[WEB SECURITY] "AJAX breathes new life into Web apps"

Lyal Collins lyal.collins at key2it.com.au
Tue May 24 21:26:47 EDT 2005


The reality is, I suspect, that both the client-side and server-side aspects
need to perform sanity checking on data received from the other, along with
trust assessments per message, not session-based confidentiality.

Further, I think it likely that the best way to implement AJAX capabilities
is to include permanent client-side components to perform selected
security-relevant processes, capabilities that are complex to implement in
downloaded scripts or code-signed objects.

As a vendor with a browser plugin/component that offers client and server
authentication, robust user authentication, integrity, electronic
signatures, and some very limited code format enforcement, all without the
cost/complexity dimensions of PKI, this seems to be one obvious path forward.


In my experience, the hard thing is to try using 'open' models of trust,
since they (as in PKI-like models) don't work for the AJAX model in the face
of deployed client and server infrastructure.  Consequently, a new model
must emerge, but no one wants to push anything other than mid-90's SSL, with
its recognised limitations.

One of these limitations is that neither client nor server gets to have
consistently strong control over the authentication of the other entity, let
alone consciously choose to trust that entity on a per-transaction/message
basis.

There are simply too many root CA certs embedded in servers and browsers,
and too much automation under the covers for human and commercial trust to
exist at the application layer (SSL and code-signing are network layer
solutions).

The challenge to the Ajax community:
Are we able to engender a new model for a new client-server framework, or do
we stick to the current generation of 'half good, half insecure' solutions?

My 20 cents worth.

Lyal



-----Original Message-----
From: Nathan Tobik [mailto:nathan.tobik at vigilantminds.com]
Sent: Wednesday, 25 May 2005 5:33 AM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] "AJAX breathes new life into Web apps"


I've read a bit about AJAX and it's a pretty cool technology.  What I'm
wondering is what are the security implications of using this within web
apps?

Specifically I am thinking that since the pages use JavaScript what could
happen if a user were to use something like GreaseMonkey
(http://greasemonkey.mozdev.org/) in Firefox or something similar.  Does
Ajax open a server up to client side attacks with JavaScript?

OTOH is anyone using AJAX to enhance the security of their web apps?

Nate Tobik
(412)661-5700 x206
VigilantMinds

<snip>...
Subject: [WEB SECURITY] "AJAX breathes new life into Web apps"

An intro to AJAX article got posted to slashdot today
http://www.infoworld.com/article/05/05/23/21FEwebapp_1.html

<...>

AJAX is the newly minted acronym encompassing a fresh vision of empowered
browsers: Asynchronous JavaScript and XML. Before AJAX, Web pages displayed
links, forms, and buttons. When a user clicked on a link or a button, the
browser sent a message to a distant server asking what to display next.
JavaScript would typically be used for nothing more than to check form
inputs. Web pages were as static as pages in a book. " - Infoworld

</snip>

---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
