Google is certainly hoping that Wave will become a killer app, bringing together email, instant messaging, wikis, forums and other social networking tools to allow multimedia collaboration and real-time editing within a Web environment. In fact, Google wants Wave to replace email as the dominant form of Internet communication.
But as we all know, email has long been plagued with security problems, so any intended replacement should come out of the starting gate having tackled the problems we've already painfully dealt with, like not executing scripts or automatically loading content such as images. Google claims that Wave is more secure than email and plans to release most of the source code; its current security features include TLS authentication and encryption of all Wave traffic, and the ability to whitelist users. Yet Wave is struggling to balance collaboration functionality with security.
The Wave protocol was launched in September 2009 and, on closer inspection, it's clear that, like most new software, the emphasis has been on getting it to work rather than making it secure. Despite the problems these features caused for email, Wave allows scripts and the use of iframes in gadgets, and gadgets are actually loaded automatically from source every time a wave is viewed. (Email programs that allowed scripts to execute or downloaded images automatically enabled hackers to launch attacks on the user's computer.) Loading gadgets this way allows dynamic changes to functionality, which can be seen as a great feature or a chronic security problem. This is the dilemma when aiming for easy-to-use collaboration tools.
Google Wave security does seem to be moving back up the agenda, though. You can now set some basic user permissions on waves, such as read-only, although you still can't set individual components of a wave to read-only. And you still can't permanently remove content, including users, although this is promised at some point. In fact, a lot of security enhancements are still works in progress. For example, Google is still working out how to secure robots and gadgets. Teaching people not to write bad robots is not the answer, and developing a blacklist for problematic robots is not a great remedy, as we've already seen with attempts to stop spam this way.
Google Wave needs to tackle all of the security risks associated with current collaboration and real-time social networking services, such as those mentioned above, but the very nature of collaboration means it will be a real challenge to make security strong and effective. Wave is a potential killer app for Google, but without continued improvements to the security of the Wave framework, particularly the client side, it will never take off at the enterprise level. The fact that all communications are stored on the Wave servers instead of being sent between users may also mean data protection and compliance regulations will prevent it becoming the tool of choice.
You can probably tell I don't feel that Wave is mature enough yet for enterprises to risk using it for anything more than development and familiarization, and certainly not for critical or sensitive data. Security issues are being addressed but it will take time to see whether they've truly been solved.
This was first published in May 2010