We Need Browsers as Platforms

by jefftk · 2 min read · 9th Feb 2021 · 8 comments


It's fashionable to say that the web is bloated, and that the features built to support webapps make it too complex. You can divide the web into:

  • Documents: providing information. News, blog posts, documentation.

  • Apps: doing things. Email, spreadsheets, games.

(This is really a continuum, where a blog post with a comment section is pretty documenty but also a bit appy.)

On one hand, I completely agree that supporting apps makes the platform complex: browsers are incredibly complicated to build and work on, with such a high ongoing maintenance cost that we only have three rendering engines: Firefox's Gecko, Chrome's Blink, and Safari's WebKit (Blink is a fork of WebKit). On the other, supporting apps is much better than the alternatives.

Outside of a browser, there are essentially two models for getting applications:

  • Independent installation. You download the program from the manufacturer's website, or load it off a CD. The desktop model.

  • App store. Your OS has a list of programs that can be installed, and which have gone through some amount of review. The smartphone model.

Independent installation is decentralized, but also a security nightmare. Random users installing random software gives you botnets. App stores are centralized, which puts their operators in a position of enormous power over what users can run on their devices, and means governments can require them to take down apps.

The web has developed with the principle that it should always be safe to visit a site. As new capabilities have been added this has been critical to maintain. This means you don't need an app store, with power to reject your app.

Ten years ago Mozilla posted Booting to the Web:

Mozilla believes that the web can displace proprietary, single-vendor stacks for application development. To make open web technologies a better basis for future applications on mobile and desktop alike, we need to keep pushing the envelope of the web to include—and in places exceed—the capabilities of the competing stacks in question.
...
We want to take a bigger step now, and find the gaps that keep web developers from being able to build apps that are—in every way—the equals of native apps built for the iPhone, Android, and WP7.

The web platform has come so far in supporting apps over this decade; we couldn't have made Bucket Brigade without Web Audio or WebRTC. A web developer should be able to do anything native app developers can, making apps for any device, free from vendor veto.

8 comments

There are a few places where the install-from-repository model fundamentally works better than the web model, or could work better if the repositories did a little better. One of the big ones is: when I download software (or load a webapp), I want to be sure I'm getting the same software/webapp as everyone else is. A webpage with a sandbox-escape vulnerability can serve malicious code to high-value target users, and avoid serving it to security researchers; whereas with something like apt-get or the Play Store, that sort of thing is much more difficult.

A repository/appstore also makes it feasible to refuse updates. A prototypical example of when you want this is illustrated by a recent Play Store security incident with a barcode scanner app: something which (1) doesn't have significant untrusted-network-data exposure so it isn't likely to need security updates, (2) has little room for actual improvement, and (3) is at risk of being taken over by a malicious actor, or its developer deciding to monetize it in a way that makes it worse. (I have Play Store auto-updates on my phone globally disabled for this reason, and am quite bothered by the inability to control auto-updates on a per-app basis. Chrome has a built-in outdated-version detector that will warn if using an insecure version, but most other apps with network exposure do not. So this is trading some RCE risk in order to reduce malicious-developer risk.)

Docker is not a security boundary.

It is not, but I do see people treating it that way.

(your IPFS link is wrong)

thanks, fixed

Random users installing random software gives you botnets.

This is only true in case of insufficient security mechanisms. Virtualization/containerization (for example, docker model) would allow users to run independently installed applications safely.

Similarly, I guess that the motivation for centralized store (apart from the financial motive of the store owner: Apple/Google) is to provide security through the process of vetting the apps. But again, if we had proper virtualization software, there would be no reason not to allow users to add unofficial repositories, maintained in a decentralized way.

Of course, virtualization/containerization done on the OS level is (currently) quite resource-intensive. But the alternative is even worse - with everything moved to the web, we are building (we have built...) OS inside OS! With all the problems that it entails: this "new OS" supporting really only one language, having an extremely limited set of protocols, overall not having anything close to the full environment of the proper OS.

Summarizing: why would you advocate this all just to solve intercompatibility and safety problems (which, if I read your post correctly, are the reasons for moving apps to web), instead of dealing with them properly, on the OS level?

Android does allow sideloading APKs and installing third-party app stores (ex: https://f-droid.org/), though iOS does not. An unvetted mobile app is less risky than an unvetted traditional program (with full user-level access), but still more risky than a web app.

If Android and iOS (and Windows, Linux, macOS...) put in the effort to where loading a program was as safe as visiting a webpage, that would essentially be fine. I would prefer a world in which you could write for a single platform and then run on any device with a browser, but it's the gatekeeping I'm most concerned about.

On the other hand, I can't see iOS doing this when they don't even allow custom browsers.