Feeds

The trinity of RIA security explained

Of servers, data and policies

Intelligent flash storage arrays

The phrase "Rich Internet Applications" has become a popular term for applications that run inside your browser or on your desktop and that interact with web applications or web services. RIA platforms include JavaScript (part of the AJAX umbrella), Adobe System's AIR, Microsoft's Silverlight, Java applets, and Java JFX from Sun Microsystems.

Sure, they look pretty with all that video, those rounded buttons and pop-up Windows - but should we trust them? These applications are, after all, downloaded from websites that can be good, bad or compromised. So what's there to protect users and server applications from a renegade RIA?

To get a good picture of RIA security, think of your browser as a multi-user operating system that is running your RIA along with many other hostile programs. There are two key security protections that limit what an RIA can do. They are known as the "same origin policy" and the "sandbox." Without these protections, a rogue RIA could access anything you see on the web and could also ravage your computer. Unfortunately, both policies have a long history of problems and they were never designed to handle RIAs.

Web 1.0 techniques challenged

If two sites share the same protocol ("http"), domain ("www.foo.com"), and port (80), we say they are from the "same origin." Browsers are supposed to restrict RIAs from accessing anything that is not from the same origin. As the number of data structures and services in the browser increases, there's an explosion of places where the same origin policy must be applied. You can test it with DOM Checker, which runs almost 1,400 test cases. The latest version of Microsoft's Internet Explorer fails 13 of these checks and Firefox fails 25. But even if enforcement were perfect, we would still have to deal with cross-site problems like cross-site request forgery and cross-site scripting, which bypass the policy.

If the same origin policy is like walls within the browser, then the sandbox is the floor, protecting the operating system from malicious RIAs. The sandbox is also absolutely critical for RIAs. Without it, malicious RIAs could compromise the entire operating system and all the data and applications on it. The sandbox is complicated thing to manage, though, as the browser will have legitimate reasons for accessing local files and launching local executables.

Getting these policies implemented would be hard enough. Things are made harder still, though, by the fact that each RIA framework has its own environment that installs into the browser, and they can all communicate through the DOM. Each plug in is responsible for enforcing its own version of the same origin and sandbox policies. There is also quite a lot of pressure on the folks building RIA platforms to allow even more cross-domain and cross-sandbox functionality. New use cases for sharing data and creating mashups will finally stretch policies that were never intended for anything more than Web 1.0 past their breaking point.

Know your frameworks

So, what can you do? First, be sure that you understand exactly what policies your RIA framework is trying to enforce. You may find that it simply doesn't provide the security controls you thought it did. There is absolutely no way to create a secure application without understanding what security the environment provides.

For now, recognize that your RIA is going to be running in a hostile environment with sketchy walls and a rotten floor. When you design your RIA, make sure that critical security decisions - particularly authentication and access control - are not made in the client-side code.

These decisions should be made on the server side, where such decisions and code are safe from tampering. You should also minimize the data that is stored on the client, and provide a way to clear out the data as soon as it is no longer needed. Input validation and encoding are, as always, critical security controls that you will need to implement carefully.

Remember, these RIA platforms and frameworks are still very new. They all have lots of parsers and interpreters in them, and they have to enforce very complex security policies. The more you can minimize the number of technologies you are using, the better for security.

Don't think of security as restricting what RIAs can do. The same origin policy and the sandbox are the security mechanisms that have allowed us to have such a diverse internet. We need to continue to enhance security controls for RIAs so that we can take advantage of their awesome features. With so much demand for RIAs that are capable of accessing multiple data sources, we need to bring the same origin policy up to the application layer and make decisions based on the true "originator" of services and data, not just the last "origin" they happened to come from.®

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Intelligent flash storage arrays

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.