Mashups: Trusting the man in the middle
Mashup is a very popular word these days. Take, for example, a very popular mashup: Meebo [1]. Meebo lets you log on to all of your IM accounts through a web browser and chat with people.
Browsers, in general, do not allow a script to make network connections to servers other than the one the web page originally came from. To work around this restriction, some Ajax applications use a proxy. The proxy sits on the primary server, makes connections to other servers, and returns the relevant data to the Ajax application through the primary server [2]. This way, cross-domain restrictions are bypassed. The ASP.NET Ajax framework provides a "Web Service Bridge" for this purpose. Some mashup applications might use other methods to bypass this restriction: Flash uses a file called crossdomain.xml, which is placed at the root level of a server that the Flash movie wishes to access.
Consider the case where you are required to transmit your credentials to a Windows Live authentication server through a mashup application. Regardless of the method being used, a user has no way of knowing [3] what the mashup application is doing with their credentials or data and whether it is connecting securely to the authentication server.
As a rule, before I enter my credentials to see sensitive information on a regular web application, I look for a valid domain and valid SSL connection in the browser window.
I can’t, AFAIK, do the same with mashups – I can only trust that the people running the mashup application have followed best practices to ensure that my credentials and information are being securely transferred and that none of it is being misused.
As time progresses, it is also going to be interesting to see how many services actually allow their data to be accessed through third-party mashups.
[1] I have nothing against Meebo. I am only using it as an example.
[2] This might cause a server bottleneck but that is a different topic.
[3] Web applications, I think, should have a page where the user can view their security log. They should be able to see what times they signed on/off and what critical activities they performed on the site.