Smarter Clients Via ReverseHTTP and WebSockets

igrigorik writes "Most web applications are built with the assumption that the client / browser is 'dumb,' which places all the scalability requirements and load on the server. We've built a number of crutches in the form of Cache headers, ETags, and accelerators, but none has fundamentally solved the problem. As a thought experiment: what if the browser also contained a Web server? A look at some of the emerging trends and solutions: HTML 5 WebSocket API and ReverseHTTP."

A problem that I can see.

[ls671]

A problem that I can see is that web browsers already contain enough security holes, imagine if they contained a web server ;-)

Re:A problem that I can see.

[palegray.net]

What if the web server were limited to only communicating with external web servers to which a connection was already made, refusing any unknown connections from the network?

Re:A problem that I can see.

[jellomizer]

Are you trusting the site you connect to. That is the Active X mentality. If you went to the site then it is OK.

Re:A problem that I can see.

[palegray.net]

Nobody ever said the web server in the browser should have any privileges beyond the browser. That's not the ActiveX mentality.

Re:A problem that I can see.

[wealthychef]

What if the web server were limited to only communicating with external web servers to which a connection was already made,

How is it a server if it is the one requesting a connection? This is semantic abuse! I'm calling the definition police.

Re:A problem that I can see.

Stop the presses! Newsflash! Slashdot poster claims Windows is inherently insecure! Only way to ensure security is to not run Windows!

Re:A problem that I can see.

[CannonballHead]

Then accidentally visiting a bad website would kill your computer.. :)

Re:A problem that I can see.

[0racle]

Opera wants to explore that particular 'what if.'

Re:A problem that I can see.

[jellomizer]

So lets have it create a 120gig file called "-rf /" And lets see how many amateur Linux users will whip out their drives.

Re:A problem that I can see.

[cripeon]

And pray tell me how exactly you're going to encode a "/" in the file name?

Re:A problem that I can see.

I've done it before. Accidentally. It wasn't easy.

Re:A problem that I can see.

[Adm.Wiggin]

BLOAT. Firefox is "the great hog". Why would we want to add MORE? Yes, I love it, but that doesn't change the fact that Firefox is a pig.

Re:A problem that I can see.

[TeXMaster]

I wonder if anybody has tried targeting the Opera Unite services for holes? Or is Opera still too irrelevant market-wise?

Re:A problem that I can see.

[TeXMaster]

Firefox is a hog because it's coded to be one, not because of the number of features. Opera provides hundreds more feature than FF (including a webserver) and it's much leaner.

Re:A problem that I can see.

[Adm.Wiggin]

But they need to hire a user interface designer that's completely devoid of web design work. I feel like I'm using a poorly designed "Killer Web 2.0 Application" when I try to navigate the Opera preferences screens. The browser underneath all that is fantastic, but the UI is a deal-breaker for me.

Re:A problem that I can see.

[palegray.net]

Only if the web server operated out of the sandbox of the browser. Any browser vendor implementing a feature like this without isolating it to a container within the browser would be insane. In other words, Microsoft should never try to implement something like this.

Re:A problem that I can see.

[thePowerOfGrayskull]

Even so - that doesn't account for compromised servers. Or, for that matter, poor coding on the server - there doesn't have to be malicious intent for thist o cause harm.

Re:A problem that I can see.

Safety not guaranteed?

Re:A problem that I can see.

I ask my xorg server that every time it requests instantiation of a client.

Re:A problem that I can see.

too much fuss for opera marketing aohi.

Re:A problem that I can see.

Every time it does what?

The names in the X protocol are correct. The server is listening on port 6000 (+display number), and the client connects to this port. Clients are started by other clients, e.g. the window manager or desktop manager, or from a regular shell (script or running in an xterm).

The confusion comes from server as "the big machine in the server room" and client as "the one on my desk". This is the wrong use of the terminology in this case. It's not about hardware, but about a client/server protocol. The server listens, the client connects. One server offers a service (in this case drawing graphics) to many clients (xterm, OOo...), the client uses these services.

Re:A problem that I can see.

[OolimPhon]

Congratulations, you've just reinvented passive FTP.

Re:A problem that I can see.

[Lord+Bitman]

It doesn't come from the association of "the big machine in the server room". If that were the case, we wouldn't ever have the confusion when running for normal single-machine desktop use. The confusion comes from the association of "provides a useful service". If the X protocol's client-server architecture was defined in the sane or useful way which everyone intuitively expects such a thing to be defined when they hear "X uses a client-server architecture", a Client would connect to a Server, send requests (mouse/keyboard events, etc) and receive replies (information about what to display). That is a client-server architecture.

X would be able to:

• restart without stupidly losing all connected applications
• easily share applications between different users, different devices, or (for fuck's sake) different monitors
• keep an application open when you leave work, opening it up again from home, seamlessly picking up where you left off
• Have security regarding what applications need to do in order to listen to "someone else's events"
• Not technically need to run "the thing which applications with a GUI talk to" as root
• just as a bonus: not confuse people with a backwards metaphor

all essentially for "free".

Instead, X is backwards, and things which should have been standard features decades ago can still only be gotten through ineffective hacks.

Re:A problem that I can see.

probably none since 'rm -rf /' would require root privs. You might try "-rf ~".

Re:A problem that I can see.

[kyofunikushimi]

They just hired a new UI designer... earlier this year, sometime (spring, maybe?) to work on v10. I haven't kept up on any UI changes that have been taking place in 10, though.

Re:A problem that I can see.

A problem that I can see is that web browsers already contain enough security holes, imagine if they contained a web server ;-)

A problem that I can see is that web browsers already contain enough security holes, so let's not worry over throwing in a web server ;-)

Connection, yes. Server, no.

[Animats]

There's nothing wrong with a browser establishing a persistent connection to a server which uses a non-HTTP protocol. Java applets have been doing that for a decade. That's how most chat clients work. Many corporate client/server apps work that way. In fact, what the article is really talking about is going back to "client-server computing", with Javascript applications in the browser being the client-side application instead of Java applets (2000) or Windows applications (1995).

But accepting incoming HTTP connections in the browser is just asking for trouble. There will be exploits that don't require any user action. Not a good thing. Every time someone puts something in Windows clients that accepts outside connections, there's soon an exploit for it.

Re:Connection, yes. Server, no.

[Scootin159]

While I agree with the parent, that accepting incoming connections is a bad thing - it may also be the "killer feature" to implement IPv6. Auto-configuring clients to support incoming connections is inherently difficult in NAT.

Re:Connection, yes. Server, no.

[gumbi+west]

I would actually expect more security problems on both sides! There is both a new server on the client and a new client on the server. Each will take some time to secure and inevitably open up vulnerabilities.

Re:Connection, yes. Server, no.

[ls671]

> But accepting incoming HTTP connections in the browser is just asking for trouble.

Exactly, transparent caching proxies would seem to solve issue in a simpler and easier to manage way. Then again, providers trying to implement caching proxies that I know of have all abandoned the idea after trying it. Their customers complained to much and it brings all sort of problems with the transactional behavior of an application.

So people do not like caching proxies, why would they like one in their browser ? Why would they like getting content from another user browser instead of from the original source ?

Also, we live in a economy where we try to boost demand. I observed this trend many years ago: The more we go into the future, the less we seem to be concerned about bandwidth. Bandwidth is getting cheaper and cheaper and providers want to sell more bandwidth ;-)

Bandwidth usage is meant to go up anyway so I do not see their concept fly. I mean if we are really concerned about bandwidth that much, let's start by design application properly and use what is already in place (cache, expiry headers, etc.) properly, which is seldom the case in the applications that I have seen.

 

Re:Connection, yes. Server, no.

[metaconcept]

So people do not like caching proxies, why would they like one in their browser ? Why would they like getting content from another user browser instead of from the original source ?

What if the other user's browser is the original source? Think something like Tiddlywiki instances running in the browser and synchronising peer-to-peer.

Re:Connection, yes. Server, no.

[raddan]

I don't think you're going to see people give up NATs easily. NAT is a bona fide security feature, not just a consequence of having a LAN. This is the same thing that makes detecting bad segmentation faults possible in an operating system, and from that perspective, a separate address space is very desirable.

Any kind of 'fundamental change' that happens on the Internet needs to accept that NATs part of good architecture. You really want your toaster on the same address space as your Cray?

Re:Connection, yes. Server, no.

[Abcd1234]

It's also a stupid, stupid idea. On top of the security concerns, it's a waste of resources, both along the network route, and at the endpoints (mmmm... even more sockets for the web server OS to keep track of). And it's a huge hassle for firewalls.

Honestly, I've been a defender of the whole thick-ish-web-client revolution, but this is just getting ridiculous. HTTP is a request-response protocol. If you need something interactive, use a frickin' interactive protocol. Why the hell would you shoehorn it into HTTP, save to prove that you can?

In short: re-inventing non-passive FTP using HTTP is stupid. Very very stupid.

Re:Connection, yes. Server, no.

[Tony+Hoyle]

No, they're really not. They don't add any security except a tiny bit of obscurity.

Re:Connection, yes. Server, no.

[zn0k]

NAT is not a bona fide security feature. NAT by itself can be traversed, NAT keeps no traffic information other than port numbers - NAT at best obfuscates network space, which is a welcome side effect but doesn't make things secure. A firewall is a security feature, and it's perfectly possible to firewall IPv6 traffic. Also, it's of course perfectly possible to subnet an IPv6 network and separate your Crays and your toasters, if you so desire.

Re:Connection, yes. Server, no.

[Dragonslicer]

NAT is a bona fide security feature, not just a consequence of having a LAN.

What security does it provide that a REJECT ALL firewall rule wouldn't?

Re:Connection, yes. Server, no.

[ls671]

How would this peer2peer like static content propagation be really useful in a modern web application ? It is not worth the security implications (basically the same as running any p2p client)

Most web applications have dynamic content nowadays you know.

Would you rather to get stale Slashdot articles from the browser running in your neighbor's computer or to get them fresh from Slashdot ?

Again, nothing here that caching proxies don't already do, and people do not like caching proxies as I explained above in the GP.

Re:Connection, yes. Server, no.

[bigredradio]

But my toaster is powered by a Cray

Re:Connection, yes. Server, no.

[metaconcept]

It'd be useful in the same way decentralised version control systems are useful by comparison with their centralised counterparts. The replication topologies are no longer constrained to the simple hub-and-spoke model. Think google wave, without the centralised server. Think google docs, without the centralised server.

Re:Connection, yes. Server, no.

[cripeon]

Heh, imagine throwing away all the heatsink hulla-baloo and using processors to toast bread!

Re:Connection, yes. Server, no.

[DiegoBravo]

> What security does it provide that a REJECT ALL firewall rule wouldn't?

The security that most users don't have any idea about how to configure a REJECT rule, even if they have a firewall at all.

Re:Connection, yes. Server, no.

[Korin43]

More like a huge amount of obscurity. Let's say you install Windows 2000 on a computer and don't install any patches or service packs. Connect it directly to a cable modem and you'll have viruses instantly. Do the same install on another computer and put it behind a router and you'll find that even without any patches you're fine. And my point isn't that patches aren't necessary, it's that the obscurity of being hidden behind a router protects you from threats that haven't been discovered yet, and that's the hardest ones to protect against.

Re:Connection, yes. Server, no.

[PitaBred]

The only thing I can think of is some opaqueness of the network behind the NAT, but that's not a huge win

Re:Connection, yes. Server, no.

[ls671]

I understand your point, you are basically saying that we should incorporated fancy p2p capabilities into web browsers ;-)

My point is that it is a bad idea security wise. I use p2p clients/servers to do p2p ( Note: p2p clients are also servers). I admire p2p algorithms just as much as you might do but let's use right tools for the right job.

