Smarter Clients Via ReverseHTTP and WebSockets 235
igrigorik writes "Most web applications are built with the assumption that the client / browser is 'dumb,' which places all the scalability requirements and load on the server. We've built a number of crutches in the form of Cache headers, ETags, and accelerators, but none has fundamentally solved the problem. As a thought experiment: what if the browser also contained a Web server? A look at some of the emerging trends and solutions: HTML 5 WebSocket API and ReverseHTTP."
A problem that I can see. (Score:5, Insightful)
A problem that I can see is that web browsers already contain enough security holes, imagine if they contained a web server ;-)
Re:A problem that I can see. (Score:2)
Re:A problem that I can see. (Score:3, Interesting)
Are you trusting the site you connect to. That is the Active X mentality. If you went to the site then it is OK.
Re:A problem that I can see. (Score:2)
Re:A problem that I can see. (Score:2)
So lets have it create a 120gig file called "-rf /" And lets see how many amateur Linux users will whip out their drives.
Re:A problem that I can see. (Score:2, Insightful)
And pray tell me how exactly you're going to encode a "/" [wikipedia.org] in the file name?
Re:A problem that I can see. (Score:2)
How is it a server if it is the one requesting a connection? This is semantic abuse! I'm calling the definition police.
Re:A problem that I can see. (Score:2)
Re:A problem that I can see. (Score:2)
Re:A problem that I can see. (Score:2)
Re:A problem that I can see. (Score:2)
Re:A problem that I can see. (Score:2)
A problem that I can't see. (Score:2)
Why is this any different from the classic thing?
All it does is enables the "server" to send data even if the "client" doesn't request them each time (doesn't refresh). Instead of trusting AJAX code gotten from the server and "refreshing" parts of pages in set intervals, why not just trust the socket which will provide the info necessary for the "refresh"? I don't see any new problem introduced here.
Please explain if you do.
Re:A problem that I can't see. (Score:2)
> Please explain if you do.
Keeping the connection alive (keep alive) enables you to do just that without running a server (e.g. listening socket) in your web browser. Yet, people do not use it much. Allowing the server to connect back to you is even more complex and I do not think it would fly that much, you would now need more complex server applications. Paying the almost costless price to establish a new connection every time is the privileged option nowadays and most applications are built with that architecture in mind.
Even only allowing the server that you already connected to to connect back to you (listening socket in the browser) is a security risk.
More explanations:
http://slashdot.org/comments.pl?sid=1340213&cid=29111783&art_pos=2 [slashdot.org]
http://slashdot.org/comments.pl?sid=1340213&cid=29112163&art_pos=1 [slashdot.org]
http://slashdot.org/comments.pl?sid=1340213&cid=29112577 [slashdot.org]
Re:A problem that I can see. (Score:2)
Connection, yes. Server, no. (Score:5, Insightful)
There's nothing wrong with a browser establishing a persistent connection to a server which uses a non-HTTP protocol. Java applets have been doing that for a decade. That's how most chat clients work. Many corporate client/server apps work that way. In fact, what the article is really talking about is going back to "client-server computing", with Javascript applications in the browser being the client-side application instead of Java applets (2000) or Windows applications (1995).
But accepting incoming HTTP connections in the browser is just asking for trouble. There will be exploits that don't require any user action. Not a good thing. Every time someone puts something in Windows clients that accepts outside connections, there's soon an exploit for it.
Re:Connection, yes. Server, no. (Score:4, Interesting)
Re:Connection, yes. Server, no. (Score:3, Informative)
Any kind of 'fundamental change' that happens on the Internet needs to accept that NATs part of good architecture. You really want your toaster on the same address space as your Cray?
Re:Connection, yes. Server, no. (Score:2)
No, they're really not. They don't add any security except a tiny bit of obscurity.
Re:Connection, yes. Server, no. (Score:2)
Re:Connection, yes. Server, no. (Score:2)
Good point, security through obscurity. Place a Linux (or any) gateway machine behind a rather cheap router, with default paranoia settings. Someone wants to run some services from the LAN to the intartubez, but he's not discoverable. Since the cheap router is very limited in it's configuration, one might spend days trying to get everything to their liking.
Alternatively, one can do wan --disable firewall then configure everything on the Linux gateway machine. Firestarter does exactly what we ask it to do, with no limit to the number of rules.
Beating my head against a wall was the price for using the ISP supplied router, commonly found with a price tag of less than $60.
Re:Connection, yes. Server, no. (Score:5, Insightful)
NAT is a bona fide security feature, not just a consequence of having a LAN.
What security does it provide that a REJECT ALL firewall rule wouldn't?
Re:Connection, yes. Server, no. (Score:4, Insightful)
> What security does it provide that a REJECT ALL firewall rule wouldn't?
