The Open Web: KDE frees the web from the browser

Posted Oct 17, 2009 12:59 UTC (Sat) by sebas (subscriber, #51660)
In reply to: The Open Web: KDE frees the web from the browser by pflugstad
Parent article: The Open Web: KDE frees the web from the browser

Well, read again: "Last but not least, Sebastian sees a security
advantage: by separating content and client-side application logic from
each other, it should be easier to build safer web applications."

Apart from that, the interview was long enough as it is, so we didn't dive
deeply into security issues (which is another pretty wide topic). If
you're interested in security aspects in project Silk, I'd encourage you
to join our mailing list, or if you're more into hands-on stuff, feel free
to help us review code.

For the social desktop applet, we've decided to not automatically update
the location of the user on the server, but have the user do that by
pressing a button. That said, any website can find out the user's rough
location just by using the agent's IP (sent to the server in the HTTP
request) and then matching it against iplocationtools. For the Selkie
browser, we're currently playing with separate processes per webapp, we're
looking into separating password and cookie storage, and so on. There are
surely some interesting things we can do security-wise, but as I said,
it's more tied to a specific case than to overall ideas (since those ideas
touch many different layers). Just shouting ".... eh security!!!!111"
doesn't really add a lot at this point.

re: ActiveDesktop ... can't say I care too much about this, or that I ever
actually used it. What exactly are you hinting at? (Hint: Silk has a much
broader scope than merely the desktop.)



The Open Web: KDE frees the web from the browser

Posted Oct 17, 2009 22:57 UTC (Sat) by pflugstad (subscriber, #224)

I read the article, and saw the comment about separating content from client-side application logic. And honestly, I'm not entirely sure what that means. The problem with most of the web is malicious content that exploits holes in the client-side application. The more client-side web applications there are, embedded EVERYWHERE as this seems to be, the more places malicious content has to look for exploits.

I know you're not trying to recreate Java/CLR, or even JavaScript, but in order to be compelling over browser-based content, your application is going to have to provide content with similar features and ability to interact with the desktop.

And, to make an example: some malicious content crashes one applet, and now, thanks to the centralized identity management, it has access to ALL my online passwords, emails, etc. Yes, this is possible today, but the diversity of locations and mechanisms makes it much more difficult.

And that doesn't answer the other half of the security question: how secure is MY data when it's on the "web". This is where Facebook falls flat - give one Facebook application access to your data, and they get access to ALL your data, and your friends' data and your friends' friends' data, or some such nonsense. Security was clearly an afterthought on that social network site. Is any thought being given to how to put up boundaries around the information we provide to the myriad of applets and web-integrated desktop you're creating?

W.r.t. my ActiveDesktop comment: Microsoft tried to "integrate" the web into the desktop, 10 years ago. It flopped massively: it was a performance pig, and was just an incredibly bad idea from just about any angle you care to look at. I don't know that anything has changed in the last 10 years to make it any better of an idea - if anything, the increased threat level makes it a worse idea. So now when I fire up the KDE desktop, I'm going to get 10 more "applets" that chew up system resources, and if even one is unstable and causes problems, suddenly my whole desktop drags. Oh, and if some web server one of those applets goes to is compromised and serving up actual malicious content, the applet may crash and suddenly some cracker controls my desktop.

I guess my whole point is that security CANNOT be an afterthought on this kind of stuff. It needs to be thought about up front and included in every stage of development. My other point is that integrating the web into the desktop has been tried before... And while my shouting security may not be terribly helpful, hopefully it raises your awareness of it, and possibly others on this site.

