Could AJAX Security Vulnerabilities Mean Good News for Flex?
Recent news coming out of the Black Hat conference has it that security specialists SPI Dynamics and WhiteHat have found a way to profile networks from behind the firewall using client-side JavaScript. Additionally, RSS and Atom feeds can be used as the delivery mechanism, which opens up myriad possibilities for cross-site exploits. In many cases, JavaScript delivered through an RSS or Atom feed will execute on the client side. You can get more detailed information on the vulnerabilities here:
http://news.com.com/JavaScript+opens+doors+to+browser-based+attacks/2100-7349_3-6099891.html?tag=nl
and here:
http://news.com.com/Blog+feeds+may+carry+security+risk/2100-1002_3-6102171.html?tag=nl
What interests me the most about these newly exposed vulnerabilities is the potential Flex has to step in as a safer alternative. Although Adobe has thus far been reluctant to market Flex against AJAX (instead, promoting a somewhat Frankensteinian blend of the two), one could imagine that vulnerabilities in AJAX could yield increased market share for Flex apps.
One criticism of the Flash Platform I have heard is that it's considered unsafe by many firewall administrators. The conventional wisdom among security professionals can sometimes be skewed by not understanding the format. Who would take the time to configure the Flash Player security settings across all machines on their network when they can simply block SWF at the firewall level? If they understood that the Flash Platform is safer than another technology they already commonly allow across the firewall, the decision would be made in a different context.
Unfortunately, even if Adobe did wish to make the case that Flex is safer than AJAX, they couldn't (or they would be foolish to try). Because the Flash Player has an ExternalInterface API (which uses JavaScript for serialization/deserialization), it could be used as a delivery mechanism (possibly even a more effective one than RSS) for the very exploits that are being exposed in AJAX.
I don't know if there's an answer for this. I wouldn't want to part with ExternalInterface, despite its problems. My gut feel is that the AJAX vulnerabilities will amount to no big deal. After all, the same principles apply to these 'new' issues as apply to others: don't go poking about the shady back alleys of the web, scrub all data that comes into your system, etc. But I'm interested to see how all this will play out, and I'm interested to hear other people's thoughts on the subject. So, please comment!!!
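The "scrub all data that comes into your system" advice, applied to a web-based feed reader, as an added example that is not part of the original post: every feed field is treated as untrusted text before it reaches the page. The function names, item fields and sample item are assumptions constructed for illustration.

```javascript
// Added example: field names and the sample item are constructed for illustration.

// Escape the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Allow only absolute http(s) links; anything else (javascript:, data:, relative) is dropped.
function safeLink(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Naive rendering: feed fields are pasted into markup as-is, so markup in the feed becomes markup in the page.
function renderItemUnsafe(item) {
  return `<a href="${item.link}">${item.title}</a><div>${item.description}</div>`;
}

// Hardened rendering: every field is escaped, and the link is emitted only if it passed the scheme check.
function renderItemSafe(item) {
  const href = safeLink(item.link);
  const title = escapeHtml(item.title);
  const heading = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a>`
    : title;
  return `${heading}<div>${escapeHtml(item.description)}</div>`;
}

// Constructed feed item carrying markup in each field (probe is a placeholder name).
const sampleItem = {
  title: 'Weekly update <img src=x onerror="probe()">',
  link: " JavaScript:probe()",
  description: "<script>probe()</script>Release notes",
};
```

Escaping everything discards legitimate formatting in the feed; a reader that needs to keep some HTML should use a parser-based allowlist sanitizer rather than relaxing the escaping by hand.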