Tuesday Apr 17, 2007

Web 2 Uh Oh

This week I'm attending the Web 2.0 Expo here in San Francisco. Yesterday I attended two sessions, one about security (or the lack thereof) in Web 2.0 applications, the other about how Facebook redesigned their developer APIs to use a SQL-like language to help simplify things for their 3rd-party developers.

Complicating matters is my chipped scaphoid bone in my left hand, thanks to a bike accident last week.

[Image: X-ray of my left wrist]

Luckily I got my plaster splint off yesterday, which was replaced by a wrist brace, so I can type a little bit better, and can shower without a plastic garbage bag over my arm. I'd never had a cast before, and I can say that for the 4 days I had to wear it, it was more uncomfortable than I ever imagined.

Anyway, the first session, "Vulnerabilities 2.0 in Web 2.0: Next Generation Web Apps from a Hacker's Perspective" by Alex Stamos was quite interesting. It turns out that many of the same sorts of security problems that existed in older web apps are still present in Ajax-style applications, but are much more difficult to analyze and track down due to the nature of discrete HTTP sub-calls within a single page in an Ajax app. Some of the fundamental aspects of Web 2.0 applications, like mash-ups, and JavaScript proxies that run on the client browser, allow for many more vectors of attack from malicious users.

The fundamental problem appears to be the lack of standard security profiles on the client-side. All client browser security is handled ad-hoc by the browser vendors. For example, cookies are shared across multiple domains during a session, which means malicious sites could use security credentials embedded within a particular cookie along with the local JavaScript proxy APIs to do things like transfer money from your bank account to another without your knowledge. Unlike phishing, this requires nothing more than simply visiting a site or opening a spam email from a webmail account. Ooops.
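The cookie problem described above is what a server sees as a cross-site request forgery: the browser attaches the session cookie no matter which page caused the request. The following is an added example (not from the talk or the post) contrasting a handler that trusts the cookie alone with one that also requires a per-session anti-forgery token and checks the Origin header; the request shape, the in-memory session store and the `https://bank.example` origin are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> user and per-session token.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}
TRUSTED_ORIGIN = "https://bank.example"  # assumed origin of the application


def transfer_ambient_only(request):
    """Handler that trusts the session cookie alone: the weakness the talk describes."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"moved {request['form']['amount']} from {session['user']}"


def transfer_with_csrf_defense(request):
    """Hardened handler: a browser-attached cookie is not sufficient on its own."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    # 1. Another site's page can make the browser send the cookie, but it cannot read
    #    this session's token, so require the token in the POST body (constant-time compare).
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid anti-forgery token"
    # 2. Defence in depth: browsers send Origin on cross-site POSTs; reject foreign origins.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, f"moved {request['form']['amount']} from {session['user']}"


def forged_request():
    """Constructed request as the browser would send it from an unrelated page: cookie attached, no token."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"amount": "500"}}


def legitimate_request():
    """Constructed request from the application's own form, carrying the session token."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"amount": "500", "csrf_token": SESSIONS["sess-alice"]["csrf_token"]}}
```

The cookie-only handler accepts the forged request with status 200, while the hardened one rejects it with 403 and still accepts the legitimate one.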

It'll be interesting to see how these problems are addressed, or if we will see a migration away from Ajax apps for more security-critical actions.

The second session was less interesting to me. I mostly attended "The Story Behind Facebook's APIs: From REST to FQL" to see what they had to say about REST (it turns out, not much). The story mostly seemed to be about how to design an easy-to-use API, and how they eventually decided to use a SQL-like query language to deal with the data available through their API. I suppose this is a good model for opening an API and the underlying data for a site like Facebook. I particularly liked the discussion of the confusing method names in Flickr's APIs, and the fact that they implemented their conversion to FQL (Facebook Query Language) in less than 2 months. But implementation details are sort of uninteresting to anybody not currently implementing anything.

About

I am a writer on the Java EE team at Oracle, primarily working on the Java EE Tutorial. My areas of expertise are enterprise beans, Java Persistence, web services, and the case studies.