A lot of people, especially big corporations, won't like the idea of having their employees running p2p clients/servers incorporated in their web browsers either ;-)

People running p2p clients/servers should understand the issues and risks. Computers are not sold with p2p clients/servers already installed into them. Computers are sold with pre-installed web browsers. Think about the "Grandma" type of users.

Cheers ;-)

Re:Connection, yes. Server, no.

[profplump]

NAT provides exactly the same security as a connection-tracking firewall -- there is no further benefit to address translation over a dynamic firewall with the same rules. Dropping the NAT part makes it about 11,000 times easier to run services on the inside, particularly if they use multiple connections (e.g. FTP, SIP) in the course of a session, and it removes the "only 1 person can run a service on the default port" limitation introduced when you put more than one system behind a single address.

Re:Connection, yes. Server, no.

[Agent+ME]

It's possible to have a NAT-like firewall, where the clients can't take incoming connections, but where all the clients have a global address, IPv6 style. Though that would still suck majorly (just slightly less than NAT). It's up to every IP-address holding device to filter their own connections.

Re:Connection, yes. Server, no.

[sjames]

Exactly. The only thing NAT gives you that a default policy of REJECT or DROP doesn't is extra latency and higher CPU load on the firewall.

NAT also makes it harder to figure out who the badguy is if one of the internal machines attacks a remote machine (for example, because it got a virus or some employee is running something they shouldn't be).

Re:Connection, yes. Server, no.

[Hurricane78]

Well, I already did persistent JavaScript-only connections in 2003-2005. I used an object tag, and then requested a page. that page did never end, and continued to include new JSON snippets which immediately executed. When it got too big, the response ended with a location.refresh().
A second object tag included a form with a "never ending" POST.

But it did not work so great, so I changed it to single "packets" (form submissions and receivings). Which also allowed them to be done in a single object tag.
Then I went so far to abstract it into a network socket and lay a file system on top of it. The server was PHP. (Company requirement.)
I even had a compression and a encryption module. But since the whole thing was already very slow, and there was no actual point to it, I left them out.

The result was this mock "OS" including a "kernel", a widget library, and starting to get what you would expect from a OS.
Mind you that this is a early alpha, because the project got canceled when I left the company. Nobody else in the company understood or cared to understand how it worked.
Since the company is officially really really dead, I think it's OK to put it out there. :)

Re:Connection, yes. Server, no.

[Runaway1956]

Good point, security through obscurity. Place a Linux (or any) gateway machine behind a rather cheap router, with default paranoia settings. Someone wants to run some services from the LAN to the intartubez, but he's not discoverable. Since the cheap router is very limited in it's configuration, one might spend days trying to get everything to their liking.

Alternatively, one can do wan --disable firewall then configure everything on the Linux gateway machine. Firestarter does exactly what we ask it to do, with no limit to the number of rules.

Beating my head against a wall was the price for using the ISP supplied router, commonly found with a price tag of less than $60.

Re:Connection, yes. Server, no.

[drago]

What you mention is a general trend in IT. First we had a mainframe with dumb clients, then we wanted to use the computing power of our PCs and created rich clients (Windows applications mostly). We realized this is a maintenance hell with versions ever diverging, so we put our applications on the web and had dumb clients again (web browsers). Now, starting with Java applets and continuing with this webserver in a browser stuff, we are on the way to a rich client again. See the pendulum swinging? I'm curious what the next dumb client model will look like, 10-20 years in the future we will know.

Re:Connection, yes. Server, no.

[slash.duncan]

The only thing NAT gives you that a default policy of REJECT or DROP doesn't is extra latency and higher CPU load on the firewall.

Not exactly. Someone above argued, quite persuasively I might add, that had IPv6 been the norm before we got broadband, the differences in firewalls and how they are configured would have had support people simply saying "shut off the firewall", and people would, and it'd work, and they'd never turn it back on. With NAPT OTOH, once there was more than one computer behind it, shutting off the NAPT really wasn't an option at the consumer level, so application writers and their support people had to learn to deal... and that's just what they did! Meanwhile, NAPT got smarter as well, with various auto-configuration protocols like UPnP, etc. None of that would have happened if it was as simple as telling the user to shut off their firewall, and magically, everything worked.

See above for more. The post is high scored, and he said it better than I.

NAT also makes it harder to figure out who the badguy is if one of the internal machines attacks a remote machine (for example, because it got a virus or some employee is running something they shouldn't be).

Actually, that's a good part of the point. Behind the NAPT is private network, for those that run it to manage. It's nobody's business in front what the network behind the NAPT looks like, nor is it their business to trace the bad guy beyond the NAPT. They trace it /to/ the public IP, and take appropriate action from there. Said action should be contacting the administrator for that IP (or IP block, more likely), and letting them deal with it. If they don't, then stronger action, such as blocking the entire IP or IP block may be warranted. However, it's nobody's business but the folks behind and running that NAPT, what or who was doing whatever, because that's a private network. The NAPT therefore functions in much the same way as the NID in the POTS network. Beyond the NID, it's up to the owner. Beyond the NAPT, it's up to the owner. Let them worry about it, and react if necessary based on whether they do or don't stop the abuse from emanating.

Re:Connection, yes. Server, no.

[Jeremi]

Seems to me the ideal solution is to host the Java code on the server, but cache a copy of it on the client, so that the client auto-downloads any changed code modules as part of the application startup.

That way the diverging-versions problem is taken care of (it acts like a web-app), but you still minimize startup time (in the common case where the app hasn't been updated on the server, anyway) and get to run rich code on the client.

Re:Connection, yes. Server, no.

You are going to need a router anyway. Make it default to REJECT ALL, just like today it defaults to NAT ALL.

Same security, (way) fewer problems.

Re:Connection, yes. Server, no.

[Ant+P.]

most users don't have any idea about how to configure a REJECT rule

These are the same users who are apparently capable of configuring IPv4 address masquerading on their home LAN?

Re:Connection, yes. Server, no.

[huge]

I think you got this wrong.

Currently most of the users don't set up their NAT (which is usually PAT anyway) and just like others pointed out, REJECT rule could be default like the NAT rule is.

Only difference would be that if these inane users want to allow some remote applications (e.g. Torrent) to establish connection to their computer, they need to be tinkering around with port forwarding and need to dedicate different port for each computer and so on.

Without NAT and using the REJECT by default would allow users to use very similar point-and-click interface for enabling the connections to those computers they desire, much like they do with the port forwarding at the moment, but without a need to be tinkering around with the port settings on the application side.

Re:Connection, yes. Server, no.

[Crayon+Kid]

TFA is completely misguided.

Granted, there are web apps which would benefit from a push model as opposed to pull. But that main problem here is actually NAT, not the push/pull model of web apps. What they're trying to achieve, basically, has nothing to do with web browser or web apps, it has to do with seamless NAT traversal without having the server maintain a huge number of persistent connections initiated by the client.

Which is an entirely different type of fish and one which is STUPID to expect to solve by adding a server to the browser. That would do NOTHING to pass NAT. What you want is STUN or IPv6.

I love the way TFA says "let's put aside the NAT issue for now" and then goes on beating around the bush. :) NAT isn't just a minor quirk here, it's THE problem. And they're going the wrong way about it.

Re:Connection, yes. Server, no.

[DiegoBravo]

Yes, almost nobody configure the NAT because that's automatically assumed by the brand new routers. Some day we could have DSL routers that work the other way.

Now, another objection to the firewall approach is regarding the "failure case": if the REJECT rule is removed/lost, that will leave my machines as direct (directionable) targets from the outside. If the NAT fails, the consequence is that the machines just can't navigate. I prefer the last option.

Re:Connection, yes. Server, no.

[ls671]

100% agreed, I couldn't cover all aspects of this but I swear I thought about what you are mentioning.

Re:Connection, yes. Server, no.

[huge]

The point is that the last implicit rule of the rule set should be DROP ANY. This is the case with PIX, Checkpoint and most of the other firewalls I have seen.

To match the functionality of the current NAT devices, default rule set should

1. Allow all outbound traffic from Trusted interface to Internet
2. Allow inbound traffic if it is return packet for connection initiated from Trusted network.

If user then decides to remove all rules, failure mode will be exactly the same (all inbound/outbound packets will be dropped).

Re:Connection, yes. Server, no.

[SCHecklerX]

NAT is not a security feature. *sigh*

Re:Connection, yes. Server, no.

[DiegoBravo]

Of course, your scenario will work too.

Yet I have a sense of fear that some day a chinese hacker can access and take control of my (chinese) IPV6 enabled microwave oven, and kill me with the radiation :)

Re:Connection, yes. Server, no.

[sjames]

Actually, that's a good part of the point. Behind the NAPT is private network, for those that run it to manage. It's nobody's business in front what the network behind the NAPT looks like, nor is it their business to trace the bad guy beyond the NAPT. They trace it /to/ the public IP, and take appropriate action from there.

All the outside has is a single opaque number that may or may not be related to the machine's MAC address. However, the local admin who receives the complaint has the database that tells him exactly what machine was responsible.

Of course, an outsider can at least learn a few things about the network behind a NAT anyway. For example, put up a few funny pictures on a website and email someone at a business office a link. Use cookies to count unique visits from that IP.

I see what you are saying WRT turning the firewall off, but that sounds too much like the standard "ban because otherwise people can " and ignores that it's perfectly possible to add all sorts of unsafe rules to a NAT while thinking "I'm behind a NAT, what could go wrong?". Sometimes those rules get added through various auto configuration protocols without the user's knowledge.

Application writers would still have to just deal in the case where firewalls WON'T just turn off or the users refuse to do so. Even with NAT, many home router/firewalls will also effectively disable the firewall by setting any port not otherwise specified to go to a particular internal IP (probably an unsecured XP machine) for example.

Re:Connection, yes. Server, no.

Actually, if your browser incorporated a web-server, you'd just be back to days of napster/gnutella/limewire and all that p2p stuff, with a client/server model across a distributed node-graph.

And you'd still have to overcome NAT-traversal.

Re:Connection, yes. Server, no.

[badkarmadayaccount]

What's the issue of a having a simpler point and click interface for configuring port forwarding?

Re:Connection, yes. Server, no.

[deadkennedy]

I concur in that there really shouldn't be a need for an external library outside of the browser in order to maintain a server connection.

Problem?

[oldhack]

I thought dumping the load on the server was the desired design feature. What is the problem they are trying to solve? Good old rich client model has been around for some time now.

Re:Problem?

[ceoyoyo]

Ah, but the young 'uns have forgotten that anybody did anything before they came along. So "the network" is synonymous with "the web" and if you want to send any information it better be over HTTP. So bidirectional HTTP means you can communicate in both directions!

Next they're going to figure out that if you move the web app out of the browser you can have a much richer GUI experience.

Re:Problem?

[WinterSolstice]

This wouldn't be so funny if it weren't so true :D

At least I no longer have to use a teletype for my batch output...

Re:Problem?

[Slorv]

Heh, mod this up as both insightful and funny!

Re:Problem?

[CannonballHead]

What? There were computers before 1985?

Re:Problem?

[Tablizer]

What? There were computers before 1985?

Yes, but they were disguised as mere keyboards to fool you toddlers.
   

Re:Problem?

[digsbo]

The problem is that this is not funny, but painfully true. The problems of cross-platform client GUIs are all being solved again, but on top of several new layers of APIs with little value-add and a big performance hit. If you want to write a client-server app, please do so! Stop trying to make the browser the cross-platform widget toolkit.

I've seen good developers try to use UDP instead of TCP to save a few bytes of overhead, and they failed. How will web developers without any concept of network programming theory manage to recreate (or even use) a persistent, robust, and high-performance connection over HTTP? I doubt it will work well. We'll end up with more kludge layers between the browser, OS, browser plug-ins, etc....

Re:Problem?

