So I tried to help the discussion over at Lucas’s blog this week, given my fairly extensive experience with enterprise web apps and security. The reaction was far from positive.
Even though my point eventually got across, it was mostly dismissed as inconsequential. Instead, Lucas found a variant of the well-known cross-domain attack and focused on that, dismissing all other claims as true but not nearly as problematic as his “new” variant. Maybe it’s good enough that the point got across, though I’m worried that most people who read Lucas’s blog still think that “cross-domain AJAX is not a security problem.”
Of course, it’s not like I discovered any of this. The cross-domain issue has been well understood for a while. Here’s a 1997 book on Java that explains why applets can’t connect to remote hosts other than their originating server. It’s the same issue with cross-domain AJAX, and port scanning is really just one of the reasons why this is a problem.
A friend suggested I start a web security blog to help explain this stuff in general. Maybe. Something worth thinking about in my copious free time 🙂
UPDATE: Lucas and I have agreed to move on to the more important issue: how might limited cross-domain AJAX be possible. Hopefully we’ll start this discussion soon.