Do you remember the first social networking site that got popular? At least in this part of the world I feel it was orkut. There are other sites more advanced and user friendly than orkut, yet orkut remains to be a classic example of a social networking site. I still love the idea behind leaving a scrap. So simple. Less noisy. Beatific. But orkut has been privy to many cultural & privacy problems. It was blocked in Iran because the Islamic community there had strong views about dating, etc. After the Iranian government blocked the site, there have been a lot of proxy sites which allowed you to access orkut. Proxy sites allowed for anonymous browsing of orkut pages. During those times orkut pages were fairly simple I guess. Later google disallowed anonymous browsing over its secured http page. Actually google did a lot of things. The most prominent thing you might always miss is the Loading... part.
This is what google did to render proxy browsing useless. So here is a little about how orkut page gets loaded. After you provide your username and password to log-in to the site, you are taken to the main page (Home.aspx#Main). From a web designers perspective this is nothing but an empty page with place holders (like your friend list, upcoming birthdays, friend updates, etc) where data & images are supposed to sit. These place holders are not marked to be visible to the user. Hence the net effect is a nearly blank page except for the background color and all. (You are welcome the view page source of the orkut main page to testify this fact).
I am guessing that even the "loading..." part is also invisible; it is made visible via means of scripts which execute once this basic data viz mentioned above is loaded. Of course there are some complex google javascripting involved here. Now as the "loading..." placeholder is visible, it initiates a series of call (simultaneously may be) to many google web services (in this case orkut application programming interfaces aka orkut apis) to fetch social data. This data can be suitable formatted in JSON or XML which is then again processed by the javascript on the page, and routed to the appropriate place holders. The net effect of this is visible content.
It is not difficult locating where the javascript on the page is...the scripts are not indented to be readable by humans readily. There is a particular way of writing your javascript, wherein you minimize the unnecessary spaces between two statements, and between the expressions. This process is called minification. It serves 3 purposes. One, it compresses the page size. Two, is your browsers are able to parse the javascript better and faster, as there are no spaces, and three, well, the obvious, to make it 'not easily readable'.
So you might be wondering how does ajax figure in all of this? Ajax is the technology via which the orkut main page makes simultaneous calls to the orkut apis to fetch social data.
So how does security actually figure in this? How does it incapacitate proxy/anonymous browsing? This is where you need to understand how proxy browsing works and how a normal browser works. And brace yourselves, this might sound too technical.
Usually when a web page is requested by a browser, its source code (html markup) is downloaded. The browser reads the content and renders it accordingly to the user. Internally in the application's memory space there is a data structure which represents the source code of the web page. Why the data structure? That too in the computer's memory? Suppose if there were scripts (like javascript) for e.g. on the web page, and it did some modifications, like say, change the font of a paragraph of text, the browser will "walk" this structure, find out where in the whole data structure this change has to be affected, applies the new formatting rules (in this case changes the font to a different one), re-renders how the page should look. So what the user sees is an unobtrusive change. AJAX works like how normal javascript should, except it is able to change the above mentioned data structure with data it has fetched asynchronously via the internet. But what happens to the initial source code which was downloaded by the browser? It doesn't change.
Proxy browsing involves a browser program which runs on the web server. Since its a web application it has no user interface to be exact. It doesn't need one. All it does is that it downloads data (ie the markup) from a different web server, and relays that content back to the person who is trying to anonymously browse. There is no execution of javascript here. Hence what is initially downloaded is simply relayed. There are more complex programs which scan the contents, parse the hyperlinks, etc, so when you click on a link on the proxied web page the navigation request is routed via the proxy server it self, and not to the actual server. The advantage to proxy browsing is that you are not compromising on your location to the target web site. The disadvantage it none can be trusted. Proxy browsing is not safe. You are compromising your account credentials to a different server.
I won't say proxy browsing can be obviated completely. It is still very possible. But its a hell lotta work. Sometimes it better people simply enjoy the site rather than hacking it.
No comments:
Post a Comment