What are the security challenges for HTML5?

JavaScript can have a wide variety of uses. Amongst all sectors, one in particular is emerging where JavaScript is becoming increasingly more relevant – Broadcast and Media, specifically within television networks and video streaming services.

Using Flash for video is a trend that goes back nearly two decades. Flash requires greater battery and processing power compared to HTML5 video though and has been plagued with major security vulnerabilities for years. More and more CDNs (Content Delivery Networks) have dropped Flash, meaning it will have all but disappeared in 2017. HTML5 video will take over from Flash, being more lightweight, faster, more secure and compatible. It’s also Open Source, which is a big plus for many users.

Broadcasters across Europe are having to make the switch from legacy systems over to HTML5-EME as browser vendors demand changes to video player formats. 2016 heralded the news that browser makers were going to drop support for Flash and remove plugin updates. Earlier this summer we saw Adobe Primetime closing a deal with Channel 4, a partnership that will see the broadcaster transition from Adobe Flash-based video players to HTML5.

>See also: Why bet365 isn’t going mobile first

The broadcaster had been using Flash player to power its All 4 Internet service for many years and made the switch to HTML5 to reflect browser demand changes for both its Video on Demand (VoD) service and simulcast services.

The transition to HTML5 video players (rather than Flash) will bring about its own set of security challenges and also embraces associated services embedded in video players, such as Video Watermarking, User Behaviour Analytics, Codecs and Account Login protection.

As HTML5 and JavaScript continue to gain traction and more apps, games and websites are being built with client-side JavaScript, companies are increasingly realising that they are essentially exposing their client-side app to their competitors and potential attackers.

This is a big problem for almost every industry, including broadcast and media. As organisations operating in all these industries run into the problems outlined earlier, they are increasingly turning to JavaScript protection as the solution.

>See also: AI: an untapped technology for UK businesses

A primary motivation for using client-side solutions to protect the video player is to prevent the theft of code and subsequent reuse. The application may have intellectual property even if the owner might not be fussed that competitors are stealing and reusing code that was so hard (and perhaps costly) to develop. It is currently very easy to steal JavaScript as it is in Cleartext.

By applying the protection features of the correct security solution, the resulting JavaScript is not only very hard to copy and build upon, but will only execute properly in the specified environments.

So then, what are the challenges for those companies offering streaming services with respect to HTML5?

Precious IP can be stolen by competitors – a loss of competitive advantage

These companies invest a lot in making their HTML5 players the best on the market. This takes a lot of effort, for the following reasons:

• They have to shrink the size of the files as much as they can.
• They need to boost performance to the maximum – especially as they move to higher resolution content such as 4K.
• They have to support a plethora of devices.
• They have thousands of users and they need to make sure that no user is left out of the service – this hurts revenue streams.

>See also: AI is no longer an academic demonstration

If the end result (their player) is good, this will have a huge impact on their businesses, seeing as issues with playback is probably a number one reason for users switching over to other streaming services.

The major broadcasting and streaming players protect their source code because that is an effective deterrent for competitors intent on stealing IP – no competitor would want to build upon heavily obfuscated code, as carrying out the most basic modifications would be extremely painful, if even successful at all. Thus, using the correct protection can mean having a competitive advantage all in itself.

Potential abuse

Some of the more advanced users may develop ways to abuse the players by modifying their behaviour without the media streamer consent. Browser extensions or injected scripts can in some cases even remove some of the nags that media streamers put in place to convince users to upgrade. Unauthorized use of the service may consume resources like bandwidth, memory and CPU, ultimately representing a cost to the media streamer. By protecting the code, the ability to extend or modify this code becomes severely hampered or unpractical, thus preventing users from even trying to abuse it.

>See also: 5 challenges of intelligent automation at scale

Liability issues

Protecting the code is also protecting the copyrighted content. Media streamers need to do all that they can to ensure that their players are not leaking content. That might be a losing battle these days, but if they don’t do the bare minimum to fight back, then they might be open to liability issues and ultimately get into trouble with the copyright owners. Protecting the code could be a relatively easy option and certainly this approach can contribute to get them out of trouble.

As a final thought, whilst a typical user of streaming services is not trying to hack the service, by preventing other users from abusing the system and network, resources are saved and therefore streaming becomes faster for legitimate users.

Slower or more unreliable streaming service levels are obvious problems for companies operating in the broadcasting and media environment. These days users are more demanding than ever and expect the very best viewing experience possible. It is clear that HTML5 is here to stay, which makes security a critical factor for all those involved.


Sourced by Pedro Fortuna, CTO of Jscrambler

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics