Feeds

The trinity of RIA security explained

Of servers, data and policies

Beginner's guide to SSL certificates

The phrase "Rich Internet Applications" has become a popular term for applications that run inside your browser or on your desktop and that interact with web applications or web services. RIA platforms include JavaScript (part of the AJAX umbrella), Adobe System's AIR, Microsoft's Silverlight, Java applets, and Java JFX from Sun Microsystems.

Sure, they look pretty with all that video, those rounded buttons and pop-up Windows - but should we trust them? These applications are, after all, downloaded from websites that can be good, bad or compromised. So what's there to protect users and server applications from a renegade RIA?

To get a good picture of RIA security, think of your browser as a multi-user operating system that is running your RIA along with many other hostile programs. There are two key security protections that limit what an RIA can do. They are known as the "same origin policy" and the "sandbox." Without these protections, a rogue RIA could access anything you see on the web and could also ravage your computer. Unfortunately, both policies have a long history of problems and they were never designed to handle RIAs.

Web 1.0 techniques challenged

If two sites share the same protocol ("http"), domain ("www.foo.com"), and port (80), we say they are from the "same origin." Browsers are supposed to restrict RIAs from accessing anything that is not from the same origin. As the number of data structures and services in the browser increases, there's an explosion of places where the same origin policy must be applied. You can test it with DOM Checker, which runs almost 1,400 test cases. The latest version of Microsoft's Internet Explorer fails 13 of these checks and Firefox fails 25. But even if enforcement were perfect, we would still have to deal with cross-site problems like cross-site request forgery and cross-site scripting, which bypass the policy.

If the same origin policy is like walls within the browser, then the sandbox is the floor, protecting the operating system from malicious RIAs. The sandbox is also absolutely critical for RIAs. Without it, malicious RIAs could compromise the entire operating system and all the data and applications on it. The sandbox is complicated thing to manage, though, as the browser will have legitimate reasons for accessing local files and launching local executables.

Getting these policies implemented would be hard enough. Things are made harder still, though, by the fact that each RIA framework has its own environment that installs into the browser, and they can all communicate through the DOM. Each plug in is responsible for enforcing its own version of the same origin and sandbox policies. There is also quite a lot of pressure on the folks building RIA platforms to allow even more cross-domain and cross-sandbox functionality. New use cases for sharing data and creating mashups will finally stretch policies that were never intended for anything more than Web 1.0 past their breaking point.

Know your frameworks

So, what can you do? First, be sure that you understand exactly what policies your RIA framework is trying to enforce. You may find that it simply doesn't provide the security controls you thought it did. There is absolutely no way to create a secure application without understanding what security the environment provides.

For now, recognize that your RIA is going to be running in a hostile environment with sketchy walls and a rotten floor. When you design your RIA, make sure that critical security decisions - particularly authentication and access control - are not made in the client-side code.

These decisions should be made on the server side, where such decisions and code are safe from tampering. You should also minimize the data that is stored on the client, and provide a way to clear out the data as soon as it is no longer needed. Input validation and encoding are, as always, critical security controls that you will need to implement carefully.

Remember, these RIA platforms and frameworks are still very new. They all have lots of parsers and interpreters in them, and they have to enforce very complex security policies. The more you can minimize the number of technologies you are using, the better for security.

Don't think of security as restricting what RIAs can do. The same origin policy and the sandbox are the security mechanisms that have allowed us to have such a diverse internet. We need to continue to enhance security controls for RIAs so that we can take advantage of their awesome features. With so much demand for RIAs that are capable of accessing multiple data sources, we need to bring the same origin policy up to the application layer and make decisions based on the true "originator" of services and data, not just the last "origin" they happened to come from.®

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Security for virtualized datacentres

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.