The security that most users don't have any idea about how to configure a REJECT rule, even if they have a firewall at all.
Re:Connection, yes. Server, no. (Score:2)
Consistent and Manditory Ruleset. (Score:5, Insightful)
I actually do think that NATs have been a boon to end-user security, more so than firewalls would have been, because they created a (relatively) consistent ruleset that software developers were then forced to accommodate. Hear me out.
Imagine an alternate universe where IP6 was rolled out before before broadband, and there was never any technical need for NAT. In that case the consumer routers would have all come with firewalls rather than NAT. First off it is very possible that router manufacturers would have shipped these with the firewall off to avoid confusion and misplaced blame: "I can't connect to the internet, this thing must be broken". If they were enabled by default, with common ports opened up, there would still be applications (server and P2P) that would need to have incoming ports manually configured to be open in order to work. Most users wouldn't be able to figure this out, and the common advice between users would become "If it doesn't work disable the firewall".
And the fact of the matter is that requiring a novice user to configure his router just to use an application is not a good approach. There needs to be some sane form of auto-configuration. Even if the firewall tried to implement this internally, you would run into problems with different "smart firewalls" behaving differently, which would create even more headache for application developers.
With NAT you have the same problem in that manually configuring port forwarding is confusing to users. The difference is that there is no option to disable NAT. So it became the application developers' problem by necessity, and this is a good thing, because they are better suited to handle technical problems than the end user is. It was a major pain in the ass, but eventually all the router manufactures all settled on similar heuristics on how to fill the NAT table based on previous traffic, and we learned strategies to initiate P2P traffic that didn't require user intervention.
In end, default behavior of NAT (outgoing traffic always allowed, incoming only in response to outgoing) gave us the auto-configuration ability that we needed, and the result was something much more secure than would have existed if the firewall was optional.
Re:Consistent and Manditory Ruleset. (Score:3, Insightful)
> outgoing traffic always allowed, incoming only in response to outgoing
thus began the end of the world wide web. in it's place we have the next gen *cable* with producers and consumers. no wonder comcast is looking to buy disney or other "content producers".
just what is so horrid about having my computer serve content by allowing connections to it? someday we will be so damn secure that no one will be able to talk to anyone else.
Re:Consistent and Manditory Ruleset. (Score:3, Insightful)
YOU can, because you know what NAT is and how to port-forward and various other things.
Most people don't. Leave them in their little walled gardens, it's safer for them there.
Re:Consistent and Manditory Ruleset. (Score:2)
Nothing whatsoever, if that's what you choose. But 99% of users don't want to do that, and don't know how to configure things to allow it safely. In your case you can get a static IP or three, or even with NAT it's easy to setup port forwarding. I really don't see the loss unless you want every machine on your network to be a port 80 web server and don't want to pay for the static IPs, which is a pretty marginal case.
Re:Connection, yes. Server, no. (Score:2)
Exactly. The only thing NAT gives you that a default policy of REJECT or DROP doesn't is extra latency and higher CPU load on the firewall.
NAT also makes it harder to figure out who the badguy is if one of the internal machines attacks a remote machine (for example, because it got a virus or some employee is running something they shouldn't be).
Re:Connection, yes. Server, no. (Score:2)
Re:Connection, yes. Server, no. (Score:2)
NAT provides exactly the same security as a connection-tracking firewall -- there is no further benefit to address translation over a dynamic firewall with the same rules. Dropping the NAT part makes it about 11,000 times easier to run services on the inside, particularly if they use multiple connections (e.g. FTP, SIP) in the course of a session, and it removes the "only 1 person can run a service on the default port" limitation introduced when you put more than one system behind a single address.
Re:Connection, yes. Server, no. (Score:2)
Re:Connection, yes. Server, no. (Score:3, Interesting)
> But accepting incoming HTTP connections in the browser is just asking for trouble.
Exactly, transparent caching proxies would seem to solve issue in a simpler and easier to manage way. Then again, providers trying to implement caching proxies that I know of have all abandoned the idea after trying it. Their customers complained to much and it brings all sort of problems with the transactional behavior of an application.
So people do not like caching proxies, why would they like one in their browser ? Why would they like getting content from another user browser instead of from the original source ?
Also, we live in a economy where we try to boost demand. I observed this trend many years ago: The more we go into the future, the less we seem to be concerned about bandwidth. Bandwidth is getting cheaper and cheaper and providers want to sell more bandwidth ;-)
Bandwidth usage is meant to go up anyway so I do not see their concept fly. I mean if we are really concerned about bandwidth that much, let's start by design application properly and use what is already in place (cache, expiry headers, etc.) properly, which is seldom the case in the applications that I have seen.
