Web 2.0 is AJAX and not secure?

This morning, I skimmed through issue #41 of the Computer Zeitung, a weekly computer magazine which I receive as part of my membership in the Gesellschaft für Informatik (GI), the biggest German-speaking association of computer scientists. One thematic focus was Web 2.0.

The articles themselves were not overly interesting, neither presenting new ideas nor giving more insight into the Web’s current hype topic. But I came across a comment by Michael Reiter about Web 2.0, which I found rather funny.

“Finally, analysts relativize Web 2.0!”

The comment heading (translated to English) “Finally, analysts relativize Web 2.0!” looked promising at first but didn’t pay off. Reiter summarized Web 2.0 as “the usage of asynchronous browser technology and the usage of the backchannel [for feedback] in the Internet”. He agreed with Burton Group’s analyst Peter O’Kelly (blog) saying that “Web 2.0 cannot protect critical information as well as traditional information technologies”.

Web 2.0 = AJAX ?

First, it seems that Reiter was mistaking the rather non-technical Web 2.0 term for technical concepts such as AJAX, which simply happen to be used quite often in popular Web 2.0 applications such as Flickr. But non-Web 2.0 services such as Gmail (ok, I admit the term Web 2.0 itself is quite fuzzy; let’s not get into detail right now) also make heavy use of AJAX techniques. Web 2.0 is rather a change of mindset about the nature of creating, publishing, sharing, using and archiving information. And this comprises not only the question of “how” it is done, but also “who”, “what”, “when”, “where”, “for whom” and – often neglected – “why”.

Web 2.0 ≠ security ?

Second, and for the same reason, I cannot understand how one can attribute particular security issues to Web 2.0 as described by Reiter. On one hand, popular Web 2.0 aspects such as social networks can often raise privacy concerns (which I count as security-related) because of the wealth of personal information provided and shared by their participants, which is in turn often collected and data-mined by the service operators. But I don’t see how this kind of (user behavior) problem is related to the security of the technical infrastructure being used. On the other hand, assuming that Reiter was not talking about Web 2.0 but about the techniques – like AJAX – used by many Web 2.0 services, these techniques are no different from “traditional” ones from a security point of view. An XMLHttpRequest used for an AJAX call is an HTTP request just like any other. The communication between client and server is the same, you can use the same security measures for protecting your technical infrastructure, etc. – the only big difference is the change in user experience, i.e. how all of this is presented to the user. Saying that techniques such as AJAX are opening security holes is like saying that putting a painting on a hardened steel safe will weaken it against intruders.
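To make that point concrete, here is an added example (my own code, not from the Computer Zeitung article or from Reiter): a server-side authorization check that applies exactly the same session and CSRF-token validation to a POST, whether it arrived as a classic form submission or via XMLHttpRequest. The session store, token values and sample requests are constructed for the example.

```python
from dataclasses import dataclass
import hmac

# Constructed session store: one logged-in user with a per-session CSRF token.
SESSIONS = {"s3ss10n": {"user": "alice", "csrf": "tok-9f2a"}}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict
    form: dict


def parse_cookies(header: str) -> dict:
    """Split a Cookie header ("a=1; b=2") into a dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def authorize(req: Request) -> tuple:
    """Return (allowed, reason). Deliberately never looks at X-Requested-With:
    an XMLHttpRequest POST gets exactly the same checks as a form POST."""
    if req.method != "POST":
        return False, "method not allowed"
    session = SESSIONS.get(parse_cookies(req.headers.get("Cookie", "")).get("sid"))
    if session is None:
        return False, "no valid session"
    # The token may travel in a header (typical for XHR) or a form field; the check is identical.
    token = req.headers.get("X-CSRF-Token") or req.form.get("csrf")
    if token is None or not hmac.compare_digest(token, session["csrf"]):
        return False, "missing or wrong CSRF token"
    return True, session["user"]


# Constructed sample requests: a classic form post and the same action sent via XHR.
FORM_POST = Request("POST", "/profile",
                    {"Cookie": "sid=s3ss10n",
                     "Content-Type": "application/x-www-form-urlencoded"},
                    {"csrf": "tok-9f2a", "name": "Alice"})
XHR_POST = Request("POST", "/profile",
                   {"Cookie": "sid=s3ss10n", "X-Requested-With": "XMLHttpRequest",
                    "X-CSRF-Token": "tok-9f2a"},
                   {"name": "Alice"})
# An XHR carrying the session cookie but no token is rejected like any other token-less request.
XHR_NO_TOKEN = Request("POST", "/profile",
                       {"Cookie": "sid=s3ss10n", "X-Requested-With": "XMLHttpRequest"},
                       {"name": "Mallory"})
```

Calling `authorize()` on the three requests shows the transport mechanism never enters the decision: both token-bearing requests pass, the token-less XHR fails.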

Quite astounding how even specialized magazines can still misunderstand Web 2.0 nowadays.