[LINK] RFC: AJAX Depredations

Roger Clarke Roger.Clarke at xamax.com.au
Mon Apr 2 15:54:34 AEST 2007


I'm finalising a submission to ASIC about 'consumer device security'.

It tries to explain - to bankers and lawyers - why consumers can't be 
lumbered with unreasonable responsibilities to secure their desktops 
and laptops, let alone handhelds.  The URL for the previous draft is 
below.  (The slightly more technical description I've put in another 
paper, for eCommerce types, is at the very bottom).

The current iteration of the short section on AJAX is as follows.

Proposals for correction and improvement greatly appreciated!!

"A recent development is an extension to the Web protocol called 
XMLHttpRequest (http://en.wikipedia.org/wiki/XMLHttpRequest).  This 
was originally devised by Microsoft but has since been widely 
adopted.  It extends the capabilities available to programmers, and 
reduces the extent to which the user does, or even can, understand 
what their device is doing.  A family of development techniques 
referred to as AJAX takes advantage of this extended, more powerful 
Web protocol.

"The AJAX approach enables closer control by the programmer of the 
user's visual experience, because small parts of the display can be 
changed, without the jolt of an intervening blank window.  This is 
achieved by constructing an 'Ajax engine' within the browser, to 
intercept traffic to and from the web-server.  Control of the 
browser-window by code delivered by an application running on the 
server represents subversion of the concept of the Web and hijack of 
the functions of the browser.  The power it offers provides 
programmers with the capacity to manipulate consumer devices, and is 
a boon for attackers.

...

"It appears that even highly technically literate consumers may be 
either unable to preclude AJAX techniques from intruding into their 
devices, or unable to do so without abandoning access to a wide range 
of services.  In particular, there appears to be no mainstream way in 
which a consumer can permit AJAX techniques under specific 
circumstances only (such as from a trusted supplier like their bank) 
without leaving their device open to all comers.

"The alternative of using ancient browser-versions, or intentionally 
cut-down browsers that do not support key features on which AJAX 
depends, incurs considerable disadvantages.  Most web-site developers 
design applications only to run on very recent browser-versions (or, 
in remarkably many instances, only on the most recent versions of 
MSIE).  Old and cut-down versions of browsers therefore quickly 
become unusable on many sites; and hence there is a built-in and 
powerful disincentive working against consumers using less vulnerable 
browsers."

__________________________________________________________________________

The previous version of the submission is at:

     On the Possibility of Consumer Device Security
     http://www.anu.edu.au/people/Roger.Clarke/II/ConsDevSecy.html

__________________________________________________________________________

Slightly more techo text, from:

     Towards an Understanding of the Web 2.0 Notion
     http://www.anu.edu.au/people/Roger.Clarke/EC/Web2C.html#AltT

The key example of such a lightweight model is the approach referred 
to as AJAX, which is shorthand for 'Asynchronous JavaScript and XML'. 
The term is of recent origin (Garrett 2005), but describes a pattern 
that has been emergent for some years and represents a further 
improvement on longstanding techniques collectively referred to as 
Dynamic HTML.

The AJAX approach utilises well-established tools such as HTML, CSS, 
XML and the JavaScript/ECMAScript family of client-side languages. 
The key difference is the involvement of the more recent 
XMLHttpRequest Method within HTTP. This supports data retrieval from 
the server 'asynchronously', i.e. without forcing a refresh of the 
entire browser-window. The technique enables closer control by the 
programmer of the user's visual experience, because small parts of 
the display can be changed, without the jolt of an intervening blank 
window. It is argued that this enables quicker response and improved 
usability (although that is subject to debate).

The means whereby this is achieved is by constructing an 'Ajax 
engine' within the browser, such that requests and responses are 
intercepted and processed on the client-side. An important motivation 
for Ajax developers is to reduce the complexity caused by proprietary 
features in Microsoft's Internet Explorer, such that a single 
application can work consistently on all client-platforms (just as 
the Web was originally envisaged to do).

From the user's perspective, however, control of the browser-window 
by code delivered by an application running on the server represents 
subversion of the concept of the Web and hijack of the functions of 
the browser.


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
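The wish expressed in the draft above, to permit AJAX techniques only from a trusted supplier such as a bank, together with the description of asynchronous retrieval via XMLHttpRequest and partial display update, as an added example that is not part of Roger Clarke's post or either paper: a minimal client-side request layer that lets XMLHttpRequest traffic reach only an allow-listed https origin and swaps the text of one element instead of reloading the window. The XMLHttpRequest constructor is passed in so the block runs under Node with a constructed stand-in; bank.example is a placeholder origin and ALLOWED_ORIGINS, isAllowedUrl, fetchFragment, applyFragment, FakeXhr and demo are names chosen here.

```javascript
// Added example, not from the original post. All names here are chosen for
// illustration and bank.example is a placeholder origin.
const ALLOWED_ORIGINS = new Set(["https://bank.example"]);
// Only an https URL on an allow-listed origin may be fetched from the page.
function isAllowedUrl(url, pageOrigin) {
  let parsed;
  try { parsed = new URL(url, pageOrigin); } catch (e) { return false; }
  return parsed.protocol === "https:" && ALLOWED_ORIGINS.has(parsed.origin);
}
// Asynchronous retrieval through XMLHttpRequest, refused outside the allow-list.
// XhrCtor is injected (window.XMLHttpRequest in a browser, FakeXhr below under
// Node); cb(err, text) is called once. Returns whether a request was sent.
function fetchFragment(url, pageOrigin, XhrCtor, cb) {
  if (!isAllowedUrl(url, pageOrigin)) {
    cb(new Error("blocked: " + url), null);
    return false;
  }
  const xhr = new XhrCtor();
  xhr.open("GET", url, true); // true = asynchronous, no window refresh
  xhr.onload = () => (xhr.status === 200
    ? cb(null, xhr.responseText) : cb(new Error("HTTP " + xhr.status), null));
  xhr.onerror = () => cb(new Error("network error"), null);
  xhr.send();
  return true;
}
// Change one element's text rather than redrawing the whole window; textContent,
// not innerHTML, so server data is displayed, never interpreted as markup.
function applyFragment(doc, elementId, text) {
  const el = doc.getElementById(elementId);
  if (!el) return false;
  el.textContent = text;
  return true;
}
// Constructed stand-in for the browser's XMLHttpRequest: answers from an
// in-memory table and fires onload synchronously so the block runs offline.
const FAKE_RESPONSES = { "https://bank.example/balance": "Balance: 123.45" };
class FakeXhr {
  open(method, url) { this.url = url; }
  send() {
    const body = FAKE_RESPONSES[this.url];
    this.status = body === undefined ? 404 : 200;
    this.responseText = body === undefined ? "" : body;
    if (this.onload) this.onload();
  }
}
// Offline demo against a constructed one-element document; returns the element's final text.
function demo(url) {
  const els = { balance: { textContent: "loading" } };
  const doc = { getElementById: (id) => els[id] || null };
  fetchFragment(url, "https://bank.example", FakeXhr, (err, text) => {
    if (!err) applyFragment(doc, "balance", text);
  });
  return els.balance.textContent;
}
```

In a browser the same functions are called with window.XMLHttpRequest and document in place of FakeXhr and the constructed document; a request to any origin outside ALLOWED_ORIGINS never leaves the page.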
