Smarter Clients Via ReverseHTTP and WebSockets

← Back to Stories (view on slashdot.org)

Smarter Clients Via ReverseHTTP and WebSockets

Posted by kdawson on Tuesday August 18, 2009 @09:01AM from the edges-are-not-dumb dept.

igrigorik writes "Most web applications are built with the assumption that the client / browser is 'dumb,' which places all the scalability requirements and load on the server. We've built a number of crutches in the form of Cache headers, ETags, and accelerators, but none has fundamentally solved the problem. As a thought experiment: what if the browser also contained a Web server? A look at some of the emerging trends and solutions: HTML 5 WebSocket API and ReverseHTTP."

30 of 235 comments (clear)

Min score:

Reason:

Sort:

A problem that I can see. by ls671 · 2009-08-18 09:04 · Score: 5, Insightful

A problem that I can see is that web browsers already contain enough security holes, imagine if they contained a web server ;-)

--
Everything I write is lies, read between the lines.
1. Re:A problem that I can see. by jellomizer · 2009-08-18 09:19 · Score: 2, Interesting
  
  Are you trusting the site you connect to. That is the Active X mentality. If you went to the site then it is OK.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
2. Re:A problem that I can see. by cripeon · 2009-08-18 10:19 · Score: 2, Insightful
  
  And pray tell me how exactly you're going to encode a "/" in the file name?
Connection, yes. Server, no. by Animats · 2009-08-18 09:10 · Score: 4, Insightful

There's nothing wrong with a browser establishing a persistent connection to a server which uses a non-HTTP protocol. Java applets have been doing that for a decade. That's how most chat clients work. Many corporate client/server apps work that way. In fact, what the article is really talking about is going back to "client-server computing", with Javascript applications in the browser being the client-side application instead of Java applets (2000) or Windows applications (1995).
But accepting incoming HTTP connections in the browser is just asking for trouble. There will be exploits that don't require any user action. Not a good thing. Every time someone puts something in Windows clients that accepts outside connections, there's soon an exploit for it.
1. Re:Connection, yes. Server, no. by Scootin159 · 2009-08-18 09:25 · Score: 3, Interesting
  
  While I agree with the parent, that accepting incoming connections is a bad thing - it may also be the "killer feature" to implement IPv6. Auto-configuring clients to support incoming connections is inherently difficult in NAT.
2. Re:Connection, yes. Server, no. by ls671 · 2009-08-18 09:36 · Score: 2, Interesting
  
  > But accepting incoming HTTP connections in the browser is just asking for trouble.
  Exactly, transparent caching proxies would seem to solve issue in a simpler and easier to manage way. Then again, providers trying to implement caching proxies that I know of have all abandoned the idea after trying it. Their customers complained to much and it brings all sort of problems with the transactional behavior of an application.
  So people do not like caching proxies, why would they like one in their browser ? Why would they like getting content from another user browser instead of from the original source ?
  Also, we live in a economy where we try to boost demand. I observed this trend many years ago: The more we go into the future, the less we seem to be concerned about bandwidth. Bandwidth is getting cheaper and cheaper and providers want to sell more bandwidth ;-)
  Bandwidth usage is meant to go up anyway so I do not see their concept fly. I mean if we are really concerned about bandwidth that much, let's start by design application properly and use what is already in place (cache, expiry headers, etc.) properly, which is seldom the case in the applications that I have seen.
  
  --
  Everything I write is lies, read between the lines.
3. Re:Connection, yes. Server, no. by raddan · 2009-08-18 09:48 · Score: 2, Informative
  
  I don't think you're going to see people give up NATs easily. NAT is a bona fide security feature, not just a consequence of having a LAN. This is the same thing that makes detecting bad segmentation faults possible in an operating system, and from that perspective, a separate address space is very desirable.
  
  Any kind of 'fundamental change' that happens on the Internet needs to accept that NATs part of good architecture. You really want your toaster on the same address space as your Cray?
4. Re:Connection, yes. Server, no. by Dragonslicer · 2009-08-18 10:12 · Score: 4, Insightful
  
  NAT is a bona fide security feature, not just a consequence of having a LAN.
  What security does it provide that a REJECT ALL firewall rule wouldn't?
5. Re:Connection, yes. Server, no. by DiegoBravo · 2009-08-18 10:43 · Score: 3, Insightful
  
  > What security does it provide that a REJECT ALL firewall rule wouldn't?
  The security that most users don't have any idea about how to configure a REJECT rule, even if they have a firewall at all.
Problem? by oldhack · 2009-08-18 09:11 · Score: 4, Insightful

I thought dumping the load on the server was the desired design feature. What is the problem they are trying to solve? Good old rich client model has been around for some time now.

