Posts Tagged ‘security’

The Illusion of Security

Wednesday, September 13th, 2006

Today I came across an interesting corporate attitude. We have been building a range of Flash-based sites and are gearing up to launch them over the coming months.

Throughout development, the security guys in the organization have been casting a critical eye at Flash as a technology platform - especially at some of the recent security holes. This is not unlike most operating systems and Web browsers: yes, there are holes and they get fixed - with Flash it is certainly something that Adobe are very pro-active when it comes to addressing. Plus most of these issues require access to the SWF file itself… you would think that if this were true then we would have a bigger problem on our hands!

After addressing these whilst in the States, I was thinking that everything was calmed down, and that the security guys (who don’t seem to fully understand or ‘get’ the Web) had been reassured. I was wrong! I was reading the minutes of a meeting between senior technical architects this morning, and this beauty jumped out at me…

The team felt as good corporate systems, a project should be initiated to display a message to the Customer regarding the use of Flash, and its potential vulnerabilities. For example, in a pop-up window, whenever Flash is going to be executed or downloaded. 

It’s amazing how one paragraph can make you both smile, cry and bang your head on a desk!

Aside from the question as to why anyone would ever think this is a good idea, is it really wise to tell the user that there are potential security vulnerabilities with a Website? How would you feel if you go to an e-commerce site and are presented with a message like this:

Hello, welcome to SourceBottle! This site uses XY & Z, which have been found to have several, mostly theoretical, security vulnerabilities which may cause your personal details to be compromised. Have a nice day!

Madness! It certainly gives the impression that the company doesn’t know what they are doing. In an age of increasing paranoia about security, I would also imagine that most users would quickly leave the Website and choose to start looking around at the competitors!

Oh well… at least it made me smile!

Airport Security

Sunday, August 27th, 2006

Well, I flew into Denver this afternoon from Phoenix, witnessing firsthand the impact of the new airport security measures brought into force after the London bombing plot was unearthed - I have to say I’m shocked.

The staff at Sky Harbor did a fantastic job ensuring that I had no liquids and/or snakes in my hand luggage… one small problem - at no point was I asked to present any form of identification to verify my identity. At check-in I used the United self-service booth and checked my suitcase - no one asked for my passport, and I happily departed with boarding card in hand.

Through security, show them my boarding card, off I go - they didn’t even ask me to remove my hat (note to terrorists: look cool and smuggle liquids at the same time, buy Nike!). Before I know it, I’m on the plane and feeling slightly uneasy!

You would have thought that being a Brit, the Hollywood bad guy stereotype might have encouraged them to take extra precautions!

Stealth AJAX

Sunday, March 5th, 2006

Reading this article on stealth form submissions using AJAX got me thinking… we all know how dangerous that can be!

As the article explains, an unscrupulous Web developer could employ AJAX in order to send the values of Web forms back to the server - even if the user does not submit the form. Of course, this technique could also be used to help the user - for example, Gmail uses it to offer an auto-save feature.

If you have an online application form, probably one of your biggest concerns is drop-out rates. The larger companies go to great lengths to ensure the usability of their application forms as a result of this, with the goal of reducing drop-out rates. Vast amounts of money go into tracking solutions which can pinpoint where a user drops out, and that data can (hopefully) be used to ensure that other users do not drop out at the same point.

So, I’m the CEO of a credit card company (I wish!), slightly concerned about drop-out rates. I call my underlings into a room and proudly announce:

“Let’s use this AJAX thing on our forms. That way if a customer drops out then we can still harvest their e-mail address and can entice them back!”

Aside from sounding more technically literate than most CEOs, I’ve got a good idea; however, there is one thing stopping me - data protection legislation. In the UK we have this wonderful thing called the Data Protection Act, which essentially governs what a company may/may not do with your data. I’m sure similar legislation must also exist in other countries.

Of particular relevance to this “Stealth AJAX” are the following points:

“Personal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed.”

The first stumbling block - you actually are legally obliged to tell the user that you are capturing their data and what you intend to do with it.

“Personal data must be kept accurate and up to date and shall not be kept for longer than is necessary”

As data captured will likely be incomplete then it becomes difficult to prove that it is kept up to date. The fact that a company has a copy of this data also goes a long way towards saying it has been kept longer than necessary.

From the user’s point of view, they also have the right to prevent data processing for the purposes of direct marketing, which begs the question - what is the point of capturing incomplete application data in the first place?

All of these points make it too big of a risk for most companies to even contemplate this kind of data capture. That of course leaves individuals, but look at it this way… if you add a bit of AJAX to your site to steal a user’s data (perhaps password phishing?) then what value do you get out of it? You will be discovered sooner rather than later, and let’s face it - people are a lot more alert to this kind of thing, so you’re probably not going to capture anything of value.

There are situations, such as offering Auto-Save functionality, where this kind of thing is really useful - but let’s save it ’til the user has actually signed up to your application/service!