The AJAX danger that never was

I can’t believe how much hype this article is generating. From the article:

Like so many technologies-gone-bad before it, this technology was created for the purpose of good. And until now, the XMLHttpRequest has been so good it could almost be considered saintly, providing users and developers alike with such conveniences as input validation without post-back, text area spell checkers, and Gmail. Interfaces built with AJAX are fun to use and even more fun to program. It’s almost hard to imagine that such a miraculous object could ever do wrong.

But even without the discovery of a giant security hole, the XMLHttpRequest will likely fall from grace. Its fall will be in the form of “user over-profiling” for want of a better description. Currently, user profiling helps Web site owners detect trends, track page viewing habits and iron out usability problems. Until now though, developers could only analyze posted data—data that users decided they wanted the server to get, and were happy to send off for processing.

This is just ridiculous. Not only is it dead wrong technically, it assumes that just because a technology has recently become popular, the potential is there for security flaws to appear.

Let’s take a look at this claim from the article: “Until now though, developers could only analyze posted data—data that users decided they wanted the server to get, and were happy to send off for processing.”

Let me share some information with you: The internet is not private. Ever since the first day you opened a web browser and started visiting websites you have been tracked. This is no secret, everyone knows about cookies and how websites use them to store data. Recently there have even been reports of people realizing that they might not need cookies and starting to regularly delete them.

You don’t need to submit any forms for them to track you. You don’t even need AJAX or even JavaScript. You merely need to visit their website with a web browser that accepts cookies or images. Nearly every browser does this by default and behind the scenes, so you never know it’s happening. Advertising companies are tracking the ads you view, remembering which ones you click on so they can target you with ads they think you will click more. Websites you visit are tracking your movement through their site to see which pages you view most, and which pages you miss. They’ll be analyzing this data in their board rooms and asking questions about how to make you stay longer and click more ads.

AJAX brings nothing new to the table. Even in a browser that doesn’t support XMLHttpRequest, I can track your movements and clicks and any information you put into forms (yes, even before you submit that form). All you need is some very simple JavaScript and a server-side language to catch the input. This can be done easily in Netscape Navigator 3.
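As an added example (not part of the original post), here is a small Python audit a reviewer could run over a page's HTML to spot the two mechanisms described above: tiny beacon images, and inline handlers that send field contents before the form is submitted. The sample page, hosts, parameter names and the heuristics themselves are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline handlers that fire while a form is being filled in, before any submit.
INPUT_EVENTS = {"onkeyup", "onkeydown", "onkeypress", "onchange", "onblur"}

class BeaconAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self._check_img(a)
        elif tag in ("input", "textarea", "select"):
            for ev in sorted(INPUT_EVENTS.intersection(a)):
                # Assigning an image URL issues a GET, no XMLHttpRequest needed.
                if ".src" in a[ev].replace(" ", ""):
                    self.findings.append(("pre-submit-send", a.get("name", "?"), ev))

    def _check_img(self, a):
        url = urlparse(a.get("src", ""))
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        third_party = bool(url.netloc) and url.netloc != self.page_host
        # A tiny image is only interesting if it goes off-site or carries data.
        if tiny and (third_party or url.query):
            kind = "third-party-pixel" if third_party else "first-party-pixel"
            self.findings.append((kind, url.netloc or self.page_host, url.query))

def audit(html, page_host):
    parser = BeaconAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; hosts and parameter names are made up.
SAMPLE = """
<img src="/logo.png" width="120" height="40">
<img src="http://ads.example.net/t.gif?page=home&amp;uid=42" width="1" height="1">
<form action="/signup" method="post">
  <input name="email" onblur="new Image().src = '/log.gif?v=' + escape(this.value)">
  <input name="city">
</form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "www.example.com"):
        print(finding)
```

The check only covers static markup and inline attributes; handlers attached from external scripts need the scripts themselves reviewed.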

When you use the internet, you are giving up parts of your privacy. When you enter information into a website you are trusting that website with whatever information you give it. This is how the internet works, and how it will work for years to come (if not forever). Either get used to it, or it’s time for you to get a bigger tin foil hat.

Anyway, back to my original point: The article is simply uninformed whining, and I’m very surprised any technical website would publish such a hyped up piece of crap. They may as well have written an article on the ‘Dangers of cookies’ and published that instead. I’m even more surprised at the amount of attention it’s getting.

3 thoughts on “The AJAX danger that never was”

  1. That was just sad really. I was so turned off from his pulp style of writing. It just came off as some cartoon warning, like: “Danger Davey”. While I respect the pursuit to truly uncover any misusage, I can’t really find the point in his point.

  2. I get the feeling that he’s having trouble convincing even himself – how flakey are those arguments? I don’t mind journalism which poses intelligently constructed questions about a subject for the sake of a sanity check, but the article is just badly informed and fails to justify itself. Boo to hack journalism!

  3. I completely agree with you.
    Just something to add, to make the overall picture even darker.
    Not only all user activity can be tracked with the use of 1px large , invoked by simple html or javascript, not only this information can be shared or sold to numerous commercial sites, but actually even your identity can easily be revealed.
    There are many popular services on the web which, for a small fee, can tell the commercial site what country, city and what provider you use. All they need is the IP of the visitor.
    Privacy? Are you kidding?
