There is a new trend going around that has been dubbed "Web 2.0". In my opinion the term is lacking: it is so broad that anything can be called "Web 2.0". More than anything it is a dotcom bubble 2.0. People are now using JavaScript to create interactive web sites rather than Flash, as in the first bubble. People are starting to call this technology AJAX when it is just advanced JavaScript. There is nothing all that new about it; more people are simply starting to use it.
From a security standpoint this new trend of moving towards a web-based OS is scary. By US law a security researcher cannot test to see how secure a web site is. They can slam an application to death trying to find bugs, but they are unable to touch a web site. This is bad because the ethical hackers who would report bugs are not able to do so, while the unethical hackers have at it. This means that the people who look for the bugs are the ones who have something to gain: they are trying to get the user's information, be it their username and password or other information stored on the account.
End users are starting to trust these web-based services for data storage. If you post your personal information on a site such as Google Docs, it is there forever. You may ask for it to be removed, but there could be a copy floating around Google's backup servers somewhere. This means that none of your information is private; someone somewhere could get it if they really wanted to. For most home users this is not all that big of a deal, but Google is targeting businesses, and when you look at this from a business standpoint it is truly scary. All of your trade secrets can no longer be called secrets, because Google knows them. So, if you use Google Docs along with Gmail, someone could gain access to everything.
Let's go in a different direction now: security in JavaScript itself. Client-side scripting is not safe. Moreover, JavaScript is not safe. Just take a look at Jikto, a Trojan of sorts written in JavaScript. This little piece of code looks for problems in a web site and, when it finds something, infects that site. The end user interacts with this without even knowing about it. JavaScript is so powerful today that it can do much more than it was intended to do, which means that the "bad guys" can do evil with it right alongside the web developers who create tools like Google Docs and other AJAX sites.
The term "Web 2.0" classifies a grouping of sites that, in my opinion, may well be insecure. People are entrusting their personal and business information to a company that offers a free service. If you signed a contract stating exactly what you were getting, it would be another story, but with the current sites that I have seen it is a scary reality.