Has Microsoft made WebGL Secure? How?
Microsoft has dropped strong clues, without saying it explicitly, that Internet Explorer 11 in Windows 8.1 will support WebGL, a DirectX-like standard for fast gaming on the web. The biggest clue came in a video posted on Vine. Others have found direct evidence in leaked builds.
It's not hard to see why Microsoft would want to support WebGL. Everyone else does. However, the company spelled out the reasons it hadn’t so far in a Security, Research and Defense blog post two years ago.
The blog post essentially calls WebGL unsecurable by design: "Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements".
It goes on to list many problems with the design, but you really don't have to go past the first one, which is that it puts a heavy security burden on the authors of graphics drivers, a group with a long, historical reputation for quick-and-dirty programming.
I asked Microsoft about this. The company a) wouldn't formally acknowledge that it was supporting WebGL in IE11 (although obviously it is doing so). This pre-empts the need for it to go on to b), explaining how it gets around the significant security problems it previously identified.
I can't believe the Microsoft of today would simply brush them aside. Therefore I will posit a theory: At the cost of some performance, Microsoft will create a virtual driver layer with sufficient verification checks to satisfy the SDL, at least as an option and set as the default. This may make no sense to someone with closer knowledge of WebGL, but clearly something here makes no sense.
I guess we will find out how -- or if -- Microsoft has made WebGL secure when we get our first proper look at the new browser in the Windows 8.1 Preview, due for release later this week.
Image credit: Wayne Williams