[ceoyoyo]

You know, I've heard this cool idea being kicked around of using a printer to automatically produce a hard copy of the console output. Sort of like a log, but on paper. It seems it might just be the next big thing!

Re:Problem?

[ceoyoyo]

I once had a PhD supervisor who had a problem. He was setting up a database for this group who needed to be able to enter a few very simple bits of information for a clinical trial. I told him it would be no problem - whip up a little app in Python using Wx or QT that does nothing but display a few fields and create a new row in the database when you hit submit. Maybe do a little bit of checking and pop up a dialog box if it was a duplicate.

But no... it had to be a web app. So after hiring a database guy, setting up a hefty content management system and writing a bunch of code, the original group decided to use Access.

Re:Problem?

They are trying to use your PCs to push the "cloud" computing model forward, get it? They upload their website to your "client" and completely offload all the power, computing, and bandwidth liability to you, the end-user.

Why should Google have to pay for data-centers and concentrators anyway; when your Core2Duo sits mostly idle and everyone knows P2P is the best way to "deliver content?"

Re:Problem?

[WinterSolstice]

That would be especially useful whenever the system has a problem - then you would be able to read back the whole issue, and it wouldn't get deleted on reboot!

Re:Problem?

[oldhack]

If we can only figure out how to store the damn logs so that it can be retrieved after a reboot...

Re:Problem?

[ToasterMonkey]

Wait, there were computers before the Internet??!1

Re:Problem?

[radish]

That just shows he doesn't know what he's doing. The exact same little python script could have generated a simple web form and submitted to the DB.

Re:Problem?

[ceoyoyo]

That still means writing a script, setting up a database AND setting up (and maintaining) a web server with the extras to both run Python and talk to the database. Just so you can type a URL into your web browser instead of double clicking on an icon.

Re:Problem?

[shish]

Next they're going to figure out that if you move the web app out of the browser you can have a much richer GUI experience.

Either that, or they move the browser into the webapp... (Seriously, I give it a year until someone writes a full-size GUI toolkit using the HTML canvas as a display device, and the GUI toolkit comes with an HTML rendering engine)

Re:Problem?

"I've seen good developers try to use UDP instead of TCP to save a few bytes of overhead, and they failed"

Let me guess - they ended up replicating TCP badly.

Re:Problem?

[arethuza]

Why on earth would you have a "hefty content management system" to host a simple web form? Sounds like a wildly over-engineered solution to a simple problem by someone who didn't know how to KISS.

Re:Problem?

[ceoyoyo]

You mean like Internet Explorer and Windows... whatever version of Windows that was?

Re:Problem?

[ceoyoyo]

Absolutely.

Re:Problem?

"If you want to write a client-server app, please do so! Stop trying to make the browser the cross-platform widget toolkit. "

You're kidding, right?

Take just about anything on Google - maps, docs, the search itself. Rather than having to download and install and (once every couple weeks) update four or five pieces of software on every computer I use (forget about ones where I don't have install access, like a kiosk or at the library), I just go to the web page. Sure, there are a few things that _really_ won't work as web based applications. But most will.

Do you think you'd simultaneously get Windows/Mac/Linux/BSD/Solaris/mobile device versions of client/server applications? With the web, as long as you have a decent browser, you're all set.

Re:Problem?

[digsbo]

There's a place for the browser, no question, that's not my point at all. But there is a limit to what should be done in the browser. The original article seems to about a group who are taking it too far, IMHO.

Re:Problem?

[digsbo]

Yes.

Re:Problem?

[numbski]

Well what do you propose? Cross platform GUI is always a thorn in a developer's side. Web browsers that conform to CSS and JavaScript are the most reliable fix unless you really want to do everything as a Flash app (not truly cross-platform in the sense that every platform can have it), or as a Java applet (see my argument about Flash).

So yeah - everything does wind up in a browser. :\

Re:Problem?

I thought dumping the load on the server was the desired design feature.

No, that gets you fired and possibly arrested.

Is this a follow-up to the previous story?

[gatekeep]

This seems to closely relate to the next story currently on the frontpage; Predicting Malicious Web Attacks

This sounds awesome!

Imagine if IE contained IIS...that would be awesome!

imagine indeed...

only in the mind of microsoft

Going backwards

[nurb432]

The whole point of 'the web' was to move processing out to the 'cloud' ( sorry for the buzzword use ). Ideas like this only would continue the backwards trend of moving the processing back onto the client, which personally i feel is the wrong direction.

Re:Going backwards

[Tynin]

I mostly agree, however I believe much of the initial push to move processing out to the 'cloud' was because clients likely had limited hardware. Now days client hardware is rather beefy and could handle some more of the load that the server doesn't need. That said, I think a web browser that opens ports and is listening for connections on my computer would make me more than slightly wary.

Re:Going backwards

[Locklin]

The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.

Re:Going backwards

[iron-kurton]

Sorry, I have to disagree. There is no right or wrong, as far as thin vs. thick clients are concerned -- it's really what's best for the job. Processing on the client side can be a good thing, as long as it's not abused (like it is with ajax).

Re:Going backwards

[tomhudson]

The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.

Exactly. The original web was supposed to be read-write. A combination of companies that wanted to ream people for $50/month for hosting a simple hobby site and ISPs that wanted to upsell you a $100/month "business internet package with 1 static IP" are the guilty parties.

Of course, the Internet routes around such damage, so we have home servers operating on alternate ports, ultra-cheap hosting plans, and dynamic dns.

Re:Going backwards

[nurb432]

Disagree all you want, but you are wrong :) Terminals for everyone.

Re:Going backwards

[nurb432]

By linking the processing power, and accessing it via terminals, as it was in the beginning, id say i'm correct in its intent.

Re:Going backwards

[ToasterMonkey]

I mostly agree, however I believe much of the initial push to move processing out to the 'cloud' was because clients likely had limited hardware. Now days client hardware is rather beefy and could handle some more of the load that the server doesn't need. That said, I think a web browser that opens ports and is listening for connections on my computer would make me more than slightly wary.

I disagree. The re-centralization of computing did not happen because of a lack of client horsepower. If anything, the aggregate client power to server power ratio has skyrocketed, and never stopped since decentralizing in the first place. I really do not understand the intent of the last decade or so of re-centralization. It makes zero sense to me. The only reason I have come up with is the browser is a mostly cross platform platform. Still, the number of webapps that run on a single browser on a single platform is dumbfounding. All the good reasons I can think of for centralization, ie collaboration, data protection, etc. hardly seem to be the focus of any webapp. It's as if the reason is "because everyone else is doing it."

I'm quietly waiting for the day silly things like save, undo, or reset become mandatory interface elements again. The main theme of centralized computing, manipulating a set of data, and submitting it.. the browser can't do right. Instead of all this AJAX bull crap, why aren't we making it easier just to fill out a GD form, save it, change, print, resubmit, cancel, etc. Instead, the only common browser interface we have, back, forward, bookmark, etc, doesn't work. You have an arbitrary amount of time to fill out a form before silent failure and complete re-entry. Printing is inconsistent. There is no logging or auditing for data submission, other than someone else's server.

Browsers are toys :\

Perhaps I just don't understand TFA, but...

[St.Creed]

I've been reading the blog-article and the linked websockets API description. The websockets proposal specifically states the protocol does not give access to the raw network, and does not allow an IRC client without intermediate server. So where's the whole enthusiasm coming from? Even with websockets, it doesn't look all that different from the Opera implementation.

As far as I understand websockets from the description, you still have to point the browser to the right place to connect to. Once connected, you can then accept incoming messages from the other side. Well, color me pink and tie me down, but I'm not sure the rapture has just arrived already because of someone writing up an API.

Websockets shouldn't have much of a problem with firewalls though, since you could use the existing tunnel. I wonder what this would do for security inside the company.

Scenario: I'm pointing my browser at a server I run at home. In my browser I run a small webserver that can access a commandshell. Cool, now I can work from home despite a firewall and lack of software :) Sorry dear sysadmin, your firewall just got a few new holes in it :)

Re:Perhaps I just don't understand TFA, but...

Scenario: I'm pointing my browser at a server I run at home. In my browser I run a small webserver that can access a commandshell. Cool, now I can work from home despite a firewall and lack of software :) Sorry dear sysadmin, your firewall just got a few new holes in it :)

Glad that nobody has figured out how to do that with ssh -R on port 80.

Re:Perhaps I just don't understand TFA, but...

[Locklin]

Scenario: I'm pointing my browser at a server I run at home. In my browser I run a small webserver that can access a commandshell. Cool, now I can work from home despite a firewall and lack of software :) Sorry dear sysadmin, your firewall just got a few new holes in it :)

I used to do that on my University's network with a reverse SSH tunnel. You could even do it over port 80 if they blocked outgoing 22. The only issue would be if you could install that webserver on a locked-down machine that has no SSH client.

Re:Perhaps I just don't understand TFA, but...

[St.Creed]

SSH isn't standard windows so would be a tad difficult for the average user to install and use. A browser point-and-click interface would be much easier to use and abuse.

But you're correct ofcourse.

Re:Perhaps I just don't understand TFA, but...

[scotch]

"tad" is correct.

I thought this was called Flash?

[ACMENEWSLLC]

Flash 10 has the ability to do advanced client side things. For example, it can update the screen with information from a server by posting to a website, by XML, etc. It's pretty good at doing this. 8e6 and Surfcontrol utilize this type of capability in their admin GUIs for example.

Beyond just nice GUIs, one can serve up a special Flash document on a website. When the user opens the web page, a reverse proxy tunnel can be established allowing access into the clients LAN through Flash, bypassing any firewall restrictions. I think that was a previous /. article.

It's got a lot of features many folks don't use.

Re:I thought this was called Flash?

[Per+Wigren]

It's also a proprietary, binary blob and an insanely buggy one at that. At least all versions that are currently usable in practice (Gnash/swfdec are only usable in theory).

Re:I thought this was called Flash?

[thePowerOfGrayskull]

By Flash you mean "Any client side technology". ActiveX controls. Java applets. Platform-specific exes. It's called "networking" - and there are methods far better suited for it than an environment that is designed to be "client-server" only - with the role of "client" and that of 'server' being fairly clearly defined. Sure, it's possible to create such a monstrosity as described in TFA - but why when there are so many better, more secure, and more efficient ways to do it?

HTTP isn't dumb, it's just minunderstood.

[EvilJohn]

So really....

HTTP isn't dumb, it's (mostly) Stateless. Instead of that, what about building net applications around stateful protocols instead of some stupid hack and likely security nightmare?

Re:HTTP isn't dumb, it's just minunderstood.

[iron-kurton]

Here's the thing: stateless works everywhere there is any internet connectivity. Imagine having to define a long-lasting stateful protocol around slow and unreliable internet connections. But I do agree that the current model is inherently broken, and maybe we can get away with defining short-term stateful protocols that could revert back to stateless....?

Re:HTTP isn't dumb, it's just minunderstood.

[lennier]

I've wondered recently how come we can't get a protocol like HTTP, but 1) not based on 'pages' but arbitrarily small/large and recursively nestable chunks of data, and 2) not pull and client-driven but publish/subscribe and persistent, where you'd attach to a data chunk and then be notified with the new value whenever that chunk changes. The rise of social services like Twitter and Facebook (and particularly the use of both by applications as a sort of generic publish-subscribe information bus) seems to be indicating that there is a need for such a thing, and building it on top of proprietary websites designed for other purposes entirely seems like a waste of time.

I'd like to get away from the 'client/server' approach of the Web back to the 'every endpoint is a host' of the underlying Net, because that's important for the end-to-end principle (and I think it was a big mistake to ever lose it). Moving just one step up the protocol stack from 'fire and forget datagram (IP)' to 'stream (TCP)' to 'subscribable chunk' seems like it would obviate the need for a lot of AJAX hackery. We could keep HTML as a display layer on top, but we really need a way to visualise and connect a whole lot of little tiny paragraph-size chunks of data - like, say, each post in a blog, each comment in a forum, each edit in a wiki, or each row in a table.

