Web 2.0 - old technology, old mistake

Web 2.0 provides interoperability and extended connectivity for users. However, in the process of rushing to find new "horizons" for this technology, security issues were accidentally abandoned.

Picture 1: Web 2.0 - old technology, old mistake. Photo: JournalNet

The Web 2.0 trend is recreating the Internet boom of the 1990s: many large-scale seminars are being organized, countless small companies are springing up, and pioneering services such as MySpace.com or Writely are being bought for large sums.

But suspicion and anxiety have also begun to appear in the minds of many experts. Just as in the early days of desktop software development, everyone worked hard to introduce features but forgot to protect them.

"We are repeating the mistakes that the previous generation stumbled on," said Billy Hoffman, chief engineer at SPI Dynamics, a web security company (USA). "Everyone discussed and exchanged ideas to build web applications, but never mentioned security and didn't realize the dangers lurking behind the user's system."

Recently, the Yamanner virus attacked Yahoo Mail to harvest hundreds of thousands of e-mail addresses and send messages to every contact in the address book. And the Samy and Spaceflash worms have raged on MySpace, disrupting the file system of the popular social networking site.

Even the definition of Web 2.0 is imprecise: any website that lets people interact more is considered a Web 2.0 application. One of the "polished" names for this technology is AJAX, whose most famous application is Google Maps. But AJAX also makes it easier for hackers to reach web servers and exploit sites more simply.

"The traditional website is like a house without a window: everyone must go in and out through the main door. An AJAX-based website is a building with dozens of folding doors, emergency doors and ventilation openings. The front and rear doors can be equipped with the largest, most stable locks, but the thief will still find loopholes through the windows," Hoffman explained.

Moreover, websites built with the new programming techniques are more vulnerable because they interact with the browser and can run JavaScript directly on the client. AJAX also increases the likelihood of XSS (cross-site scripting) vulnerabilities, a flaw that arises when a programmer writes code incorrectly. Big companies like Microsoft, eBay, Yahoo and Google have run into many difficulties with XSS problems.
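The article does not show what such an AJAX-induced XSS flaw looks like in code, so the following is an added example (it is not from the article, from SPI Dynamics or from any of the companies named). It assumes a hypothetical comment-listing endpoint whose JSON response is constructed inline, and contrasts a rendering function that concatenates server-supplied text straight into HTML with one that encodes every untrusted field first. It runs under Node without a browser; the HTML strings it returns are what a page would assign to an element's innerHTML.

```javascript
// Added example, not code from the article: an AJAX response rendered
// into the page as HTML becomes an XSS vector when user-supplied fields
// are not encoded. The endpoint and its response below are constructed.

// Constructed JSON as a hypothetical /comments endpoint might return it.
// The second comment contains markup a hostile user could have submitted
// through a form that never validated or encoded the input.
const SAMPLE_RESPONSE = JSON.stringify({
  comments: [
    { author: "alice", text: "Great map!" },
    { author: "mallory", text: "<script>alert(1)</script>" },
    { author: "bob", text: 'Use <b>bold</b> & "quotes"' },
  ],
});

// Encode the five characters that HTML treats specially so that user
// text is displayed literally instead of being parsed as markup.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: server-supplied strings are concatenated directly into HTML.
// A page doing `list.innerHTML = renderUnsafe(json)` would execute
// mallory's script in the context of the site and of the viewing user.
function renderUnsafe(json) {
  const data = JSON.parse(json);
  return data.comments
    .map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`)
    .join("");
}

// Hardened: every untrusted field is encoded before it touches markup,
// so the same response renders mallory's text as visible characters.
function renderSafe(json) {
  const data = JSON.parse(json);
  return data.comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("");
}

// A check a reviewer or test suite can run over rendered output:
// does a raw <script ...> tag survive in the HTML string?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of the difference.
console.log("unsafe has script tag:", containsScriptTag(renderUnsafe(SAMPLE_RESPONSE)));
console.log("safe has script tag:  ", containsScriptTag(renderSafe(SAMPLE_RESPONSE)));
console.log(renderSafe(SAMPLE_RESPONSE));

module.exports = { SAMPLE_RESPONSE, escapeHtml, renderUnsafe, renderSafe, containsScriptTag };
```

Encoding on output is the minimum; in a real page the cleaner design is to avoid building HTML strings at all and instead create elements with document.createElement and set their textContent, which never parses the data as markup. Note that the script-tag check above is only a smoke test: attribute and event-handler injection would pass it, which is exactly why encoding every field, rather than scanning for known bad tags, is the fix.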

But XSS is just the first trouble. Brian Chess, a researcher at Fortify, a source-code analysis tool company, also lists other issues with AJAX, such as code correctness, object model violations and poor error handling.

The company also found many bugs in the sample AJAX code presented in Foundations of Ajax, a book that helps programmers learn the new technology. "The code is written incorrectly, and if developers around the world learn from it, they will repeat it in their products," Chess said.

"Security is always an integral part of Google's design, development, distribution and operation of products and services," said Douglas Merrill, Google's vice president of engineering.