OpenMoko light web server
Matthew S. Hamrick
mhamrick at cryptonomicon.net
Mon Apr 16 22:36:55 CEST 2007
Okay.. a few points:
Q. is an XSS worm on the way?
A. not unless you make your interface susceptible to known web app
vulnerabilities: XSS, SQL Injection, session hijacking, etc. Of
course, it's very hard to disprove the existence of a vulnerability,
but I can say what I'm doing to prevent it. 1) I'm going to run my
code through an automated scanner. I recommend these things to
everyone. They're great in helping you spot overlooked
vulnerabilities. 2) I'm going to use an XML Post interface where the
client constructs XML and each message is MAC'ed. What I don't have
working yet is the hash chain code to prevent replay attacks. But...
I am thinking about it. This helps prevent XSS because I don't use
cookies. XSS tends to require a cookie-based login/session paradigm.
I suspect it's still possible for a bad guy to mail you some
javascript that could be executed in the same browser after you've
logged in, so I won't discount the possibility. But I have actually
been thinking about the security of this thing.
Q. Only on the same host? I.e. - will you only be able to access the
interface through 127.0.0.1?
A. Hey! Where's the fun in that! One of the things I would like to do
is have a platform where we can experiment with new ways of thinking
about mobile devices. If you're frightened by the security
implications... well... there's nothing I can do about that. But...
I'll tell you what... I'll ship everything with defaults setup to not
allow remote connections (so you would have to ssh in to change this
default.)
Q. javascript? on a phone? Isn't that going to suck down the power?
A. in a word, yes. But I think the main problem will not be the added
overhead of using javascript, it's going to be the frequent request /
response. In the old days when we bundled ORBs with browsers, we
could execute java (and presumably have a javascript interface) that
would receive asynchronous messages from the server. Why is this
important? Because the phone (on the other side of the http
interface) is going to ring or receive an sms message or the signal
is going to go up or down. And these are things that occur outside
the context of a client request. So, if you want to see if the phone
just rang, you have to keep pinging the web server every second or
so, and if it responds with "I'm ringing," you fire off the
javascript that draws the "I'm ringing" icon on the interface. All in
all this is pretty substandard.
Q. Did you just say you're going to put CORBA on my beautiful phone?
A. No. I was just using it as an example. <soapbox>Everyone has this
idea that CORBA is big and blobular and fat. Well... if you implement
every stinkin' feature, it is. But IIOP with a Java or Smalltalk BOA
can be implemented fairly easily and without bloat. And it can be
made reasonably secure with IIOP over TLS or CORBASec level 2 if
you're a masochist. I would like to use CORBA on one of my devices,
and I probably will. But every time I mention it, people who have
never used it wretch violently and wax poetic about SOAP. No... I'm
going to do something much worse than CORBA, I'm going to use RPC.
No... not XML-RPC, honest to God XDL/Sun/No way to secure it RPC. So
there!</soapbox>
Okay.... I'm better now. But seriously, I think the added complexity
of forcing a request/response model on top of an application that
clearly must require support for asynchronous events is the worst
problem we're going to face. I've sorta thought that a custom
application, and not a browser, will be the primary consumer of the
XML generated by jowles or 003 (003 is a follow-on to jowles.) So we
might be able to take a few liberties with HTTP. Like keeping the
HTTP connection up between requests and allowing the server to send
responses that aren't bound to requests when asynch events occur.
It's a hack, and it will probably break the javascript version of the
interface, but hey! it's probably better than trying to get everyone
on the list to put their brain-stems around CORBA (or even SOAP.)
Q. Widgets. Why is it always Widgets?
A. Yes. I like widgets. jowles won't be a widget infrastructure, but
003, it's successor will be.
On Apr 16, 2007, at 12:47 PM, Frank Coenen wrote:
> I agree. I don't fancy giving any acces to the phone from a remote
> location. Exept via SSH or something.
>
> Locally 'installed' web-apps would be great though.
> http + CSS + javascript = widgets. (think of the Vista Gadgets, OSX
> and iPhone widgets, SuperKaramba)
> http + CSS + Javascript + some kind of plug-in that has excess to
> the phones hardware = widgets on steroids.
> Making it much easier to write applications (widgets) with exotic
> interfaces, you're no longer tied to OpenMoko/GTK+ toolkit.
>
> It will of course drain more recourse's than native code, in stead
> of run time stuff like javascript.
>
>
> On 4/16/07, Frank Coenen < franknstein666 at gmail.com> wrote:
> I agree. I don't fancy giving any acces to the phone from a remote
> location. Exept via SSH or something.
>
> Locally 'installed' web-apps would be great though.
> http + CSS + javascript = widgets. (think of the Vista Gadgets, OSX
> and iPhone widgets, SuperKaramba)
> http + CSS + Javascript + some kind of plug-in that has excess to
> the phones hardware = widgets on steroids.
> Making it much easier to write applications (widgets) with exotic
> interfaces, you're no longer tied to OpenMoko/GTK+ toolkit.
>
> It will of course drain more recourse's than native code, in stead
> of run time stuff like javascript.
>
> On 4/16/07, Florent THIERY < fthiery at gmail.com> wrote:
> If the GUI is web-based, then we can mix offline and online apps at
> will, transparently ! Yet, if you want a "sexy" interface, you'd
> want to use AJAX, right?
>
> Quite frightening in terms of security... An XSS dialer worm on
> it's way? :)
>
>
> Cheers
>
> Florent
>
> _______________________________________________
> OpenMoko community mailing list
> community at lists.openmoko.org
> http://lists.openmoko.org/mailman/listinfo/community
>
>
>
> _______________________________________________
> OpenMoko community mailing list
> community at lists.openmoko.org
> http://lists.openmoko.org/mailman/listinfo/community
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openmoko.org/pipermail/community/attachments/20070416/e1c1712d/attachment.htm
More information about the community
mailing list