If we make this middleman protocol stateful, such that the equivalent of 'web proxy' for it is required to keep a cache and only transfer data into the internal network from outside when it changes... we could still keep a really simple, policy-free network, but reduce the insane amount of duplication of packets that we do now. If someone inside your home network pulls down a movie from a given URL, fine, it should get transferred once from your ISP's network to your home proxy/cache... and then sit on the cache there and not get re-downloaded. The same idea should work down to the level of individual Slashdot comments.

If we then add a very simple pure-functional language into this protocol, so that every 'chunk' could also be a function over other chunks, then we could get a generic RESTful computing model for mashups and the like.

Google Wave seems to be heading sort of in this direction, so maybe it might evolve into a generic replacement for the Web.

Re:HTTP isn't dumb, it's just minunderstood.

[BitterOak]

Here's the thing: stateless works everywhere there is any internet connectivity. Imagine having to define a long-lasting stateful protocol around slow and unreliable internet connections.

That's exactly what TCP was designed for: persistent 2-way connections over possibly unreliable networks. But I agree with your basic point, given that firewalls may be configured to only allow HTTP and other basic protocols through.

Re:HTTP isn't dumb, it's just minunderstood.

[am+2k]

Actually, you're mostly describing XMPP, which Google Wave is built upon. It's already there and it's in active use, although mostly for IM for now.

Re:HTTP isn't dumb, it's just minunderstood.

[DragonWriter]

I've wondered recently how come we can't get a protocol like HTTP, but 1) not based on 'pages' but arbitrarily small/large and recursively nestable chunks of data

HTTP isn't built around pages. HTTP can already do that.

2) not pull and client-driven but publish/subscribe and persistent, where you'd attach to a data chunk and then be notified with the new value whenever that chunk changes.

That's a pretty simple application of any asynchronous messaging protocol (most such protocols aren't built around that particular use case, but it would be trivial to support it in any of them.)

Re:HTTP isn't dumb, it's just minunderstood.

[reed]

Here's one: http://www.interreality.org/about ; http://interreality.org/wiki/VipDocumentation . Project is dormant for the past couple of years but could pick up again if there was interest.

The web-application-forever-trend?

[SplatMan_DK]

May I politely ask WHY anyone would one to continue making browsers "heavier" and "thicker" all the time, instead of simply making a good old fashioned rich client (thick client if you prefer)???

I am not looking to start a "Wep-app-vs-client-app" war here. I think there is a time and place for both thick client applications and web applications. And I am a very happy G-Mail user (among other web-app-things). But sometimes I am REALLY amazed when I see the lengths some web-developers will go to, in order to achieve PRECISELY the same goals that thick clients has been able to do for literally several decades!

The platforms and standards for making web applications are continuously MOLESTED in order to give them primitives abilities which, at the end of the day, are STILL only a shadow of the power a rich client has.

Stuff like AJAX hits the scene, and people call it a "milestone" or a "revolution". Wow. Now a user can get his screen updated async without hitting a "submit" button. Big stuff there.

Next thing will be ... what? Better graphics? Actual integration between applications? Easy third-party data integration? Ah, wait, maybe it will be an continuous (and actually working) user session? No no ... wait ... I got it ... it will be model-based programming. Yes. The revolutionary new "model-view-controller" design will totally change the landscape of web applications. It will be ground-breaking stuff to any web developer! Yeah!

The finest achievement any web application can get, is being described like it is "just as good as a rich client". Hasn't anybody stopped a moment to think about WHY that is? Perhaps it would be better just to use web clients where they make sense, and rich clients where they make sense?

Why on earth do some people continue to abuse the thin (read: skinny and bone-rattling) web standards for tasks that are clearly more suited for a traditional rich client application?

This is an honest question - technical answers are more than welcome. I genuinely want to understand what is going on in the minds of all these "progressive" web developers who are seriously proposing the introduction of advanced server-processes as part of a browser...

- Jesper

Re:The web-application-forever-trend?

You have to remember that HTTP is a stateless protocol, and as such has been a near failure. It's only through blind luck that HTTP is as popular as it is.

It's very important (mostly for buzzword compliant PHBs) that the world do whatever it can to make HTTP a pseudo-stateful protocol, so people can pretend that web pages are real applications (that magically disappear when you accidentally hit backspace while your input's focus is in the wrong spot).

Yes, the crippled (read: simple and easy to implement) HTTP protocol is slowing down the internet (read: stupid ideas) so we need to add 6-7 layers on top of it so it "works".

The OSI model is only a few layers. Wouldn't everything be better if it was a lucky number, like 13 layers?

HTTP + AJAX + GWT + HTML5 + Flash + ... + ... + ... = just write a desktop application already.

Re:The web-application-forever-trend?

[MBCook]

Crud. That way me, MBCook. Accidentally checked the wrong box.

Re:The web-application-forever-trend?

[Algan]

With thin clients, people already have a (somewhat) standardized client. You don't have to worry about deployment issues, software updates, system compatibility issues, etc. It's there and it mostly works. If you can develop your application within the constrains of a thin client, you have already bypassed a huge pile of potential headaches. Even more, your users won't have to go through the trouble of installing yet another piece of software, just to try your app.

Re:The web-application-forever-trend?

Because getting the obscenely large percentage of the world's population familiar with the World Wide Web to switch from the web they know to some new (or old) software uniformly across all platforms is a fool's errand?

Re:The web-application-forever-trend?

HTTP is successful precisely because it is stateless and simple. I would not call it a near failure if the whole WWW was built using it.

Re:The web-application-forever-trend?

[fuzzyfuzzyfungus]

"some web-developers will go to"

If you are a web developer, you pretty much have the choice of switching careers or doing your best to bludgeon as much functionality out of your toolset as possible.

More generally, though, "web" apps do have advantages, they are just almost universally in areas outside of their power as programs(and, to be fair, areas where conventional client apps could be made to match, if a whole lot of groundwork were done).

Assuming you haven't already, looking at some user's home machines is a genuinely edifying experience. Check the desktop. Not infrequently, you'll find it littered with old installer packages, sometimes multiple copies of the same thing, scattered there by the user's frantic clicking. They Just. Don't. Get. the installation procedure, even when the installer is an executable that, once triggered, pretty much leaps out and installs itself. Don't even dream about getting the user to make any configuration changes besides entering a username and password. And updates, of course. You can either add yet another voice to the chorus of horrible autoupdate tray apps, crying for attention, or bug the user when they start the program, or just deal with having 26 different versions in the wild.

If you want to appeal to such users, you have two options: try to solve ignorance, by maintaining a good-sized helpline for the entire life of your product, or trying to solve installation; by doing a bunch of webapp hacking upfront. This solves updating, as well. Next time they refresh, there they are.

This all goes double for users at work, at a web cafe, on a friend's computer, or whatever. There are, in fact, some very sophisticated offerings that allow full client applications to be added and removed freely from a system, without harming it. Essentially none of them are available to, or usable by, average users. Public or corporate computers generally run in some flavor of lockdown, so client apps can't be installed, and any time joe user installs something on somebody else's machine, he risks munging it, or leaving his config details all over the system. This, again, makes webapps attractive.

None of these issues are insurmountable, with sufficient cleverness and effort, an OS could offer sandboxed, optionally persistent, access to full(or nearly full) client app power with webapp ease of loading, updating, and purging. Until that actually happens, though, webapps are here to stay.

Re:The web-application-forever-trend?

[SplatMan_DK]

I totally disagree. Respectfully :-)

Your view is typical of a techie or CTO responsible for a software roll-out. The basic thought seems to be avoiding rich clients at all costs in order to make the whole thing "simpler".

But there are a ton of disadvantages for web clients. And in many (bot not all) cases they outweigh the advantages!

- They require MUCH more advanced back-end infrastructure to work, often including several servers and lots of monitoring/management
- much more complicated maintenance and upgrade
- much more complicated backup and disaster recovery procedures
- much more complex code in order to accomplish even the simplest things
- inferior user experience (this will become more visible as the complexity of the application increases)
- inferior 3rd party integration with the app (also more visible as the complexity increases)
- single point of failure (in fact a whole pile of server processes on top of each other)

I have deployed both web applications and classic client/server applications in medium-sized enterprises (500 - 5000 seats) for business use. I can honestly tell you that the most complex ones have been the web-based ones. They often depend on a ton of existing technology that has to match very precise specifications, and they very seldom work "out of the box". Because of the advanced back-end diagnosing a problem is virtually a nightmare and you have several technology vendors all pointing fingers at each others for problems that (according to all of them) are not even supposed to exist.

So yes, you DO have to worry about deployment issues. You DO have to worry about software updates (which are often very complex because of the extensive technology stack). And it most certainly DOES NOT "just work".

You are correct in stating that users don't need to install anything. But hey - the same goes for the rich client. The roll-out of any decent client application can be totally automated very easily. :-)

- Jesper

Re:The web-application-forever-trend?

[SplatMan_DK]

True and false.

It is a success for the things it was originally created to solve.

It is a failure (although very widespread) for the more modern things it is used for in advanced web applications... ;-)

Re:The web-application-forever-trend?

[tomhudson]

Because getting the obscenely large percentage of the world's population familiar with the World Wide Web to switch from the web they know to some new (or old) software uniformly across all platforms is a fool's errand?

3 words: Java Web Start.

Re:The web-application-forever-trend?

You phrased it truthfully and insightfully...

But all of that stated--how else can our sales guy be waiting in the airport, see somebody and "sell" them on a demo account of our product. They don't have to install anything, don't have to circumvent IT policy--don't need admin rights. "Just point your browser at this webpage and click "launch"". Yeah, it's *huge* maintenance for our dev team to get every possible browser working... possibly not worth it even. But it lets us sell to...anything.

No hassles about DLLs, no installers, no JVM or .Net version crap. If by some chance your system is really really dated, we can recommend firefox for "enhanced" performance. It just works on any system you can get a decent browser on.

Well--it used to anyway. Until the marketing fags discovered flash and had a design firm splash it all over the site, and try to "layer" it into the application. Well...we didn't actually have any users running linux other than the devs anyway. And I'm sure Mac support will never lag behind... And I'm going to fall over laughing at the first marketer who calls to tell me he can't demo the app on his iphone anymore.

sigh.

Re:The web-application-forever-trend?

[SplatMan_DK]

LOL.

Mjeah. Right. :-D

6 months later all the end-users are still happy with the application which provides them with the exact same and rich user experience as their favourite (rich) office application. Right? And they just LOVE the idea of paying monthly fees in order to use their software. Sure. And have no problems with the fact that their data are crossing the internet every time they access it. While not minding at all that the whole solution is nearly impossible to integrate with anything else. Poor performance is not an issue later - all screens open and close as fast as any one of them could wish for. Yep.

Paradise. Absolutely! :-D

Ask them to replace their MS Outlook client with "Exchange Web Access" too. And toss Microsoft Office out the window in favor of some obscure online spreadsheet/presentation/word-processor platform. I am sure they will love it. Its a much better user experience. And hey: much easier for the IT department as well. Hell, we could stop using computers at all and switch to ultra-thin clients!

Go for it. It will be great! :-D

Re:The web-application-forever-trend?

[Space_Pirate_Arrr]

As I see it, there are two main reasons why people want to deploy richer web apps rather than proper rich clients:

1) Ease of deployment. Anyone browsing the web must already have a web browser, and they are (despite the best efforts of certain corporations) quite highly standardised. The standards are also platform independent. Thus with a web app you can "write once, run anywhere".

2) Sandboxing: If you are trying to convince casual users to try out your service, they may be wary of installing a rich client. A web app, on the other hand, benefits from an additional layer of sandboxing that may make them more likely to give it a try.

