I hope no one is surprised about the "Greasemonkey Crisis".
Most running applications, closed source or open source, along with the middleware and basic services on the internet or anywhere else, are based on a fundamentally flawed concept of security. Greasemonkey is no different; moreover, Greasemonkey is especially dangerous since its raison d'être is dynamic customization over the internet.
Things could be different without too much trouble, but the first step is to recognize the real problem and well-known solutions.
Jon followed up with some important questions and implications. And so I should qualify my claim of "without too much trouble".
That should read "without too much *technical* difficulty". The challenging problem I stated above is that the core problem is so pervasive: in our current systems, but also in our current thinking. A mindshift is needed to recognize the technical problem, to realize there are existing technical solutions that are already out of the lab, and to see that the problem can be tackled one web site and one client application at a time. Not ideal, but much more practical than the ideal.
Some existing solutions that have escaped the labs already: Jon mentioned the E programming language, which if nothing else demonstrates that the problem can be addressed on the current Java Virtual Machine. The DARPA Browser illustrates how to use E in a large, real application. The Waterken web application server and the Waterken browser illustrate how to apply the same concept at the level of HTTP and URIs.
The Squeak programming language (Smalltalk) and the Oz programming language are both being extended with E-like capabilities. Objects, virtual machines, and web servers are all related concepts (see Mark Baker's recent note and the referenced observation about Smalltalk and HTTP), and all happen to provide a good foundation for capability-based security.
I'll also toss into the mix that concurrency-oriented languages like Erlang and Termite are amenable to the same solutions. Capability-based security is just around the corner from our current thinking and our current tools. Capability-based systems can be released onto the internet incrementally, and already have been. Objects, the web, and shared-nothing message passing are all fundamentally doing the same thing... referencing resources and passing around representations of resources that refer to other resources. Just squint a bit to see the similarities, and read about capabilities to understand the security aspects of design.
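As an added illustration of the capability discipline argued for above (example code, not from this post or from Greasemonkey itself), here is how a hypothetical host could hand a user script an attenuated, revocable fetch capability instead of ambient cross-site authority; the fetcher, the origins, and `runUserScript` are all assumptions made for the example:

```javascript
// Added example, not from the post or Greasemonkey: object-capability
// confinement of a user script. The host hands the script an attenuated,
// revocable fetch capability instead of ambient cross-site authority.
// (Assumes the host also withholds globals such as XMLHttpRequest.)
function makeRawFetcher(log) {          // constructed stand-in, no real I/O
  return function rawFetch(url) {
    log.push(url);                      // record what the script reached
    return `body-of:${url}`;
  };
}
// Attenuation: a derived capability covering only one origin.
function attenuateToOrigin(fetchCap, origin) {
  return Object.freeze(function originFetch(url) {
    const target = new URL(url).origin;
    if (target !== origin) throw new Error(`capability does not cover ${target}`);
    return fetchCap(url);
  });
}
// Revocation: a forwarder the host can sever, so a grant is not permanent.
function makeRevocable(cap) {
  let inner = cap;
  const forwarder = Object.freeze(function revocableCap(...args) {
    if (inner === null) throw new Error("capability revoked");
    return inner(...args);
  });
  return { cap: forwarder, revoke: () => { inner = null; } };
}
// The script receives only what it is explicitly handed (frozen, so it
// cannot add or swap entries).
function runUserScript(script, caps) {
  return script(Object.freeze({ ...caps }));
}
// End-to-end: one in-origin request succeeds, a cross-origin one is refused,
// and nothing works after the host revokes the grant.
function demo() {
  const log = [];
  const { cap, revoke } = makeRevocable(
    attenuateToOrigin(makeRawFetcher(log), "https://example.com"));
  const result = runUserScript((caps) => {
    const ok = caps.fetch("https://example.com/data");
    let blocked;
    try { caps.fetch("https://other.example/data"); } catch (e) { blocked = e.message; }
    return { ok, blocked };
  }, { fetch: cap });
  revoke();
  let afterRevoke;
  try { cap("https://example.com/again"); } catch (e) { afterRevoke = e.message; }
  return { ...result, afterRevoke, log };
}
```

The point is that the script's reach is exactly the set of references it was given, which the host can narrow or withdraw without trusting the script's code.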