{"id":13,"date":"2011-02-05T00:09:50","date_gmt":"2011-02-04T23:09:50","guid":{"rendered":"http:\/\/cerezo.name\/blog\/?p=13"},"modified":"2024-10-14T14:38:07","modified_gmt":"2024-10-14T12:38:07","slug":"cloud-computing-on-fire","status":"publish","type":"post","link":"http:\/\/cerezo.name\/blog\/2011\/02\/05\/cloud-computing-on-fire\/","title":{"rendered":"Cloud (computing) on&nbsp;Fire!"},"content":{"rendered":"<p style=\"text-align: justify;\"><a href=\"http:\/\/cerezo.name\/blog\/wp-content\/uploads\/2011\/02\/Irid_clouds1.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" class=\"size-medium wp-image-102 alignright\" title=\"Iridescent clouds\" src=\"http:\/\/cerezo.name\/blog\/wp-content\/uploads\/2011\/02\/Irid_clouds1-300x280.jpg\" alt=\"Iridescent clouds\" width=\"300\" height=\"280\" srcset=\"http:\/\/cerezo.name\/blog\/wp-content\/uploads\/2011\/02\/Irid_clouds1-300x280.jpg 300w, http:\/\/cerezo.name\/blog\/wp-content\/uploads\/2011\/02\/Irid_clouds1.jpg 641w\" sizes=\"(max-width: 300px) 100vw, 300px\"><\/a><strong>Cloud computing is badly broken, by default<\/strong>. And it won\u2019t be solved anytime soon, no matter what server-side countermeasures or architectural patterns are deployed. Blame JavaScript, or rather, blame its abusers. 
JavaScript\u2019s sandbox and security model weren\u2019t designed for the current cloud-computing architectures: sure, the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Same_origin_policy\" target=\"_blank\" rel=\"noopener\">Same Origin Policy<\/a> prevents scripts running on pages originating from one site from accessing documents, methods and properties from other sites, but this same policy does not apply to the scripts themselves.<span id=\"nc9717592\"> <\/span>Furthermore, JavaScript is a dynamic, global language: therefore, scripts from different sources in the same webpage have equal access rights to the webpage and to each other, which makes it possible for them to change each other\u2019s functions and variables.<\/p>\n<p style=\"text-align: justify;\">Attack methods and vectors are plentiful: <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">XSS<\/span><\/a>, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-zone_scripting\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">CZS<\/span><\/a>, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">CSRF<\/span><\/a> and <a href=\"http:\/\/en.wikipedia.org\/wiki\/DNS_cache_poisoning\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">DNS<\/span> attacks<\/a>, among others. The chain is too long and too weak, the responsibilities are too distributed: cloud-computing architectures are not trading off <span class=\"caps\">CAPEX<\/span> for <span class=\"caps\">OPEX<\/span>, they are <strong>trading off <span class=\"caps\">CAPEX<\/span> for <span class=\"caps\">OPEX<\/span> <span class=\"caps\">AND<\/span> security<\/strong>. 
The modern cloud computing movement got started when Amazon internally validated the architecture and started offering it to the public via <a href=\"http:\/\/en.wikipedia.org\/wiki\/Amazon_Web_Services\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">AWS<\/span><\/a>, but extending that to the browser with JavaScript from multiple sites within the same webpage is going too&nbsp;far.<\/p>\n<p style=\"text-align: justify;\">Compromise <a href=\"http:\/\/trends.builtwith.com\/analytics\" target=\"_blank\" rel=\"noopener\">google-analytics.com<\/a> and not only is the whole web yours, but so are the privacy and documents offered through services like Google Docs and intranets all over the&nbsp;world.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloud computing is badly broken, by default. And it won\u2019t be solved anytime soon, no matter what server-side countermeasures or architectural patterns are deployed. Blame JavaScript, or rather, blame its abusers. JavaScript\u2019s sandbox and security model weren\u2019t designed for the current cloud-computing architectures: sure, the Same Origin Policy prevents scripts running on pages originating 
from&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"ngg_post_thumbnail":0},"categories":[6],"tags":[],"_links":{"self":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts\/13"}],"collection":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/comments?post=13"}],"version-history":[{"count":19,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":1695,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts\/13\/revisions\/1695"}],"wp:attachment":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/media?parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/categories?post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/tags?post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}