Re:Connection, yes. Server, no. (Score:2)
How would this peer2peer like static content propagation be really useful in a modern web application ? It is not worth the security implications (basically the same as running any p2p client)
Most web applications have dynamic content nowadays you know.
Would you rather to get stale Slashdot articles from the browser running in your neighbor's computer or to get them fresh from Slashdot ?
Again, nothing here that caching proxies don't already do, and people do not like caching proxies as I explained above in the GP.
Re:Connection, yes. Server, no. (Score:2)
I understand your point, you are basically saying that we should incorporated fancy p2p capabilities into web browsers ;-)
My point is that it is a bad idea security wise. I use p2p clients/servers to do p2p ( Note: p2p clients are also servers). I admire p2p algorithms just as much as you might do but let's use right tools for the right job.
A lot of people, especially big corporations, won't like the idea of having their employees running p2p clients/servers incorporated in their web browsers either ;-)
People running p2p clients/servers should understand the issues and risks. Computers are not sold with p2p clients/servers already installed into them. Computers are sold with pre-installed web browsers. Think about the "Grandma" type of users.
Cheers ;-)
TCP, by any other name, would thou smell as sweet? (Score:2)
This is yet another stupid patch for the fundamental design flaw of HTTP: I was never supposed to used to mimic a persistent connection. Why keep running through ever more complicated mazes, and just build a freakin browser that maintains a connection with the host? (rhetoric, I'm not really asking this as a question...)
if you want plain HTML, use a browser. If you want a TCP/IP connection, use a HTTP connection with AJAX, Java applets, server state, cookies, keep alive headers, hidden form values and viewstate to SIMULATE ONE...
Re:Connection, yes. Server, no. (Score:2)
It's also a stupid, stupid idea. On top of the security concerns, it's a waste of resources, both along the network route, and at the endpoints (mmmm... even more sockets for the web server OS to keep track of). And it's a huge hassle for firewalls.
Honestly, I've been a defender of the whole thick-ish-web-client revolution, but this is just getting ridiculous. HTTP is a request-response protocol. If you need something interactive, use a frickin' interactive protocol. Why the hell would you shoehorn it into HTTP, save to prove that you can?
In short: re-inventing non-passive FTP using HTTP is stupid. Very very stupid.
Re:Connection, yes. Server, no. (Score:2)
Well, I already did persistent JavaScript-only connections in 2003-2005. I used an object tag, and then requested a page. that page did never end, and continued to include new JSON snippets which immediately executed. When it got too big, the response ended with a location.refresh().
A second object tag included a form with a "never ending" POST.
But it did not work so great, so I changed it to single "packets" (form submissions and receivings). Which also allowed them to be done in a single object tag.
Then I went so far to abstract it into a network socket and lay a file system on top of it. The server was PHP. (Company requirement.)
I even had a compression and a encryption module. But since the whole thing was already very slow, and there was no actual point to it, I left them out.
The result was this mock "OS" including a "kernel", a widget library, and starting to get what you would expect from a OS [radiantempire.com]. :)
Mind you that this is a early alpha, because the project got canceled when I left the company. Nobody else in the company understood or cared to understand how it worked.
Since the company is officially really really dead, I think it's OK to put it out there.
Problem? (Score:5, Insightful)
Re:Problem? (Score:5, Funny)
Ah, but the young 'uns have forgotten that anybody did anything before they came along. So "the network" is synonymous with "the web" and if you want to send any information it better be over HTTP. So bidirectional HTTP means you can communicate in both directions!
Next they're going to figure out that if you move the web app out of the browser you can have a much richer GUI experience.
Re:Problem? (Score:2)
This wouldn't be so funny if it weren't so true :D
At least I no longer have to use a teletype for my batch output...
Re:Problem? (Score:2)
You know, I've heard this cool idea being kicked around of using a printer to automatically produce a hard copy of the console output. Sort of like a log, but on paper. It seems it might just be the next big thing!
Re:Problem? (Score:2)
That would be especially useful whenever the system has a problem - then you would be able to read back the whole issue, and it wouldn't get deleted on reboot!
Re:Problem? (Score:2)
Re:Problem? (Score:2, Funny)
Yes, but they were disguised as mere keyboards [wikimedia.org] to fool you toddlers.
Re:Problem? (Score:2)
Wait, there were computers before the Internet??!1
Re:Problem? (Score:3, Informative)
I've seen good developers try to use UDP instead of TCP to save a few bytes of overhead, and they failed. How will web developers without any concept of network programming theory manage to recreate (or even use) a persistent, robust, and high-performance connection over HTTP? I doubt it will work well. We'll end up with more kludge layers between the browser, OS, browser plug-ins, etc....