I must say, though, I totally agree with your notion of using the right tool for the job. Things like bringing 3D to the browser (recently discussed here on /.) may not be steps in the right direction.

Re:The web-application-forever-trend?

[ceoyoyo]

With a given OS and an app, people already have a (somewhat) standardized client. You don't have to worry about compatibility issues, browser differences, etc. It's there and it mostly works. If you can develop your application within the constraints of an OS, you have already bypassed a huge pile of potential headache. Even more, your users won't have to go through the trouble of downloading the right browser, installing it, starting it, and navigating to your site, just to try your app. Also, you won't have to do to the trouble of setting up complicated web servers - just post the binary (or the source) on your web page.

Re:The web-application-forever-trend?

wah wah wah

Are you REALLY that clueless as to WHY they are doing it?
Here is a little hint for you: NOBODY BUT COMPUTER TECHIES KNOW WHAT A CLIENT IS, NEVERMIND A RICH ONE. (they will probably think of the price of it)
Everybody with a computer knows how to get on the web, everybody with that knows how to get to websites, therefore the developers all flock to browsers.
SIMPLE NOW, ISN'T IT? GOLLY GEE WHIZ THAT WAS SO HARD TO COMPREHEND.

All you people who whine all the time about the web evolving to suit the needs of the developers need to grow a fucking brain, let go of the past already!
You will never get your rich client, the browser will continue to evolve as the developers need it, plain and simple.
That is unless schools begin teaching kids about computers more in-depth, and to be honest, that is just "+5 Funny" material.

Some new additions likely to be added is more GUI control similar to the likes of XUL. (Open in Gecko-based browser to see)
Next big thing after that will be creating a (new) standard for 3D.
And better communication between servers and other clients, perhaps some sort of limited server on the client-end similar to what is in Opera Unite.

Sorry to be a bit of a dick about it, but if you couldn't see such a simple reason, then god help you.

Re:The web-application-forever-trend?

[Algan]

Don't get me wrong, I agree with many of the points you're making. As a matter of fact, I am currently involved in the development of a rich client/server architecture.

However, I still maintain that the costs of dealing with server side deployment/scalability/upgrade issues is lower than dealing with rich clients in many instances.

I admit that my stance is biased by the fact that we use only basic open source building blocks for our deployments and we code the rest in house. We don't have to deal with various vendors and if something doesn't work quite right, we can always patch it up. We try to use tools like Erlang/OTP as much as we can for our server side business logic, which makes deployments and maintenance a breeze and helps a lot with scaling and redundancy.

I believe it is all a matter of costs and benefits. I can see certain applications that would not make sense in a browser, but for others, if you can get away with it, it makes a lot of sense to push them into "the cloud"

Re:The web-application-forever-trend?

[turbidostato]

"NOBODY BUT COMPUTER TECHIES KNOW WHAT A CLIENT IS, NEVERMIND A RICH ONE."

Still they use them everyday, which is what counts.

"Sorry to be a bit of a dick about it, but if you couldn't see such a simple reason, then god help you."

Don't be so sorry. You are a dick because you are a dick -with an absolute lack of imagination on top of that. That you are able to regurgitate the last info you got from a "tech blog" makes you an informed dick, not an knowledgeable expert.

Re:The web-application-forever-trend?

[Tablizer]

Perhaps much of the infrastructure you talk about is the RDBMS that has to be there anyhow if there's any significant data sharing between users. Thus, it's not a difference-maker for comparing.

Further, source code has to be backed-up regardless of web or desktop, and thus is also not a difference-maker.

If you want to keep the web application portion simple, you can if you stay close to default configs. True, it can be foobarred under bad developers, but so can desktop apps. Maybe your shop just happened to have good desktop developers but crappy web developers. It happens sometimes. (Or they picked a bad tool stack.)

Desktop apps still often suffer from DLL-hell and their newer equivalents, and seem to falter easily under all the viruses and malware users pick up along the way. They also have the time-consuming install-at-each-client step that web apps generally don't. With web apps you may be dealing with 2 funky computers instead of 200.

I agree that the GUI design features/standards of current web apps suck, but I'll leave that discussion to other threads.
   

Re:The web-application-forever-trend?

I think that what you are saying holds only when you are in a business environment where you can just roll out new versions to your employees. But for a consumer app, the user matters much more than your deployment needs. Setting up the hosting environment is something that you do once, in exchange for not having to sort through issues on potentially millions of individual clients' machines.

So if desktop clients are superior in most ways to web clients, why aren't we seeing more of them rather than fewer?

Re:The web-application-forever-trend?

1) If in today's world, you can't build a web GUI that rivals a native GUI, you're doing it wrong.

2) HTTPS.

3) Not possible to integrate? How much easier can it be to write an application that consumes a properly laid out webservice? Not much.

4) OWA runs just as fast as that piece of shit does natively. And it does it on linux, freebsd, and os x, too.

5) STFU.

Re:The web-application-forever-trend?

[Jeremi]

Why on earth do some people continue to abuse the thin (read: skinny and bone-rattling) web standards for tasks that are clearly more suited for a traditional rich client application?

There's only one real reason: having to download, install, and (every so often) upgrade an application is a pain in the ass. It's much more convenient to just point your (already-installed) web browser at the right URL and get right to doing (whatever it is the application does).

Re:The web-application-forever-trend?

[badkarmadayaccount]

Flash is orthogonal, out of stack, if you will. GWT is a development tool, AJAX is an interface standard (to the XMLHTTPRequest object). So, web apps boil down to UI and persistence (HTML 5), a method of communicating (HTTP (those layers on top of it are gonna be implemented one way or the other) (I'm a Lisp fan BTW)) and basic UI manipulations and control (JavaScript). Seems a reasonable stack to me. The browser is just taking X11's place, and I don't think that is an issue. The protocol is simplified, and with better compactness (mod_gzip, anyone?), better performance on UI interface manipulations when dealing with WAN type latency, and JS interpreters are scary fast and getting faster.

Re:The web-application-forever-trend?

[badkarmadayaccount]

Mod parent up.

I run www.reversehttp.net

[metaconcept]

From www.reversehttp.net:

"[...] we need to be able to act as if being able to respond to HTTP requests was within easy reach of every program, so that we can notify interested parties of changes by simply sending an HTTP request to them. This is the core idea of web hooks. We need to push the messy business of dealing with long-polling away from the core and toward the edge of the network, where it should be. We need to let programs dynamically claim a piece of URL space [...] and handle requests sent to URLs in that space [...]. Once that's done suddenly asynchronous notification of events is within reach of any program [...], and protocols and services layered on top of HTTP no longer have to contort themselves to deal with the asymmetry of HTTP. They can assume that all the world's a server, and simply push and pull content to and from whereever they please."

The details of getting the requests through the gateway to the serving application are pretty trivial and interchangeable. The new idea is in registering endpoint names. UPNP and STUN cover some of the same space, but IP's addressing is fundamentally different to HTTP's URL-based addressing in that it's possible with URLs to have recursive delegations of portions of the namespace -- something that IP just can't do (because it's flat).

Re:I run www.reversehttp.net

[thePowerOfGrayskull]

TOnce that's done suddenly asynchronous notification of events is within reach of any program [...], and protocols and services layered on top of HTTP no longer have to contort themselves to deal with the asymmetry of HTTP. They can assume that all the world's a server, and simply push and pull content to and from whereever they please."

I'm missing the part where this is a good idea. I want to trust unknown server(s) that I happen to visit to do more than provide HTML for consumption? Why on earth would I want to expose myself that way?

If you want true interactivity, code a "thick client" designed to work with the servers or services in question. Don't try to shoehorn it a web browser using HTTP transactions- and creating a whole new platform for security risks.

Re:I run www.reversehttp.net

[metaconcept]

If you weren't aware that your browser already has very rich network interaction capabilities, I suggest reading up on AJAX. Reversehttp, when running in a browser, is built from sandboxed javascript code, running in a page, using XMLHttpRequest, just like everything else.

It's also not actually browser specific, and applies equally well to thick clients (think Skype, or practically anything that wants to receive messages rather than just send them; you might make a broad comparison with UPNP or STUN). It's just a happy coincidence that it can be used to lift the browser up to equal status with other programming environments.

Already possible with httptunnel

http://www.nocrew.org/software/httptunnel.html

Might as well just use Jabber

If you're going to build an httpd into the browser, and also the NAT people need some fixed proxy out thre somewhere, then you might as well just make it Jabber.

ReverseHTTP?

Is that similar to INTERCAL's COME FROM instruction?

Re:ReverseHTTP?

[metaconcept]

Yes :-)

Opera Browser Has Web Server

Here is a /. story about Opera's inclusion of a web server:
http://apache.slashdot.org/story/09/06/19/0227249/Opera-Unite-Web-Server-Benchmarked

You might want to look at RESTful Web Services, too.

Re:Opera Browser Has Web Server

[tomhudson]

You might want to look at RESTful Web Services, too.

Thanks, but I'd rather slit my wrists. Why not learn Java and build a real application, where you don't have to deal with the browser at all?

Re:Opera Browser Has Web Server

Or any other decent development language. C, C++, C#, Delphi, etc.

Please explain ...

[SplatMan_DK]

Can you please explain WHY you would want to molest the primitive HTTP protocol in this way? Seriously: why not use another protocol that is actually suited for the task at hand, and then let the client initiate the connection (thereby automatically solving a gazillion security issues and technical challenges imposed by NAT based consumer routers)? Why - please - WHY do you want to take "web application concepts" and transmogrify them (read: totally molest them) into something they are not... while clearly ignoring that A LOT of existing technology has already solves most of these issues? Why choose a web/HTTP implementation BEFORE analysing the task at hand instead of getting a clear picture of the task and THEN choosing an appropriate technology afterwords? - Jesper

Re:Please explain ...

[metaconcept]

Huh? Did you read the spec draft? The metacircular use of HTTP is a cute hack, but in no way central to the idea. If you like, think of reversehttp as a kind of "remote CGI" -- like what people already do with apache's reverse proxying, but dynamically configurable.

Re:Please explain ...

[SplatMan_DK]

I think I understand it. I will admit that I am not a network expert, just plain and simple business app developer.

And I still don't understand why I would want my own machine to answer HTTP calls of any form, or why I should allow my (hardware) firewall to allow incoming requests of that nature. The security implication alone is a nightmare.

I would never want to give any outside party the ability to execute "remote CGI" on my machine(s) nor would I want them to have the properties of a webserver.

Can you explain a scenario where such a set-up makes sense (from a business or usability perspective) and where other protocols are unable to get the job done?

- Jesper

Re:Please explain ...

[metaconcept]

Can you explain a scenario where such a set-up makes sense (from a business or usability perspective) and where other protocols are unable to get the job done?

Anywhere you'd otherwise be configuring apache/DNS/firewall/CGI/reverseproxy rules by hand. There aren't any protocols for that other than reversehttp yet. The goal was to make it as easy to get a name/URL and become a full server in the HTTP network as it is to anonymously participate as a client. Particularly interesting is the way it makes short-lived services suddenly viable: previously, you'd either have to reconfigure your gateway apache instance (or similar) each time a service came and went (or moved!), or ad-hoc up some way of doing roughly what reversehttp does, but on a case-by-case basis.

(It's also, by the way, no more difficult to secure the gateway than it is to secure any other web service -- the demo server hands out URL space pretty freely, but obviously if you were deploying it yourself you'd apply normal HTTP access control policies to limit who was allowed to register which names and so on.)

Re:Please explain ...

[SplatMan_DK]

It sounds like a kick-ass method for making stuff than can bypass police-state/dictator censor crap and web filtering. Absolutely!

I still don't see any use that would be beneficial for normal users like myself, my girlfriend, daughter, mom, dad, ... etc. :-)

Re:Please explain ...

