Updated: 4/30/2007; 4:06:47 PM.
Mark O'Neill's Radio Weblog
Tuesday, January 02, 2007

I'm speaking next month about "Security for AJAX and Web 2.0" at the RSA Conference. I've seen some magazine articles about Web 2.0 security, but none has, I feel, really nailed the subject head-on. Some articles seem to think it's just a matter of filtering XML, but the fact remains that when you do an Ethereal trace of Web 2.0 traffic, the incoming traffic to Web 2.0 services is almost always not XML (it's HTTP GETs with parameters in URL query strings), while the data coming back from the server usually is XML (or JSON-serialized objects).

Nobody seems to have addressed the privacy aspects of Web 2.0 apps. Whereas, whenever an HTML form is submitted, the browser shows the user an "are you aware that this info is being sent in the clear" warning box, no such box is shown in Web 2.0 apps. The user may not even be aware that data is being sent to the server, because no page refresh is happening. But it is happening, to enable the increased interactivity and responsiveness that is one of the defining characteristics of Web 2.0 apps.

Also, remember all the concern about "Web bugs", used to track users via single-pixel images? "Web 2.0 bugs" are potentially a much greater privacy risk, but, so far, they fly under the radar [although Vordel's products will detect and block them].
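To make the three points above concrete (parameters travelling in GET query strings, data leaving the page with no refresh and possibly in the clear, and background requests to third-party hosts acting as "Web 2.0 bugs"), here is an added example of the kind of audit hook a page owner or privacy reviewer can drop into a page. It is not code from this post or from Vordel's products; the names installXhrAudit, classifyRequest and summarize, the page origin and the sample records are all constructed for the illustration.

```javascript
// Added example, not code from the original post or from Vordel. It shows one
// way to make background (AJAX) traffic visible: a hook on XMLHttpRequest that
// records every open()/send(), and a classifier that flags data leaving with no
// page refresh, sent over plain HTTP, carried in URL query strings, or going to
// a third-party host (the "Web 2.0 bug" case). All names are hypothetical.

// Wrap an XMLHttpRequest-like constructor so every send() is reported to
// onRecord as { method, url, body }. Pass window.XMLHttpRequest in a browser;
// any class with open()/send() methods works for offline testing.
function installXhrAudit(XhrCtor, onRecord) {
  const origOpen = XhrCtor.prototype.open;
  const origSend = XhrCtor.prototype.send;
  XhrCtor.prototype.open = function (method, url, ...rest) {
    this.__audit = { method, url }; // remembered until send()
    return origOpen.call(this, method, url, ...rest);
  };
  XhrCtor.prototype.send = function (body) {
    if (this.__audit) {
      onRecord({ ...this.__audit, body: body == null ? "" : String(body) });
    }
    return origSend.call(this, body);
  };
}

// Classify one recorded request relative to the origin of the page that issued
// it (pageOrigin, e.g. "https://app.example"). responseContentType is optional
// and, when present, tells whether the reply was XML or JSON.
function classifyRequest(record, pageOrigin) {
  const page = new URL(pageOrigin);
  const url = new URL(record.url, page); // resolves relative URLs against the page
  const ct = (record.responseContentType || "").toLowerCase();
  return {
    method: String(record.method).toUpperCase(),
    host: url.host,
    plaintext: url.protocol === "http:",              // no TLS: sent in the clear
    queryParams: Array.from(url.searchParams.keys()), // data carried in the GET URL
    thirdParty: url.host !== page.host,               // tracker / "Web 2.0 bug" candidate
    bodyBytes: record.body ? record.body.length : 0,
    responseKind: ct.includes("json") ? "json"
      : ct.includes("xml") ? "xml"
      : ct.includes("html") ? "html" : "other",
  };
}

// Aggregate a batch of recorded requests into the counts an auditor wants.
function summarize(records, pageOrigin) {
  const out = { total: 0, plaintext: 0, withQueryParams: 0, thirdParty: 0,
                xmlOrJsonReplies: 0, thirdPartyHosts: [] };
  for (const r of records) {
    const c = classifyRequest(r, pageOrigin);
    out.total += 1;
    if (c.plaintext) out.plaintext += 1;
    if (c.queryParams.length > 0) out.withQueryParams += 1;
    if (c.thirdParty) {
      out.thirdParty += 1;
      if (!out.thirdPartyHosts.includes(c.host)) out.thirdPartyHosts.push(c.host);
    }
    if (c.responseKind === "xml" || c.responseKind === "json") out.xmlOrJsonReplies += 1;
  }
  return out;
}

// Constructed sample of what such a hook might capture on one page view:
// two first-party calls (GET with query string, POST with an XML body) and one
// background GET to a third-party tracker host over plain HTTP.
const PAGE_ORIGIN = "https://app.example";
const SAMPLE_RECORDS = [
  { method: "GET",  url: "/search?q=hello&page=2", body: "", responseContentType: "application/json" },
  { method: "POST", url: "/api/save", body: "<note>draft text</note>", responseContentType: "text/xml" },
  { method: "GET",  url: "http://tracker.example/px?uid=42&ref=app.example", body: "", responseContentType: "image/gif" },
];

// In a browser, uncomment to capture live traffic instead of the sample:
// installXhrAudit(window.XMLHttpRequest, (r) => console.log(classifyRequest(r, location.origin)));
console.log(summarize(SAMPLE_RECORDS, PAGE_ORIGIN));
```

On the sample, summarize reports three requests, two of them carrying parameters in the query string, one going to a third-party host in the clear, and two answered with JSON or XML, which is exactly the traffic shape described above: parameters in on the URL, serialized objects out.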

Hope to see you in San Francisco in February!

9:32:51 AM

© Copyright 2007 Mark O'Neill.