Web Interactivity, AJAX and Security

Two items read online today raised interesting and potentially high impact points about the web. A News.com article talked about the security risks being introduced by highly interactive websites of the 2.0 variety, especially with respect to AJAX (Asynchronous Javascript And XML). The other item, a Tara Hunt post on HorsePigCow discussed the coming demise of web browsers.

"The Security Risk in Web 2.0" makes the point that for highly interactive websites built using AJAX, an important component of Web 2.0, "in the rush to add features, security has become an afterthought." Although AJAX isn't the only aspect of Web 2.0 sites which results in decreased security, it is one of the big contributors. In describing AJAX, the article says, "A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door."

Two general causes of security problems on the new, more interactive sites are website programmers lack of security focus and the inherent insecurity that comes with web interactivity. The twenty-something web programmers building the Web 2.0 sites are more focused on the features and interactivity of the site than they are on the security. They haven't had much experience programming sites where security was the most important attribute of the code. Many of them haven't had any formal training in secure coding (possibly no formal programming training at all) and many of the code examples they have learned from have not been optimized for security. Additionally, in many ways web interactivity is synonymous with insecurity. When a website is programmed to easily interact with legitimate users, it automatically becomes that much easier for a malicious visitor to misuse the site, especially if security wasn't the top concern when the site was designed.

Tara's post, "R.I.P. Browsers" discusses an interesting theory that should bring a smile to Steve Ballmer's face. Her premise is that browsers should soon become a thing of the past because of their design. For one thing, doing everything on the web with browsers (such as Gmail, Writely, Gspreadsheets, etc) means that when you're offline, by choice or by necessity, you likely have limited access to your info that is stored online. Also, using a web application like Gmail within a browser is recursive, running an application within an application (within another application if you want to consider a modern OS an 'application'). Instead of this situation, Tara suggests we should have "No more browsers. Just connected desktop apps." Read the list of points supporting her theory and see if you agree.

The 'net continues to evolve. Its nearly continuous innovation presents both opportunity and problems, bringing to mind the E. F. Russell phrase, "May you live in interesting times."

For a brief background of AJAX, read "AJAX breathes new life into Web apps" from InfoWorld.com.

Here's the initial weekly issues list for NEW NET's 01 Aug 2006 gathering:

• Big brother wants a window into VoIP at any cost http://arstechnica.com/news.ars/post/20060727-7372.html
• Feds Retrieve Google Records after Gmail Used for Hate Speech http://oraclewatch.eweek.com/blogs/google_watch/archive/2006/07/27/11852.aspx
• Google Talk Adds Voicemail And File Transfer http://googlesystem.blogspot.com/2006/07/google-talk-adds-voicemail-and-file.html
• The security risk in Web 2.0 http://news.com.com/2100-1002_3-6099228.html
• R.I.P. Browsers http://www.horsepigcow.com/2006/07/rip-browsers.html
• Windows In Your Pocket http://tomshardware.co.uk/2005/09/09/windows_in_your_pocket/
• Activism makes a difference in California copyright fight (Yoda!) http://arstechnica.com/news.ars/post/20060726-7359.html
• Verizon Limits Its "Unlimited" Wireless Broadband Service http://www.consumeraffairs.com/news04/2006/07/verizon_unlimited.html
• Quick Guide to TV on the Net (TV/IP) http://pulverblog.pulver.com/archives/005088.html
• Malicious toolbars and extensions hijack browsers (for honeypot?) http://arstechnica.com/news.ars/post/20060726-7360.html
• Open source at the National Education Computing Conference http://arstechnica.com/news.ars/post/20060727-7361.html
• Next Debian Release to Support AMD64 Chips http://news.yahoo.com/s/pcworld/20060725/tc_pcworld/126527
• Samsung Memory Boosts Vista PCs in a Flash http://news.yahoo.com/s/nf/20060727/tc_nf/44902
• Thoughts on MCE beta feedback (Windows Media Center Edition) http://mediacenter.mattgoyer.com/archives/2006/07/26/1157
• US cyber spies want more rights to snoop http://management.silicon.com/government/0,39024677,39160923,00.htm
• Ten DIY Mistakes (Building a Computer) http://www.extremetech.com/article2/0,1558,1994248,00.asp
• Good-bye, Pentium--hello, Core 2 Duo http://news.com.com/2100-1006_3-6099328.html
• Online storage service adding a terabyte a week http://news.com.com/2100-1015_3-6099336.html
• Microsoft's Current Situation: Like IBM in the 80s http://software.seekingalpha.com/article/14310
• TiVo Is Watching When You Don’t Watch, and It Tattles http://www.nytimes.com/2006/07/26/technology/26adco.html

*****