[metaconcept]

Well, the next time you, your girlfriend, daughter, mom, dad etc writes a web service, perhaps they'll get some leverage out of it :-)

(One interesting demo, not linked on the site but present in the source code on github, is a PubSubHubBub endpoint in the browser, which can subscribe to PubSubHubBub's feed update notifications for real-time feed tracking. (PSHB deliberately doesn't include any long-polling ad-hockery, so this is otherwise not possible.) The URL of the page is subscribed to the PSHB hub, and when new atom entries arrive, they're POSTed directly to the page -- or rather, as direct as possible given that there's the reversehttp gateway relaying the POST on.)

TCP, by any other name, would thou smell as sweet?

[TiggertheMad]

Regardless if you are maintaining a persistent connection via a non-HTTP protocol, or setting up a dual web servers to chatter back and forth, you are still missing the point.

This is yet another stupid patch for the fundamental design flaw of HTTP: I was never supposed to used to mimic a persistent connection. Why keep running through ever more complicated mazes, and just build a freakin browser that maintains a connection with the host? (rhetoric, I'm not really asking this as a question...)

if you want plain HTML, use a browser. If you want a TCP/IP connection, use a HTTP connection with AJAX, Java applets, server state, cookies, keep alive headers, hidden form values and viewstate to SIMULATE ONE...

It already exists

[Tablizer]

...it's called a "Zombie".

Will never happen

[nulled]

This is the same concept as BitTorrent...where you spread the load out to anyone downloading the software. BitTorrent uploads the parts you downloaded, therefore spreading the load to the clients.

1) Bittorrent is already getting a lot of black listing from major cable companies, because people are downloading DVD movies and not paying for them using pay-per-view.

2) ISPs do not allow a home user to set up a web server and will block or ban your account if it finds port 80 or http/https (amoung others as well like ftp excessively used)

3) how is your browser going to access a Database like mysql with php, local on your machine? The pages would have to be cached and static or some other wizard way of doing it.

I am by no means saying that the idea isnt possible or even not a good idea. It sounds like a nice idea... however too many factors are at play, including co-location centers and the notion of a 'server' itself being discounted in favor of a 'super browser'.

The only reason this subject has come up is to try to combat DDoS attacks. Twitter and Facebook and the whitehouse.gov attacks.

No, what needs to happen is to get rid of the Microsoft Windows ZOMBIE botnet computers, which allow the DDoS attacks to happen with greater ease and frequency.

Re:Will never happen

[metaconcept]

3) how is your browser going to access a Database like mysql with php, local on your machine? The pages would have to be cached and static or some other wizard way of doing it.

There's nothing that limits reversehttp to the browser. Any HTTP client library can use it. The demo implementation has clients not just for browser-hosted Javascript but also for Python and Java. Besides the clients included with the demo implementation, Paul Jones has written hookout, for Ruby programs, and Tatsuhiko Miyagawa has written AnyEvent-ReverseHTTP for exposing HTTP services via reversehttp from programs written in Perl.

Re:Will never happen

[Pop69]

2) ISPs do not allow a home user to set up a web server and will block or ban your account if it finds port 80 or http/https (amoung others as well like ftp excessively used)

Your ISPs may not allow home users to do this, mine allows web servers, mail servers, the whole shooting match on their home accounts. They'll even allocate you a block of 8 static IPs to do it properly.

Re:Will never happen

[DragonWriter]

ISPs do not allow a home user to set up a web server

Some ISPs don't allow those things. Those ISPs suck.

how is your browser going to access a Database like mysql with php, local on your machine?

Many browsers already embed databases to do HTML5 local storage or perform other functions (admittedly, that's a database more like -- and often exactly -- SQLite than MySQL.) If there's a demand for it, of course, browsers could provide drivers for external databases or provide hooks for them to be pluggable.

Re:Will never happen

[badkarmadayaccount]

So, all you'd need is a server-side $Programming_language_du_jure-to-Javascript compiler.

FAT CLIENT is NOT the right FIX

[Tablizer]

What's needed is a "GUI Browser" standard that is meant for C.R.U.D. screens (business screens and forms) instead of what HMTL is: An e-brochure format bent like hell to fit everything else. You can only bend the e-brochure model so far. We don't need "fat clients" really to solve most of the problem, but really just a better GUI browser so that we are not sending over 100,000 lines of version-sensitive JavaScript just to emulate (poorly) a combo-box, data grid, or folder/file outline tree widget. That's like inventing a cell-phone just to call your next-door neighbor.
   

Re:FAT CLIENT is NOT the right FIX

[SplatMan_DK]

So why not make a client/server solution, and make good clients for each of the platforms you want to support?

Compared to the absolutely massive resources needed to build an advanced web application with roughly the same capabilities as rich clients on those same OS'es it should not be too hard to do!

Why do we need a "GUI browser"? How would you describe such a thing anyway? The presentation layer of any modern OS already has all the things we need PLUS a ton of very useful local integration with with other applications?

- Jesper

Re:FAT CLIENT is NOT the right FIX

[Tablizer]

Because people don't want the "install" step, for both time and security reasons.

How would you describe such a thing anyway?

Kind of like HTML, but with more widgets, more declarative "events" for common actions, standard ess-expression-based field validation, an MDI option, and a "stay until removed" aspect of drawing screens instead of redraw-page-per-post of regular HTML.

The presentation layer of any modern OS already has all the things we need [for GUIs]

So does the Tk-kit-family and Java for the most part. A "generic" GUI-browser could probably be built with them.
         

Re:FAT CLIENT is NOT the right FIX

...so that we are not sending over 100,000 lines of version-sensitive JavaScript just to emulate (poorly) a combo-box, data grid, or folder/file outline tree widget.

Isn't that what Java applets are for?

Re:FAT CLIENT is NOT the right FIX

[SplatMan_DK]

I am sorry but I still don't understand the concept of this "GUI browser". It sounds like you are focusing a lot on the presentation layer and ignoring all the other aspects a rich client has.

What about 3rd party integration? Or a visual layout which matches the operating system? Or hotkeys and interactive behavior matching the OS? Or the ton of rich functionality provided by the OS to all local applications (security features, networking, local system access, core functionality like cross-application object embedding, etc)?

What exactly makes this "GUI browser" any better than just making a Flash 11 application and what are the benefits from using it? Which issues/problems does it solve?

- Jesper

Re:FAT CLIENT is NOT the right FIX

That sounds a lot like XUL which Firefox has supported for a while and nobody uses (except for Firefox extensions). If you are developing an intranet application, you may be able to get away with using it.

Re:FAT CLIENT is NOT the right FIX

[ceoyoyo]

"So does the Tk-kit-family and Java for the most part. A "generic" GUI-browser could probably be built with them."

Yes, you've described a Java applet.

Re:FAT CLIENT is NOT the right FIX

[Qzukk]

Actually, I think he's describing MS Access. Including the "generic" part.

Re:FAT CLIENT is NOT the right FIX

[turbidostato]

"That sounds a lot like XUL which Firefox has supported for a while and nobody uses (except for Firefox extensions)."

Obviously not. XUL was a very founded idea: that both developers and users want a standard deployment platform. Whenever a 'de facto' standard rises, you get to see its success aggregating developer efforts being it Windows at the OS level, Access at the DB frontend, "the browser" at the Internet level, etc.

Users like it because they find it an easy concept to grasp; developers like it because they give them a consistent platform to program against. XUL was meant to be that "standard platform" for Internet-based rich applications by perusing the "internet browser" concept. But then, in order to gain adepts it forcibly needed to run on "the browsers" which, at the time, mainly meant "internet explorer". Since XUL never run on IE (I can understand whil not share Microsoft's position 'ut ActiveX ut nihil') it never run in practice on "the browser" and that meant a clash in paradigms. No wonder it failed.

Re:FAT CLIENT is NOT the right FIX

[Tablizer]

With Java applets, most of the programming for configuring and controlling the applet GUI also has to be downloaded. With a more declarative approach, only less-common events have to be downloaded as handling code. Also, applets are not very incremental in nature. If you use only 2 screens of a potentially 100-screen app, you should only have to download those 2, not all 100. (Maybe they fixed that feature since, but it used to seem like all or nothing. Also, it's generally more difficult to make static languages be incremental.)

Further, a (good) markup language approach is less likely to start an app language war, which would ruin the acceptance of a GUI Browser.

Like I said, Java may be useful for building a general GUI browser, but that's different than a custom applet for each app.
   

Re:FAT CLIENT is NOT the right FIX

[Tablizer]

What exactly makes this "GUI browser" any better than just making a Flash 11 application

Non-proprietary.

As far as those other features, even desktop GUI's have a hard time with them if you make an app that is not OS-specific. It's not a "problem" specific to a GUI browser, but rather tied to targeting multi OS's.

As what would be a common use of "cross-application object embedding"? What percent of apps need that? I don't see a common need for it that cannot be handled some other way, such as web services and/or ODBC.

You seem to be saying unless it's perfect, nobody will accept it. I don't buy that. The current approach to get rich web apps is ugly, version-sensitive, crashy, jittery, and code-intensive for even basic desktop-like behavior that we already expected 20 years ago.
       

Re:FAT CLIENT is NOT the right FIX

[Tablizer]

I found XUL convoluted and lacking support for common GUI behavior that one normally needs, at least in apps I work with. Also, the communication between client and server seemed poorly planned and tested. Perhaps they improved that, but it sucked when I looked into it.

     

Re:FAT CLIENT is NOT the right FIX

[Tablizer]

I addressed the applet comparison in a nearby message.

Re:FAT CLIENT is NOT the right FIX

[ceoyoyo]

Congratulations.

Re:FAT CLIENT is NOT the right FIX

[gbjbaanb]

no. That's not what is required. HTML does a passable job of displaying data, it could be easier, or better forms could be developed, but that's a never-ending target. Even in a thick client, those 100,000 lines of data would still need to be sent to the GUI, and the GUI application too.

What is needed is push updates from the server to the client. The typical application that uses this is the old stock quotes one, where you want the stock that's just changed to be sent to your browser to display. Not every minute when the browser polls for changes, as that either gives you data that is stale, or a massive load on the server and network (depending how often you poll).

So a standard mechanism for sending data back to the client is all that's needed. Not AJAX which is just polling in the background, but a way for a client-initiated connection to the server to be kept open and used to send data back to the client. If we could change HTTP to be a connection-oriented protocol (rather than a optimised connectionless one, with keepalives) then we'd be able to use the web as a full GUI platform.

We wouldn't need operating systems then. Google would take over as the new Microsoft and Microsoft would fade into the history books.

Re:FAT CLIENT is NOT the right FIX

[arethuza]

"standard that is meant for C.R.U.D. screens" - well there was XForms - which doesn't seem to have been very popular. Actually, if you look at the way things like SAP interact with your client applications it is similar both to ye olden mainframe terminals and the Web.

Re:FAT CLIENT is NOT the right FIX

[Tablizer]

Honest?

Re:FAT CLIENT is NOT the right FIX

xhtml was dead in the water thanks to long-term non-support from IE making everyone jump through a trillion hoops just to get IE to pretend it was HTML and still render it like shit.

I had so hoped for html5 to rescue xforms, because HTML's forms are basically bullshit for anything more complex than entering your name.

Re:FAT CLIENT is NOT the right FIX

[badkarmadayaccount]

Those lines of code need to be executed, and since the major OS vendor(s) can't be arsed to standardize, everything is DIY. You can avoid resending with a persistent ( [browser] || {cache)[ing proxy}.

Re:FAT CLIENT is NOT the right FIX

[badkarmadayaccount]

Can't people just use a single lower level AJAX toolkit that's always in cache?

