Sunday, 01 Mar 2009Browsers as fourth-party software (This is in response to an article by Doc Searls.) Seems like browsers are doing a lot of things already to manage vendor relationships, where "vendors" are websites:
However, the major browser projects tend to have a tough balancing act between users' and vendors' interests, because they need to be compatible with as many vendors as possible. Features like ad blocking are "controversial" for this reason, which is why they're often an extension. Client-side programs (Javascript embedded in web pages) are a rather odd thing. A Javascript application is written by the vendor, but once downloaded, the vendor cannot trust it anymore because it's in the user's control and the user could modify it. So vendors only trust these programs they wrote themselves to represent the intentions of the user identified by the auth cookie. On the other hand, as a user you cannot fully trust one of these programs either, except to display information from one vendor and to relay your intentions back to that vendor's server when you're using a particular website. In particular, you don't want programs from different vendors to talk to each other about you, unless you specifically allow it, and you don't want a program from one vendor to gain control over a program from another vendor. These programs are like agents that all live within different jail cells in your browser. The agents aren't fully trusted by either side, and yet each agent is the primary way that you communicate with one vendor. The major client-side security bugs come from letting these agents escape their cells or spy on each other. And there are millions of these agents out there, one for each website, of widely varying quality. Perhaps Greasemonkey scripts are the closest thing we have to turning these agents into true fourth-party software. However, they're a hack. They have to be rewritten for each agent, they have to be updated each time the vendor changes the website, and vendors sometimes write terms that forbid you from using them. Can someone do better? I suspect an in-browser evolutionary approach is most likely to succeed. Users need better control over these agents and standard, automatic ways of communicating with multiple agents at once. I'm imagining browser extensions whose purpose is to start up a bunch of web sites (agents) and send them bids, and gather information from these agents and store it in a standard way outside of any agent's control. The standard API's for websites to communicate with browser extensions needs to become richer. On the other hand, there needs to be a way to get your favorite browser extensions back when using a different browser. This suggests that the "extension" is just another agent that lives in its own cell and is downloadable by vising a website. So maybe they all talk to each other using Google Gears, and it's just that you've designated certain more-trusted agents to administer the other less-trusted agents? Perhaps there could be a cells-within-cells model, where visiting one website creates an agent in a cell, who creates more cells and downloads agents from other websites into them. We'd need a standard for creating "headless" agents that have no UI but are just used by another website. As the user you'd want to be able to see when this happens and decide whether to allow it. Probably the closest thing we have now are hidden frames, but communication between them is a hack and the user doesn't get any visibility. Update: looks like this could be done with cross-origin workers in Google Gears. Update 2: and of course Facebook Apps and OpenSocial containers allow similar things, with the difference that the "more trusted" agent lives on someone else's server and therefore can do things on your behalf when you're not logged in. Also, it's questionable how much they deserve our trust. Open source client-side software (such as browsers and extensions) can theoretically be reviewed and given more trust than someone else's server, assuming you're using them on a secure client. Then again, this is only a matter of degree in the usual case where you download client-side software from a website without reviewing it yourself. Saturday, 21 Feb 2009Thought this was interesting: "Ownership means that I have something to lose. If you're a banker, it means that you've got collateral. It also means that I'm credible, so you can give me credit. When you think about it, whether it's ownership, whether it's credit, whether it's capital, whether it's identification, none of the things that make a modern economy are possible without property." [emphasis added] Online property might be considered as owning accounts in various online systems. "Having something to lose" means having control over an account that's valuable to you and other people you know (that is, not a throwaway account). Could an identity system be based on this? Someone with control over an account should be able to prove that they are the same person who owns other accounts as well. Once we have that, there are likely to be some systems that tie online identity to offline identity, which can be used to associate other online accounts to an offline identity when that's what you want. The fundamental transaction of proving that two accounts are owned by the same person could be done with OAuth. Note that this isn't a permanent relationship; if one of your accounts is hacked, you should be able to log into all your other accounts and attest that you no longer wish to be associated with the hacked account. When an identity splits in two like this, your friends might not know which identity to trust, but they would know something is up and to be careful. This is distinct from single sign-on; in fact, an identity created this way is more robust if you use an independent method of authentication for each account. In practice, some groups of accounts will probably share an authentication system for ease of use, but using a single auth system for everything is probably a bad idea even if it were possible. Even if you managed to tie most of your accounts to a single OpenID provider, keeping a few accounts separate (like your bank) would be a very good idea. Friday, 02 May 2008With the launch of Google App Engine, I decided to give it a spin by rewriting PixelToy, a Java Applet (and backend server) that I wrote more than a decade ago to learn Java. This time, the technologies I'm trying out are jQuery, Ajax, and Python. PixelToy is a simple paint program where everyone who visits paints on the same canvas. The new Pixeltoy also lets you take a snapshot of your painting and see a gallery of pictures others have made; the gallery also has a feed. How it works: the PixelToy web page sends each brush stroke to the server when you release the mouse button and polls the server for updates. The polling gets slower for inactive users. (Warning: since anyone can paint anything they like and painting is anonymous, you never know what you'll find when you visit. I ask that visitors keep things generally "safe for work," but can't monitor it all the time.) 
(And yes, this is also an excuse to post a gratuitious squid picture.) Sunday, 06 Apr 2008Why can't Wall Street plan for emergencies? When not following the election, I've found the latest financial crisis to be pretty interesting; how can so many smart people be collectively so stupid as to put the entire system at risk? I don't pretend to fully understand this stuff, but here are a few thoughts, from a spectator. Sunday, 30 Mar 2008Capsule reviews of a few web comics I like Maybe it's just that I haven't found the right web site yet, but discovering good web comics online seems a little harder than it ought to be. I went looking for new comics the other day, and found that lots of people make lists of their favorite comics but provide too little information: who wants to follow a blind link from a long list created by someone they don't know? On the other hand, there are a few websites that publish fairly serious critical articles about comics, but that's too much information when you're just looking for a new comic to read. And then there are the websites that review online and offline comics together, so you have to wade through stuff you can't read right now to get to the good stuff. How is it possible that in the year 2008, a really good web comic review site hasn't spontaneously appeared out of the sea of obsession that is the Internet? It's a clear-cut case of market failure (or maybe just laziness on my part) that I could remain unaware of Girl Genius for several years after it started. Until someone does start that website, I'll post a few reviews here and leave it to Google to get them to people who might find them useful: Sunday, 17 Feb 2008Guice callbacks should take parameters Guice is easy to use when you want to build a web of objects based on a static configuration. However, it gets awkward when you want to create multiple, similar webs of objects, where only a few nodes vary. This is because Guice has no direct support for callbacks that take parameters. The only callback that's built into Guice is Provider.get(). I would like to see full support for callbacks with parameters in the next version of Guice. In this article, I'll sketch out how we could do it. Saturday, 26 Jan 2008"There is the dangerous cliché in the financial world [that] everything depends on confidence. One could better argue the importance of unremitting suspicion." Wednesday, 23 Jan 2008
I've written before about how Guice works, but didn't explain why you would want to use it. Here's one way to think about it. Saturday, 20 Oct 2007
No, I didn't fall off the face of the earth. I haven't posted because I've been busy, and also had a case of the blog migration blues. If everything has gone smoothly, the website should look exactly the same. (Attention conservation notice: lots of boring tech detail below.) |
