The trinity of RIA security explained
Of servers, data and policies
Sure, they look pretty with all that video, those rounded buttons and pop-up Windows - but should we trust them? These applications are, after all, downloaded from websites that can be good, bad or compromised. So what's there to protect users and server applications from a renegade RIA?
To get a good picture of RIA security, think of your browser as a multi-user operating system that is running your RIA along with many other hostile programs. There are two key security protections that limit what an RIA can do. They are known as the "same origin policy" and the "sandbox." Without these protections, a rogue RIA could access anything you see on the web and could also ravage your computer. Unfortunately, both policies have a long history of problems and they were never designed to handle RIAs.
Web 1.0 techniques challenged
If two sites share the same protocol ("http"), domain ("www.foo.com"), and port (80), we say they are from the "same origin." Browsers are supposed to restrict RIAs from accessing anything that is not from the same origin. As the number of data structures and services in the browser increases, there's an explosion of places where the same origin policy must be applied. You can test it with DOM Checker, which runs almost 1,400 test cases. The latest version of Microsoft's Internet Explorer fails 13 of these checks and Firefox fails 25. But even if enforcement were perfect, we would still have to deal with cross-site problems like cross-site request forgery and cross-site scripting, which bypass the policy.
If the same origin policy is like walls within the browser, then the sandbox is the floor, protecting the operating system from malicious RIAs. The sandbox is also absolutely critical for RIAs. Without it, malicious RIAs could compromise the entire operating system and all the data and applications on it. The sandbox is complicated thing to manage, though, as the browser will have legitimate reasons for accessing local files and launching local executables.
Getting these policies implemented would be hard enough. Things are made harder still, though, by the fact that each RIA framework has its own environment that installs into the browser, and they can all communicate through the DOM. Each plug in is responsible for enforcing its own version of the same origin and sandbox policies. There is also quite a lot of pressure on the folks building RIA platforms to allow even more cross-domain and cross-sandbox functionality. New use cases for sharing data and creating mashups will finally stretch policies that were never intended for anything more than Web 1.0 past their breaking point.
Know your frameworks
So, what can you do? First, be sure that you understand exactly what policies your RIA framework is trying to enforce. You may find that it simply doesn't provide the security controls you thought it did. There is absolutely no way to create a secure application without understanding what security the environment provides.
For now, recognize that your RIA is going to be running in a hostile environment with sketchy walls and a rotten floor. When you design your RIA, make sure that critical security decisions - particularly authentication and access control - are not made in the client-side code.
These decisions should be made on the server side, where such decisions and code are safe from tampering. You should also minimize the data that is stored on the client, and provide a way to clear out the data as soon as it is no longer needed. Input validation and encoding are, as always, critical security controls that you will need to implement carefully.
Remember, these RIA platforms and frameworks are still very new. They all have lots of parsers and interpreters in them, and they have to enforce very complex security policies. The more you can minimize the number of technologies you are using, the better for security.
Don't think of security as restricting what RIAs can do. The same origin policy and the sandbox are the security mechanisms that have allowed us to have such a diverse internet. We need to continue to enhance security controls for RIAs so that we can take advantage of their awesome features. With so much demand for RIAs that are capable of accessing multiple data sources, we need to bring the same origin policy up to the application layer and make decisions based on the true "originator" of services and data, not just the last "origin" they happened to come from.®
Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.
Sponsored: Customer Identity and Access Management