--
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
1. Re:Problem? by ceoyoyo · 2009-08-18 09:19 · Score: 5, Funny
  
  Ah, but the young 'uns have forgotten that anybody did anything before they came along. So "the network" is synonymous with "the web" and if you want to send any information it better be over HTTP. So bidirectional HTTP means you can communicate in both directions!
  Next they're going to figure out that if you move the web app out of the browser you can have a much richer GUI experience.
2. Re:Problem? by Tablizer · 2009-08-18 10:03 · Score: 2, Funny
  
  What? There were computers before 1985?
  Yes, but they were disguised as mere keyboards to fool you toddlers.
  
  --
  Table-ized A.I.
3. Re:Problem? by digsbo · 2009-08-18 10:18 · Score: 2, Informative
  
  The problem is that this is not funny, but painfully true. The problems of cross-platform client GUIs are all being solved again, but on top of several new layers of APIs with little value-add and a big performance hit. If you want to write a client-server app, please do so! Stop trying to make the browser the cross-platform widget toolkit.
  
  I've seen good developers try to use UDP instead of TCP to save a few bytes of overhead, and they failed. How will web developers without any concept of network programming theory manage to recreate (or even use) a persistent, robust, and high-performance connection over HTTP? I doubt it will work well. We'll end up with more kludge layers between the browser, OS, browser plug-ins, etc....
4. Re:Problem? by ceoyoyo · 2009-08-18 10:29 · Score: 2, Insightful
  
  I once had a PhD supervisor who had a problem. He was setting up a database for this group who needed to be able to enter a few very simple bits of information for a clinical trial. I told him it would be no problem - whip up a little app in Python using Wx or QT that does nothing but display a few fields and create a new row in the database when you hit submit. Maybe do a little bit of checking and pop up a dialog box if it was a duplicate.
  But no... it had to be a web app. So after hiring a database guy, setting up a hefty content management system and writing a bunch of code, the original group decided to use Access.
5. Re:Problem? by radish · 2009-08-18 13:08 · Score: 2, Informative
  
  That just shows he doesn't know what he's doing. The exact same little python script could have generated a simple web form and submitted to the DB.
  
  --
  ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
Is this a follow-up to the previous story? by gatekeep · 2009-08-18 09:11 · Score: 3, Funny

This seems to closely relate to the next story currently on the frontpage; Predicting Malicious Web Attacks
Re:Going backwards by Tynin · 2009-08-18 09:26 · Score: 3, Insightful

I mostly agree, however I believe much of the initial push to move processing out to the 'cloud' was because clients likely had limited hardware. Now days client hardware is rather beefy and could handle some more of the load that the server doesn't need. That said, I think a web browser that opens ports and is listening for connections on my computer would make me more than slightly wary.
HTTP isn't dumb, it's just minunderstood. by EvilJohn · 2009-08-18 09:28 · Score: 4, Insightful

So really....
HTTP isn't dumb, it's (mostly) Stateless. Instead of that, what about building net applications around stateful protocols instead of some stupid hack and likely security nightmare?

--

Less Talk, More Beer.
1. Re:HTTP isn't dumb, it's just minunderstood. by iron-kurton · 2009-08-18 09:52 · Score: 3, Insightful
  
  Here's the thing: stateless works everywhere there is any internet connectivity. Imagine having to define a long-lasting stateful protocol around slow and unreliable internet connections. But I do agree that the current model is inherently broken, and maybe we can get away with defining short-term stateful protocols that could revert back to stateless....?
  
  --
  Change is inevitable, except from a vending machine -- Robert C. Gallagher
Re:Going backwards by Locklin · 2009-08-18 09:29 · Score: 3, Insightful

The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.

--
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
Re:Perhaps I just don't understand TFA, but... by Locklin · 2009-08-18 09:37 · Score: 2, Informative

Scenario: I'm pointing my browser at a server I run at home. In my browser I run a small webserver that can access a commandshell. Cool, now I can work from home despite a firewall and lack of software :) Sorry dear sysadmin, your firewall just got a few new holes in it :)
I used to do that on my University's network with a reverse SSH tunnel. You could even do it over port 80 if they blocked outgoing 22. The only issue would be if you could install that webserver on a locked-down machine that has no SSH client.

--
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
Re:The web-application-forever-trend? by Algan · 2009-08-18 09:45 · Score: 3, Insightful

With thin clients, people already have a (somewhat) standardized client. You don't have to worry about deployment issues, software updates, system compatibility issues, etc. It's there and it mostly works. If you can develop your application within the constrains of a thin client, you have already bypassed a huge pile of potential headaches. Even more, your users won't have to go through the trouble of installing yet another piece of software, just to try your app.

--
If con is the opposite of pro, is Congress the opposite of progress?
Re:Going backwards by tomhudson · 2009-08-18 10:07 · Score: 2, Insightful

The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.

