Jan 19, 2007


Once I had a conversation with a customer about security.
He sent me a link to some article, but I decided not to read it.
Talking about it, I understood that I need to explain what security is when it comes to web development, and AJAX in particular.

I asked for permission to publish the chat, and here it is:

Gri (12:11 AM) :
AJAX is a client-side technology.
The security of a web system does not rely on the data received from the client (browser), if the developer always assumes that data is dangerous.

customer (12:16 AM) :
Yes, although it is not our first email about it... we don't doubt you.

Gri (12:16 AM) :
There are several major security problems in web applications.
This is not written in articles for some reason (maybe I should write one?)
- server security (OS, firewall, non-web-related issues)
- web application security (scripts issues)
- cross-server scripting vulnerabilities

Gri (12:19 AM) :
The first is server/cluster configuration; it will not be a problem.

The second also splits into different categories, from application design to SQL injections and unknown platform bugs.
This is also something I don't worry about.

The 3rd is a "hard-to-foresee problems" category.
How and in what context some people will want to exploit somebody's security, I don't know.

Gri (12:21 AM) :
I can tell a good story about how people were stealing ICQ numbers.

customer (12:22 AM) :
I'm sure that you've seen a lot from behind the scenes.
We expect a lot of incoming troublemakers.

Gri (12:22 AM) :
Some time ago Hotmail made accounts expire after 3 months;
Lots of people registered ICQ with Hotmail addresses; hackers found these expired accounts, registered new ones in place of the expired ones with the same Hotmail addresses, and got the passwords...

Neither Hotmail nor ICQ is directly guilty, as you can see.
Only many months later did Hotmail fix the problem: web mail systems don't allow re-registering expired accounts anymore.

Gri (12:25 AM) :
The last issue is DDoS. This is a problem in general, and no one has a uniform solution.
Last month e-gold (a big payment processor) was periodically offline for several days due to DDoS attacks.

customer (12:25 AM) :
but, everyone is aware of it and working on it, correct?

Gri (12:25 AM) :
I have never experienced a really hard DDoS attack in practice.
Though I keep it in mind and don't leave obvious performance bottlenecks in the system.

The only solution is monitoring, detecting attacks, and fighting back when it happens.

customer (12:27 AM) :
When more and more applications move to databases and become popular... more and more people will try to attack things.

Gri (12:27 AM) :
People don't attack themselves; hackers attack through controlled computers.
Most serious attacks are from infected computers.
But they are rare, as serious epidemics are rare and hard to organize.
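Gri's first point in the chat, that a web system stays secure only if the server assumes everything the browser sends is dangerous, as an added example that is not part of the original chat. The catalogue, the request bodies and the handler names (handle_order_trusting, handle_order_hardened, rejected) are constructed for this illustration; there is no web framework involved, so the code runs offline on the JSON an AJAX client would post.

```python
"""
Added example: one AJAX order endpoint written twice.

handle_order_trusting believes the price and role the browser sends.
handle_order_hardened treats the body as hostile: it re-derives price,
stock and privilege from server-side state and rejects anything else.
Everything below (catalogue, bodies, function names) is constructed for
this example and is not taken from the original post.
"""
import json

# Constructed server-side catalogue: prices and stock live here, never in the browser.
CATALOGUE = {
    "book-101": {"price_cents": 1999, "stock": 5},
    "pen-7": {"price_cents": 250, "stock": 100},
}
MAX_QTY = 10
MAX_BODY_BYTES = 4096

# Constructed request bodies, as an XMLHttpRequest would POST them.
HONEST_BODY = b'{"item": "book-101", "qty": 3}'
TAMPERED_BODY = b'{"item": "book-101", "qty": 3, "price_cents": 1, "is_admin": true}'
NEGATIVE_QTY_BODY = b'{"item": "pen-7", "qty": -5}'
STRING_QTY_BODY = b'{"item": "pen-7", "qty": "3"}'


def handle_order_trusting(raw_body: bytes) -> dict:
    """The mistake: the client decides the price and its own role, the server obeys."""
    order = json.loads(raw_body)
    total = order["price_cents"] * order["qty"]
    return {"ok": True, "total_cents": total, "admin": order.get("is_admin", False)}


class BadRequest(Exception):
    """Raised for any body the hardened handler refuses (maps to HTTP 400)."""


def handle_order_hardened(raw_body: bytes, session_user: dict) -> dict:
    """Same endpoint, assuming the data is dangerous.

    - cap the body size and require a JSON object
    - accept only the fields the client is allowed to decide (item, qty)
    - re-derive price, stock and privilege from server-side state
    """
    if len(raw_body) > MAX_BODY_BYTES:
        raise BadRequest("body too large")
    try:
        order = json.loads(raw_body)
    except ValueError:
        raise BadRequest("malformed JSON")
    if not isinstance(order, dict):
        raise BadRequest("expected a JSON object")

    allowed = {"item", "qty"}
    extra = set(order) - allowed
    if extra:
        # Reject rather than silently drop: a "price_cents" or "is_admin" key is a probe.
        raise BadRequest("unexpected fields: %s" % sorted(extra))

    item = order.get("item")
    qty = order.get("qty")
    if not isinstance(item, str) or item not in CATALOGUE:
        raise BadRequest("unknown item")
    # bool is a subclass of int in Python, so exclude it explicitly; strings fail isinstance.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise BadRequest("qty must be an integer between 1 and %d" % MAX_QTY)
    if qty > CATALOGUE[item]["stock"]:
        raise BadRequest("insufficient stock")

    total = CATALOGUE[item]["price_cents"] * qty
    # Privilege comes from the authenticated session, never from the request body.
    return {"ok": True, "total_cents": total, "admin": bool(session_user.get("admin", False))}


def rejected(raw_body: bytes, session_user: dict) -> bool:
    """True if the hardened handler refuses the body."""
    try:
        handle_order_hardened(raw_body, session_user)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    session = {"id": 42, "admin": False}
    print("trusting, tampered body:", handle_order_trusting(TAMPERED_BODY))
    print("hardened, honest body:  ", handle_order_hardened(HONEST_BODY, session))
    for body in (TAMPERED_BODY, NEGATIVE_QTY_BODY, STRING_QTY_BODY, b"[1, 2]"):
        print("hardened rejects %r: %s" % (body, rejected(body, session)))
```

The hardened handler fails closed on every deviation from the expected shape, and the one thing it never does is read price or privilege from the request. Whether the client is a form post or an AJAX call makes no difference to that rule, which is the point Gri makes at the top of the chat.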
