Security in the next web's world
Hi...
Security is a topic which will not leave us for the time of our existance, I think.
Recently I was playing with some technologies like Astoria, Silverlight and ASP.NET Futures. My idea was to build something special for the XTOPIA conference. We could build a data service based on Astoria in the cloud. Instead of having the somewhat typical website just have the database accessible via XML and JSON. We would have done an implementation of Silverlight frontends to the dataservices but being able to invite the community to do their own simply by uploading their Silverlight code to the server. So everybody would have been able to build a mashup right there.
In the process of thinking I discovered that code quality could be a problem. OK, in the web nobody seems to care to much about code quality. But the source of the code is unknown. What this code really does is hard to figure out.
If you have a look at the Popfly concept they are coping with the same problem. The boxes are defined by somebody else. When ever you use a user generated box it warns about the unknown source of the code.
Thinking about this results in very interesting insides. What we do is to blur trust boundaries since the code is delivered by a trusted source (say the popfly URL) but cannot be checked as trustworthy (e.g. by the browser). This really kills the idea of trusted URLs.
But not only the browser is affected. For the user it is also risky in the sense that most people decide based on experiences made in the past. So it will result in a digital decision: if a site is trustworthy all content is trustworthy.
How can we get this daemon back in the bottle?? While code signing is not the final solution it might be a good step towards it.
I will surely ask Oliver Scheer - Content Manager for the XTOPIA - if we could have a session or a discussion board around this topic...
CU
0xff
Comments
- Anonymous
June 07, 2007
Signing code would not solve the problem. Take for example our own MS products - they all over signed and come from trustworthy source, but vulns are constantly discovered. We vastly improved and many think (including me) we are the leaders in Security Engineering. It is so huge topic that embraces people, technology, processes, legislation etc. I am so happy to see one more voice raising this problem and inviting disussion. Please share what came out of discussion borad Thanks alikl