Significance of 'Death of the Document Web' to Security

Wednesday, January 18, 2012

Rafal Los


I'm not n the habit of making predictions because they're almost all obvious and usually wrong when not obvious - but this is one post that I feel I need to write because while it is a prediction... it's not so obvious. 

You'll have to let me know what you think.

I've been thinking about where the Internet as we know it will be evolving to a lot lately, given the technology space I work in and the type of research going on around here at HP... but one really interesting theme lately has been this heralding of the "Death of the Web"... or put more accurately - the "death of the document-based web". 

This article on GigaOM by Dominiek ter Heide caught my attention... because it was actually a really good, rational explanation of what I completely agree with is in the process of already happening.

I really like how Dominiek defines the future role of a modern web server as a machine-machine interface rather than a human-machine interface...

"Today’s Web server is increasingly becoming a data hub that provides connectivity and data synchronization between different client apps. This data hub is becoming much more like a Machine Interface as opposed to a User Interface. It might still render some dumb static HTML pages for the Google Bot, but as any site owner can see in their statistics, traffic from traditional search engines is increasingly being eaten by Twitter and Facebook — or rather, the real-time social Web."

I've highlighted the most interesting part of this quote for you, because there is great significance there for those of us in Information Security and its derivatives.  Even as I pop open Google Chrome one of the more prominent features is the Chrome Web Store, which has applications which run entirely inside your browser - exclusively using web-based technologies and some don't even require an Internet connection to be present.  All the great features of the HTML5 explosion are starting to become present - the big question is are we ready?

If you think of your web server as not serving "web pages" anymore, but rather data, often through JSON style formatting (that is, without context, or much else for that matter) the 'attack surface' of your enterprise begins to look different. 

Those developers still hoping for security to come from the application ("web app") itself are in for a cold splash of water - because odds are the APIs you expose, and the data you share are just as likely to be accessed by your application as by something else that is consuming your data and APIs. Think about that.

It feels strange... almost as if we're returning back to the days of thick clients.  Well, not exactly though, because these semi-thick apps live inside the ultimate thick-client app - our browser. 

The problem is that now we have too many choices again, and whereas JavaScript + CSS + HTML was almost a standard across all platforms, now we're going back to writing apps for specific applications again. 

Android, iOS, BlackBerry, the desktop (Apple, Microsoft, Linux... ) are all valid platforms that come with their own quirks and perversions of the word standard... then again what does that even mean?  Is it a standard if no one follows it?  So how does any of this relate to information security, you're thinking?

Information Security has just started getting comfortable with profiling, analyzing, and defending web-based applications which are served up from a web server, consumed (mostly) by a human, and used in a browser through some almost-standard means. 

Hang on tight because the world has just taken a sharp left and if you haven't buckled in you're bound to be thrown from the bus. 

Do those Web Application Firewalls you've taken 3 years to implement do you any good in this new world view?  Is your code review and penetration testing process of releasing new web apps account for no interface for you to test? 

If you've been practicing good security all along in the software development world - odds are you're not going to have to make any ground-breaking changes... but if you're where the other 99% of the population is you may want to get out ahead of this one. 

This bull is coming fast... check your mobile handset for proof.


Since someone asked in the comments for an example of a "server is acting as a data hub or machine interface, versus acting like a user interface" I thought I would give one here for clarity... if someone has a better one than what I've come up with, please share...

The example that pops up in my head immediately is Facebook.  As people move away from using the website directly (going to in your browser) and move more to mobile device app-based access of the Facebook Application on Android or iOS the human no longer interfaces with the web server itself, but rather with the app on the local device. 

The app then makes AJAX-style API calls presumably using JSON or some other format to shuffle data to and from the mobile Facebook application.  The web server then becomes a data hub or data interchange rather than a user interface... meaning it doesn't serve up web pages anymore, but rather data for the apps to use locally.

I hope this example makes sense, and is clear.  There are examples of this popping up all over the place, with apps like TripIt (one I use every day) on my iPhone/Android mobile handset, and even the games that I used to play on a web site are now played locally through an app that communicates to the web server on my behalf.  Isn't technology wonderful?

Cross-posted form Following the White Rabbit

Possibly Related Articles:
Browser Security Javascript Web Application Security Web Application Firewalls Smart Phone Information Security Mobile Security Rafal Los JSON
Post Rating I Like this!
Danny Lieberman Good post and indeed most Web apps (and certainly tablet apps) are written around JSON request/response.

But that is precisely the problem. HTTP and Web servers are absolutely a broken execution model for a client-server application.
First of all passing messages between remote processes on the user interface is a really bad idea (yes that's what all programmers do when they post in a form or pass data in a query string)
Second - web servers use blocking io and threads which is also a really bad idea and extremely bad for scalability
Third - web apps use chewing gum, stones and knives to develop code, it's no wonder script kiddies can do so much damage when the code infrastructure itself is so brittle.

Here is a talk I gave last year
that talks about the issues and sort of ponders some directions for solutions
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.