Re:Problem? (Score:3, Insightful)
I once had a PhD supervisor who had a problem. He was setting up a database for this group who needed to be able to enter a few very simple bits of information for a clinical trial. I told him it would be no problem - whip up a little app in Python using Wx or QT that does nothing but display a few fields and create a new row in the database when you hit submit. Maybe do a little bit of checking and pop up a dialog box if it was a duplicate.
But no... it had to be a web app. So after hiring a database guy, setting up a hefty content management system and writing a bunch of code, the original group decided to use Access.
Re:Problem? (Score:3, Informative)
That just shows he doesn't know what he's doing. The exact same little python script could have generated a simple web form and submitted to the DB.
Re:Problem? (Score:2)
That still means writing a script, setting up a database AND setting up (and maintaining) a web server with the extras to both run Python and talk to the database. Just so you can type a URL into your web browser instead of double clicking on an icon.
move the web app out of the browser (Score:2)
Too late.
http://labs.mozilla.com/prism/ [mozilla.com]
http://www.adobe.com/products/air/ [adobe.com]
http://silverlight.net/ [silverlight.net]
http://www.zimbra.com/products/desktop.html [zimbra.com]
http://desktop.google.com/plugins/ [google.com]
http://widgets.yahoo.com/ [yahoo.com]
http://www.apple.com/downloads/dashboard/ [apple.com]
http://www.microsoft.com/windows/windows-vista/features/sidebar-gadgets.aspx [microsoft.com]
http://www.screenlets.org/index.php/Screenshots [screenlets.org]
Re:Problem? (Score:2)
Next they're going to figure out that if you move the web app out of the browser you can have a much richer GUI experience.
Either that, or they move the browser into the webapp... (Seriously, I give it a year until someone writes a full-size GUI toolkit using the HTML canvas as a display device, and the GUI toolkit comes with an HTML rendering engine)
Is this a follow-up to the previous story? (Score:4, Funny)
Going backwards (Score:2)
The whole point of 'the web' was to move processing out to the 'cloud' ( sorry for the buzzword use ). Ideas like this only would continue the backwards trend of moving the processing back onto the client, which personally i feel is the wrong direction.
Re:Going backwards (Score:3, Insightful)
Re:Going backwards (Score:2)
I mostly agree, however I believe much of the initial push to move processing out to the 'cloud' was because clients likely had limited hardware. Now days client hardware is rather beefy and could handle some more of the load that the server doesn't need. That said, I think a web browser that opens ports and is listening for connections on my computer would make me more than slightly wary.
I disagree. The re-centralization of computing did not happen because of a lack of client horsepower. If anything, the aggregate client power to server power ratio has skyrocketed, and never stopped since decentralizing in the first place. I really do not understand the intent of the last decade or so of re-centralization. It makes zero sense to me. The only reason I have come up with is the browser is a mostly cross platform platform. Still, the number of webapps that run on a single browser on a single platform is dumbfounding. All the good reasons I can think of for centralization, ie collaboration, data protection, etc. hardly seem to be the focus of any webapp. It's as if the reason is "because everyone else is doing it."
I'm quietly waiting for the day silly things like save, undo, or reset become mandatory interface elements again. The main theme of centralized computing, manipulating a set of data, and submitting it.. the browser can't do right. Instead of all this AJAX bull crap, why aren't we making it easier just to fill out a GD form, save it, change, print, resubmit, cancel, etc. Instead, the only common browser interface we have, back, forward, bookmark, etc, doesn't work. You have an arbitrary amount of time to fill out a form before silent failure and complete re-entry. Printing is inconsistent. There is no logging or auditing for data submission, other than someone else's server.
Browsers are toys :\
Re:Going backwards (Score:4, Insightful)
The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.
Re:Going backwards (Score:3, Insightful)
Exactly. The original web was supposed to be read-write. A combination of companies that wanted to ream people for $50/month for hosting a simple hobby site and ISPs that wanted to upsell you a $100/month "business internet package with 1 static IP" are the guilty parties.
Of course, the Internet routes around such damage, so we have home servers operating on alternate ports, ultra-cheap hosting plans, and dynamic dns.
Re:Going backwards (Score:2)
By linking the processing power, and accessing it via terminals, as it was in the beginning, id say i'm correct in its intent.
Re:Going backwards (Score:2)
Re:Going backwards (Score:2)
Disagree all you want, but you are wrong :) Terminals for everyone.
I thought this was called Flash? (Score:2)
Flash 10 has the ability to do advanced client side things. For example, it can update the screen with information from a server by posting to a website, by XML, etc. It's pretty good at doing this. 8e6 and Surfcontrol utilize this type of capability in their admin GUIs for example.
Beyond just nice GUIs, one can serve up a special Flash document on a website. When the user opens the web page, a reverse proxy tunnel can be established allowing access into the clients LAN through Flash, bypassing any firewall restrictions. I think that was a previous /. article.
