Experiencing the Rich Web Could Be Costly?


Sep 14, 2007

I attended the Rich Web Experience conference in San Jose last week, along with my colleague Dean Saxe (who was speaking there on AJAX Security and Web Hacking).

I’m not much of a Web 2.0 designer, and some of the talks were lost on me. It reminded me a bit of a web services conference I went to a few years ago, where people were frothing at the mouth about how their <insert buzzword here> library was the end-all, be-all approach and others didn’t deserve a second flush. Now, I’m sure if I was involved day-to-day in a Web 2.0 design project, I would be frothing with the best of them. As it was, I was just trying to decipher acronyms and count the number of iTunes, Gmail, and Twitter references.

There was, however, some interesting security conversation. A couple of other speakers, Joe Walker and Douglas Crockford, and Dean and I (well, really Dean, but I tagged along) were invited to a security Birds of a Feather meeting. Among the topics discussed were the prevalence of XSS, the problem with SiteKey and other anti-phishing technologies, and the inherent insecurity of cross-domain mash-ups.

I found the last subject particularly interesting. To me, mash-ups at first seemed a little cutesy and limited, but the more I learn about the RESTful and Semantic Web, the more I realize that we (the web service providers) should all be talking the same language, and talking openly. Of course, this convolutes the current security model of the web.

One interesting question I still don’t know the answer to is who makes the trust decisions in a mashup. Do I say which services can talk to each other, and what type of information they can exchange, as a user? Or does the service get to make those decisions? I think fundamental questions like this need to be ironed out. There’s plenty of research going on right now about secure mashups. Summing up the thoughts of the similarly-feathered birds at the conference, I can say a) I hope we don’t cause more browser divergence b) I hope we don’t burden the user with security decisions they aren’t prepared to make.