Monday, August 23, 2010

Security on the Client Side

Common--and good--advice is to not trust the client. If an organization has no control over the client, as is the case in web-based client-server applications, the client is not trustworthy. The Milwaukee Journal Sentinel's Packer Insider is a very good low-stakes example of a site that has gotten this wrong. The Packer Insider is intended to be a subscription-only service, but I was reading it for a while, perhaps a long while, before I realized I was reading for-pay content.

If I visit http://www.jsonline.com/sports/packers/ in Firefox I get full access. If I visit it with Opera or Chrome, and click one of the Insider links, I get a login screen. What's the difference?

The difference is NoScript, an indispensable Firefox tool. NoScript is not intended to circumvent security, but rather to enhance client-side security. The idea is that if I let any given web site execute any script it wants on my machine, my personal data and the integrity of my machine are at risk. NoScript also helps me limit more obnoxious advertising by selectively shutting off Flash, JavaScript, Java, etc. NoScript uses a default-deny model, meaning that sites are not allowed to run client-side scripts unless I assent. NoScript is not for everyone because it does cause problems with some sites and it does require some effort on the part of the user, but it does provide a much safer browsing environment.

So, if I disable scripting, I get a much cleaner, more pleasurable view of the Journal Sentinel's Packer pages. As a side effect, I also get access to the Packer Insider materials. This is due entirely to poor security architecture at the Journal Sentinel's site, and, IMHO, strong evidence that the design was not done by an experienced professional. OTOH, there may have been other constraints making this desirable, and they may not actually care. If I were to lose access to these pages, I wouldn't really care because the Green Bay Press-Gazette has comparable content that's openly available.

As an aside, there are those who think it is bad to disable advertisements that support web sites. I have sympathy for this view, but I don't want their scripts running on my machine, eating cycles, providing animations which make it difficult to concentrate on the actual content, and, in extreme cases, making noise or damaging my system. I will aggressively block Flash, animated GIFs, etc., that damage the user experience.

This shows a general advantage of server-side over client-side scripting. Providers have a better idea of what their pages look like on the client side if they use server-side scripting--which is controlled by the provider--rather than client-side scripting, which is controlled by the end user, the browser, malware, etc.

Summary: security must be on the server side.
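
To make the summary concrete, here is an added sketch (mine, not the Journal Sentinel's code) of a script-enforced gate beside a server-enforced one. How the real site gates its pages is not known; the script redirect, session table, cookie name and handler names are all assumptions made up for illustration.

```javascript
// Added example with constructed data; every name here is hypothetical.
const ARTICLE = "<article>Subscriber-only analysis of Sunday's game</article>";
const SESSIONS = new Map([            // server-side session store (constructed)
  ["s3ss10n-abc", { user: "alice", subscriber: true }],
  ["s3ss10n-xyz", { user: "bob", subscriber: false }],
]);

function parseCookies(header = "") {
  const out = Object.create(null);
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Client-enforced gate: the content is always in the response, and a script
// is trusted to send non-subscribers away. The client decides, not the server.
function clientGated(req) {
  const gate = "<script>if(!document.cookie.includes('sid='))" +
               "location.href='/login';</script>";
  return { status: 200, headers: {}, body: gate + ARTICLE };
}

// Server-enforced gate: the session is checked before any content is sent,
// so nothing the client does (or declines to run) changes the outcome.
function serverGated(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { status: 302, headers: { Location: "/login" }, body: "" };
  if (!session.subscriber) return { status: 403, headers: {}, body: "Subscription required" };
  return { status: 200, headers: {}, body: ARTICLE };
}

// What a browser with scripting turned off renders: the markup minus scripts.
function visibleWithoutScripts(res) {
  return res.body.replace(/<script[\s\S]*?<\/script>/gi, "");
}

// Anonymous request, no cookies at all.
const anon = { headers: {} };
console.log("client gate:", JSON.stringify(visibleWithoutScripts(clientGated(anon))));
console.log("server gate:", serverGated(anon).status, JSON.stringify(serverGated(anon).body));
```

With the first handler the paid article has already left the server by the time any check runs; with the second, an anonymous or non-subscribed request never receives it.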

1 comment:

LentilBeard said...

Excellent post! I've been using NoScript for a little while now and don't miss any of those distractions.