Interface developers and security

You live in a new era, when demanding that people register on your site is no longer enough. There are far too many other sites out there that you’re already a member of, you don’t need another one. You need to trust people.

You also want people to contribute to your sites with content somehow. Text is not enough, you want all kinds of “rich” content, and you want people to be able to place them how they want on your page. I mean, we live in a new era after all.

Problem is, this new era thingie talk makes people forget the basics. Even though this is the future, and we’re all bored with “just” hypertext, we can’t allow random people to add HTML to our sites. Why? Ask MySpace about the Samy worm from 2005, a little piece of clever front-end code that took their servers flying. What did they do wrong? They tried to let untrusted people embed HTML on their profile pages.

But they even had this clever filter, which cleaned the code first! Well, long story short, using a div with the style attribute set to a background image that points to a javascript url actually executes the javascript in IE6. Didn’t think of that did you? So what about the fact that both IE6 and IE7 execute vbscripts in urls prefixed with “vbscript:”, just like with javascript. Didn’t know that? Ohhh. Perhaps then you shouldn’t be trying to let unknown people embed HTML on your site?

Many of these security issues stem from the fact that ordinary well-educated computer scientists don’t know enough about interface development, HTML, CSS and javascript, and discount them as being something that “anyone” could do. “Even my aunt made this puppy site in like 3 days, how hard can it be?!”.

I’ve always thought that interface development has an undeserved reputation of being easier than “real programming”; something that you can let rookies work with, something that no “real” programmer would ever want. “No, I want to work with hard stuff, not that webby stuff”.

If you are in a position where people actually think that, perhaps security could be the way to lift interface development to its proper status. So why not read up on Cross Site Scripting (XSS), look at examples of vulnerabilities, and pick a couple of examples of big sites that are vulnerable. While you’re at it, why not read up on Cross-site request forgery (CSRF) too?

These are real issues that someone needs to take into account when building websites. My guess is that the fancy computer scientists will have a very long way to go before grasping this stuff. “Why does IE6 parse ‘java   script:’ as if there were no space in the middle?”. You know who’s not surprised? Every damn interface developer out there.
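An added example (not part of the original post) of why a filter that searches for known-bad strings loses to the cases above, next to an allowlist that drops the style attribute outright and accepts only known URL schemes. All names are hypothetical, and it assumes the attributes have already been extracted and decoded by a real HTML parser.

```javascript
// Added example: allowlist check for attributes of user-submitted markup.
// Every name here is hypothetical; sample inputs are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const ALLOWED_ATTRS = new Set(["href", "src", "title", "alt"]); // no style, no on*
const URL_ATTRS = new Set(["href", "src"]);

// The kind of blocklist the post warns about: search for one known-bad string.
function naiveIsSafe(value) {
  return !value.toLowerCase().includes("javascript:");
}

// Old browsers ignored whitespace inside the scheme, so remove whitespace and
// control characters before deciding what the scheme is.
function schemeOf(url) {
  const squeezed = url.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(squeezed);
  return m ? m[1] + ":" : null; // null means a relative URL
}

function isAllowedUrl(url) {
  const scheme = schemeOf(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Keep only allowlisted attributes; URL attributes must also pass the scheme check.
function filterAttributes(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(key)) continue;
    if (URL_ATTRS.has(key) && !isAllowedUrl(value)) continue;
    out[key] = value;
  }
  return out;
}

// Constructed samples based on the cases described in the post.
const SAMPLES = ["https://example.com/", "java   script:alert(1)",
                 "vbscript:msgbox(1)", "/profile/42"];
function report() {
  return SAMPLES.map((url) => ({
    url, naive: naiveIsSafe(url), allowlist: isAllowedUrl(url),
  }));
}
```

The blocklist passes both the spaced-out and the vbscript sample, while the allowlist rejects them without having to know about either quirk in advance.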

So. Go out there, and teach them silly math people how it’s done, and what your HTML, CSS and javascript knowledge is worth. Show them that logic isn’t the way we do things around here, that anything can happen when IE6 boots. And… whatever you do… think very hard before letting people embed HTML on your site.

13 responses to “Interface developers and security”

  1. @Krijn Hoetmer: Excellent link, loads of useful stuff there! (Your comment got blacklisted by spam karma because you linked to google.com, I’ve fixed that problem now).

  2. I’m *really* considering emailing this post round ALL my friends in another attempt to let them know how shit IE browsers are.

    I check out the W3C’s browser stats on almost every new project I undertake for clients these days, and dread the cross-browser work I ‘have’ to do for the likes of IE (Surprisingly Opera renders really poorly these days too).

    It’s just nice to see that almost 1-in-2 people on the internet now are using Firefox :]

    Good post, again, Emil.

  3. @Lewis Litanzios: Don’t let me stop you, I’d love to have this article spread far and wide :)

    Concerning cross-browsers stuff: my last project was actually one where I didn’t have to build for IE6, which made it a lot less painful for everyone involved. I hope everyone could have that pleasure, always.

  4. Jesse (Skinner) gave me some wise words recently regarding this issue: ‘I don’t code for IE6 any more unless the client specifically asks for it. If they do I tell them it’ll cost them extra (And rightly so, for I will have to spend at least a day restyling…’).

    Code to standards and everything will be OK.

    On a side note: Disappointed to see you cut my last post out here Emil. I know it contained a link to my ‘new’ folio, and you probably interpreted it as spam, but I was really after some feedback. Believe it or not I care what you think :/

    PS. Really interesting, that article, on the Samy worm – do you understand all that code? I don’t.

  5. @Lewis Litanzios: I’d like to update that to “Code to reason first, to standards second”. Far too many are standards zealots, and forget all about reason (not saying you are one, of course :) ).

    About the folio link: I removed the link because I thought it was out of context. Comments are about comments to a main article. As this site is growing (over 2000 RSS subscribers!) I’m thinking of adding an optional part where other people can post their articles or sites, and ask for feedback. A request for feedback on a portfolio would fit perfectly there.

  6. I interpret; ‘code to reason’ to mean using common sense – am I correct? I *think* I know what a ‘standards zealot’ is (I’m aware a lot of people rely on that phrase to get them work), but I’ll rest assured on the fact I’m not one of them :]

    Fair point regarding the comments. It’s your blog, you do what you want with it. I think a feedback/general comments section tagged onto the end of every post would be a good addition (if not a potentially time consuming one for you Emil :P).

    Have a good day mate!
