Friday, March 06, 2009

Offline-Web Applications & Security

We can read a lot about Computing in the Clouds these days, even in ordinary newspapers. It’s a big business with SOME open questions. I started to compile a couple of thoughts in Web Browser, Web-OS and the Era of Cloud. Beside the real differences to Client-Server Computing (“Dude, sometimes I can spot them, and sometimes not!”), I do have my concerns pertaining to security.

Take the so-called Offline-Web Applications (sometimes called Web 3.0), for example. Apart from the fact that the term is a contradiction in itself, the vulnerabilities are a real problem. Running web servers everywhere increases the attack surface: the HTTP servers on the client machines are needed to keep the applications (which are web applications) running during a network blackout. In addition, maintaining state is a must if the result is to feel anything like a real application, and maintaining state in a web application built on HTTP, with all its consequences, has been a security problem from the beginning. Today state is maintained with cookies and other remnants that browsers and plug-ins create and use; for Offline-Web Applications, small client-side databases are in use as well. And the list is not complete yet: HTML 5 specifies Structured Client-Side Storage, which includes database storage (local and relational), and some web-browser vendors are planning to support it to a certain degree (session, local, database). This will change the attack scenarios as well as the attack surface. Combined with excessive scripting ... but that is another story.
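One defender-side check that follows from the storage concern above, as an added example that is not part of the original post: any script running in the page's origin can enumerate sessionStorage and localStorage (there is no HttpOnly equivalent for Web Storage), so auditing what an application leaves there shows exactly what an injected script would obtain. The Storage stand-in, the key and value heuristics and the sample entries are constructed so the audit runs under Node.

```javascript
// Added example: audit Web Storage (sessionStorage / localStorage) for state
// that should not live where every script in the origin can read it.
// Heuristics are assumptions, not a standard; tune them per application.
const SENSITIVE_KEY = /(pass(word)?|secret|token|session|auth|api[_-]?key|csrf)/i;
const TOKEN_LIKE = /^[A-Za-z0-9_-]{20,}(\.[A-Za-z0-9_-]{10,}){2}$/; // JWT shape
const LONG_OPAQUE = /^[A-Fa-f0-9]{32,}$/;                           // hex session id

// Walk a Storage-like object through the standard API: length, key(i), getItem(k).
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? "";
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push("sensitive key name");
    if (TOKEN_LIKE.test(value)) reasons.push("value looks like a JWT");
    if (LONG_OPAQUE.test(value)) reasons.push("value looks like an opaque session id");
    try {
      const obj = JSON.parse(value);
      if (obj && typeof obj === "object" &&
          Object.keys(obj).some((k) => SENSITIVE_KEY.test(k))) {
        reasons.push("JSON value contains a sensitive field");
      }
    } catch (_) { /* not JSON, nothing more to inspect */ }
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed in-memory stand-in for window.localStorage (browser API subset).
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => [...map.keys()][i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

// Constructed sample of what an offline-capable web application might leave behind.
const sampleStorage = makeStorage({
  "ui.theme": "dark",
  "draft.note.42": JSON.stringify({ title: "todo", body: "buy milk" }),
  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy",
  "profile": JSON.stringify({ user: "alice", password: "hunter2" }),
  "sid": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
});

console.log(JSON.stringify(auditStorage(sampleStorage), null, 2));
```

In a real page the same function runs as `auditStorage(window.localStorage)` and `auditStorage(window.sessionStorage)`; anything it flags is readable by any cross-site-scripting payload in that origin and belongs server-side or in an HttpOnly cookie instead.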