Re:FAT CLIENT is NOT the right FIX

[badkarmadayaccount]

I'd really like to see a driver written in javascript. Honestly, I'm curious, I see no reason for that not to exist, I just want to see it.

move the web app out of the browser

[TwinkieStix]

Too late.
http://labs.mozilla.com/prism/
http://www.adobe.com/products/air/
http://silverlight.net/
http://www.zimbra.com/products/desktop.html
http://desktop.google.com/plugins/
http://widgets.yahoo.com/
http://www.apple.com/downloads/dashboard/
http://www.microsoft.com/windows/windows-vista/features/sidebar-gadgets.aspx
http://www.screenlets.org/index.php/Screenshots

A problem that I can't see.

[paxcoder]

Why is this any different from the classic thing?
All it does is enables the "server" to send data even if the "client" doesn't request them each time (doesn't refresh). Instead of trusting AJAX code gotten from the server and "refreshing" parts of pages in set intervals, why not just trust the socket which will provide the info necessary for the "refresh"? I don't see any new problem introduced here.
Please explain if you do.

Re:A problem that I can't see.

[ls671]

> Please explain if you do.

Keeping the connection alive (keep alive) enables you to do just that without running a server (e.g. listening socket) in your web browser. Yet, people do not use it much. Allowing the server to connect back to you is even more complex and I do not think it would fly that much, you would now need more complex server applications. Paying the almost costless price to establish a new connection every time is the privileged option nowadays and most applications are built with that architecture in mind.

Even only allowing the server that you already connected to to connect back to you (listening socket in the browser) is a security risk.

More explanations:

http://slashdot.org/comments.pl?sid=1340213&cid=29111783&art_pos=2

http://slashdot.org/comments.pl?sid=1340213&cid=29112163&art_pos=1

http://slashdot.org/comments.pl?sid=1340213&cid=29112577

Re:A problem that I can't see.

[Mozk]

Polling at intervals is unnecessary and wasteful. Long polling is a better way to do this, and the only downside is that the server must maintain the connection till data is available.

Re:A problem that I can't see.

[paxcoder]

Thanks for the links. If you want, check out my reply there.

FTP anyone

[Imagix]

Doesn't anyone remember FTP? And why Passive-mode FTP was developed? All of the same reasons why this isn't a good idea. Your web browser ends up behind a NAT firewall and poof, this no longer works. (Without some deep packet inspection on the firewall to automatically open the ports, or UPnP, or SOCKS, or some other protocol for the web client to negotiate with the firewall to allow the connections).

Re:FTP anyone

[metaconcept]

You've missed the point: this is one of the situations when reversehttp actually saves the day. The reversehttp gateway is outside the firewall. Services inside the firewall contact the gateway to get it to relay requests in to them, using long-polling (or any other method, current or yet to be invented). The point is that the gateway is in exactly the right place to dole out names/URLs and to handle the routing, filtering and relaying.

Re:FTP anyone

[julesh]

Doesn't anyone remember FTP? And why Passive-mode FTP was developed? All of the same reasons why this isn't a good idea. Your web browser ends up behind a NAT firewall and poof, this no longer works.

Did you actually read the article? Or are you just responding to the one-line throwaway description in the summary, without even bothering to think for one second what the title ("ReverseHTTP") might actually mean?

Re:FTP anyone

[Imagix]

Yep, in fine /. tradition, I didn't RTFA. However now it's proposing that an ISP runs a large proxy for their clients. So the FTP issue goes away, but now you've got an intentional man-in-the-middle server in your ISP. Why bother hacking individual clients when you can hack these proxy and get access to hundreds to thousands of users?

Re:FTP anyone

[badkarmadayaccount]

Uhhh, I'm starting to regret that the TCP/IP stack is... well, a stack. Aspect-oriented programming with message passing FTW!

Check out...

CE-HTML 3rd party notifications. It's what this is.

Violates many ISP terms of use

Many ISPs prohibit running any kind of server on a home customer connection, and they will regularly port scan you and disconnect you if they find one.

Consistent and Manditory Ruleset.

[pavon]

I actually do think that NATs have been a boon to end-user security, more so than firewalls would have been, because they created a (relatively) consistent ruleset that software developers were then forced to accommodate. Hear me out.

Imagine an alternate universe where IP6 was rolled out before before broadband, and there was never any technical need for NAT. In that case the consumer routers would have all come with firewalls rather than NAT. First off it is very possible that router manufacturers would have shipped these with the firewall off to avoid confusion and misplaced blame: "I can't connect to the internet, this thing must be broken". If they were enabled by default, with common ports opened up, there would still be applications (server and P2P) that would need to have incoming ports manually configured to be open in order to work. Most users wouldn't be able to figure this out, and the common advice between users would become "If it doesn't work disable the firewall".

And the fact of the matter is that requiring a novice user to configure his router just to use an application is not a good approach. There needs to be some sane form of auto-configuration. Even if the firewall tried to implement this internally, you would run into problems with different "smart firewalls" behaving differently, which would create even more headache for application developers.

With NAT you have the same problem in that manually configuring port forwarding is confusing to users. The difference is that there is no option to disable NAT. So it became the application developers' problem by necessity, and this is a good thing, because they are better suited to handle technical problems than the end user is. It was a major pain in the ass, but eventually all the router manufactures all settled on similar heuristics on how to fill the NAT table based on previous traffic, and we learned strategies to initiate P2P traffic that didn't require user intervention.

In end, default behavior of NAT (outgoing traffic always allowed, incoming only in response to outgoing) gave us the auto-configuration ability that we needed, and the result was something much more secure than would have existed if the firewall was optional.

Re:Consistent and Manditory Ruleset.

[Hooya]

> outgoing traffic always allowed, incoming only in response to outgoing

thus began the end of the world wide web. in it's place we have the next gen *cable* with producers and consumers. no wonder comcast is looking to buy disney or other "content producers".

just what is so horrid about having my computer serve content by allowing connections to it? someday we will be so damn secure that no one will be able to talk to anyone else.

Re:Consistent and Manditory Ruleset.

[Nursie]

YOU can, because you know what NAT is and how to port-forward and various other things.

Most people don't. Leave them in their little walled gardens, it's safer for them there.

Re:Consistent and Manditory Ruleset.

[zn0k]

>>In end, default behavior of NAT (outgoing traffic always allowed, incoming only in response to outgoing) gave us the auto-configuration ability that we needed, and the result was something much more secure than would have existed if the firewall was optional.

How is that better than shipping a stateful firewall with a default configuration that allows all outgoing traffic, allows all related inbound traffic (i.e. all traffic in connections initiated by an inside machine), and drops everything else?

Re:Consistent and Manditory Ruleset.

[radish]

Nothing whatsoever, if that's what you choose. But 99% of users don't want to do that, and don't know how to configure things to allow it safely. In your case you can get a static IP or three, or even with NAT it's easy to setup port forwarding. I really don't see the loss unless you want every machine on your network to be a port 80 web server and don't want to pay for the static IPs, which is a pretty marginal case.

Re:Consistent and Manditory Ruleset.

[MadMaverick9]

just what is so horrid about having my computer serve content by allowing connections to it?

How can I be sure that the content you are serving is the same as on the original server? How can I be sure that you are not messing with the content before serving it to me?

That's the problem with this.

Re:Consistent and Manditory Ruleset.

[Techman83]

I'm not sure why this post is modded insightful, because if you take NAT (or really PAT -> Port Address Translation) out of the equation, what you are left with is a firewall with Allow All outbound, accept related + established inbound. NAT/PAT is an ugly ugly hack that is incredibly inefficient. We could significantly reduce the load on our home routers if they didn't have to store the Port mappings that make it all possible and also remove so many ugly hacks that have had to be concocted because some protocols simply don't work with NAT.

Wikipedia has some light reading on the subject and there are plenty of resources out there. NAT/PAT != security and the thought that application writers would blame the "firewall" on the router for the problems is ridiculous, even Smoothwall comes with the option to have "Allow All Outbound" and I dare say home routers would be setup with that as default.

Re:Consistent and Manditory Ruleset.

[gbjbaanb]

I know what you're saying - its fortunate that we had NAT because then manufacturers *had* to ship with it, which in effect, made routers ship with a 'allow all outgoing, reject all incoming' firewall rule in place.

If we could have trusted them to ship with a firewall with those rules, we could have gone straight to IPv6 without any difference to what we have today.

Re:Consistent and Manditory Ruleset.

. First off it is very possible that router manufacturers would have shipped these with the firewall off to avoid confusion and misplaced blame

The netgear I bought from best buy had a fire turned on by default with REJECT ALL.

If they were enabled by default, with common ports opened up, there would still be applications (server and P2P) that would need to have incoming ports manually configured to be open in order to work

Ever hear of upnp?

Re:Consistent and Manditory Ruleset.

If we'd have had IPv6 before NAT, why would we use routers at home at all?

With IPv4 (and the inherent lack of enough IP addresses) we're using routers because we only get one public IP per end-user, so we have to share it among all the network-enabled devices in the household.

But if all those devices could have their own public IP the only problem remaining is that you get a single physical connection end-point which you have to share. A problem which is solved by a simple switches, no need for routers in the household.

Re:Consistent and Manditory Ruleset.

[pavon]

You're right of course. I was misusing "router" to mean "that multi-purpose box the user has that does DHCP, NAT, firewall, and stuff". Sometimes that box is the broadband modem, sometimes it's a wireless access point. In the case of IPv6 it wouldn't need to be a router at all. I suppose you could even do away with DHCP and let the ISP handle that, although they way I've had it explained to me, the ISP will assign the modem a block and it is up to the user (equipment) to divvy up addresses from there.

Re:Consistent and Manditory Ruleset.

[flonker]

What GP is saying is that, NAT has the same security characteristics as a firewall configured in a specific, fairly secure way. And because NAT can't be "punctured" as easily as a firewall, developers were forced to deal with the issues of running a firewall with those security characteristics. It's similar to what Microsoft is attempting with UAC. By forcing developers to deal with security, we end up with more secure programs and protocols.

If NAT never existed, most people would be using software firewalls only, and if you think NAT isn't a firewall, (you didn't say this, but I've heard it said many times), I'm sure you have strong opinions about software firewalls.

Re:Consistent and Manditory Ruleset.

[badkarmadayaccount]

How about just a standardized protocol for querying the router? From the application layer, of course. Something XML based right under a POST targeted at 192.168.1.1 ought to do it.

Instant SETI

[hey]

Could be neat. Just browser to the SETI site. click on volunteer some cycles and right away your browser (and computer) are peers working away on the problem. Nothing to install. When you are done, just navigate away.

Re:Instant SETI

[Tablizer]

In Soviet SETI, aliens find you.

Re:Instant SETI

"ReverseHTTP" in the topic title, and this is the only (lame) Soviet joke? Slashdotters are slippin' I tell ya.

Re:Instant SETI

[igrigorik]

Hmm, you don't need even ReverseHTTP for this. You can get this functionality with JavaScript and existing browsers: http://www.igvita.com/2009/03/03/collaborative-map-reduce-in-the-browser/

Re:Instant SETI

[badkarmadayaccount]

The parent's point was to get inter-node communication, which plain AJAX can't do. Though some Javascript libs can change that.

Why HTTP?

[DragonWriter]

If you want a browser to be able to send and receive asynchronous messages, rather than work on a request/response model, why not just build browsers that use a protocol designed for that use (like XMPP), rather than trying to torture HTTP into serving in that role? Its not like HTML, XML, JSON, or anything other data the browser might need to handle cares what protocol its transported over.

Simpsons did it

[rob101]

Sorry folks, old news:

Coopnet did it years ago, and HTTP(p2p) did it differently but more recently.

http(p2p)

LET ME OFF!!!!

