I've seen several posts commenting on this Wired article online yesterday. I feel obliged to weigh in.

Beguiling but Beware: AJAX, VoIP
By Quinn Norton12:00 PM Oct, 03, 2006
SAN DIEGO -- Some of the slickest new technologies online -- VoIP and AJAX -- are dangerously insecure, and likely to only get worse as they become more prevalent, according to security researchers presenting their findings at the ToorCon security conference here.

Voice over internet protocol is going mainstream, available to consumers and increasingly replacing the private phone systems in businesses of all sizes. Like the traditional phone, a VoIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VoIP systems neither of these channels is actually encrypted.

According to Dustin Trammell, VoIP security researcher at Tipping Point, this leaves most VoIP calls vulnerable. Calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call, and nearly all VoIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device -- either your VoIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless.

First, go read the entire article. It's only one page, but here's a quote that leads back to the headline and to the larger issue -

Alex Stamos, principle for the security firm iSec Partners, said AJAX has no realistic framework for creating secure sites in an environment where increasingly sensitive data is passed through web pages.

I said I've seen several posts. The disheartening side of that is that they've almost all said "go read this" and not offered any additional thoughts. The headlines make VoIP and AJAX look like oil and water, and I just can't buy that that's the case.

AJAX, like C, C#, DotNet, and every other development platform or framework out there, relies on the developer to write secure code and do the right things to protect the data, services and users. Secure application development is the responsibility of the developer, regardless of the platform used.

The article talks about how easy AJAX development is and that developers cand write complex apps easily, without fully grasping how AJAX works.

And DotNet developers don't have the same problems to contend with?

The root of the issue is secure coding practices and quality assurance in software development. Every developer has to address these issue. Some do it really well. Some don't do as well. And some larger companies hit right in the sweet spot of mediocrity in the middle and try to put all the onus for security on users/customers. That clearly won't work.

AJAX isn't alone as an emerging development environment that puts power in the hands of developers, but I'd argue this isn't new. Even writing assembler code back in the ancient past, I had full control over everything. What's changed is the base architecture. It used to be a PC, or a mainframe. Then it became the LAN. Then the WAN. Now it's the planet because the Internet wraps the entire planet into a single network architecture, and has become tightly coupled with both consumers and business. It's integrated into everything we do from buying CDs online to business automation in Fortune 100 companies.

VoIP has vulnerabilities that can be exploited. It runs on IP which has vulnerabilities that can be exploited. Writing code for applications that doesn't account for all the error conditions is a guaranteed path to security failure. Security failures fall broadly into two categories - human errors, and unknown response to unexpected input.

Easy development tools don't create sloppy code or vulnerabilites. But
they make it incredibly difficult for a developer to test for and
mitigate all unknown inputs. The number of inputs has grown
exponentially, making it harder and harder for devlopers to anticipate
"if this, do that."

Certainly we'll see problems arise from the ease of AJAX, but they aren't unique to VoIP. AJAX use in building Systems Oriented Architecture (SOA) solutions will introduce security problems there too.

VoIP isn't any less secure that IP. I'll make that as a bold statement. For a company to bet all their data on IP and say they won't do VoIP because it's insecure is a specious and shallow argument. Security takes work. A lot of work. Writing secure code that's reliable and meets user needs takes work. A lot of work.

If there's a lot of work ahead, there are a lot of jobs in IP communications. We're in growth mode. VoIP is growing. VVoIP is growing. IMS and FMC are on the rise. SOA lies ahead. We've got lots of tools and lots of opportunities. With some of those opportunities, we'll acheive phenomenal success. With some we'll create our own nightmares. Technology is neutral and doesn't care how we use it.

Our challenge is to be methodical and thoughtful when developing solutions, and to always look to the future. And most important, never discount the law of unintended consequences.


Technorati Tags: VoIP, AJAX, software development, information security, InfoSec, unified communications