Is it just me? Browser based apps BAD IDEA


Telmeanius (Member)
Dec 10, 2020
I assume if you are here, then you listen to the Podcast "Security Now".
I was told of this podcast a few years ago but only started listening about 1 yr ago.

I started my IT career in Healthcare, and around the year 2000 the company I worked for went from a terminal-emulation, endpoint-based app to an IE-based (thanks to MSXML) health record system.

From the beginning my thought was... "Oh dear god... that just posts a sign out front that says COME HACK ME."
As I listened over the past year to more and more browser-based security flaws being documented, it just reinforces my original thoughts.

I'm not saying don't host in the cloud, remotely or wherever.
Online gaming has shown us that fat-client, web-based apps can work well... and even under the load of thousands of users.
And I agree some browser-based functions are needed... (ordering from "somebigbox.com").

Is it just me, or when it comes to browser-based applications, are we doomed?
Thanks
Tel
 
I am old enough to look at all these modern web apps and think: what has really changed in the last 40 years? All we seem to have done is change the protocols from 3270, async or DECnet to HTTP; it is still a terminal accessing a server.
 
I think the following comments I posted in this other thread are relevant. I think the browser should be a WINDOW or PORTAL to a remote app. I don't think it should BE the app.

Brave and Chrome Browsers NOT Secure and Private by Default

"As @Steve mentioned on the podcast, Chrome now wants to run just like an app on your PC. That is a really, REALLY, * REALLY! * bad idea. I want web apps to be the MOST restricted things on my PC, not the least restricted."

...

"I turn everything strange off. Site wants to access my data - NO. Site wants to know my location - NO. Site wants to run scripts - NO, unless I really trust them. Site wants to run third-party scripts - NO. Site wants to access any parts of my PC - NO. Site wants to install "protocols" or "handlers" - NO. Etc. The answer is NO, NO, NO unless I have a reason to allow it. The default Firefox and Brave and presumably Chrome settings are WAY too promiscuous."

Ron
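As an added example (not code from Ron or anyone else in this thread), here is the server-side counterpart to that "NO unless I have a reason" list: a small Node.js script that reads the two response headers a web app can send to restrict itself, Content-Security-Policy (where scripts and plugins may load from) and Permissions-Policy (which powerful features such as geolocation or the camera the page may even ask for), and reports what the app still leaves open. The header names and syntax are real; the two sample header sets, the list of "risky" features and the wording of the findings are this example's own assumptions.

```javascript
'use strict';

// Added example, not code from the thread. Audits how much a web app
// restricts ITSELF through two real response headers:
//   Content-Security-Policy  - where scripts/plugins may be loaded from
//   Permissions-Policy       - which powerful features the page may even ask for
// The sample header sets at the bottom are constructed for this example.

// CSP source keywords that do not widen who may run script.
const SAFE_SCRIPT_KEYWORDS = new Set(["'self'", "'none'", "'strict-dynamic'"]);

// Features this audit expects to be off unless deliberately enabled (example's own list).
const RISKY_FEATURES = ['geolocation', 'camera', 'microphone', 'usb', 'payment'];

// "directive v1 v2; directive v3" -> Map { directive -> [v1, v2] }
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// "feature=(a b), feature=*, feature=self" -> Map { feature -> allowlist }
// An empty allowlist ("()") disables the feature for every origin.
function parsePermissionsPolicy(header) {
  const policy = new Map();
  for (const part of header.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=(?:\(([^)]*)\)|(\*|self))$/i);
    if (!m) continue; // unrecognised member: skip rather than guess
    const allow = m[3] !== undefined
      ? [m[3].toLowerCase()]
      : m[2].trim().split(/\s+/).filter(Boolean);
    policy.set(m[1].toLowerCase(), allow);
  }
  return policy;
}

// Returns human-readable findings; an empty list means the app declares the
// "NO unless allowed" posture for everything this audit checks.
function auditHeaders(headers) {
  const findings = [];

  const cspHeader = headers['content-security-policy'];
  if (!cspHeader) {
    findings.push('no Content-Security-Policy: scripts and plugins from anywhere may load');
  } else {
    const csp = parseCsp(cspHeader);
    // CSP falls back to default-src when a fetch directive is absent.
    const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
    if (scriptSrc.length === 0) findings.push('script-src not restricted');
    for (const src of scriptSrc) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
        findings.push(`script-src allows ${src}`);
      } else if (!SAFE_SCRIPT_KEYWORDS.has(src) && !src.startsWith("'nonce-") && !src.startsWith("'sha")) {
        findings.push(`script-src allows third-party source ${src}`);
      }
    }
    const objectSrc = csp.get('object-src') || csp.get('default-src') || [];
    if (!objectSrc.includes("'none'")) findings.push("object-src does not block plugins (needs 'none')");
  }

  const ppHeader = headers['permissions-policy'];
  const policy = ppHeader ? parsePermissionsPolicy(ppHeader) : new Map();
  for (const feature of RISKY_FEATURES) {
    const allow = policy.get(feature);
    if (allow === undefined) {
      // Browser default for these features is to allow the page's own origin.
      findings.push(`${feature}: not mentioned, browser default applies (allowed for the page's own origin)`);
    } else if (allow.length > 0) {
      findings.push(`${feature}: allowed for ${allow.join(' ')}`);
    }
  }
  return findings;
}

// Constructed sample header sets (lowercase names, as Node's http module exposes them).
const PERMISSIVE_APP = {
  'content-security-policy': "default-src 'self' https://cdn.example.com 'unsafe-inline'",
  'permissions-policy': 'geolocation=*, camera=(self)',
};
const HARDENED_APP = {
  'content-security-policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  'permissions-policy': 'geolocation=(), camera=(), microphone=(), usb=(), payment=()',
};

for (const [label, headers] of Object.entries({ PERMISSIVE_APP, HARDENED_APP })) {
  const findings = auditHeaders(headers);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log('  - ' + f);
}
```

Run it with `node audit.js` (any filename). The permissive set produces eight findings, including the CDN script source, `'unsafe-inline'` and the wide-open geolocation; the hardened set produces none. The point is that the restrictions a user toggles off in the browser can also be declared by the app, so a browser honouring both will end up at the intersection.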
 
I respectfully disagree. The technologies made to address most applications are subpar at best. Web tech was a way to realize the write-once-run-everywhere idea with full flexibility in how that could be realized. People are creative, and it is important to allow full creativity; to do so in most desktop applications is a huge ask. Web tech offered so much out of the box that it is much easier and more approachable for creatives to create.

That said, web tech originated from document tech, and what it is these days, although a blessing, is not the best foundation for application code. However, I would like to state that there are some big advantages, because the VM (the browser) is so readily available everywhere. Unlike how X Windows ran the program on the server but the client rendered the instructions, the web works like that. I think it is a misnomer to think that the application code on the client is malicious by design.

Like any technology, there are bad actors. And even more not-so-bright developers, and even more managers, companies and industries who don't care about security. I don't think it is fair to blame the technology when those who use and create in it keep making houses with no doors. SQRL can be made in JavaScript; does that make SQRL insecure because it was written in JavaScript? No, it makes it as secure as it could be based on who wrote it and how.

Sure, some choices are strange (like using Windows XP on a kiosk when Linux is better suited). I just don't think it is fair to poo-poo the whole thing because of some bad choices when using the thing.

Personally, I think there should be a clear distinction between a web page and a web app. The two should be separate and have different security implications and concerns. The idea that they are one and the same these days is just silly.

Disclaimer: I write web apps for a living and as a hobby. I don't wish to use a different tech; I like the state it is in. I am also careful where and how I handle security based on the attack vectors for a given situation. Not many do.
 
Hi Sukima.
Great reply.

As I had stated in my post, browser-based actions are needed and work really well in a lot of cases.
All I am trying to say is, when it comes to applications that truly have a need to be secure, like healthcare or XYZ company's budget items, any and all "browser-based applications" have a fundamental design that prevents a truly secure experience: flexibility and modulation.
But what we are giving up for flexibility is security.
The biggest hole in browser security is the option for plugins and add-ons...

And yes, it is nice to go down to the local car lot and rent/lease a car purely for the "I don't need to do anything maintenance-wise"; the dealership handles all that mess for me... I just fill it with fuel and go...
The browsers do most of the heavy lifting, and all we need to do is focus on the "ask": what do I want my app to do??? Then, will the browser let me do it???

Back to the car rental or maybe even a subway.
We don't know what we don't know about who has already been in the car.
Was it cleaned lately, or ever?

Not busting on all browser apps... just concerned about some apps that are browser-based and maybe should not be.

Tel
 
Sukima's point about bad actors is definitely a good one. I will say, one advantage is that Google/Firefox have more power and seem more willing than Microsoft to make the needed changes for security, not to mention the quality of the code is better. That's one advantage of a browser-based app over a Win32/64 API-driven app: the underpinnings are more stable and can be designed to be more secure/malleable.