The Security of the Empty Client Model: In Contrast with AJAX

By Itzik Spitzen | Posted Feb 10, 2010
Page 1 of 3
Security challenges of AJAX:

The benefits of AJAX are undisputed, in particular the techniques that empowered the Web 2.0 experience. This helped make AJAX very popular in mainstream web programming because it offered a richer web UI and more fluid page transitions. Today, approximately 60% of all newly built websites use some AJAX components. Within the enterprise, however, AJAX has not achieved anything close to that penetration rate. In fact, only 1% of newly built enterprise web applications utilize major AJAX infrastructures.

Analysts believe that one of the main reasons for the low penetration rate into enterprise applications is the security complications that traditional AJAX creates. A traditional Web 2.0 AJAX application makes scattered calls to the server instead of the centralized calls of Web 1.0. "Not only does this scattering of AJAX calls make it difficult for developers to handle, but also tends to induce sloppy coding practices because these calls are hidden and not easily obvious," noted Shreeraj Shah in Top 10 Ajax Security Holes and Driving Factors. The increase in the application's endpoints also naturally enlarges the application's attack surface, as more services between the client and the server open up.

So where does that leave us? Using today's technologies and, more specifically, .NET, we are offered many great solutions and methodologies to help us understand how and with which tools we can secure our applications. The most painful security challenges aren't in using standard protective solutions to secure our server farm or in securing the messages sent between the client and the server. Those security tasks can be quickly and efficiently achieved by using today's firewall capabilities and other secured server farm solutions, and by securing the transferred data using HTTPS, WCF and other great solutions.

The most problematic challenges today, which worsen when it comes to thick clients such as traditional AJAX clients or Flash/Flex or Silverlight based clients, are that the broader and more accessible the system becomes, the less we can control or even know who our clients are. We should never forget that thick clients hold sensitive data, which is potentially accessible to whoever controls those clients. Furthermore, in many cases the clients contain logic and abilities that can change the flow of the application; if the clients are tampered with, the application is completely exposed to fraudulent access.

The Empty Client Alternative:

The Empty Client is an emerging open source methodology previously discussed here, which offers a different approach to architecting, developing and deploying AJAX applications. With the "Empty Client" approach, the application is developed and run on the server, and its user interface is projected on the client. An algorithm is charged with the task of transferring user interactions to the server and application responses back to the client. While other frameworks utilize AJAX to enhance scattered parts of the applications (like individual controls), the Empty Client approach uses AJAX to accomplish one specific need: acting as the main pipeline to the server. This explains why it is so secure, why there is no need to code AJAX, and why performance is very fast regardless of the size or the amount of data that the application consumes. All that sits on the client is a small JavaScript kernel that is responsible for drawing on the browser and receiving the user interaction.
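The contrast drawn in the two passages above (a thick client whose logic can change the application's flow, versus an empty client that only reports interactions) as an added, illustrative model; this is example code written for this page, not Visual WebGui's or any framework's actual protocol, and the session store, control names and `{control, event, args}` message shape are assumptions.

```javascript
// Illustrative model of the two architectures discussed above. Not any
// framework's real protocol: the message shapes and control names are invented.

// --- Thick client model ------------------------------------------------------
// The role and the flow decision were shipped to the browser, so the server
// ends up trusting state that the client hands back. Whatever the UI showed,
// any value can arrive in this request.
function thickClientApprove(request) {
  // request: { orderId, role } -- both fields originate on the client
  if (request.role !== "manager") return { ok: false, reason: "forbidden" };
  return { ok: true, approved: request.orderId };
}

// --- Empty client model --------------------------------------------------------
// All application state lives on the server; the browser only receives a UI
// description to draw and reports raw user interactions back.
const sessions = new Map(); // assumed in-memory session store

function openSession(sessionId, user) {
  // The UI model is built server-side from the authenticated user.
  const ui = {
    approveBtn: { enabled: user.role === "manager", text: "Approve order" },
    orderList: { items: [101, 102] }, // constructed sample data
  };
  sessions.set(sessionId, { user, ui });
  return ui; // projected to the client for rendering only
}

// The single pipeline: the client reports an interaction, the server decides.
function handleInteraction(sessionId, evt) {
  // evt: { control, event, args } -- nothing in it is treated as state
  const s = sessions.get(sessionId);
  if (!s) return { ok: false, reason: "no session" };
  const control = s.ui[evt.control];
  if (!control || !control.enabled) return { ok: false, reason: "control not enabled" };
  if (evt.control === "approveBtn" && evt.event === "click") {
    const id = Number(evt.args && evt.args.orderId);
    if (!s.ui.orderList.items.includes(id)) return { ok: false, reason: "unknown order" };
    control.enabled = false; // flow change is recorded server-side, not in the browser
    return { ok: true, approved: id, uiUpdate: { approveBtn: { enabled: false } } };
  }
  return { ok: false, reason: "unhandled event" };
}
```

The first model's server cannot tell a genuine manager from a modified client; the second model checks the server-held UI state, so extra fields in the interaction message change nothing.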