It's got a lot of features many folks don't use.
Re:I thought this was called Flash? (Score:2)
It's also a proprietary, binary blob and an insanely buggy one at that. At least all versions that are currently usable in practice (Gnash/swfdec are only usable in theory).
Re:I thought this was called Flash? (Score:2)
HTTP isn't dumb, it's just minunderstood. (Score:5, Insightful)
So really....
HTTP isn't dumb, it's (mostly) Stateless. Instead of that, what about building net applications around stateful protocols instead of some stupid hack and likely security nightmare?
Re:HTTP isn't dumb, it's just minunderstood. (Score:4, Insightful)
Re:HTTP isn't dumb, it's just minunderstood. (Score:2)
Here's the thing: stateless works everywhere there is any internet connectivity. Imagine having to define a long-lasting stateful protocol around slow and unreliable internet connections.
That's exactly what TCP was designed for: persistent 2-way connections over possibly unreliable networks. But I agree with your basic point, given that firewalls may be configured to only allow HTTP and other basic protocols through.
Re:HTTP isn't dumb, it's just minunderstood. (Score:2)
I've wondered recently how come we can't get a protocol like HTTP, but 1) not based on 'pages' but arbitrarily small/large and recursively nestable chunks of data, and 2) not pull and client-driven but publish/subscribe and persistent, where you'd attach to a data chunk and then be notified with the new value whenever that chunk changes. The rise of social services like Twitter and Facebook (and particularly the use of both by applications as a sort of generic publish-subscribe information bus) seems to be indicating that there is a need for such a thing, and building it on top of proprietary websites designed for other purposes entirely seems like a waste of time.
I'd like to get away from the 'client/server' approach of the Web back to the 'every endpoint is a host' of the underlying Net, because that's important for the end-to-end principle (and I think it was a big mistake to ever lose it). Moving just one step up the protocol stack from 'fire and forget datagram (IP)' to 'stream (TCP)' to 'subscribable chunk' seems like it would obviate the need for a lot of AJAX hackery. We could keep HTML as a display layer on top, but we really need a way to visualise and connect a whole lot of little tiny paragraph-size chunks of data - like, say, each post in a blog, each comment in a forum, each edit in a wiki, or each row in a table.
If we make this middleman protocol stateful, such that the equivalent of 'web proxy' for it is required to keep a cache and only transfer data into the internal network from outside when it changes... we could still keep a really simple, policy-free network, but reduce the insane amount of duplication of packets that we do now. If someone inside your home network pulls down a movie from a given URL, fine, it should get transferred once from your ISP's network to your home proxy/cache... and then sit on the cache there and not get re-downloaded. The same idea should work down to the level of individual Slashdot comments.
If we then add a very simple pure-functional language into this protocol, so that every 'chunk' could also be a function over other chunks, then we could get a generic RESTful computing model for mashups and the like.
Google Wave seems to be heading sort of in this direction, so maybe it might evolve into a generic replacement for the Web.
Re:HTTP isn't dumb, it's just minunderstood. (Score:2)
Actually, you're mostly describing XMPP, which Google Wave is built upon. It's already there and it's in active use, although mostly for IM for now.
Re:HTTP isn't dumb, it's just minunderstood. (Score:2)
HTTP isn't built around pages. HTTP can already do that.
That's a pretty simple application of any asynchronous messaging protocol (most such protocols aren't built around that particular use case, but it would be trivial to support it in any of them.)
The web-application-forever-trend? (Score:2, Interesting)
May I politely ask WHY anyone would one to continue making browsers "heavier" and "thicker" all the time, instead of simply making a good old fashioned rich client (thick client if you prefer)???
I am not looking to start a "Wep-app-vs-client-app" war here. I think there is a time and place for both thick client applications and web applications. And I am a very happy G-Mail user (among other web-app-things). But sometimes I am REALLY amazed when I see the lengths some web-developers will go to, in order to achieve PRECISELY the same goals that thick clients has been able to do for literally several decades!
The platforms and standards for making web applications are continuously MOLESTED in order to give them primitives abilities which, at the end of the day, are STILL only a shadow of the power a rich client has.
Stuff like AJAX hits the scene, and people call it a "milestone" or a "revolution". Wow. Now a user can get his screen updated async without hitting a "submit" button. Big stuff there.
Next thing will be ... what? Better graphics? Actual integration between applications? Easy third-party data integration? Ah, wait, maybe it will be an continuous (and actually working) user session? No no ... wait ... I got it ... it will be model-based programming. Yes. The revolutionary new "model-view-controller" design will totally change the landscape of web applications. It will be ground-breaking stuff to any web developer! Yeah!
