Brian Slesinsky's Weblog

Sunday, 01 Mar 2009

Browsers as fourth-party software

(This is in response to an article by Doc Searls.)

Seems like browsers are doing a lot of things already to manage vendor relationships, where "vendors" are websites:

  • they remember passwords for you
  • they try to protect you from getting phished
  • they sometimes block ads and popups you don't like
  • they can allow anonymous access
  • they protect against unwanted information leakage from one vendor to another
  • using Greasemonkey, they can fix some issues in vendors' software

However, the major browser projects tend to have a tough balancing act between users' and vendors' interests, because they need to be compatible with as many vendors as possible. Features like ad blocking are "controversial" for this reason, which is why they're often an extension.

Client-side programs (Javascript embedded in web pages) are a rather odd thing. A Javascript application is written by the vendor, but once downloaded, the vendor cannot trust it anymore because it's in the user's control and the user could modify it. So vendors only trust these programs they wrote themselves to represent the intentions of the user identified by the auth cookie. On the other hand, as a user you cannot fully trust one of these programs either, except to display information from one vendor and to relay your intentions back to that vendor's server when you're using a particular website. In particular, you don't want programs from different vendors to talk to each other about you, unless you specifically allow it, and you don't want a program from one vendor to gain control over a program from another vendor.

These programs are like agents that all live within different jail cells in your browser. The agents aren't fully trusted by either side, and yet each agent is the primary way that you communicate with one vendor. The major client-side security bugs come from letting these agents escape their cells or spy on each other. And there are millions of these agents out there, one for each website, of widely varying quality.

Perhaps Greasemonkey scripts are the closest thing we have to turning these agents into true fourth-party software. However, they're a hack. They have to be rewritten for each agent, they have to be updated each time the vendor changes the website, and vendors sometimes write terms that forbid you from using them.

Can someone do better? I suspect an in-browser evolutionary approach is most likely to succeed. Users need better control over these agents and standard, automatic ways of communicating with multiple agents at once. I'm imagining browser extensions whose purpose is to start up a bunch of web sites (agents) and send them bids, and gather information from these agents and store it in a standard way outside of any agent's control. The standard API's for websites to communicate with browser extensions needs to become richer.

On the other hand, there needs to be a way to get your favorite browser extensions back when using a different browser. This suggests that the "extension" is just another agent that lives in its own cell and is downloadable by vising a website. So maybe they all talk to each other using Google Gears, and it's just that you've designated certain more-trusted agents to administer the other less-trusted agents?

Perhaps there could be a cells-within-cells model, where visiting one website creates an agent in a cell, who creates more cells and downloads agents from other websites into them. We'd need a standard for creating "headless" agents that have no UI but are just used by another website. As the user you'd want to be able to see when this happens and decide whether to allow it. Probably the closest thing we have now are hidden frames, but communication between them is a hack and the user doesn't get any visibility.

Update: looks like this could be done with cross-origin workers in Google Gears.

Update 2: and of course Facebook Apps and OpenSocial containers allow similar things, with the difference that the "more trusted" agent lives on someone else's server and therefore can do things on your behalf when you're not logged in. Also, it's questionable how much they deserve our trust. Open source client-side software (such as browsers and extensions) can theoretically be reviewed and given more trust than someone else's server, assuming you're using them on a secure client.

Then again, this is only a matter of degree in the usual case where you download client-side software from a website without reviewing it yourself.