OK, I was with you guys when you said lets make these hyper linked documents connected around the world. I was along for the ride when you said lets post the request stream to the CGI bin and let a binary dynamically generate the HTML response. I was even with you when you said that if we move the dynamic stuff to a scripting language and mixed it up with the HTML it would be more agile, I gave you a funny look but I went along. Then you told me I needed a MVC framework to manage the complexity and to get all of that mix of content and code away from each other from that scripting idea . I thought you where a little crazy, but I agreed that we may have not went down the right path with that asp, php type stuff, so I went along. They you told me that the MVC stuff was to restrictive and strongly typed and that I should do my front end in javascript and just use the back end for services and get rid of the page post model. The last time you where so dead on with a recommendation, was back in those days when you recommended the CGI posty thingy. The Ajax UI with the service backend actually worked, even though it looked like a hack to me, never the less it was really easy to be productive again, come to think of it the CGI thing was a hack too and it really was the last time I felt productive. Anyway, I don't want to hurt your feelings or anything, but I think that this one is a little crazy and kind of defeats the whole concept of the web and if you don't mind I think I want to get off of the internet now. No offense but I really am starting to get the impression that you guys HAVE NO FUCKING CLUE.

invasive tech on every web device: no thanks

[keneng]

Java plugins in the Web browser may be considered as "Vulnerable software" because it provides the "system" API among many other APIs which enables your so-called "smarter client" which people in 1994 called "fat client". We had the power to use serversockets then but we didn't. Javascript BY-DESIGN is not permitted to use the "system" api because it is part of the "thin client" design. As a result, artsy web page designers got tools that could use javascript, but not java because everyone concerned agreed it was safe-enough. That's why Java/Javascript has been mostly disabled on my browser since 1994. The combination of these two enabled is quite dangerous on a localhost.

The primary reason for http has been and always will be simply a way to link web pages to other pages. Keeping the web browser design simple allows mostly everyone a better opportunity to learn how the tools work. When everything is obfuscated, you make everything about it look like magic and exclusive to the technocrats. With SMARTER CLIENT ideas like this proposed topic, firefox and all the web browsers are all risking slowly becoming like "MS-Internet Explorer" which is plastered with undocumented vulnerabilities/opportunities open to a select illuminated few.

Popularity for software depends on its merit. Since Linux has merits, it has become popular. The different packages in linux are different in popularity because there are "different strokes for different folks". Simple to use, but sophisticated software is popular like vi, emacs, gedit, postit-notes, calendar, evince, wget, firefox, thunderbird, mplayer, ffmpeg2theora, audacity, lame, apache, shorewall, gimp and openoffice. Vulnerably complex software is not popular like MPI, PVM, Plan9, SCALA, flash-plugins. I've experimented with flash/ming and discovered first hand the flash engine can crash not only the application, but also the OS. I understand the politics of flash being used is to somehow protect the media industry because it is proprietary technology geared to provide a pay per use intenet business model for the entertainment industry. It is important to be aware that flash technology is used on most movie DVD's sold today for the menu subsystems along with helping with the obfuscation to reduce the dvd-ripping piracy. I also understand that the movie industry does everything to undermine the trend to use open-source theora format video files and ogg format audio files. Thankfully theora/ogg are the defaults in all the current Linux distributions.

You have a take a leap of faith to use a lot of these more advanced pieces of software, but if you're in a position where you need to guarantee something works and you use internet explorer with java/flash and your so-called smarter client api plugins, GOOD LUCK with that and I'll be looking for news about your company's bankruptcy notice in the following months.

Think one tool, one job. Hammer the nail. Not everything is a nail. For example you search for stuff by starting your firefox, going to google and typing the key words. You expect a response with links to other pages. That's it. There's nothing in this recipe that demands a web server in your web browser. Not everything needs to be a hammer. Not everything needs to be in the cloud either.
The one tool is firefox being the client.
The other tool is google being the web page server.
An email agent sends/receives email to the email server. That's one tool for one job.
If you want a web page server, install apache. That's the one tool for the one job.

I'm a strong believer in a clear separation of concerns because my private family pictures, although I am very proud of them are none of anyone's concern and should not ever accidently find themselves on the net. If a web browser somehow becomes a web server with your ideas, my pictures might accidently fall into unintended audiences. It's not a big deal but the fact that this accident could happen because of a software vulnerability really would piss me off. I

Serve Trade Secrets to Web Client?

[nimble_gnomi]

For many modern companies, how they do what they do is their added value.

From a commercial perspective, one of the beauties of having your software on your own server (HTTP or otherwise) as opposed to distributing an executable application is that the distributed exe is much easier to reverse engineer than when it is on a black box many routers and a few firewalls away from the hopeful reversing engineer.

Make sure you're not delivering business logic/intellectual property/key processes to all of their web clients. /gg

This guy is running an SW dev effort?

What a fundamental lack of understaning you convey concerning programming in the real world. You can use many many different variations of interprocess communication and have as many various daemons that you would like on both sides of an internet session. You merely need to get your users to agree to run the various daemons. These daemons would open sockets with daemons on a server, and you would have your smart client side thing going on. But really, given your fundamental misunderstanding about networking, and that HTTP is but one of many possible protocols, you run a company?
Really? You are running a development effort? Seriously, dude, you are not qualified. You need to go back to clown college. Must be nice to be a member of the Builder-bergs.

WASSUP DAWG

I herd you like to browse the web so we put a web server and a proxy in your web browser so you can serve web pages while you browse!

Sockets

[RAMMS+EIN]

Does this mean we're finally getting proper sockets, instead of having to do everything through HTTP requests? I've been advocating this for years ...

Re:Sockets

[julesh]

Does this mean we're finally getting proper sockets, instead of having to do everything through HTTP requests? I've been advocating this for years ...

Yes. And no. The HTML5 spec includes a sockets-like API. However, it's intentionally crippled so that you can't use it to communicate with an application that hasn't been specifically enabled to communicate with it (i.e. it uses its own handshake protocol to ensure it's talking to a system that's designed to talk to it).

Through thick and thin

[some-old-geek]

Remember the old days, when the browser was superior because it was a thin client? Maybe we need a term for the thickening of clients... Americanisation?

Web server for mobile phone

[Ecyrd]

You can try a web server for your phone: http://www.mymobilesite.net/.

Web application

[Max_W]

Some application will always rely on local computing power: something like GIMP, or even using PHP scripts in XAMPP on local machine for, say producing miniatures of larger photos.

But distributed business network application can realistically exist only via server-client model.

If they want rely on an installed software on client's side - let them try it. I've been there. It is insane. PCs get broken, installed EXE stop working for unexplainable reasons, and so on and so forth. All I had to do is: install and re-install, endlessly. Sometimes somebody got a good idea and they moved to thin clients at that office. I had to install EXE for 4 hours on the thin client! Searching missing DLLs all over Internet.

Now we moved to server-SSL-client model. I do not care what is going on locally. Here is your login and password and it's you life.

Besides even in the server-client model a lot of things are done on local PC: rendering pages, handling javascript.

Re:Web application

[Max_W]

Sometimes even browsers does not work in remote offices. But since these are well-known applications somehow it always possible to get one of them working.

So we can tell a user now - call us when you can open a web page from Internet, any web-page in any browser. And somehow it is almost always successful, somehow they can always get it.

Certainly, local IT should look that an anti-virus is installed, OS is updated and that dubious sites are not visited, since if a machine is infected with a trojan - forget about any security either it server-client or EXE.

Re:Web application

[DragonWriter]

But distributed business network application can realistically exist only via server-client model.

A distributed P2P model certainly works better for distributed business applications; server-client is inherently highly centralized rather than distributed. "Centralized applications serving remote users" and "distributed applications" are two very different problem domains.

Re:Web application

[Max_W]

Thank you for pointing it out. I certainly meant server-client application for remote users, not P2P distributed application.

If users of your application are technologically advanced and you have control over proxy settings in your remote offices, over IT policies on PCs you can try different approaches.

In my case, I had to explain over telephone where to type URL address in browser to a user who had been using this web application for several months. It was just his start page and after the OS re-installation he was lost.

Still I could explain him what is the address bar in browser (white horizontal line at the top of the window). To explain how to install P2P EXE and configure it would be impossible. I would have to ask local IT colleague do his for me, but they are busy with many other things. So it would be my problem to make things work in a remote office.

These are the problems of the real world, and often developers write solutions thinking of users of a solution as of computer geeks. But often they are not and they have little patience with convoluted installations and configurations of EXEs.

As we moved from EXEs based application to server-client it was the end of a nightmare, of insanity, the end of jumping up at night wide awake. Now we are insulated of these problems, - "call us as soon as you get on your PC working browser, any browser, IE, Firefox, Chrome. Just get to the point that you are able to open a web-page on Internet and then call us." That's it.

Upgrading is also easy, just upgrade in one place and everyone gets it.

Re:Web application

[DragonWriter]

Thank you for pointing it out. I certainly meant server-client application for remote users, not P2P distributed application.

So, what you meant when you said that client-server architecture was the only way to make "distributed applications" work, what you really meant was that client-server architecture was the only way to make cleint-server applications work?

That's obviously and trivially true, of course, but not all that meaningful.

In my case, I had to explain over telephone where to type URL address in browser to a user who had been using this web application for several months. It was just his start page and after the OS re-installation he was lost.

Still I could explain him what is the address bar in browser (white horizontal line at the top of the window). To explain how to install P2P EXE and configure it would be impossible.

Of course, if P2P application hosting capabilities were built in to browsers, "installing and configuring" a node of a distributed P2P application could, potentially, be made nearly as easy as accessing a web page.

Re:Web application

[Max_W]

I meant that the users of a business application are distributed over a large geographical area. I certainly did not meant an abstraction of a P2P distribution.

I think that P2P has its place like EXE application, say GIMP, or FileZilla, or Excel.

But a business application, which involves e-commerce, sales, etc., several offices, a server-client model by my experience, not exhaustive certainly, is the only working solution.

If you and me were the users of an application we would make something smart and fancy certainly, but for a real world setup server-client is the way to go.

Re:Web application

[DragonWriter]

But a business application, which involves e-commerce, sales, etc., several offices, a server-client model by my experience, not exhaustive certainly, is the only working solution.

Client-server is probably the dominant model for the user-facing front-end, but distribution of all kinds of backend function between nodes which are functionally peers (whether its called P2P or server-server) has been common for some time in all kinds of business environments, is a major use for asynchronous messaging-based middleware, and as best I can tell is increasingly common in a wider range of applications, because they enable richer interaction between separated components than client-server does.

You cant be serious

[SplatMan_DK]

Really. You can't be serious.

And the fact that you have chosen to post as "Anonymous Coward" but at the same time show the signs of a regular ./ reader which probably has a user account, says even more than your post.

More than 3/4 of the things end-users love about computers are from rich client experiences. I very much doubt that will change. Browser are playing a catchup-game in order to approximate the most primitive things that rich clients are already capable of. And at the same time (thankfully) man-machine interfaces are evolving into new and great areas which will never fit into a browser.

If you think browser will ever get on level with the rich client you would also have to assume that the rich clients stop at their current level of evolution. And I just don't see that hapening. :-)

- Jesper

Assume the client is dumb ...

works magnificently for politicians and bankers. Also if the client contained both a browser and a web server, wouldn't that be like playing with yourself ? Of course it would facilitate working offline.

Re:Connection, yes. Server, no|There's more to it!

[paxcoder]

The key word here is: decentralization. Get a fresh webapp from a website (say, an instant messenger), and then connect user-to-user, and avoid the middle man. Faster, more secure, more private.
I understand this seems an over-feature for web browsers at this point. But unless there is an objective reason why this should be deprecated, the fact that we're used to browsers the way they are now, doesn't mean that is better for software.

Granted, for most things long polling is sufficient, but for decentralization, a web server is a must. Rationalize to see if fear of the unknown is useful in this case. Try weighing 'security' and privacy, and established standards against the opportunities.

--paxcoder