Linked by David Adams on Tue 21st Jun 2011 15:36 UTC, submitted by fran
3D News, GL, DirectX
"Mozilla's VP of Technical Strategy, Mike Shaver, has rejected Microsoft's criticism of WebGL, in which it said it would not implement the 3D graphics standard because of security issues in the design. Shaver says that 'there is no question that the web needs 3D capabilities' to enable developers to create 'advanced visualisations, games or new user interfaces' and points at Molehill (Adobe's 3D for Flash) and Microsoft's Silverlight 3D, which are offering just those capabilities." One discussion of Microsoft's WebGL criticism can be found here.
Thread beginning with comment 477992
I was surprised
by CaptainN- on Tue 21st Jun 2011 16:01 UTC
CaptainN- Member since:
2005-07-07

I was pretty surprised at how easily the tech reporting crowd (even normally good ones, like arstechnica) swallowed and propagated the idea that WebGL is insecure by design. There's nothing insecure about its design - only implementations that expose low level, unhardened APIs are insecure - but that's just an implementation problem.

Microsoft knows that, and their PR department proved adept at exploiting the fact that so few others know what they are talking about.

Reply Score: 3

RE: I was surprised
by gus3 on Tue 21st Jun 2011 16:58 in reply to "I was surprised"
gus3 Member since:
2010-09-02

I was surprised, too: at Microsoft, for making such a bold claim. The only credibility they might have for making it, comes from a "look, now we're being SERIOUS about security!". Which is just so much BS.

One only needs to look at Microsoft (later Rational) Visual Test, to see how one program could use the Windows API to abuse another running program. It was designed that way. I should know; I used Visual Test for a while, as the primary duty of my job.

Microsoft's criticisms don't pass Hanlon's Razor; calling them "disingenuous distractions" is giving them too much credit.

Reply Parent Score: 3

RE: I was surprised
by Timmmm on Tue 21st Jun 2011 20:11 in reply to "I was surprised"
Timmmm Member since:
2006-07-25

I don't think Microsoft ever said the design was flawed. They just pointed out that the implementation is usually very flawed, because it is written by nVidia, AMD and they aren't very good at producing bug-free drivers, even for trusted code!

That said, Flash exposes exactly the same drivers, and MS don't seem to have a problem with that (not that they have much choice).

Reply Parent Score: 5

RE[2]: I was surprised
by CaptainN- on Tue 21st Jun 2011 20:40 in reply to "RE: I was surprised"
CaptainN- Member since:
2005-07-07

Just because Flash or MS or Mozilla, etc. uses a low level API (and they all use a lot of low level APIs, including for their JIT systems), doesn't mean they are "exposing" an API. That's the problem with the entire argument.

The only thing valid in what they said is that exposing a low level API like that would be a security problem. That doesn't mean you MUST expose low level APIs to implement another 3D API.

Reply Parent Score: 2

RE: I was surprised
by lucas_maximus on Tue 21st Jun 2011 22:11 in reply to "I was surprised"
lucas_maximus Member since:
2009-08-18

Microsoft are in a damned if they do and damned if they don't scenario.

1) If they don't implement it ... they will be accused of vendor lock-in, FUD etc.

2) If they backtrack and do implement it, they will either be opening up Windows to a massive security risk (if what they say is true) or they will have been seen to be doing number 1) at this time.

Reply Parent Score: 1

RE[2]: I was surprised
by CaptainN- on Wed 22nd Jun 2011 14:33 in reply to "RE: I was surprised"
CaptainN- Member since:
2005-07-07

1) They deserve that, cause it's true.

2) There is no security risk if it's implemented properly.

If Microsoft dislikes hard spots, they should stop putting themselves in one.

BTW, watch for it: Microsoft will announce a new 3D API based on its "familiar" Direct 3D technology, built with "security in mind from the ground up" and "for the modern web" or something similar.

Then you'll get WebGL-Ex or something similar, which will be a WebGL wrapper library written in JavaScript to convert WebGL calls (and translate shaders) to whatever API Microsoft runs with. Google might release a shim. It'll be the same as it has been for the last 15 years. You don't need to worry about that. ;-)

Reply Parent Score: 1