Jello wrote: Congrats on the book. But I'm curious... for AJAX security we use SSL/HTTPS and Catalyst's Authentication/Authorization. In a broad sense, what special concerns are there for AJAX? If you always have to login, and you always make your AJAX calls from a page via HTTPS, isn't AJAX the same as any other CGI in regards to security?
It's good you bring this up, Jello. I'll be talking a lot more about this at Phreaknic. It's worth pointing out that the situation you describe is not the norm on the Internet. 90% of websites have all of their functionality exposed without needing a login. Also, I'm sure you know this, but SSL/HTTPS does not secure your website. SSL provides an encrypted tunnel. All web attacks operate at layer 7 and work exactly the same over HTTP or HTTPS. In fact, SSL can hurt you. Unless your IDS has your encryption keys or is the SSL endpoint, it's much harder to see if someone is attacking you. I've only seen a half dozen or so large scale organizations, but, "for performance reasons," none could set up their network in such a way that the IDS could access the encrypted web traffic. I'll answer your Ajax security question in a new post.

RE: It's official! I'm writing a book.