The finest achievement any web application can get, is being described like it is "just as good as a rich client". Hasn't anybody stopped a moment to think about WHY that is? Perhaps it would be better just to use web clients where they make sense, and rich clients where they make sense?
Why on earth do some people continue to abuse the thin (read: skinny and bone-rattling) web standards for tasks that are clearly more suited for a traditional rich client application?
This is an honest question - technical answers are more than welcome. I genuinely want to understand what is going on in the minds of all these "progressive" web developers who are seriously proposing the introduction of advanced server-processes as part of a browser...
- Jesper
Re:The web-application-forever-trend? (Score:4, Insightful)
With thin clients, people already have a (somewhat) standardized client. You don't have to worry about deployment issues, software updates, system compatibility issues, etc. It's there and it mostly works. If you can develop your application within the constrains of a thin client, you have already bypassed a huge pile of potential headaches. Even more, your users won't have to go through the trouble of installing yet another piece of software, just to try your app.
Re:The web-application-forever-trend? (Score:2)
I totally disagree. Respectfully :-)
Your view is typical of a techie or CTO responsible for a software roll-out. The basic thought seems to be avoiding rich clients at all costs in order to make the whole thing "simpler".
But there are a ton of disadvantages for web clients. And in many (bot not all) cases they outweigh the advantages!
- They require MUCH more advanced back-end infrastructure to work, often including several servers and lots of monitoring/management
- much more complicated maintenance and upgrade
- much more complicated backup and disaster recovery procedures
- much more complex code in order to accomplish even the simplest things
- inferior user experience (this will become more visible as the complexity of the application increases)
- inferior 3rd party integration with the app (also more visible as the complexity increases)
- single point of failure (in fact a whole pile of server processes on top of each other)
I have deployed both web applications and classic client/server applications in medium-sized enterprises (500 - 5000 seats) for business use. I can honestly tell you that the most complex ones have been the web-based ones. They often depend on a ton of existing technology that has to match very precise specifications, and they very seldom work "out of the box". Because of the advanced back-end diagnosing a problem is virtually a nightmare and you have several technology vendors all pointing fingers at each others for problems that (according to all of them) are not even supposed to exist.
So yes, you DO have to worry about deployment issues. You DO have to worry about software updates (which are often very complex because of the extensive technology stack). And it most certainly DOES NOT "just work".
You are correct in stating that users don't need to install anything. But hey - the same goes for the rich client. The roll-out of any decent client application can be totally automated very easily. :-)
- Jesper
Re:The web-application-forever-trend? (Score:2)
Don't get me wrong, I agree with many of the points you're making. As a matter of fact, I am currently involved in the development of a rich client/server architecture.
However, I still maintain that the costs of dealing with server side deployment/scalability/upgrade issues is lower than dealing with rich clients in many instances.
I admit that my stance is biased by the fact that we use only basic open source building blocks for our deployments and we code the rest in house. We don't have to deal with various vendors and if something doesn't work quite right, we can always patch it up. We try to use tools like Erlang/OTP as much as we can for our server side business logic, which makes deployments and maintenance a breeze and helps a lot with scaling and redundancy.
I believe it is all a matter of costs and benefits. I can see certain applications that would not make sense in a browser, but for others, if you can get away with it, it makes a lot of sense to push them into "the cloud"
Re:The web-application-forever-trend? (Score:2)
LOL.
Mjeah. Right. :-D
6 months later all the end-users are still happy with the application which provides them with the exact same and rich user experience as their favourite (rich) office application. Right? And they just LOVE the idea of paying monthly fees in order to use their software. Sure. And have no problems with the fact that their data are crossing the internet every time they access it. While not minding at all that the whole solution is nearly impossible to integrate with anything else. Poor performance is not an issue later - all screens open and close as fast as any one of them could wish for. Yep.
Paradise. Absolutely! :-D
Ask them to replace their MS Outlook client with "Exchange Web Access" too. And toss Microsoft Office out the window in favor of some obscure online spreadsheet/presentation/word-processor platform. I am sure they will love it. Its a much better user experience. And hey: much easier for the IT department as well. Hell, we could stop using computers at all and switch to ultra-thin clients!
Go for it. It will be great! :-D
Re:The web-application-forever-trend? (Score:2)
With a given OS and an app, people already have a (somewhat) standardized client. You don't have to worry about compatibility issues, browser differences, etc. It's there and it mostly works. If you can develop your application within the constraints of an OS, you have already bypassed a huge pile of potential headache. Even more, your users won't have to go through the trouble of downloading the right browser, installing it, starting it, and navigating to your site, just to try your app. Also, you won't have to do to the trouble of setting up complicated web servers - just post the binary (or the source) on your web page.
