First of all Google doesn’t condone the sale of it’s Wave invites. Secondly, is it worth risking the Backdoor.Tiderv Malware Trojan (some would say yes. Lol). Scammers convince Waver’s that they can earn money by selling their invites to others. (According to Symantec). So keep an eye out for these muppets/scammers.

What does a wave invite look like and how do I receive one?

A wave invited gets sent to your inbox with a link that takes you to a Google page to sign up. That’s it, nothing else.

Here is a screenshot of a Google Wave Invite.

This link will take you to a Google Url

It should look similar to this screenshot:

Best way to get an invite is ask someone you know to invite you. As it only gets sent to your email address.

Dian Joubert
Waving like there’s no tomorrow.

dianjoubert.com@googlewave.com

After I posted concerns over security in Google Wave, several responses came (including one from Google) emphasizing that Wave was “still in an early preview stage” and many bugs would be fixed before a wider release. I think that clarifying why I would bother discussing bugs in a preview product may raise a few important points about web application security.

First, let me be clear about one point: I would not pretend to know more about application security than the engineers, programmers, and scientists at Google. In addition, I would not want to imply that Google does not care about security or user privacy. I realize that Google takes security issues seriously and has the resources to build highly secure products.

But those realizations are also a source of confusion for me when I observe decisions made about Google Wave. As an outsider, I don’t understand why Wave would include the problems I’ve outlined. What I’ve posted does not involve clever hacks or specific parameters – these problems involve weaknesses in the overall framework of Wave. And such weaknesses relate to well-known issues in application security. In fact, Google has previously addressed deploying third-party code by developing Caja after the launch of OpenSocial.

Returning to the “it’s a preview” argument, though, I would first respond by saying that applications, particularly ones that allow users to embed untrusted third-party code, should include security from the very beginning. Starting with an open model and trying to add restrictions later on is a recipe for disaster.

A larger issue in Wave’s case, though, is that Google has often cast Wave as a reinvention of SMTP e-mail. If you set expectations high, much will be expected of you. If a company with the reputation, resources, and revenue of Google markets a product as a replacement for traditional e-mail, I’m going to evaluate its security even more closely than normal. In my view, the hype that has already built around Wave and the reach it’s already found (Novell is reportedly planning a Wave-based business product in mid-2010) disallow the “preview” excuse.

In addition, if you’re going to reinvent e-mail, don’t forget lessons already learned from traditional e-mail. In a previous post, I outlined four major weaknesses I saw in Google Wave:

1. Allowing scripts and iframes in gadgets with no limits apart from sandboxing
2. Lack of control over what content or users can be added to a wave
3. No simple mechanism for verifying gadget sources or features
4. Automatically loading gadgets when a wave is viewed

Name one webmail interface that executes scripts in messages. Name one recent e-mail client that automatically loads content such as images in messages. Why were such considerations not part of Wave from the very start?

Of course, while Google has at least promised to include further permissions controls in Wave, such controls are one aspect of Wave intentionally left out in initial releases. While one can argue whether Google is correct in the merits of such collaboration, I’m a bit surprised that more of the security implications have not been raised before (at least not to my knowledge). When such changes will appear, though, remains to be seen. Personally, I find it a tad disconcerting that Google has similarly promised such updates as allowing users to turn off Wave’s real-time typing behavior, yet Wave has changed little since its announcement.

Still, I’m confident that Google will address at least some of the issues I’ve raised. If nothing else, I hope I’ve contributed to the public dialogue about Google Wave. I will add that Wave appears to include much security on the backend – most of the problems I’m seeing come in the client implementation. Let’s remember, though, that Wave will be federated. Another reason to bring up client security issues early is that other clients can learn from Google’s implementation. I’m rather concerned that if Wave interfaces proliferate, they may repeat many of the security problems seen in early e-mail interfaces.

I’m also concerned that Wave is not really addressing many of the issues that have plagued e-mail. The current “chaos” with Wave’s lack of permissions does not bode well for how it will handle spam, for instance. Whitelisting alone won’t do the trick. In fact, I would argue that Wave is a collaboration tool, not a communication tool, and thus not a replacement for e-mail.

In conclusion, I’d simply add one more point. While it’s exciting to find exploits such as specific XSS holes on a web site, it’s often more important to raise awareness regarding larger security issues that relate to the overall framework of an application. That’s why I’ve discussed FAXX hacks so much, as they relate to the overall implementation of the Facebook Platform instead of particular vulnerabilities.

Similarly, my concerns about Google Wave thus far involve behaviors built into the current system that open the door for exploiting the privacy and security of users. Preview or not, Wave needs to address these high-level weaknesses if it’s going to match the hype.

