
(Flash “click to play” is a handy middle ground for when you have a few sites that either need or work better with Flash, but you don’t want Flash to run whenever a website feels like it.)
So an honest question from an IT Manager who can’t keep up with all the threats and responses we face everyday:. To what degree will HTML5 be more secure than Java and Flash? Perhaps you could write a follow-up article entitled something like, “{random #} aspects that makes HTML5 more secure than Java and Flash”
Good idea!
I guess one of big issues here is what I alluded to in the article – you are going to be stuck with any HTML5-related security risks in your browser *anyway*, because that’s the way the world is now.
So, if HTML5 does indeed fulfil its remit of replacing Java browser and Flash, you might as well turn the last two off and reduce your so-called attack surface to the all-singing, all-dancing web rendering component you are going to have whether you like it or not…
“if you still have Flash installed in your browser, you might want to try uninstalling it and seeing whether you can live without it.”
There is a sound… a screaming sound… as computers across corporate infrastructure break everywhere.
Paul, did you even think before you wrote this? There are only BILLIONS (if not trillions) of lines of mission-critical code written for Java and Flash all across the corporate Intranets of the world.
There are millions (thankfully, almost certainly not billions) of corporate computers still running XP, too. And you will hear me shouting…bellowing, even…over the screaming sound to tell you that you should be turning them off π
Try turning off Flash and browser Java.
You might be pleasantly surprised. For example, you might find that the vendors of those legacy web apps of yours have HTML5 alternatives that you can use instead. You might find that your delivered-into-the-browser Java applets can be replaced with locally-installed Java *applications* that have equivalent functionality. You might find that things “just work,” or that you really can live without Flash, because only a few office workflows really need it and therefore you aren’t affected.
Or you might not, but then at least you will know where Java or Flash really *are* needed (not merely desired) and you can plan your security arrangements around that. (For example, you might consider allowing Flash scripts and Java applets from a handful of known servers inside the company, but not from outside.)
There are quite a lot of smokers left around the world, including many who would still smoke on planes, in coffee shops, or during movies, if only they could.
But collectively we managed, in most developed (and many developing) countries, to say, “For the greater good of all, sorry chaps. There’s a nice rainy street out there you can use instead.”
Actually that screaming sound is probably your laptop fan.
But as Paul wrote, “The W3C admits in its release that “HTML5 has been in use for years,” not least because an official definition was published nearly two years ago.”
It seems to me that programmers/scripters have had, at the very least, two years to develop an HTML5 solution to replace “mission-critical code written for Java and Flash.”
When you consider that Java 7 alone has had 71 updates to address what I presume were security flaws, it only seems logical to jump to HTML5 without hesitation.
You are confused by Oracle’s meaningless Java numbering system. There have only been 23 or 24 updates to Java 7 in the more than 2 years since its initial release. That is an average of about once every 2 months, so they are doing quarterly Java updates, plus two more per year for extra high priority security updates. This is fairly normal for any software of this size, complexity and such wide distribution. I find Adobe and Flash updates far more bothersome, but then I keep the Java plugin disabled for most sites.
Can someone translate this article for me? The headline grabs, but the text is uninterpretable.
HTML5 is out, after a lonnnnnnnnng time.
In theory, this means you don’t need Java and Flash in your browser any more.
Of course, in practice, you might find things don’t yet work well if you turn them off – but why not try it and see what happens?
(I think you knew that and were being curmudgeonly. But you’re welcome anyway.)
The headline probably says it all, for most users anyway. BIG news that will probably pass unnoticed by the vast majority of users as it’ll just happen. Still deserves a mention though.
When does YouTube switch over?
Most YouTube content seems to play fine without Flash. Try it and see…
I know I should update XP, but don’t have the time and energy for it. And maybe not the expertise to be sure to do it correctly. But I have not had any security issues so far.
Anyway, does HTML5 work on XP?
I mainly use Firefox, and when I have to, IE8. Too bad I can’t update the latter, but I compromise with the addon IETab, which isn’t perfect.
Firefox will give you a modern browsing experience, including security updates and HTML5 support.
I would suggest that if you have the time, energy and expertise to install Firefox and to deploy IETab, then you have more than enough expertise to install a more recent version of Windows.
Thanks. Installing Firefox (years ago) and IETab were easy compared to what I’d have to do to update the OS. And reinstall programs. Someone with more knowledge than me said it took a full day to do it.
Think of it as spring cleaning. One day every ten years isn’t that much π
I tried to view a gif in IE8 and got the message:
Sorry, you don’t have HTML5 video and we didn’t catch this properly in javascript. You can try to view the gif directly:
[link deleted]
Does this mean IE8 does not support HTML5?
I was using it because Reddit does not work with IETab.
Y’know, if you moved on from XP (doesn’t even have to be to another Microsoft OS) all your questions would answer themselves π
HTML5 support is a matter for the browser. Internet Explorer 8 is that most up-to-date version of Internet Explorer that will run on Windows XP and it needs a lot of extra support bolted on to websites for it to get along with HTML5 – all of which is delivered at the expense of download time.
With IE8 usage down in single figures you’ll find a lot of sites will stop bothering with it. I think Firefox supports XP with SP3 and I believe Chrome and Opera support XP for now too. All 3 have been using as much HTML5 as they can for years.
I’m telling you this so that you can research the best way to ditch XP from the comfort of a reasonably good browser ; )
Yes, if you can do everything you need to do with XP then it still works fine, without any (new) security issues that are apparent. I recently switched to one of the popular versions of Linux and it’s a doddle (if you can pop a DVD into a DVD drive, know where in the world you live and which language you read). Deciding which old docs, spreadsheets, piccies, etc I wanted to save and take across took a lot longer but a clearout was overdue anyway. It just works, whereas XP will get to the stage where it works, just (e.g. IE8)
I uninstalled Java 7, but I see there is something called JavaFX 2.1.1
Do I leave this? I’m not quite sure what it does, as I actually never noticed it before and am assuming it was installed in some previous Java update.
If you want to get rid of Java altogether (a more aggressive step than simply turning it off in your browser if it isn’t already), then I recommend you remove JavaFX as well. (Not sure what it does, if anything, on it’s own. But your goal is to be rid of Java, so…that sounds like the death knell of JavaFX to me π
I’ll get rid of it and then watch to see. If there is something that needs it, asks for it, I can decide if I really need what’s asking for it.
The constant updates have been annoying me so much I’m up for seeing if I can do without it altogether.
So it should only take Microsoft another decade to get around to making IE HTML 5 compliant. Though they never did get HTML 4 compliance right…
Sad but true. Case in point:
“HTML5 brings to the Web video and audio tracks without needing plugins”
That’s technically a lie, because HTML 4 already did that, or rather, tried to. It provides a standard method for embedding video and audio that almost nobody uses or even knows about because IE doesn’t support it, and if IE doesn’t support it, it might as well not exist in the standard.
Java and Flash will be sticking around for a while longer, I’m afraid.
HTML5 *does* provide well-defined audio and video capabilities without plugins.
The fact that this might have been possible with earlier standards doesn’t make that statement a lie, technically or otherwise.
I think he meant the “HTML5 brings to the web …” part. He was saying it was already there. (But, I agree, 5 does a much better job of it. It really does bring something new to the table: the ability to do it RIGHT.)