Slashdot Mirror


Skype For Microsoft Edge Will Work From the Browser, No Plug-Ins Required

We mentioned a few months back Microsoft's beta of a browser-based interface to Skype. Now, reports Engadget, Skype will be able to work without a plug-in (as was required for the beta). However, it will work -- at least at first -- only with Microsoft's Edge browser. The latest Windows 10 Insider Preview build comes with Object RTC API. That's the element that allows real-time audio and video communication without the need for any installation not just for Skype for Web and Outlook.com, but also for other WebRTC-compatible services. To note, Chrome, Firefox and Safari all support WebRTC standards, but it's unclear if and when Skype will enable a plug-in-less experience for those browsers, as well.

  1. Separate code from data by Anonymous Coward · · Score: 5, Insightful

    Please don't run executable code inside my document viewer.

    kthxbye

    1. Re:Separate code from data by ChunderDownunder · · Score: 2

      Plugin Framework??? That is sooooooooo last millennium. We've killed off Flash, Java and the Acrobat Plugin because they were security nightmares.

    2. Re:Separate code from data by Dutch+Gun · · Score: 2, Insightful

      The entire reason we want these things as plugins is so that I don't have to have them installed if I don't use them. Turning executable code into a plugin does NOT make it insecure. The only thing a plug-in does is to make that code *optional* for each user. You want a minimal default attack surface, and adding built-in extras broadens that surface unnecessarily.

      The reason Flash, Java, and Acrobat Reader plugins are insecure is because they were written long before internet security was a thing. Even today we're seeing new zero-day exploits in Flash that give arbitrary data user-level access. Why does anyone believe that the Skype codebase won't be subject to the same sort of attacks and vulnerabilities once it becomes part of the browser?

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:Separate code from data by phantomfive · · Score: 2

      >Please don't run executable code inside my document viewer.

      Welcome to......Javascript? It's a little late for that, really.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Separate code from data by westlake · · Score: 2

      >Please don't run executable code inside my document viewer.

      The mainstream web browser ceased to be a simple document viewer a long time back. The browser is an anomaly

    5. Re:Separate code from data by ChunderDownunder · · Score: 3, Insightful

      >Why does anyone believe that the Skype codebase won't be subject to the same sort of attacks and vulnerabilities once it becomes part of the browser?

      Because with plugins you're relying on a separate sandbox model from the rest of the browser.

      I'd sleep more soundly at night knowing that the executable code used to make video calls through WebRTC was running through exactly the same sandbox as other executable code such as asm.js, or that the inbuilt PDF viewer in Firefox (dog slow that it may be) was running with the same JavaScript security execution model rather than relying on an external engine (and yes, Mozilla do have a Flash implementation that works in a similar way to PDF.js).

      There will be security holes in any implementation but there's one attack surface for the entire web platform rather than one for each browser plugin. And at the end of the day I'd rather trust Mozilla or Google to release timelier fixes for their web browsers than rely on Microsoft's Skype plugin to be updated.

      So broadly I'm in favour of cross platform technologies such as video chat 'bloating' the HTML5 spec rather than relying on proprietary browser plugins.

    6. Re:Separate code from data by Anonymous Coward · · Score: 2

      This.

      Apparently Microsoft looked at the way Mozilla is handling Firefox and thought now was the time to throw their hat into the ring by including more crap into the browser. Even though, as already pointed out, they should know better by now because of things like ActiveX.

      There really needs to be a solid basic web browser with no cruft. Perhaps allow a plugin system for features users want on a per user basis, but nothing built in. That browser should then be promoted everywhere by everyone as a good alternative. (In case I need to say it: Anyone that knows of such a browser feel free to post a link.)

      As for the reason why the Flash, Java, and Acrobat Reader plugins are unsafe, it's not because of when they were written. It's because of what they are designed to do. Both Java and Flash (via ActiveScript) are virtual machines that execute arbitrary programs. Of course if you randomly execute something from the internet without checking it first you are asking for trouble. That's why Java and Flash never should have been permitted on the web to begin with. They auto-execute anything that the browser downloads that says it's a program for it. (Or at least that was the case originally.)

      Adobe Acrobat is a document editing application. An application has no purpose consuming random data from the internet without it being checked first. Otherwise yes, it can contain a payload for a bug in the program and use it to exploit the system. Automating the opening of what should be a desktop application with data from the internet was (and still is) a very stupid idea. That warning was brushed aside by managers that wanted faster document opening and didn't care about nor have the technical knowledge to know about the consequences of such decisions.

