Microsoft declares WebGL 'harmful' to security

0 favourites
From the Asset Store
Weblock Suite
$11.25 USD
25% off
Collection of security plugins for web/html5 export on construct 3
  • Anyone seen this report

    Latest news regarding WebGL ?

    http://news.cnet.com/8301-30685_3-20071726-264/microsoft-declares-webgl-harmful-to-security/

  • Bad news for C2. Does mean a Internet Explorer specific development for hardware aceleration?

  • I read about it on theRegister HERE. I've had WebGL disabled in my firefox for a while, seeing as I don't use C2 yet.

  • I've read about this and I'm a bit confused: java applets have always been able to use OpenGL, so these security concerns should be nothing new. If they're an issue, they should always have been an issue with Java applets, but nobody seems to have minded until now. Microsoft have been under pressure to implement WebGL, and they seem to have highlighted these concerns as reasons to not implement WebGL, when I guess the real reason is they don't want to support anything OpenGL related. This is frustrating, because obviously WebGL support would be great for Construct 2 - the exporter could match Classic's features, shaders and all, in a browser.

    Google have been working on JebGL (http://code.google.com/p/jebgl/) to bring WebGL support to Internet Explorer via a Java applet. We could use that, but then it defeats the whole point of having a plugin-free system. A quick Google showed that Java support is on about three-quarters of machines on the internet, so support is still OK. Surely there are going to be some compatibility issues though.

    It's still very early days so obviously we're still going to stick to good ol' canvas (which IE9 does very well), but in future we might develop a WebGL/JebGL exporter more as an experiment than part of the product, just to see how it works. For 2D games, WebGL doesn't add much more than just eye candy, and given the support isn't so good, it doesn't seem worth it right now.

  • I got a nasty virus through "WebGL".It's a worm virus which compromises any external hd's ,Basically you cannot access your external hd once the virus get's a hold of it.That is why i am staying as far away as i can from java or any web browser games.Luckily my gfx card wasn't affected.

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads
  • DravenX: Are you sure the virus came through WebGL and not some other browser flaw? How are you certain it was WebGL? I've never heard of such a serious bug in WebGL - most of the security articles state the worst it can do is reboot your computer or steal a screenshot.

  • I'd like to see Apple answer to that considering that they're strongly supporting HTML5/JS applications/games since they hate Flash.

  • This looks to me like Microsofts way of putting their fingers in their ears and going "lalalala I can't hear you".

    Did anyone, ever, really believe that Microsoft were going to back WebGL in any form or fashion? I sure didn't. If they did they could have chipped in and said "We know there are security issues, and we want to help fix them."

    This sounds really weird when most of us, including myself, sit on Windows systems, but why do we let Microsoft bully the entire web industry? I'm gonna say it again, we all knew they were going to try and push their own proprietary solution, instead of supporting WebGL. If everyone just waited for Microsoft to come along it would a) be futile because they won't and b) reinforce the idea that they control the market. Neither are good things.

    I'd liken it to releasing a game made in Construct Classic. I posed this question to myself. "If I released a game made in CC, I could only sell it to Windows users. Would that be profitable?"

    So I thought about that. There are three major OS'es. Windows, Linux and OSX. I know few games released on Linux. I know fewer people that actually game regularly on Linux systems, and even then it's mostly homebrew and emulators. So Linux didn't seem like much of a loss.

    What about OSX? Sure there are games to be had on OSX, but again they are few. If you bought a Mac you most likely didn't buy it for playing games. Going by that reasoning (which may very well be faulty, I'm no market analyst) I concluded that going Windows only would not be as bad as I originally thought. Not ideal, but a calculated loss at the least.

    Doing the same thing for browsers. The big ones are IE, Chrome, FIrefox and Safari. Of those four, IE is the only one without WebGL support. Microsoft likes to tout how big of a userbase they have with IE. They neglect to specify that the majority of that userbase is IE6 and below. And of that a substantial amount is companies using it on their company computers. Looking at it that way I'd say that IE would be a calculated loss for WebGL developers.