Re:The web-application-forever-trend? (Score:2)
If you are a web developer, you pretty much have the choice of switching careers or doing your best to bludgeon as much functionality out of your toolset as possible.
More generally, though, "web" apps do have advantages, they are just almost universally in areas outside of their power as programs(and, to be fair, areas where conventional client apps could be made to match, if a whole lot of groundwork were done).
Assuming you haven't already, looking at some user's home machines is a genuinely edifying experience. Check the desktop. Not infrequently, you'll find it littered with old installer packages, sometimes multiple copies of the same thing, scattered there by the user's frantic clicking. They Just. Don't. Get. the installation procedure, even when the installer is an executable that, once triggered, pretty much leaps out and installs itself. Don't even dream about getting the user to make any configuration changes besides entering a username and password. And updates, of course. You can either add yet another voice to the chorus of horrible autoupdate tray apps, crying for attention, or bug the user when they start the program, or just deal with having 26 different versions in the wild.
If you want to appeal to such users, you have two options: try to solve ignorance, by maintaining a good-sized helpline for the entire life of your product, or trying to solve installation; by doing a bunch of webapp hacking upfront. This solves updating, as well. Next time they refresh, there they are.
This all goes double for users at work, at a web cafe, on a friend's computer, or whatever. There are, in fact, some very sophisticated offerings that allow full client applications to be added and removed freely from a system, without harming it. Essentially none of them are available to, or usable by, average users. Public or corporate computers generally run in some flavor of lockdown, so client apps can't be installed, and any time joe user installs something on somebody else's machine, he risks munging it, or leaving his config details all over the system. This, again, makes webapps attractive.
None of these issues are insurmountable, with sufficient cleverness and effort, an OS could offer sandboxed, optionally persistent, access to full(or nearly full) client app power with webapp ease of loading, updating, and purging. Until that actually happens, though, webapps are here to stay.
FAT CLIENT is NOT the right FIX (Score:3, Interesting)
What's needed is a "GUI Browser" standard that is meant for C.R.U.D. screens (business screens and forms) instead of what HMTL is: An e-brochure format bent like hell to fit everything else. You can only bend the e-brochure model so far. We don't need "fat clients" really to solve most of the problem, but really just a better GUI browser so that we are not sending over 100,000 lines of version-sensitive JavaScript just to emulate (poorly) a combo-box, data grid, or folder/file outline tree widget. That's like inventing a cell-phone just to call your next-door neighbor.
Re:FAT CLIENT is NOT the right FIX (Score:2)
So why not make a client/server solution, and make good clients for each of the platforms you want to support?
Compared to the absolutely massive resources needed to build an advanced web application with roughly the same capabilities as rich clients on those same OS'es it should not be too hard to do!
Why do we need a "GUI browser"? How would you describe such a thing anyway? The presentation layer of any modern OS already has all the things we need PLUS a ton of very useful local integration with with other applications?
- Jesper
Re:FAT CLIENT is NOT the right FIX (Score:2)
Because people don't want the "install" step, for both time and security reasons.
Kind of like HTML, but with more widgets, more declarative "events" for common actions, standard ess-expression-based field validation, an MDI option, and a "stay until removed" aspect of drawing screens instead of redraw-page-per-post of regular HTML.
So does the Tk-kit-family and Java for the most part. A "generic" GUI-browser could probably be built with them.
Re:FAT CLIENT is NOT the right FIX (Score:2)
I am sorry but I still don't understand the concept of this "GUI browser". It sounds like you are focusing a lot on the presentation layer and ignoring all the other aspects a rich client has.
What about 3rd party integration? Or a visual layout which matches the operating system? Or hotkeys and interactive behavior matching the OS? Or the ton of rich functionality provided by the OS to all local applications (security features, networking, local system access, core functionality like cross-application object embedding, etc)?
What exactly makes this "GUI browser" any better than just making a Flash 11 application and what are the benefits from using it? Which issues/problems does it solve?
- Jesper
Re:FAT CLIENT is NOT the right FIX (Score:2)
"So does the Tk-kit-family and Java for the most part. A "generic" GUI-browser could probably be built with them."
Yes, you've described a Java applet.
Re:FAT CLIENT is NOT the right FIX (Score:2)
Actually, I think he's describing MS Access. Including the "generic" part.
Re:FAT CLIENT is NOT the right FIX (Score:2)
Congratulations.
Re:FAT CLIENT is NOT the right FIX (Score:2)
"That sounds a lot like XUL which Firefox has supported for a while and nobody uses (except for Firefox extensions)."
Obviously not. XUL was a very founded idea: that both developers and users want a standard deployment platform. Whenever a 'de facto' standard rises, you get to see its success aggregating developer efforts being it Windows at the OS level, Access at the DB frontend, "the browser" at the Internet level, etc.
