Last week, OpenAI decided to change the web application framework they use to build ChatGPT.
Because OpenAI is a significant tech company, this had some areas of the internet frothing.
Typically, this level of detail is far too low for me to worry about.
My attitude is simple...
Use what works.
Make sure it can be securely maintained over the long term.
However, the hidden impact of OpenAI's change is much more significant than it first appears.
Since its launch, ChatGPT has been using a framework called NextJS.
It's the same framework we use at Fresh Security, and we like it.
Crucially, using NextJS, the application's business logic was managed on web servers dotted around the internet.
Customers had a view - like peering through a window at the application.
Interactions with ChatGPT were managed via well-defined button clicks and information requests.
This is called "server-side rendering".
From a security view, it means that all of the business logic and the inner workings of the web application are hidden from customers - which makes vulnerabilities significantly harder to find.
Last week, however, ChatGPT moved to a different framework called Remix.
This change moves the application's business logic and inner workings onto customers' devices.
This approach is called "client-side rendering".
This means that all business logic, and critically any business logic vulnerabilities, are now on customers' devices.
Any hacker, scammer or discontented customer can now more easily find, control, and exploit logic vulnerabilities.
This significantly increases the number of ways the ChatGPT web application can be attacked. In other words, its "attack surface" has increased.
Typically, this is the opposite of what we try to do in cybersecurity...
So why do it?
The decision was almost certainly economic.
OpenAI must have spent millions of dollars on web server hosting fees to scale to over 200 million active customers.
Therefore, pushing all that work onto a customer device is a straightforward decision and creates substantial cost savings.
This type of technical and business decision occurs regularly.
Cybersecurity professionals must respond positively, with an attitude of "How do we make this secure?"
There is no option to push back or say this change shouldn't be done.
In these situations, deciding how to secure the new technology will typically require a full revision of the security risks and security safeguards.
That revision is likely to be as complex as the initial development of a solution.
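The risk described above comes down to where a rule is enforced: a check that runs on the customer's device can be read and skipped, so the server has to repeat it against data it holds itself. The following is an added example, not code from OpenAI, ChatGPT, NextJS or Remix; the message-limit rule and every name in it are hypothetical.

```javascript
// Constructed example: a hypothetical "free plan may send 3 messages" rule.
// PLAN_LIMITS, accounts and the handler names are illustrative assumptions.
const PLAN_LIMITS = { free: 3, paid: 100 };

// Server-held state the customer cannot edit (stands in for a database).
const accounts = new Map([
  ["alice", { plan: "free", sent: 3 }], // already at the free limit
  ["bob", { plan: "paid", sent: 3 }],
]);

// Client-side rule: it runs on the customer's device, so the customer can
// read it, skip it, or send any request body they like. Good for UX only.
function clientCanSend(view) {
  return view.sent < PLAN_LIMITS[view.plan];
}

// Weak handler: assumes the client rule ran and believes the request's claims.
function handleSendTrusting(request) {
  if (!request.clientSaysAllowed) return { status: 403, reason: "limit reached" };
  return { status: 200 };
}

// Hardened handler: ignores client claims and re-derives the decision from
// server-held state for the authenticated session user.
function handleSendEnforcing(sessionUser, request) {
  const account = accounts.get(sessionUser);
  if (!account) return { status: 401, reason: "unknown session" };
  if (account.sent >= PLAN_LIMITS[account.plan]) {
    return { status: 403, reason: "limit reached" };
  }
  if (typeof request.text !== "string" || request.text.length === 0) {
    return { status: 400, reason: "empty message" };
  }
  account.sent += 1;
  return { status: 200 };
}

// Constructed request whose client-side check did not run as intended.
const tampered = { text: "hello", clientSaysAllowed: true, plan: "paid" };

function demo() {
  return {
    uiSaysAliceCanSend: clientCanSend({ plan: "free", sent: 3 }),
    trusting: handleSendTrusting(tampered).status,
    enforcingAlice: handleSendEnforcing("alice", tampered).status,
    enforcingBob: handleSendEnforcing("bob", tampered).status,
  };
}

console.log(demo());
```

The client rule and the trusting handler disagree about the same account, while the enforcing handler reaches the same answer no matter what the request claims.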
So, it is always critical to listen for the seemingly insignificant details - that change everything.