Meet the new flaws, same as the old flaws..

While cosmologists explore a universe which exists independently of them or, except at the quantum level, their choices as to what to observe and how, things are rather different for those of us who study what is happening on the Internet.

For although the physics of electronic circuit design and the mathematics of signal processing provide some boundaries to the possible and force engineers into ever more inventive approaches to getting more processing cycles per second or bits per square centimetre, much of the design and implementation of the network architecture is a matter of choice.

Twenty-five years ago Vint Cerf and Bob Kahn made decisions as to how the Internet Protocol worked, specifying the ways packets were made and sent over the network. They could have done it differently and indeed many other people working on networks at the time did do it differently.

TCP/IP, the set of networking standards that Cerf and Kahn developed, became dominant through a combination of technical advantage, geopolitical expediency and good fortune. It was not inevitable.

Yet it has served us well, as the billion or so Internet users around the world will testify, and may continue to serve us for years to come if work to move from version four to version six comes to a successful conclusion.

Similarly, the choices made by British physicist Tim Berners-Lee when he invented the World Wide Web in the late 80’s were freely made.

He chose to use a very simple method for sending information between web servers – the programs that hold all those exciting pages – and the browsers running on people’s computers.

He chose to make the Hypertext Markup Language, HTML, as simple and small as possible so that it would be easy to learn.

The Web was a great success, partly due to its simplicity. I first saw a web page in the winter of 1993 and was creating my own site within days.

However Tim’s  Web could not do some things very well at all, and since the first Web software was released fifteen years ago many have attempted to ‘fix’ what was wrong.

As a result we have the world-wide multimedia web of today, with exciting sites like YouTube for online video, Flickr for our photos and even MySpace, an online community where millions of people live part of their lives.

Unfortunately these new developments have created their own problems.

Again and again security flaws have shown up with the way the web works, problems that have allowed viruses to propagate, malicious software to wreak havoc on the contents of websites and users to hand over their passwords and on many occasions their money.

And now it seems the newest generation of web developers are making an old set of mistakes.  Amidst all the attention being paid in the media to ‘Web 2.0’ a number of security experts have pointed out that the new castle is built on sand.

One of them, the online security site Help Net Security, has just published a list of the ‘Top 10 Web 2.0 Attack Vectors’ identified by security expert Shreeraj Shah, and there are certainly many more vulnerabilities jockeying for position in the ranking.

Web 2.0 is one of those technology terms that can mean almost anything, but for me it describes those websites that get away from the idea that a website is made up of lots of separate pages stored on a server to be delivered to a browser.

Sites like Google Maps, Hotmail and Flickr  are more like services, letting the user interact with them in the way that they might use programs running on their computers. Go to Google Maps and you can scroll around, add overlays and do all sorts of cool stuff.

It works because instead of using Tim Berners-Lee’s old web technology, many Web 2.0 sites use something called AJAX – one of the many new acronyms, abbreviations and bits of jargon scattered around the network at the moment.

The X in AJAX stands for XML, a way of wrapping up information to send it from computer to computer that is infinitely more flexible and powerful than old HTML ever was.

But XML has to be interpreted at either end of the connection, and here’s where the problems start. Some of the people building cool Web 2.0 sites are making unwarranted assumptions about the information they are sending around, assumptions that could easily be exploited by an unscrupulous hacker to break into a web site or even steal data from a user’s computer.

Many blogs and news sites, including the BBC, offer RSS feeds to users so that they can be alerted when a news item is posted or an article goes live.  The technology behind it, Really Simple Syndication or RSS, really is simple and easy to implement, but too little attention is being paid to security.

In a paper on ‘Feed Injection in Web 2.0’ Robert Auger at SPI Labs shows how many of the programs used to read feeds, including popular web browsers, do not properly check the data they are being sent.  This is a serious security hole, one that hasn’t yet been fully exploited but is sitting there waiting to be used.

All is not lost.  Web 2.0 is still a new approach, and there is time to fix these problems and even make sure new ones don’t emerge. After all, we have a choice – we can decide how these new technologies work.

The danger is that, just as with our approach to environmental damage, we will go for the quick fix, the easy money and the rapid deployment, leaving generations of network users to come to pick up the pieces.

Or, in this case, cope with the crashes.

Bill’s Links

TCP/IP anniversary
Tim O’Reilly on Web 2.0
Help Net Security
SPI Labs report on feed injection

One Reply to “Meet the new flaws, same as the old flaws..”

  1. There’s security risks the other way too; from malicious scripters wishing to take advantage from vulnerable server systems. AJAX is a swine to debug and happens “invisibly” in many cases, it opens up yet more access control, denial-of-service and hacking attack methods.

    But that’s the problem of the developer, like me. As for Microsoft IE users, they have to have ActiveX controls enabled to browse AJAX sites, so they’ve got the worst deal, even though, ironically, Microsoft effectively invented AJAX.

Comments are closed.