Users like it because they find it an easy concept to grasp; developers like it because they give them a consistent platform to program against. XUL was meant to be that "standard platform" for Internet-based rich applications by perusing the "internet browser" concept. But then, in order to gain adepts it forcibly needed to run on "the browsers" which, at the time, mainly meant "internet explorer". Since XUL never run on IE (I can understand whil not share Microsoft's position 'ut ActiveX ut nihil') it never run in practice on "the browser" and that meant a clash in paradigms. No wonder it failed.
Re:The web-application-forever-trend? (Score:2)
True and false.
It is a success for the things it was originally created to solve.
It is a failure (although very widespread) for the more modern things it is used for in advanced web applications... ;-)
Re:The web-application-forever-trend? (Score:2)
3 words: Java Web Start.
Re:The web-application-forever-trend? (Score:2)
"NOBODY BUT COMPUTER TECHIES KNOW WHAT A CLIENT IS, NEVERMIND A RICH ONE."
Still they use them everyday, which is what counts.
"Sorry to be a bit of a dick about it, but if you couldn't see such a simple reason, then god help you."
Don't be so sorry. You are a dick because you are a dick -with an absolute lack of imagination on top of that. That you are able to regurgitate the last info you got from a "tech blog" makes you an informed dick, not an knowledgeable expert.
FTP anyone (Score:2)
Instant SETI (Score:2)
Could be neat. Just browser to the SETI site. click on volunteer some cycles and right away your browser (and computer) are peers working away on the problem. Nothing to install. When you are done, just navigate away.
Why HTTP? (Score:3, Insightful)
If you want a browser to be able to send and receive asynchronous messages, rather than work on a request/response model, why not just build browsers that use a protocol designed for that use (like XMPP), rather than trying to torture HTTP into serving in that role? Its not like HTML, XML, JSON, or anything other data the browser might need to handle cares what protocol its transported over.
Re:Perhaps I just don't understand TFA, but... (Score:3, Informative)
Scenario: I'm pointing my browser at a server I run at home. In my browser I run a small webserver that can access a commandshell. Cool, now I can work from home despite a firewall and lack of software :) Sorry dear sysadmin, your firewall just got a few new holes in it :)
I used to do that on my University's network with a reverse SSH tunnel. You could even do it over port 80 if they blocked outgoing 22. The only issue would be if you could install that webserver on a locked-down machine that has no SSH client.
Re:Perhaps I just don't understand TFA, but... (Score:2)
Please explain ... (Score:2)
Re:Please explain ... (Score:2)
I think I understand it. I will admit that I am not a network expert, just plain and simple business app developer.
And I still don't understand why I would want my own machine to answer HTTP calls of any form, or why I should allow my (hardware) firewall to allow incoming requests of that nature. The security implication alone is a nightmare.
I would never want to give any outside party the ability to execute "remote CGI" on my machine(s) nor would I want them to have the properties of a webserver.
Can you explain a scenario where such a set-up makes sense (from a business or usability perspective) and where other protocols are unable to get the job done?
- Jesper
Re:Please explain ... (Score:2)
It sounds like a kick-ass method for making stuff than can bypass police-state/dictator censor crap and web filtering. Absolutely!
I still don't see any use that would be beneficial for normal users like myself, my girlfriend, daughter, mom, dad, ... etc. :-)
Re:I run www.reversehttp.net (Score:2)
TOnce that's done suddenly asynchronous notification of events is within reach of any program [...], and protocols and services layered on top of HTTP no longer have to contort themselves to deal with the asymmetry of HTTP. They can assume that all the world's a server, and simply push and pull content to and from whereever they please."
I'm missing the part where this is a good idea. I want to trust unknown server(s) that I happen to visit to do more than provide HTML for consumption? Why on earth would I want to expose myself that way?
If you want true interactivity, code a "thick client" designed to work with the servers or services in question. Don't try to shoehorn it a web browser using HTTP transactions- and creating a whole new platform for security risks.
Re:Opera Browser Has Web Server (Score:2)
Thanks, but I'd rather slit my wrists. Why not learn Java and build a real application, where you don't have to deal with the browser at all?
Re:Will never happen (Score:2)
Your ISPs may not allow home users to do this, mine allows web servers, mail servers, the whole shooting match on their home accounts. They'll even allocate you a block of 8 static IPs to do it properly.
Re:Sockets (Score:3, Interesting)
Does this mean we're finally getting proper sockets, instead of having to do everything through HTTP requests? I've been advocating this for years ...
Yes. And no. The HTML5 spec includes a sockets-like API. However, it's intentionally crippled so that you can't use it to communicate with an application that hasn't been specifically enabled to communicate with it (i.e. it uses its own handshake protocol to ensure it's talking to a system that's designed to talk to it).