Sunday, 01 Mar 2009
Browsers as fourth-party software
(This is in response to an article
by Doc Searls.)
Seems like browsers are doing a lot of things already to manage vendor relationships, where
"vendors" are websites:
- they remember passwords for you
- they try to protect you from getting phished
- they sometimes block ads and popups you don't like
- they can allow anonymous access
- they protect against unwanted information leakage from one vendor to another
- using Greasemonkey, they can fix some issues in vendors' software
However, the major browser projects tend to have a tough balancing act between users' and vendors'
interests, because they need to be compatible with as many vendors as possible. Features like ad
blocking are "controversial" for this reason, which is why they're often an extension.
application is written by the vendor, but once downloaded, the vendor cannot trust it anymore
because it's in the user's control and the user could modify it. So vendors only trust these
programs they wrote themselves to represent the intentions of the user identified by the auth
cookie. On the other hand, as a user you cannot fully trust one of these programs either, except
to display information from one vendor and to relay your intentions back to that vendor's server
when you're using a particular website. In particular, you don't want programs from different
vendors to talk to each other about you, unless you specifically allow it, and you don't want
a program from one vendor to gain control over a program from another vendor.
These programs are like agents that all live within different jail cells in your browser.
The agents aren't fully trusted by either side, and yet each agent is the primary way that
you communicate with one vendor. The major client-side security bugs come from letting these
agents escape their cells or spy on each other. And there are millions of these agents out there,
one for each website, of widely varying quality.
Perhaps Greasemonkey scripts are the closest thing we have to turning these agents into true
fourth-party software. However, they're a hack. They have to be rewritten for each agent, they
have to be updated each time the vendor changes the website, and vendors sometimes write terms
that forbid you from using them.
Can someone do better? I suspect an in-browser evolutionary approach is most likely to succeed.
Users need better control over these agents and standard, automatic ways of communicating with
multiple agents at once. I'm imagining browser extensions whose purpose is to start up a bunch
of web sites (agents) and send them bids, and gather information from these agents and store it
in a standard way outside of any agent's control. The standard API's for websites to communicate
with browser extensions needs to become richer.
On the other hand, there needs to be a way to get your favorite browser extensions back when
using a different browser. This suggests that the "extension" is just another agent that lives
in its own cell and is downloadable by vising a website. So maybe they all talk to each other
using Google Gears, and it's just that you've designated certain more-trusted agents to administer
the other less-trusted agents?
Perhaps there could be a cells-within-cells model, where visiting one website creates an agent
in a cell, who creates more cells and downloads agents from other websites into them. We'd need
a standard for creating "headless" agents that have no UI but are just used by another website.
As the user you'd want to be able to see when this happens and decide whether to allow it.
Probably the closest thing we have now are hidden frames, but communication between them is a
hack and the user doesn't get any visibility.
Update: looks like this could be done with cross-origin workers
in Google Gears.
Update 2: and of course Facebook Apps and OpenSocial containers allow similar things, with the
difference that the "more trusted" agent lives on someone else's server and therefore can
do things on your behalf when you're not logged in. Also, it's questionable how much they
deserve our trust. Open source client-side software (such as browsers and extensions) can
theoretically be reviewed and given more trust than someone else's server, assuming you're
using them on a secure client.
Then again, this is only a matter of degree in the usual case where you download
client-side software from a website without reviewing it yourself.
respond | link |