[OpenAjaxSecurity] Google has posted an article on Ajax security

Bertrand Le Roy Bertrand.Le.Roy at microsoft.com
Wed Apr 4 14:19:53 PDT 2007


Totally agree on (1).
Not so sure about (2). Security is a rapidly moving field. Would you want to revoke conformance if/when a new vulnerability appears? Even defining security-related requirements for conformance would be very difficult, and I'm not even talking about checking that conformance.
(3) seems like something that standards organizations, browser and server vendors would be more qualified to do.

Bertrand

From: security-bounces at openajax.org [mailto:security-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Wednesday, April 04, 2007 12:53 PM
To: OpenAjax Alliance Security Task Force
Subject: Re: [OpenAjaxSecurity] Google has posted an article on Ajax security


Bertrand,
Thanks for referencing the MS posting.

I read through the JavaScript hijacking article and I think it throws a spotlight on just a couple of issues among many. For the issues pointed out in the article, there are techniques to address the potential problem, and ASP.NET uses some of those techniques.

The question for the security task force is what role OpenAjax should play. Here are some options:

(1) We could play an educational role. There are known techniques for many of the most well-known Ajax vulnerability issues. OpenAjax Alliance could create white papers or web pages that describe these vulnerabilities and techniques for addressing them (or link to other sources which provide the details).

(2) We could define a set of Ajax security best practices as part of our OpenAjax Conformance trust brand. In order for products to claim OpenAjax Conformance, they would have to support our security-related best practices.

(3) We could play a role in improving the security infrastructure of the Web. Maybe there are improvements to the browser or server technologies which would help with security issues. (One example might be federated authentication.)

I don't have an opinion yet, but my instincts are that there is something we can do around (1) and (2) at least.

Jon

Bertrand Le Roy <Bertrand.Le.Roy at microsoft.com>
Sent by: security-bounces at openajax.org
04/04/2007 11:48 AM
Please respond to: OpenAjax Alliance Security Task Force <security at openajax.org>
To: OpenAjax Alliance Security Task Force <security at openajax.org>
cc:
Subject: Re: [OpenAjaxSecurity] Google has posted an article on Ajax security


FYI, here's the Microsoft answer on the JSON hijacking vulnerability that made the news yesterday:
http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
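The following is an added illustration, not code from this thread, from ASP.NET AJAX, or from any OpenAjax deliverable. It sketches, in plain JavaScript, two of the known mitigations Jon alludes to and that the linked ASP.NET AJAX post describes for JSON hijacking: refusing to serve JSON to requests a cross-site `<script src>` tag can make (anything other than POST with a JSON content type), and framing the response so it is not executable script. Every name in it (`isTrustedJsonRequest`, `frameJson`, `unframeJson`, `handleJsonRequest`, the prefix string, the sample request objects and data) is an assumption made for the example.

```javascript
// Added illustration, not code from this thread, from ASP.NET AJAX, or from
// any OpenAjax deliverable. All names below (isTrustedJsonRequest, frameJson,
// unframeJson, handleJsonRequest, the request objects) are assumptions.
//
// JavaScript hijacking works because a cross-site page can load a JSON
// endpoint with <script src="..."> and, in browsers of the time, observe the
// array/object values as they are constructed. Two server-side controls
// break that: (a) only serve JSON to requests a <script> tag cannot make
// (POST with a JSON content type, the rule the linked ASP.NET AJAX post
// describes), and (b) frame the body so it is not valid JavaScript.

const JSON_PREFIX = ")]}',\n"; // a deliberate syntax error when executed as script

function isTrustedJsonRequest(req) {
  // A <script src> include is always a GET and cannot set Content-Type,
  // so a cross-site page cannot satisfy both conditions.
  if (req.method !== 'POST') return false;
  const ct = String(req.headers['content-type'] || '').toLowerCase();
  return ct.startsWith('application/json');
}

function frameJson(value) {
  // Serialize and prepend the prefix: even if the body were loaded as a
  // script, the parser aborts before any value is constructed.
  return JSON_PREFIX + JSON.stringify(value);
}

function unframeJson(body) {
  // Client-side counterpart for the legitimate XMLHttpRequest caller,
  // which reads the raw response text and strips the prefix before parsing.
  if (!body.startsWith(JSON_PREFIX)) throw new Error('unexpected JSON framing');
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

function handleJsonRequest(req, data) {
  // Server-side handler: policy check first, then the framed response.
  if (!isTrustedJsonRequest(req)) {
    return { status: 403, body: 'JSON endpoint requires POST with application/json' };
  }
  return { status: 200, headers: { 'content-type': 'application/json' }, body: frameJson(data) };
}

// Constructed sample input (not real data): what a cross-site <script src>
// produces versus what the application's own XMLHttpRequest sends.
const SAMPLE_DATA = [{ account: 'demo', balance: 42 }];
const SCRIPT_TAG_REQUEST = { method: 'GET', headers: {} };
const XHR_REQUEST = { method: 'POST', headers: { 'content-type': 'application/json; charset=utf-8' } };

console.log(handleJsonRequest(SCRIPT_TAG_REQUEST, SAMPLE_DATA).status); // 403
const accepted = handleJsonRequest(XHR_REQUEST, SAMPLE_DATA);
console.log(accepted.status, accepted.body);
console.log(unframeJson(accepted.body));
```

The policy check is the control that actually closes the hole, since a `<script>` element can neither POST nor set a content type; the prefix is defence in depth for the case where an endpoint is later exposed over GET by mistake. Both are transparent to the application's own callers as long as the client strips the prefix before parsing.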


From: security-bounces at openajax.org [mailto:security-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Monday, April 02, 2007 4:07 PM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Google has posted an article on Ajax security

Google has posted an article on Ajax security:

http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications

security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security