Reading through the Google Wave specs this weekend, I realized that Google has really accomplished something wonderful with the security model baked into the Wave protocol. (Not the CLIENT, specifically, but the extensions Google made to the XMPP PROTOCOL.)

Usually security is done one way, in just about every application on earth: you create the thing you want to secure, whether it’s a file, or an email, or a piece of content, or a financial transaction, then you find a security button somewhere that usually looks like a big lock or something:

You click that button, and from there you can select the users who you want to have access to your thing. This is all fairly standard, and there are very few deviations from this. Entire companies have been founded to make this process a little less painful.

I don’t think I’ve ever looked at an application’s security model for the first time and thought “wow, that’s really easy”, which is the way EVERY feature SHOULD be.
Until now, that is.

Reading through the Wave protocol specs I realized that they kind of changed the workflow for applying security to things. Instead of setting security as a separate operation, the security for a Wave is constructed as the wave is being used.

Security in a normal application is very disconnected from the act of using the thing you’re securing.

With Wave, however, you add people as they’re needed. The act of adding somebody to the conversation grants them permission to operate on the Wave. You can break off into sub-Waves (”Wavelets”), and give people access to just those as well, by adding them to the sub-wave instead of the main wave.

It has the effect of creating functional user groups on the fly, moving individuals in and out of the group as needed by creating new wavelets. As opposed to the typical model of preconfiguring user groups and tweaking them as needed.

I think you could call it “participatory security” versus the old “administrative security” model. The whole idea seems kind of a “duh” item in retrospect, like all great ideas I suppose.

I was just very impressed with this as it’s the first common-sense and intuitive way to handle object security that I’ve ever seen. It’s going to be such a great fit for the enterprise that I seriously cannot wait to begin using it myself in an application. I’ll be interested to see how this model ends up either competing or integrating with Microsoft Exchange. If they’re smart, Microsoft is watching this VERY closely.

I have lots more to say on Wave, but suffice it to say that I’m very keen on the security model it employs, and will be rooting very hard for it. It’s a nice simple and elegant solution to what’s been a pain forever.

Interest in Google Wave is being exploited by people behind malicious web sites, according to a security software company. Looking for an invitation could result in a malware infection.

Those using Google searches to try to gain an invitation risk landing on a page that attempts to install malware on their computer. According to Kane Lightowler, Imperva’s regional sales director for Australia and New Zealand, the bad guys are using techniques such as Google search poisoning to attract people to malicious sites.

“We’ve seen this happening,” he told iTWire.

Lightowler explained that one approach involves linking to the malicious page from reputable sites either by using exploits that allow the alteration of content hosted on a server, or simply by leaving comments. Embedding the right keywords makes the target appear a better match to Google, and setting the link text the same colour as the background means it is less likely to be spotted by the site administrator.

“Google Wave is a very topical search term at the moment,” says Lightowler, which is why it is being targeted.

He suggests individuals run up to date security software on their computers and keep it up to date. Browsers such as Firefox and Chrome warn of dangerous search results, and there are various add-ons for other browsers to provide similar protection.

Organisations should take steps to ensure the security of their web servers to prevent such malicious defacements. Previous attacks have concentrated on high-profile sites which have now tightened their security, so attention has shifted to compromising larger numbers of smaller organisations.

One way this can be readily achieved is by attacking a service provider’s server that hosts multiple sites.

“Small or large [sites] are not immune” to the crooks’ attention, said Lightowler. And the processes needed to mount such attacks are becoming automated, he warned.

Not much is known about Google Wave except that there are hopes it will do away with all other forms of collaboration. The way I see Google Wave developing is that it will become a very useful tool to connect different business services onto one platform. This will become more and more popular as more and more businesses use it. This is a system for the big boys, whoever invests time and effort to implement and understand it, will be leading the pack. However, at the moment we’ve not even touched the tip of the iceberg.

Developers have to get stuck in and create reliable secure programs for the Wave system to plug into and connect business services. The important thing will be security. Google Wave will make it possible to do purchases directly via a Wave.

People and businesses will only adopt these game changing methods (as well as keeping the old methods) once it becomes mainstream and 100% reliable and secure.

(Google Wave Explained by Mashable)

I wouldn’t get my hopes up right now. We’re still a long road away before it becomes integrative for business structures.

In the meanwhile we need to address the security issues and discuss them.

What we talk about and demand the system to have is what the developers will develop.

The butterfly feeling of Google Wave will soon disappear however, it will come back when Wave services have the ability to grow your business’s bottom line securely.

06 Oct 2009
Dian Joubert

Google Wave Security Forum

Forum at top of page under “forum” tab.