Comment by j on "If AJAX is prone to hacking, why do billions of websites use it?"

the tl;dr answer would be:

At least the majority of developers think that the benefits outweigh the risks. .... and the others don't even know what you're talking about.

it is like vaccination, there are proven issues still the majority of the medical community thinks the benefits outweigh the risks. Where we could now have a philosophical debate ...

the long answer:

hmmm isn't everything prone to hacking ?

I'm not really part of the hacker community, but I love to see them work :) If you look the video posted below, one logical question would be:

since cookies are prone to hacking why do people use them ?
or if USB is so insecure why to people use it ?

https://samy.pl/poisontap/

obviously every exposure of your application that is not sanitized and validated is a security risk per default this goes for the client and the server.

I will not go into CORS or other forms of poisoning or man in the middle attacks and the issues of certain ciphers.

Even if you can make your application secure you still have things like: https://xkcd.com/1354/

which are core library bugs and you have to keep your infrastructure secure.

Ofc if you're like me you never transport any password in clear-text with nice libs like cryptojs everything is hashed and salted.

but this is overkill for the normal person ;) don't forget that almost every big cert company in the world at least once leaked the master key ... which is how much you should trust the google SSL initiative and the "chain of trust" ;D ... but in the end ... deal with the fact:

Absolute security is an illusion and we have to make certain trade offs between security and features/ux/speed/space/......

Lets give some beneficial reasons why we use it:

lazyloading -> loading only what you need when you need is a nice idea this reduces the amount of bits transfered at once you have to be aware of the "cold-start" https://en.wikipedia.org/wiki/Cold_start which is one consequence.
the amount of data transfered from server to client and back again. in a classic request response model, lets ignore reverse content proxies and cdns, the server renders for example the HTML and delivers the css, js and so on. and this on every page change.
Non blocking behaviour, this is per se not really relevant for ajax but in combination with ajax it's allows us to lazyload with the cache manifesto and give you the impression that you actually move freely inside of you application and if you abort and go back we still load the content and maybe the next time you click on that button it's already there.

those are the three reasons that come to mind. I will skip websocket security as I mentioned my knowledge is rather superficial in this area.

I hope this answer helps a little.

You are absolutely right! Here is my complete logical chain of thoughts:

Well, AJAX isn't less secure than opening a website, since both more or less do the same thing, so why do so many people browse the internet even though it's not secure?

Let's not browse the web. Let's shut it down for security reasons. Ain't no terrorists be able to do bombs over the internet anymore!

But then there's stuff going on with hacked USB sticks. Computers are not safe! Let's just shut down our computer! It'll be secure as sh*t

Instead of doing computer, let's go outside, meet the people directly. Oh no! When going outside, someone might run over you with their car or steal your wallet or kill you. Let's not go outside.

Ahhh, still, mother nature might give you a disease or there might be an earthquake. So... why do we still live, it's so dangerous!?

Search Hashnode