Is Google Wave secure?

      Google Wave is an impressive effort to reinvent on-line communication, unifying dominant text-based communication paradigms (such as e-mail, instant messaging, and wiki-based collaboration) under one open standard. An interesting feature of Wave is its support for robots, computer programs that act as participants in conversations, providing services such as translation, diagram embedding, and more.

      It appears, however, that the current implementation of Google Wave robots opens up the possibility of compromised communication security.

      Here are the key factors:

      1. Any non-robot participant can add a robot to a wave.
      2. Google Wave robots seem to have read/write access to the entire wave, even private wavelets.
      3. Google Wave robots are hosted on Google App Engine (GAE) and have access to all of GAE's available functionality.
      4. There is no approval/trust mechanism for vetting Google Wave robot applications.

      Here are some hypothetical compromise scenarios:

      1. A Google Wave robot logs wave content to a GAE datastore (or transmits it via an external web service) for eavesdropping purposes.
      2. A Google Wave robot alters wave content for phishing purposes (changing a legitimate login link, for example, to a phishing link).

      Given the current implementation, it appears that there is nothing one can do to ensure that sensitive data discussed on Google Wave won't be compromised if any participant introduces a robot. One possible improvement to this situation could be to introduce robot vetting, crowdsourced or otherwise, using a checksum to fingerprint each version of a robot's codebase. This, however, would make wave robot development extremely difficult given that wave robots can't be tested locally on a developer's own workstation.
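As an added illustration of the checksum-based vetting idea above (example code written for this post, not part of Google Wave or any real robot; the robot name "graphy-bot", the file layout and the in-memory registry are all constructed):

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_codebase(root) -> str:
    """Deterministic SHA-256 fingerprint of every file under root.

    Files are visited in sorted relative-path order and each entry is
    length-prefixed, so the result depends only on paths and contents,
    not on traversal order or on where the tree was checked out.
    """
    root = Path(root)
    digest = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        content = hashlib.sha256(path.read_bytes()).hexdigest()
        digest.update(f"{len(rel)}:{rel}:{content}\n".encode())
    return digest.hexdigest()


def is_vetted(robot_name: str, fingerprint: str, registry: dict) -> bool:
    """True only if this exact fingerprint was recorded as reviewed for
    this robot; any source change yields a new, unvetted fingerprint."""
    return fingerprint in registry.get(robot_name, set())


def demo():
    """Constructed toy robot codebase: vet it, then change one file and
    show that the vetted status is lost until it is reviewed again."""
    registry = {}  # hypothetical vetting registry: name -> set of hashes
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "waveapi").mkdir()
        (root / "waveapi" / "__init__.py").write_bytes(b"")
        (root / "robot.py").write_bytes(b"def on_blip_submitted(e): pass\n")
        original = fingerprint_codebase(root)
        registry.setdefault("graphy-bot", set()).add(original)
        vetted_before = is_vetted("graphy-bot", original, registry)
        # Any change to the source, here one added call, must be re-reviewed.
        (root / "robot.py").write_bytes(
            b"def on_blip_submitted(e): record(e)\n")
        tampered = fingerprint_codebase(root)
        vetted_after = is_vetted("graphy-bot", tampered, registry)
    return original, tampered, vetted_before, vetted_after
```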

      4 Comments

      Dethe Elza

      Oct 13, 2009 at 11:33am

      This is trivially true, but the same is true for email, instant messaging, etc. Communicating with people you don't trust allows them to record your communication and send you bad things. And the limit to running wave robots on Google AppEngine is a temporary one while the service is being fully specified. Eventually you will be able to run robots from any web server, so testing will not be any more of a burden than any other web service.

      I agree that there should be more concern for security in the spec, not because it is especially less secure than existing protocols, but because wave has the potential to be better than email / instant messaging. It is still early days, though, and the service is still being worked out. And in fact, looking over the spec shows that there is more security: Each wave can determine who has access and what level of access they have (http://www.waveprotocol.org/whitepapers/access-control).

      Even the limitation to AppEngine for robots is a form of security, because there is a path for identifying and blacklisting rogue robots and their creators.

      Ultimately it is like any other form of communication. Be careful what you say and to whom, and don't believe everything you read (or click).

      Michael Chermside

      Oct 13, 2009 at 12:40pm

      I could be incorrect: I have been participating in the Google Wave preview for developers, but have not closely investigated this particular issue. But I *believe* that you are mistaken about point 2. I THINK that the access for robots is essentially the same as that for non-robot participants in the wave: if they are excluded from a particular wavelet then they cannot see it.

      If this is not the case, could you show me an example?

      Mike Cantelon

      Oct 13, 2009 at 1:59pm

      Hi Michael,

      What I did to test the wave robot access was I added a robot (the Graphy bot: http://wave-samples-gallery.appspot.com/about_app?app_id=23016) to a wave, created a private wavelet with a friend, then entered a command for Graphy. Even though the command was entered in a private wavelet, Graphy executed the command, rendering a graph.

      I should have included a screenshot of this with my post. I'm trying to recreate for a screenshot, but I'm getting no response from the bots at all. When bot access returns I'll get a screenshot showing an example of the issue.

      Mike Cantelon

      Oct 13, 2009 at 3:56pm

      Hi Dethe,

      Email and IM could theoretically be susceptible to eavesdropping by automated participants, but automated participants (other than SMTP/IMAP/POP servers) aren't commonplace, whereas robot integration is a highlighted feature of Google Wave.

      I do agree, however, that it is early in the game and Google will likely address this issue. As the whitepaper you linked to says, "Google Wave will eventually support some level of access control on a wavelets but requirements and implementation plans have yet to be determined". I think it's good to point out to people that the vulnerability currently exists, as it would be a shame to see a wave exploit succeed and undermine confidence in the platform, but in retrospect I should have given this post a less alarmist title.