    Let's just ignore the big internet bully!

  • They neglect to specify that the majority of that userbase is IE6 and below.

    Not any more - it's mostly IE8. You can check browser stats at StatCounter global stats. It's changing relatively rapidly (for the industry - i.e. over a period of months) these days.

    There's no point exporting to WebGL when you could export to Canvas like C2 does already and also get IE9+ users covered (who will be the majority of IE users at some point in the future). So that kind of makes WebGL not very useful compared to Canvas, for us. I suppose we could still add a WebGL exporter, but who would make a large project in WebGL when it could reach more people as a Canvas?

    I think the best thing to do would be to somehow edit a Canvas and WebGL project in parallel, and if a platform supports WebGL it will use that, but if not it will fall back to Canvas. That means your game would also have to work with Canvas-only features though (e.g. no colour tint, no shaders, no Z elevation or 3D stuff, etc...) which means extra work supporting both featuresets in your project.

    I think that's the best plan to go for in future...

  • Not any more - it's mostly IE8. You can check browser stats at StatCounter global stats. It's changing relatively rapidly (for the industry - i.e. over a period of months) these days.

    Aw =/ (according to that, there are fewer people that use Linux than there are people that use something other than Win/Linux/OSX. O.o )

    Two of the things I'd want to do once C2 is work-ready (almost there it seems like though)

    would need z-elevation.

  • Damn it, Microsoft, don't make half-assed excuses. We know you're still trying to force everyone to do things your way. It's not working as well as it used to.

  • [quote:15zmrric]@DravenX: Are you sure the virus came through WebGL and not some other browser flaw? How are you certain it was WebGL? I've never heard of such a serious bug in WebGL - most of the security articles state the worst it can do is reboot your computer or steal a screenshot.

    Well i played a sonic type web browser game thing that used webgl and the next day when i tried to acces my external hd i was locked out ,I did a system check and the virus was inside my internet's temp files,The file that was infected was indeed that sonic type game.Thats what i saw on my antivirus logfile anyway.It was a .js file that was infected.

    Remember a virus begin's as a small thing rebooting pc's etc.. but it evolves all the time and get's more malicious as hfye@ck3rs add to the code.But i don't think anything is secure as far as the internet goes.Anyone can create malicious apps these days even if it is illegal to do so.

    The virus i had was called sophos.js.Or at least that file got infected somehow.It then created an exe file disguised as a recycle bin which gives the intruder full admin rights over the external HD.It was easy to remove it manually ,Every time my antivirus tried to delete the file it made another copy of itself when the pc was restarted.I had to delete it's registry entries etc... to get it off.So anything that that has javascript or webgl won't work on my pc anymore because im not taking that risk of knowing that it could harm my gfx card or cpu the next time it comes around.

  • The jebgl sounds like it might solve a few things, but C2 will probably be in the final stages before its stable.

    One thing to remember is Canvas has a lot of other features such as drawing shapes, and splines so that kind of lessens the blow of no distort maps.

  • so if you start making a project in HTML5, you won't be able to choose a different runtime/exporter later?

  • so if you start making a project in HTML5, you won't be able to choose a different runtime/exporter later?

    You will be able to change exporters with existing projects. Going from Canvas to a WebGL exporter should be totally seamless, because WebGL supports all of Canvas' features and more, but going the other way would need some work on your project.

    Someone from Mozilla responded to Microsoft's remarks today:

    http://shaver.off.net/diary/2011/06/17/ ... -platform/

    In short, they seem to say: adding new features always exposes new components to possible attack - WebGL is nothing special, and it can be made robust against attacks over time anyway. (Also, they point out D3D support is in Silverlight so would have the same security problems in theory!)

    I'm more convinced Microsoft are just reluctant to support OpenGL.

Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)