Jazoon ‘09: RIA and Security
Session title: RIA Security: Broken by Design
From: Joonas Lehtinen, CEO IT Mill
IT Mill is the creator of Vaadin: A 100% Java tool for RIA.
Joonas outlines a spectrum of complexity, from basic sites to 3D games, with examples:
Web Sites (Wikipedia), AJAX Sugar (Facebook), Full RIA
He divides "Full RIA" into client side vs. server driven. Gives a crash course in GWT.
Vaadin: Apparently 100% Java and server driven, which sounds an awful lot like ULC at this stage… But here’s a difference: It builds on GWT and relies on JavaScript on the client-side.
He goes on to present a bunch of development rules:
Rule #1: Don’t trust the browser
Rule #2: Complexity is a hiding place for bugs
Rule #3: A large surface gives more opportunities for attack. This surface has increased with Web 2.0.
Difference between GWT and Vaadin architectures is that GWT relies on the client invoking a server-side Web Service API, whereas Vaadin renders the client’s view on the server.
Erm… he then offers the cures for the problems (Rules above)… which I miss because the explanation is compressed into around 5s.
I’m starting to dislike this presentation at this point. Because here comes another artificial security issue scenario… which guess which product solves. And I thought product placement in Hollywood movies was irritating.
The issues he raises are legitimate, but the lack of objectivity is obscuring the message. And as I write the presenter is debugging JavaScript which depends on analysing the DOM on the client side – I’m not sure if he’s now analysing the problem or trying to fix it!?
I am formally declaring myself lost at this stage. At least I hope the other attendees are getting something out of this presentation, which has lost focus IMO.
He continues with a discussion about attacking at the transport level, inserting new data on the fly. But come on: A secure transaction in this technical setting will operate under HTTPS, which in most instances will deal with this kind of attack. Unless, of course, that’s something else I missed.
I think I need a coffee!!!


Joonas Lehtinen said,
June 23, 2009 @ 4:42 pm
I only gave some examples of frameworks. For server driven frameworks, only ICEFaces and Vaadin were mentioned. Canoo's framework is also server driven and thus should have the same architectural security benefits as Vaadin does. The fundamental differences being that Canoo requires a Java runtime on the client side and is commercial, whereas Vaadin doesn't require any plugins and is free and open source (Apache 2.0).
From the security point of view server driven frameworks (including Canoo) are just superior to client side frameworks. Client side frameworks have other benefits that server driven ones don't. Still, the presentation was about security.
I'll be around for the whole week – come to discuss more about the security at our booth.
- Joonas
M said,
July 2, 2009 @ 11:08 am
"A secure transaction in this technical setting will operate under HTTPS, which in most instances will deal with this kind of attack."
HTTPS won't deal with that kind of attack at all.
If the connection is secure it only means that the attack is taking place on an encrypted connection. Encryption only secures against man-in-the-middle type attacks.
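An added illustration of the point in dispute above (not code from the talk, the blog or Vaadin): two handlers for the same client-invoked API, in the style of the client-driven vs. server-driven split from the session. The sessions, catalogue and request bodies are constructed; the encrypted channel is orthogonal to what either handler does with the body.

```python
# Added example, not from the original post. Rule #1 ("don't trust the
# browser") is about what the server does with the request body, not about
# whether the body travelled over HTTPS.
from dataclasses import dataclass

# Constructed server-side state: the server knows the user behind each
# session and the real prices; none of this is ever sent by the browser.
SESSIONS = {"sess-42": {"user": "alice"}}
CATALOGUE = {"sku-1": 1000}  # price in cents


@dataclass
class Order:
    user: str
    sku: str
    price_cents: int


def checkout_trusting_browser(session_id: str, body: dict) -> Order:
    """Client-driven style: the browser posts back the fields it rendered,
    including the price it displayed. TLS hides the body from third parties,
    but the user's own browser (or a proxy they control) can send any value."""
    user = SESSIONS[session_id]["user"]
    return Order(user, body["sku"], int(body["price"]))


def checkout_server_driven(session_id: str, body: dict) -> Order:
    """Server-driven style: the browser only names the item; the price and
    the acting user come from server-side state the client cannot edit."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("unknown session")
    sku = body.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    return Order(session["user"], sku, CATALOGUE[sku])


# Constructed request bodies: one as rendered, one where the client has
# edited the price field before submitting it (over HTTPS either way).
HONEST = {"sku": "sku-1", "price": "1000"}
EDITED = {"sku": "sku-1", "price": "1"}


def demo() -> tuple:
    """Price each handler charges for the edited request."""
    return (checkout_trusting_browser("sess-42", EDITED).price_cents,
            checkout_server_driven("sess-42", EDITED).price_cents)


if __name__ == "__main__":
    print(demo())  # (1, 1000)
```

The second handler is what the server-driven frameworks in the thread get for free: view state and prices never leave the server, so there is nothing in the request worth editing.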