JavaScript, also known as ECMAScript

April 8th, 2008

With network security auditors able to gain full admin access to university websites because those sites are JavaScript based, with the entire application logic sent to the client browser, why are website designers and developers insisting on using this SEVERE security risk technology? [ On one of the video sites such as YouTube there is reportedly a video where this was done in less than 3 minutes. ]

Every line of JavaScript is sent to the client browser, in human readable form. [ right-click, view source, there it all is ] There is not one valid reason to use any client-side scripting on a website. [ HEY! WordPress developers, that includes your blogging script!! NO TO JAVASCRIPT!! ]

My zero respect for any site that uses / requires JavaScript is no secret; I refuse to go to sites that do NOT function in lynx. I’m currently looking at the WordPress scripts used for this blog to remove the JavaScript from them. I’ll check to see if I can implement the RSS and pings with XSLT instead of the AJAX they are commonly based on. If not, I’ll use a Perl based CGI script to accomplish the task. [ this is asking for trouble, my Perl is weak :) ]

Yes, I am posting this, as with all posts to this blog, with no JavaScript enabled in the browser.

Standards Compliancy in Website Design / Development

April 8th, 2008

I know, this subject has been covered in depth on many blogs and on many other sites, but as long as sites are not being written to be standards compliant, it won’t die out.

Most business websites are “designed” to answer the following 5 points, with no consideration of website standards.

1. How do we increase revenue?
2. How do we reduce expenses?
3. How do we bring in more customers?
4. How do we get more business out of each existing customer?
5. How do we increase shareholder value?

To answer them by pointing out the benefits of standards compliant websites:

1. How do we increase revenue?

A well written standards compliant website is accessible by everyone, even those who have to use assistive technologies like screen readers. AJAX and most “Web 2.0” technologies don’t play nice with these technologies.

2. How do we reduce expenses?

A standards compliant website doesn’t have that huge data transfer bill hitting you every month; such sites tend to use far less data transfer than non-compliant websites. They also play nice with search engine robots, allowing the website to be indexed properly, improving the effectiveness of your SEO and advertising [ Google keywords etc. ] for your website and making a lower advertising expense feasible.

3. How do we bring in more customers?

Quit driving people away from your business and website with a site that is not accessible.

4. How do we get more business out of each customer?

The short answer: better customer service, as well as a better customer experience when they are making a purchase from you. A standards compliant website is easy to use, accessible by all, and isn’t cluttered with extraneous cruft. [ yahoo.com is cluttered, google.com isn’t; look at both as the interface for doing a web search and you will find Google has done it right. ]

5. How do we increase shareholder value?

When the sales / service revenues are increasing, the shareholder value increases along with them. If a company website is designed and developed to be accessible, secure and good looking, then your internet site expenses are giving a very large return on investment; it can get as high as 3000% [ yes, three thousand ].

An additional point to remember, if a company cannot be bothered to meet the standards for website design and development, why would anyone trust them to meet the standards for their products? I would never trust a building contractor that has a non standards compliant website. I would never trust any company that can’t meet standards that apply in ALL aspects of their business operation. A non compliant website says to people that the company doesn’t meet any standards they are supposed to in any fashion whatsoever. [ Microsoft® is an excellent example, not one Microsoft® product meets the ISO standards set out for software. ]

Impact of Open Source Software

April 8th, 2008

We have all heard the term “Open Source” and most of us have used at least one open source program, but what is the real impact of open source software?

According to the European Union’s Enterprise and Industry report it is quite substantial ( see http://ec.europa.eu/enterprise/ict/studies/publications.htm, the Economic Impact Final Report is downloadable from there. I have also made it available at http://jaqui-greenlees.net/files/2006-11-20-flossimpact.pdf ( to save the EU the data transfer ) ). This report, while an in-depth study, is focussed solely on the economic impact and ignores several key areas, while only lightly covering others.

The impact of Free / Libre Open Source Software on innovation and improvement in software is mentioned, but they don’t really cover some of the more significant recent events, mostly because the report was finalized before the events occurred. One of the most significant was the release of Microsoft’s ® Internet Explorer 7 ®. The new features included in this product are a direct response to the success of the open source browser Mozilla Firefox. MS ® also included support for the open source Gecko rendering engine that Firefox uses, for both its speed and its ability to handle standards compliant website scripts, which IE ® is known for failing miserably at.

The most important area that the EU report doesn’t really cover is the social impact that open source software has. Open Source Software has a huge social impact, for the simple reason that it is a community effort to develop open source software. The social and political borders that have limited “community” style interactions in the past were destroyed in the open source community. It doesn’t matter where someone comes from in the world, what their education is, what their political stand is, or their religion.* What matters is who you are and what you can contribute. As Linus Torvalds has always said: “Show me the code”; his recent actions in submitting patches to the GNOME project to address some of the problems he commented on with GNOME are an example of this attitude. When he was asked for input on how to fix GNOME he just gave them “the code” to fix them, living up to the words he has used for years.

The open source community is comfortable with using collaboration tools online and working with people from all over the world. The number of languages supported by open source software would not be as great as it is without the efforts of people who know these languages translating the documentation, allowing software coded right to display messages, menus and content in the end user’s language of choice.

Free / Libre Open Source Software is one half of the driving forces in the Global Community that has started ending the threat of another World War. Will anyone be willing to go to war with another country when the people in those countries are regularly in collaboration online? Or in communication? A few short years ago it would have been unusual to find yourself in a discussion with someone on the other side of the planet about their local legal system, or the social scene in their town. Now, it’s common.

What? You don’t think Free / Libre Open Source Software had anything to do with that? Sorry, it did. F.L.O.S.S. is still the driving power of the internet, which is the other half of the equation in the Global Community.

Oh, no, Microsoft ® did not invent the internet, it was around in two different incarnations before Microsoft ® even started selling DOS. Microsoft ® did make it more popular when they integrated IE ® with Windows 95 ® making it far simpler for the average person to get online.

Instead of spending 90% of your time online doing the social web thing and blogging, use your preferred search engine and research the history of the internet and open source software: 60% of what Microsoft ® has done in the last 10 years is battle to keep up with open source software. A battle they are doomed to lose; not even Microsoft ® can afford to pay 20 million programmers to be at work 24 hours a day, seven days a week, which is a rough estimate of the number of people actively volunteering their time and effort to an open source project at any given time.

* the religious wars over vi/emacs, gnome/kde, linux/*bsd, grub/lilo excepted ;)

SQL Injection Exploit

April 8th, 2008

This exploit is caused by one thing and one thing only: the script author’s screwup.
Any website script that does not, by default, treat all site visitor input as dangerous is vulnerable to such an attack.

The only thing that can be done is to use scripts that do not pass SQL from within a user’s post to the database engine. The script should instead mark such content as code or a quote and put it into the database as text in the “comment” section of the table, so that when the page displays, the user’s attempt to exploit the database engine by injecting SQL is shown in the post rather than actually being processed by the database engine. This, along with server logs, can be used as evidence in a court of law of the user’s attempted criminal activity. It will also very quickly stop others from attempting the same thing, as they can see that the attempt will fail and be publicly displayed as such.
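The storage rule the post describes (visitor text goes into the database as data, never as part of the SQL statement), shown as an added example that is not part of the original post. It uses Python’s standard sqlite3 module with an in-memory database; the comment table, the column names and the sample comment are constructed for the demonstration and are not taken from the page.

```python
# Added example (not the post's own code): storing a visitor comment two ways.
# store_comment_unsafe pastes the visitor's text into the SQL statement, so a
# quote character in the text changes the statement itself. store_comment_safe
# uses a parameterised query, so the driver hands the text to the engine as
# data and it is stored verbatim, ready to be displayed as plain text.
import sqlite3

# Constructed sample input: an apostrophe plus a typical injection-looking tail.
# The apostrophe alone is enough to break a query built by concatenation.
SAMPLE_COMMENT = "I'm not sure this works; see ' OR 1=1 --"


def new_db():
    """Create an in-memory database with a minimal comments table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    return conn


def store_comment_unsafe(conn, author, body):
    """Vulnerable pattern: visitor text becomes part of the SQL source.

    With SAMPLE_COMMENT the first apostrophe closes the string literal early
    and sqlite3 raises OperationalError (syntax error). Other inputs could
    instead change what the statement does, which is the injection the post
    warns about.
    """
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (author, body)
    conn.execute(sql)


def store_comment_safe(conn, author, body):
    """Fixed pattern: placeholders keep the statement fixed; values travel as data."""
    conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()


def fetch_bodies(conn):
    """Return every stored comment body, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def demo():
    """Run both paths on the same comment.

    Returns (unsafe_failed, bodies): whether the concatenated statement failed,
    and what the parameterised path actually stored.
    """
    conn = new_db()
    try:
        store_comment_unsafe(conn, "visitor", SAMPLE_COMMENT)
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True
    store_comment_safe(conn, "visitor", SAMPLE_COMMENT)
    return unsafe_failed, fetch_bodies(conn)


if __name__ == "__main__":
    failed, bodies = demo()
    print("concatenated statement failed:", failed)
    print("stored by parameterised query:", bodies)
```

The stored body is exactly what the visitor typed, apostrophe and all, so the page can later show the attempt as text; the database never saw it as SQL. The same placeholder mechanism exists in every mainstream database driver, including the PHP/MySQL combination the other posts on this page mention.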

SSL Certificate Authorities

April 8th, 2008

Browser development teams, both open source and proprietary, need to give their heads a shake when it comes to the CA list.

They seem to have forgotten that all Certificate Authorities are businesses first. For a website to get a certificate, it only has to pay a fee to any CA. To phrase it in plain English: pay me n dollars and I’ll tell everyone that you are a good site to do business with. It is absolute stupidity to say that any Certificate Authority is, or can be, TRUSTED.

There is no oversight of the activities of the CAs. Without a body able to REVOKE a CA’s operations there is nothing to make them do anything to validate the information, business reputation especially, of those who want a certificate from them. As long as the situation remains the same, any web browser development team that includes a list of “Trusted” Certificate Authorities should be held legally liable for any damages that end users suffer from shady website operators. Make the end user accept the certificate for the website; then it was by their choice that they trusted the site owner. Currently, because the CA list exists, end users are NOT being reminded that they are risking confidential data that can cost them thousands to a website and company they would most likely never be able to get recompense from. The company may not be in the same part of the world as the end user, making the end user unable to even try to get their money back through legal process. [ After all, who can afford to fly to China* to try to sue a company for the money they stole. ]

So, a list of trusted Certificate Authorities is actually an extreme disservice to the end user, and is not a nice thing for any software to have. With no oversight and enforcement body, there is not one single CA that can honestly be called “trusted”.

* China only used as an example of a difficult journey and drastically different legal system, I am not saying that all companies, or even if there are any companies, in China that would or do engage in such illegal activities.

Cross Site Scripting Bug

April 8th, 2008

It seems that a lot of websites are suffering from this particular problem, which leads me to wonder why this is so.

When I look into the records for exploits from Secunia and SANS I see that web exploits are increasing in number, with cross site scripting being the most common exploit. If we look at the site scripts named in the exploits we begin to see some commonalities. Most happen to be written in PHP, and most happen to use MySQL as the backend.

Can we honestly claim that PHP or MySQL is the reason for the exploit? I don’t think so. When the scripts themselves are examined the cause becomes much more apparent. It is a flaw in the script authors’ work rather than in the technologies used. Most of the scripts are popular, open source scripts readily available for download by anyone. They are written to make it easy for them to be installed and used on a website. The problems are two:
1) They tend to use relative URLs within the scripts for includes and functions. If the scripts used absolute URLs instead of relative ones they would be less vulnerable to this type of exploit.
2) The end user input sanitization is weak to non-existent. This is the one that leaves them open to the most damage. The authors of these scripts do not exclude user supplied data from parsing, allowing both cross site scripting and SQL injection exploits.
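The second problem, user supplied data reaching the browser without being treated as data, shown as an added example that is not part of the original post. The check a practitioner wants is that visitor text is encoded for the HTML context it lands in, so the browser renders it as text rather than parsing it as markup. The template, the sample comment and the helper names below are constructed for this illustration and do not come from the page or from any of the scripts it mentions.

```python
# Added example (not the post's own code): rendering a visitor comment into a
# page. render_unsafe pastes the raw text into the HTML, so any tags the
# visitor typed become part of the page. render_safe encodes the text with
# html.escape, so the same characters are shown literally.
import html
import re

# Constructed sample comment carrying markup, the kind of input the post says
# these scripts fail to handle.
SAMPLE_COMMENT = "<script>alert('xss')</script> & \"quoted\" <b>bold</b>"

# Assumed page fragment: the comment body goes between the <p> tags.
TEMPLATE = '<div class="comment"><p>{}</p></div>'
# Assumed attribute context: visitor-chosen title text inside a quoted attribute.
LINK_TEMPLATE = '<a href="/comments" title="{}">permalink</a>'

# Matches anything that still looks like an HTML tag after rendering.
TAG_RE = re.compile(r"<[a-zA-Z/!][^>]*>")


def render_unsafe(comment):
    """Vulnerable: the visitor's text is inserted into the page unchanged."""
    return TEMPLATE.format(comment)


def render_safe(comment):
    """Fixed: encode &, <, >, " and ' so the browser treats the text as text."""
    return TEMPLATE.format(html.escape(comment, quote=True))


def render_link_safe(title):
    """Attribute context: quote=True also neutralises the quote characters that
    would otherwise end the title attribute and start a new one."""
    return LINK_TEMPLATE.format(html.escape(title, quote=True))


def contains_markup(rendered):
    """Check whether the text placed inside the template still contains a tag."""
    prefix, suffix = TEMPLATE.split("{}")
    inner = rendered[len(prefix):len(rendered) - len(suffix)]
    return TAG_RE.search(inner) is not None


def attribute_intact(rendered):
    """Check that the title attribute is still one quoted value: exactly the two
    double quotes the template supplies for title plus the two for href."""
    return rendered.count('"') == 4


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))
    print(render_safe(SAMPLE_COMMENT))
    print(render_link_safe(SAMPLE_COMMENT))
```

Encoding at output time, for the specific context (element body, attribute, URL, script), is what actually stops the browser from executing visitor text; rejecting suspicious input on the way in is a useful extra layer but cannot anticipate every context the data will later be shown in.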

The only real solution to this would be for people to submit bug reports to the script authors stating that the dismal lack of sanitization of user supplied input is a critical security flaw in the script.

PHP and MySQL are not the only technologies that leave sites exposed to this exploit; they just happen to be the most commonly used technologies in scripts that have suffered from it.

With the rise of WEB 2.0 technologies, where websites consume services from other websites, I do fully expect that AJAX will become the “Poster Child” for cross site scripting exploits if “Web Designers” don’t smarten up and start including security in the core of their designs.

A “Web Designer” isn’t really known for doing anything but worrying about how a site looks. They are known for using code generation tools that write bad, bloated code with no attention to security issues. [ Dreamweaver being a number one culprit ]

A company wanting their corporate website revamped should immediately discard any “Web Designers” that submit quotes and only review quotes from those who identify as Website Developers and Designers. Those who use the developer term are more likely to worry about solid code that is secure first, then work on making the site look good with that code. This is the ideal solution for any website that has client data that must be kept confidential.
[ ecommerce sites specifically; they have credit card and mailing address data being submitted to them. ]