Exactly. The original web was supposed to be read-write. A combination of companies that wanted to ream people for $50/month for hosting a simple hobby site and ISPs that wanted to upsell you a $100/month "business internet package with 1 static IP" are the guilty parties.
Of course, the Internet routes around such damage, so we have home servers operating on alternate ports, ultra-cheap hosting plans, and dynamic dns.
FAT CLIENT is NOT the right FIX by Tablizer · 2009-08-18 10:16 · Score: 2, Interesting

What's needed is a "GUI Browser" standard that is meant for C.R.U.D. screens (business screens and forms) instead of what HMTL is: An e-brochure format bent like hell to fit everything else. You can only bend the e-brochure model so far. We don't need "fat clients" really to solve most of the problem, but really just a better GUI browser so that we are not sending over 100,000 lines of version-sensitive JavaScript just to emulate (poorly) a combo-box, data grid, or folder/file outline tree widget. That's like inventing a cell-phone just to call your next-door neighbor.

--
Table-ized A.I.
A problem that I can't see. by paxcoder · 2009-08-18 10:28 · Score: 2

Why is this any different from the classic thing?
All it does is enables the "server" to send data even if the "client" doesn't request them each time (doesn't refresh). Instead of trusting AJAX code gotten from the server and "refreshing" parts of pages in set intervals, why not just trust the socket which will provide the info necessary for the "refresh"? I don't see any new problem introduced here.
Please explain if you do.
Consistent and Manditory Ruleset. by pavon · 2009-08-18 11:23 · Score: 5, Insightful

I actually do think that NATs have been a boon to end-user security, more so than firewalls would have been, because they created a (relatively) consistent ruleset that software developers were then forced to accommodate. Hear me out.
Imagine an alternate universe where IP6 was rolled out before before broadband, and there was never any technical need for NAT. In that case the consumer routers would have all come with firewalls rather than NAT. First off it is very possible that router manufacturers would have shipped these with the firewall off to avoid confusion and misplaced blame: "I can't connect to the internet, this thing must be broken". If they were enabled by default, with common ports opened up, there would still be applications (server and P2P) that would need to have incoming ports manually configured to be open in order to work. Most users wouldn't be able to figure this out, and the common advice between users would become "If it doesn't work disable the firewall".
And the fact of the matter is that requiring a novice user to configure his router just to use an application is not a good approach. There needs to be some sane form of auto-configuration. Even if the firewall tried to implement this internally, you would run into problems with different "smart firewalls" behaving differently, which would create even more headache for application developers.
With NAT you have the same problem in that manually configuring port forwarding is confusing to users. The difference is that there is no option to disable NAT. So it became the application developers' problem by necessity, and this is a good thing, because they are better suited to handle technical problems than the end user is. It was a major pain in the ass, but eventually all the router manufactures all settled on similar heuristics on how to fill the NAT table based on previous traffic, and we learned strategies to initiate P2P traffic that didn't require user intervention.
In end, default behavior of NAT (outgoing traffic always allowed, incoming only in response to outgoing) gave us the auto-configuration ability that we needed, and the result was something much more secure than would have existed if the firewall was optional.
1. Re:Consistent and Manditory Ruleset. by Hooya · 2009-08-18 11:44 · Score: 2, Insightful
  
  > outgoing traffic always allowed, incoming only in response to outgoing
  thus began the end of the world wide web. in it's place we have the next gen *cable* with producers and consumers. no wonder comcast is looking to buy disney or other "content producers".
  just what is so horrid about having my computer serve content by allowing connections to it? someday we will be so damn secure that no one will be able to talk to anyone else.
2. Re:Consistent and Manditory Ruleset. by Nursie · 2009-08-18 12:00 · Score: 2, Insightful
  
  YOU can, because you know what NAT is and how to port-forward and various other things.
  Most people don't. Leave them in their little walled gardens, it's safer for them there.
Why HTTP? by DragonWriter · 2009-08-18 11:48 · Score: 2, Insightful

If you want a browser to be able to send and receive asynchronous messages, rather than work on a request/response model, why not just build browsers that use a protocol designed for that use (like XMPP), rather than trying to torture HTTP into serving in that role? Its not like HTML, XML, JSON, or anything other data the browser might need to handle cares what protocol its transported over.
Re:Sockets by julesh · 2009-08-18 21:18 · Score: 2, Interesting

Does this mean we're finally getting proper sockets, instead of having to do everything through HTTP requests? I've been advocating this for years ...
Yes. And no. The HTML5 spec includes a sockets-like API. However, it's intentionally crippled so that you can't use it to communicate with an application that hasn't been specifically enabled to communicate with it (i.e. it uses its own handshake protocol to ensure it's talking to a system that's designed to talk to it).