Sadek Drobi’s Blog

December 15, 2008

RefX :: Innovation is often not at your expectations or knowledge level!

Filed under: Architecture, Conferences, D90, LinQ, QCon, Security, Volta, ajax, gwt, microsoft, web 2.0 — Sadache @ 12:08 am


@QCon SF, I attended a presentation by Erik Meijer in which he talked about research projects he is involved in, including the Volta project. He talked about an interesting problem that is ignored when we talk about Ajax applications, and especially when we talk about solutions like GWT that make you feel at home while programming for the web. In such an experience, before splitting your application and deploying it on the web, you feel quite secure. Anyway, it is often not so important to secure communication between the inner parts of one computer when no network is involved. Evil shows up when it is time to go live, to the clouds. There you are not communicating through inner channels but rather through the public Internet.

Now, "evil" seems like exaggerating. But with rich ajaxified web applications, there is a part of the business logic that is done at the client side. If you are designing a "Web 2.0" application you have indeed to do some work at the client side to keep your application responsive. This gives even more chance and time for malware to play and mess around. The page is not anymore returned by the server but rather dynamically constructed using javascript after some asynchronous web calls to the server. User’s session got longer, giving more opportunities for evil (not thinking of invocation of some javascript that is supposed to be returned from the server!).

Erik, while talking about the Volta project, seemed very concerned about this security hole that everyone ignored when talking about splitting an application into two parts or about RIA applications. During this interesting presentation, he suggested a solution to this problem: a low-level channel that transmits the user's key interactions to the server securely, so that they can be replayed to verify the request sent over HTTP. This mechanism would be introduced through a plugin or something similar. The suggestion triggered a negative reaction in the audience; people seemed not to like the idea for several reasons. Some people thought it was bad for confidentiality reasons. I guess the server already knows what the user does through the HTTP requests anyway, so I guess there is no harm in this channel.

But what really drew my attention is that a lot of people thought it was a bad idea because it "breaks web rules", or "breaks the web's architecture", or "introduces a whole new concept that people will certainly reject". Well, here I feel the need to clear up some points.

Firstly, it is Microsoft that is acting here. Back when Microsoft introduced the XML request object into their browser for Outlook's web interface, everyone felt it was a bad idea and that they were breaking the rules. Later on, it became a standard and an essential part of the Web 2.0 enabler called AJAX. Examples like this are numerous, but this one is sufficient.

Secondly, as the title of this post says, innovations often do not come at our knowledge or expectation level. I mean, who could ever have imagined that the Web would have the shape it has today, or that it would even exist?

Last but not least, Erik and his team are trying to find a solution to an ignored, unsolved, yet very dangerous problem. This solution, if it works, can save us from a lot of malware, spam and other kinds of evil on the web. With Microsoft behind it, I guess people will have no problem adopting the solution when it is integrated into the next version of the browser, by far the most used browser. And, think about it, a lot of big companies' solutions have become standards. Maybe that is Microsoft's way back to the WWWeb!