      Long story short, if you accept random data (or worse, programs) from the internet and start using it without doing any form of basic safety / security checking on it, then yes you can (and probably will) get hacked by it. Web browsers are for viewing documents from untrusted sources. It's an abuse of web browsers to be using them for other purposes, and yes it's extremely dangerous to use a web browser in place of what should be a desktop application. Putting more crap into web browsers that should be desktop applications (like Skype) is NOT what we should be doing if we want to protect the internet and its users.

  2. mmm surveillance. by Last+Warrior · · Score: 3, Insightful

    I suspect we'll be getting the always on, talk to your web browser functionality so you don't have to click anything when you want to make a call. You can just say "Skype, call my mom" and bing, Skype will inform Microsoft, the NSA, and your mom that you want to talk. And when you don't want to talk to mom, Skype will make sure any naughty keywords you use while sitting at your computer are also promptly forwarded to the NSA as well.

    1. Re:mmm surveillance. by Kjella · · Score: 4, Funny

      >And when you don't want to talk to mom, Skype will make sure any naughty keywords you use while sitting at your computer are also promptly forwarded to the NSA as well.

      As long as the NSA isn't forwarding the naughty keywords to my mom....

      --
      Live today, because you never know what tomorrow brings
  3. Not gonna help Edge get market share by ITRambo · · Score: 4, Informative

    With Windows 10 at ~9% market share of desktop OS's, Edge is currently at ~2%. Incorporating Skype isn't going to help Edge attract many more users, if any, since it still is not compatible with many websites and crashes more than other browsers. I use Edge solely to open my Outlook.com mail since the Mail app in Windows 10 won't do the job. The whole Windows 10 situation is quite fubar, it seems to me.

  4. Re:Too late by Anonymous Coward · · Score: 3, Insightful

    >Unfortunately, Microsoft has completely ruined Skype, and they will probably never be able to recover the users they lost. My grandparents got locked out when Microsoft started requiring a Microsoft ID, so I switched them to gchat. Plugins are easy enough to install and unless Microsoft fixes the ridiculous Microsoft ID requirement, I can't see many people using Skype ever again. Let's face it, Microsoft is just not competitive with the new generation of tech companies and the only reason they lasted as long as they did is because they had a near monopoly, maintained by compatibility issues, for decades.

    I've had multiple Skype accounts for ages. Never been forced to require a Microsoft ID. Stop spouting bullshit.

  5. Re:Seriously, who cares? by gstoddart · · Score: 2

    Short version: Microsoft is going to bake in the security holes so low that it will be exploitable in epic ways.

    Just like every time Microsoft decides to embed this stuff at a level nobody else can ... and there will be much pwning.

    --
    Lost at C:>. Found at C.
  6. Re:eeeee by dave420 · · Score: 2

    Extinquish? I knew you weren't playing with a full deck of cards, but still...

  7. Re:Microsoft is embracing and extending WebRTC by Lennie · · Score: 2

    You are partly correct.

    WebRTC has 2 parts: protocols & codecs (RTCWeb Working Group at the IETF) and the browser API (WebRTC at the W3C). A lot of the people are the same people.

    All parts of WebRTC were already being worked on before Microsoft really got involved. And Microsoft wanted a more low level browser API than the other WebRTC browser API that was already being worked on. Microsoft wanted this for things like Skype.

    Eventually a new community group (not workgroup) was formed at the W3C to work on a new API called ORTC.

    The working group at W3C that works on WebRTC have committed themselves to adopt ORTC. So now WebRTC has 2 APIs, only Microsoft has an implementation of ORTC. Firefox, Chrome/Chromium and Opera have another. And it looks like WebKit/Safari will get WebRTC support too.

    The older API is easier to use, because the newer API is more low level, but there are or will be JavaScript libraries which will present you with one API which should work with both.

    Having a low level isn't such a strange thing any more in browser/web development land, because as it turns out you can have JavaScript libraries which abstract the stuff most don't need to know. Because a lot of times web developers use those anyway, to abstract the differences between browsers.

    It's starting to look like more and more browser APIs will be more low level, so high level APIs can be built on top and changed more easily.

    Lots of people/companies who work together at the W3C have now basically made this policy:
    https://extensiblewebmanifesto...

    --
    New things are always on the horizon