HTML 5 Now “Feature Complete”

December 20, 2012

Earlier this week, the World Wide Web Consortium [W3C] announced that the definition of HTML 5 and the accompanying Canvas 2D graphics specification are now “feature complete”.

The World Wide Web Consortium (W3C) published today the complete definition of the HTML5 and Canvas 2D specifications. Though not yet W3C standards, these specifications are now feature complete, meaning businesses and developers have a stable target for implementation and planning.

This means that the set of capabilities to be provided is now, essentially, frozen.  These definitions are not yet official Web standards, but they now have “Candidate Recommendation” status; the focus of work going forward will be on testing and checking inter-operability.  Web developers would, ideally, like to have a set of standards that is implemented equally in all browsers.  Having a feature-complete standard means that all the browser makers have a common target to aim for.

During this stage, the W3C HTML Working Group will conduct a variety of activities to ensure that the specifications may be implemented compatibly across browsers, authoring tools, email clients, servers, content management systems, and other Web tools. The group will analyze current HTML5 implementations, establish priorities for test development, and work with the community to develop those tests.

Innovation and creativity on the part of browser makers have helped drive the development of the Web; having standards helps avoid a chaotic mess of incompatible implementations.

Strict Transport Security Adopted as Web Standard

November 23, 2012

Most Web users are familiar with the secure version of the basic HTTP protocol, denoted by https: at the start of a URL, and typically marked by a small padlock icon in the browser. The secure protocol provides for identification of the site, using a cryptographic certificate, and encrypts all communications between the user’s browser and the server. This helps assure the user that (s)he is interacting with the desired site, and not an impostor; it also provides protection against session “sniffing” (otherwise trivially easy on wireless networks) and man-in-the-middle attacks. Many sites, from banks to Facebook, offer HTTPS connections. But people still have to use them, although some sites (GMail, for example) allow the user to set a preference to always use HTTPS.

Another step in the direction of better security has just been taken, according to an article in the Australian publication, Computer World.  The Internet Engineering Task Force, a group responsible for setting Internet technical standards, has just approved a standard [RFC 6797] for HTTP Strict Transport Security (HSTS).  

This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS).

Essentially, the standard gives a site a way to declare that it will only allow secure connections, and gives browsers a method for conforming to that policy.

The new standard fixes some loopholes and bad design choices in the original HTTPS standard.  For example, when a browser attempts to set up an HTTPS connection, it will generally issue a warning message if there is some problem with the site’s cryptographic certificate; but the user can choose to proceed anyway.   In many cases, this is OK; the certificate problem is not serious.  Unfortunately, though, sometimes the problem really is serious; this is a Bad Thing if users have become accustomed to just clicking “OK”.  With HSTS, the browser will just refuse to make the connection.   This may seem draconian, but users are typically not well qualified to evaluate certificate problems, so this approach amounts to “better safe than sorry”.  The new standard also addresses a variety of other security issues.

At present, not many sites have support for the new HSTS standard (though PayPal, Twitter, and some Google sites do).  I hope that, with the adoption of the formal standard, more sites will provide support for a mechanism that can significantly improve security.

This Time’s for Real: IPv6 Day

January 21, 2012

Last year, the Internet Society organized World IPv6 Day, in order to provide the first global test of the Internet infrastructure changes needed to support the new IPv6 [Internet Protocol, version 6] addressing scheme.   The test was conducted on June 8, 2011, and included several major Internet companies, including Google, Yahoo!, Facebook, and Akamai.  Some minor glitches occurred, but on the whole the test was reasonably successful.  Although the IPv6 changes have been on the Internet standards track for more than a decade, and the reason it is needed is all too clear (the supply of old-style IPv4 addresses is effectively exhausted), uptake of the new standard has been slow.

An article at Ars Technica reports that another IPv6 Day has been scheduled for June 6, 2012. Once again, many of the large Internet services will participate: Google, Microsoft’s Bing, Yahoo!, and Facebook. In addition, several large ISPs are participating this year, including Comcast, Time-Warner Cable, and AT&T, as well as Free Telecom in France, and XS4ALL in the Netherlands. Cisco/Linksys and D-Link will also begin enabling IPv6 by default in their home routers. But the most important difference in World IPv6 Launch is that, this time, it’s not just a test. The participants will permanently enable IPv6 for their sites and networks.

There will, inevitably, be some configuration errors and other problems that will surface once IPv6 connectivity is being used on an ongoing basis. But forcing the issue is probably the only realistic way to get people to change. And, as Ars points out, the Web itself, and the HTTP protocol, are relatively tolerant of a mixed environment; other services, however, such as Skype, really need to move to IPv6, but have not done much so far. So there will probably be some inconveniences along the way, but there really is no practical alternative to making the change.
