I'm still trying to figure out whether these capabilities are a good thing or a bad thing. On the positive side, what can be done through a web browser is absolutely amazing and web browsers offer finer grained control over resource access than the typical desktop operating system. On the negative side, most of these capabilities have privacy and security risks that are disproportionate to their value in a medium that is primarily used for media consumption.
The browser is great for distribution (apps are just URLs) and security (web pages need to ask permission before accessing anything on your computer outside of their domain).
More people should question the common belief that desktop OSes (without enforced app sandboxing) do a proper job at being a platform for utilities like OP's. When you download and run an .exe on a normal Windows PC, you're giving it read and write access to everything on your user account. It's bad that you're required to put so much trust in developers to run programs on typical desktop systems; this either ends up causing people to be extremely picky about what they run or to give out trust too freely and get bitten by malware often. Platforms like the browser which sandbox (web) apps and enforce a granular permission system are terrific.
The browser is basically the reinvention of the operating system. Its huge advantage is that it's built on the assumption that the user is trusted and the code isn't. In contrast, most operating systems are designed on the assumption that code is absolutely trusted, but the user isn't. That's why rights management in Windows is concerned with who's allowed to access which file, while rights management in Firefox is concerned with which website is allowed to access the webcam.
The big disadvantage of the browser is of course that there's huge competitive pressure, and most users prefer usability over security. Keeping things secure without asking the user about their intentions every step is a huge challenge (see also Windows UAC, which struggles with the same problem).
I'd say the opposite is true. With more powerful browsers, you are making web applications more powerful and remove the need for a desktop app.
Web apps, if built correctly, are probably more secure than desktop apps. Especially considering that you completely remove the need for user updates, since the website is updated by the developers.
Plus, web browsers implement a proper permissions model, unlike what native apps, especially on Android, used to do.
My gut says this style of application lends itself to less abuse by trackers and surveillance tech than a general purpose browser, but I could just be naive.
I would say the same thing for using a webcam in the browser or accessing the filesystem. And yet everyone uses it today, and a world without it is unimaginable.
Wrapping functionality with the right security is key, but browsers in general are already doing a good job in that regard, IMO.
I can understand that. In some situations I can even respect that. I think - sadly - you're tilting at windmills.
In other situations - I'd argue you're just wrong. The simplest benefit of a web app vs a local app is exactly the isolation that the browser provides.
To be blunt - the applications from YouTube/Dailymotion/Twitch/etc. are NOT running on your system. They're running in the browser. They can't touch your files by default, they can't touch your other apps, and they are uninstalled when you close the tab. That's incredibly powerful. It's incredibly liberating too. Users in places with fairly tight restrictions on installed software are almost always allowed to use most web apps (the limitation is usually concerns around inappropriate content - not so much security).
Basically - The browser is the OS that is literally designed around allowing you to run unknown code downloaded from other networks, from untrusted sources, with a modicum of security and consistency.
I think it's very, very hard to surpass the browser as a distribution method, and I think the possibilities it allows are, frankly, miles beyond basically anything else we've invented in the space.
Do some folks go overboard and create bloated, crappy web apps? Absolutely. Just like some desktop apps are complete pieces of garbage.
Does that mean we should throw the baby out with the bath water? My opinion is a resounding "no".
Is anyone else dismayed by the implicit view of these sorts of articles, that browsers should be complicated and full of all these insecure features?
It reminds me strongly of PDF and Acrobat. PDF is great for mailing around print-ready documents, which are more-or-less guaranteed to look the same for every viewer. Writing a PDF renderer is not easy, but it is straightforward, and there are multiple stable implementations without significant security problems.
Then Adobe comes along and they add forms, and 3D charts, or Javascript, or multimedia, and Acrobat grows from a document viewer into what is essentially a backdoor on every Windows computer.
A similar thing is happening with browsers. The core purpose of a web browser is the ability to render HTML+CSS into a human-readable document. Then browser vendors added forms and Javascript, so XSS was invented. They added persistent data storage, so looking at cat pictures can compromise my bank account. And now, Chrome+Firefox are /competing/ to see who can add more features, security be damned.
WebGL exposes your graphics drivers (never security-audited before) to the internet. <audio> and <video> expose multimedia codecs, which in the past have caused numerous security problems. Flash is, essentially, a cross-platform way to let arbitrary people run exploits on your machine.
When will it stop? When will browser vendors take a collective breath, look around, and realize the insanity they've been perpetrating?
I wonder if the argument is here then to make the browsers as secure as a desktop app by giving them all the possibilities of a desktop app?
Giving web and desktop apps the same access - temporarily or permanently alike, no difference - to local data and the system will make both equally secure. Or the web one even less secure, as that is inherently remote-centered while the desktop one could be restricted to local.
Ultimately nothing is secure with a non-paranoid user nowadays, so idealistically there is no reason not to allow the same access to a web app. But oh, there is! Knowing that one at least does not need to worry about a web app surely digging around in the local system, on top of desktop apps that may or may not send local data somewhere, is better. We should mitigate the risks, not aggravate them!
Btw, desktop apps have no unpermissioned access to everything on your system.
> However, to enable this impressive breakthrough in online technology, web browsers (currently Chrome and Firefox) have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages, thus creating a number of potential security vulnerabilities.
I actually quite like the security model of the web.
All code is considered untrusted except for the OS (browser) itself. Permissions are fine-grained, explicit, optional, and enabled on a site-by-site basis. Even basic things, like an application's ability to play audio or execute JavaScript aren't entirely taken for granted and can be controlled by the user.
Overall, I think the web does a pretty good job of balancing security with user convenience. Certainly better than any other mainstream platform I'm aware of.
That security advantage is the reason it's inappropriate for certain things. One of those things is I/O intercept. You don't want browsers to be able to do certain things that games or first-class apps can.
It is a triumph of programming ingenuity that programmers have been able to accomplish almost anything via a "web browser".
Anyone can argue the benefits. Even if there were few benefits, the novelty alone might be enough.
But does anyone ever consider the costs?
The analysis I have in mind is: costs versus benefits of using a web browser to do x, where x is anything and everything, no matter how important.
The "costs" are not costs to the programmer to implement but costs to users, e.g., risk of having their personal data stolen.
To give an example, weigh the benefit to Equifax customers in having their data accessible through a web browser versus the cost of having their data exfiltrated without their consent.
Or, weigh the "cost" of having to dial a toll-free number to order a credit report and not have one's data stolen online versus the "benefit" of being able to order a credit report with a web browser and having that data stolen online.
Websites can be used to effectively disseminate public information, with relatively little security risk. For example, djb's tcpserver and httpd to serve static web pages. In continuous use since the 1990's, these have never had any security issues to my knowledge. IMO, this level of software is qualitatively different than software which is released with security flaws, which may or may not be later fixed (sometimes decades later).
IMO, using the web to distribute public information is a benefit that outweighs the costs. I am not worried about static websites, assuming the right software choices are made.
The blog post acknowledges this: "The web has issues as a way of distributing documents too, but not severe enough to worry about."
If Equifax had a static page served by djb's httpd showing number to call to order a credit report, I would be far more impressed than if they were running a "web app" to take orders online that connected to some backend database of user data. Because for that specific use case, a very limited use of the web is the smart thing to do.
I would like to see more people opining that, for "serious uses" i.e., where the risks to the user are potentially serious, the web has limited utility.
The current thinking seems to be that the web has unlimited utility. For everything. We all know that with enough effort the "web browser" can be used to accomplish almost anything.
I remember an RFC many years ago from Marshall Rose that said something like "the web is the new waist". I also remember in the early 1990's, people were afraid to send credit card information via web forms.
"Unlimited utility". Today, many young people, including many programmers, see no difference between internet and web. They are synonymous.
"Unlimited utility". Maybe utility should be weighed against costs such as security risks.
IMO, the web has limited utility.
Would you sacrifice a little convenience, e.g. the option to order a credit report online, if it meant your data was not part of the data stolen from Equifax? I would.
The opposite is the case - web applications are one of the best things to happen, security-wise, in a long time.
Web applications are fully isolated and sandboxed, have fine-grained permissions, are easy to inspect, and the runtime is built with a modern threat model.
ChromeOS is probably the most secure desktop OS for this reason.
I want my browser to expose more functionality to web apps, because it means that I have to run less random unsandboxed code on my underlying OS.
I'm not going to argue over semantics. I am bullish on the web as a secure application platform for HN readers, and I am bullish on the web as a secure application platform for everyday users.
Of the current platforms available today for ordinary, nontechnical users, the web is currently in the best position on both security and privacy, and it's currently making the best progress in both of those areas as well.
Firefox is pulling up features from Tor, and while right now they're only available to advanced users, more of them will be enabled by default in the future. We've already seen movement from 'advanced' features to 'everyday' features with Firefox starting to inline more of its tracker blocking. Containers are another strong concept that I suspect will get more powerful and more accessible over time. There's some concern over new features (particularly WebUSB and file access), but we're also seeing a lot of holes get closed around core browser concepts. The changes Chrome is making around SameSite cookies are huge, and both technical and novice users will get them for free without requiring any training or technical knowledge at all.
On the extension front, uBlock Origin isn't as powerful as uMatrix, but it's wildly simple to use; every single computer I set up has it installed, even when I'm setting up computers for kids. That alone is a substantial security and privacy gain over other platforms -- I can't block ads and phishing attacks within my niece's smartphone games, but I can block ads when they're watching YouTube videos. And uBlock Origin is simple enough to install that average users can do so. At this point, there's practically no reason for anyone, anywhere not to be running an adblocker. And when you think about that, it's kind of crazy that in maybe 5 or 6 clicks from a bare-bones browser, any nontechnical user can get better adblocking on the web today than is even possible for an advanced user to set up on a modern smartphone.
So yeah, I'm bullish on the web.
I genuinely don't understand what's controversial about this. Yes, average users probably can't specifically use uMatrix without training. But the web is still the best option available today for those people, even if the only thing they ever do is install uBlock Origin. I'm still advising everyone I know (regardless of their technical know-how) to use apps like Facebook and Twitter inside a browser instead of installing native clients on their phones/tablets/PCs.
Is there another application platform you think is making better progress in this area? What about the web makes you think I shouldn't be bullish about it?
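The comment above mentions the SameSite cookie changes Chrome shipped as something users get "for free". As an added illustration, not code from any commenter or from Chrome, the following JavaScript models the decision a browser with Chrome's post-version-80 defaults makes about whether a cookie is attached to a request: a `Set-Cookie` with no `SameSite` attribute is treated as `SameSite=Lax`, `SameSite=None` is only accepted together with `Secure`, `Strict` is never sent cross-site, and `Lax` is sent cross-site only on top-level navigations using a safe method. The function names, the `request` object shape and the sample headers are assumptions made for this example; the temporary "Lax+POST" exception Chrome applied to freshly set cookies is deliberately not modelled.

```javascript
// Added example, not from the thread: a model of Chrome's SameSite cookie
// defaults, run offline on constructed Set-Cookie headers.
// request shape (assumed for this example):
//   { crossSite: boolean, topLevel: boolean, method: string, https: boolean }

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Parse the parts of a Set-Cookie header that matter for the SameSite decision.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('=').trim(), sameSite: null, secure: false };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim().toLowerCase();
  }
  return cookie;
}

// Apply Lax-by-default and the "None requires Secure" rule.
// Returns null when the browser would reject the cookie outright.
function normalizeCookie(cookie) {
  let mode = cookie.sameSite;
  if (mode === null || !['strict', 'lax', 'none'].includes(mode)) mode = 'lax';
  if (mode === 'none' && !cookie.secure) return null;
  return { ...cookie, sameSite: mode };
}

// Decide whether a stored cookie is attached to a given request.
function cookieIsSent(cookie, request) {
  const c = normalizeCookie(cookie);
  if (c === null) return false;                 // never stored in the first place
  if (c.secure && !request.https) return false; // Secure cookies need https
  if (!request.crossSite) return true;          // same-site: SameSite is irrelevant
  switch (c.sameSite) {
    case 'strict': return false;
    case 'lax':    return request.topLevel && SAFE_METHODS.includes(request.method.toUpperCase());
    case 'none':   return true;
  }
  return false;
}

// Constructed scenarios: a legacy session cookie with no SameSite attribute,
// the classic CSRF vectors against it, and explicit Strict/None variants.
function evaluateScenarios() {
  const legacy = parseSetCookie('session=abc123; Path=/; HttpOnly');
  const strict = parseSetCookie('csrf=x; SameSite=Strict; Secure');
  const noneNoSecure = parseSetCookie('sso=tok; SameSite=None');
  const noneSecure = parseSetCookie('sso=tok; SameSite=None; Secure');

  const formPost = { crossSite: true, topLevel: true, method: 'POST', https: true };
  const imgOrFetch = { crossSite: true, topLevel: false, method: 'GET', https: true };
  const linkClick = { crossSite: true, topLevel: true, method: 'GET', https: true };
  const sameSitePost = { crossSite: false, topLevel: false, method: 'POST', https: true };

  return {
    legacyCrossSiteFormPost: cookieIsSent(legacy, formPost),     // blocked by Lax default
    legacyCrossSiteSubrequest: cookieIsSent(legacy, imgOrFetch), // blocked
    legacyCrossSiteLinkClick: cookieIsSent(legacy, linkClick),   // allowed (top-level GET)
    legacySameSitePost: cookieIsSent(legacy, sameSitePost),      // allowed
    strictCrossSiteLinkClick: cookieIsSent(strict, linkClick),   // blocked
    noneWithoutSecureSameSite: cookieIsSent(noneNoSecure, sameSitePost), // rejected cookie
    noneSecureCrossSiteFormPost: cookieIsSent(noneSecure, formPost),     // allowed
  };
}

console.table(evaluateScenarios());
```

The useful thing the table makes visible is why the default change matters: the legacy `session` cookie, set by an application that never heard of SameSite, is no longer attached to a cross-site form POST or to an `<img>`/`fetch` subrequest, which removes the cookie from the two most common CSRF vectors, while an ordinary link to the site still works. Sites that genuinely need cross-site cookies (SSO, embedded widgets) must opt in with `SameSite=None; Secure`, and a `None` without `Secure` is simply dropped.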
I see it as a battle between "the browser is a reliable tool for reading and navigating documents on the web" and "the browser is just another UI toolkit for trusted desktop applications". It can't be both, because any seamless UI will always be powerful enough for untrustworthy code to find other malicious tricks like this.
Because the browser provides a privacy and security sandbox where you can't be fingerprinted and where it is more difficult to turn decoding bugs into remote code execution exploits.
Users should have a lot more faith in the protections of a browser over the free-for-all security and privacy nightmare that is desktop computing.