Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Software The Internet

Smarter Clients Via ReverseHTTP and WebSockets 235

igrigorik writes "Most web applications are built with the assumption that the client / browser is 'dumb,' which places all the scalability requirements and load on the server. We've built a number of crutches in the form of Cache headers, ETags, and accelerators, but none has fundamentally solved the problem. As a thought experiment: what if the browser also contained a Web server? A look at some of the emerging trends and solutions: HTML 5 WebSocket API and ReverseHTTP."
This discussion has been archived. No new comments can be posted.

Smarter Clients Via ReverseHTTP and WebSockets

Comments Filter:
  • by ls671 ( 1122017 ) * on Tuesday August 18, 2009 @04:04PM (#29111435) Homepage

    A problem that I can see is that web browsers already contain enough security holes, imagine if they contained a web server ;-)

    • What if the web server were limited to only communicating with external web servers to which a connection was already made, refusing any unknown connections from the network?
      • Re: (Score:3, Interesting)

        by jellomizer ( 103300 )

        Are you trusting the site you connect to. That is the Active X mentality. If you went to the site then it is OK.

      • What if the web server were limited to only communicating with external web servers to which a connection was already made,

        How is it a server if it is the one requesting a connection? This is semantic abuse! I'm calling the definition police.

      • Then accidentally visiting a bad website would kill your computer.. :)
        • Only if the web server operated out of the sandbox of the browser. Any browser vendor implementing a feature like this without isolating it to a container within the browser would be insane. In other words, Microsoft should never try to implement something like this.
      • Even so - that doesn't account for compromised servers. Or, for that matter, poor coding on the server - there doesn't have to be malicious intent for thist o cause harm.
    • by 0racle ( 667029 )
      Opera wants to explore that particular 'what if.'
      • I wonder if anybody has tried targeting the Opera Unite services for holes? Or is Opera still too irrelevant market-wise?
    • Why is this any different from the classic thing?
      All it does is enables the "server" to send data even if the "client" doesn't request them each time (doesn't refresh). Instead of trusting AJAX code gotten from the server and "refreshing" parts of pages in set intervals, why not just trust the socket which will provide the info necessary for the "refresh"? I don't see any new problem introduced here.
      Please explain if you do.

      • by ls671 ( 1122017 ) *

        > Please explain if you do.

        Keeping the connection alive (keep alive) enables you to do just that without running a server (e.g. listening socket) in your web browser. Yet, people do not use it much. Allowing the server to connect back to you is even more complex and I do not think it would fly that much, you would now need more complex server applications. Paying the almost costless price to establish a new connection every time is the privileged option nowadays and most applications are built with that

  • by Animats ( 122034 ) on Tuesday August 18, 2009 @04:10PM (#29111495) Homepage

    There's nothing wrong with a browser establishing a persistent connection to a server which uses a non-HTTP protocol. Java applets have been doing that for a decade. That's how most chat clients work. Many corporate client/server apps work that way. In fact, what the article is really talking about is going back to "client-server computing", with Javascript applications in the browser being the client-side application instead of Java applets (2000) or Windows applications (1995).

    But accepting incoming HTTP connections in the browser is just asking for trouble. There will be exploits that don't require any user action. Not a good thing. Every time someone puts something in Windows clients that accepts outside connections, there's soon an exploit for it.

    • by Scootin159 ( 557129 ) on Tuesday August 18, 2009 @04:25PM (#29111645) Homepage
      While I agree with the parent, that accepting incoming connections is a bad thing - it may also be the "killer feature" to implement IPv6. Auto-configuring clients to support incoming connections is inherently difficult in NAT.
      • Re: (Score:3, Informative)

        by raddan ( 519638 ) *
        I don't think you're going to see people give up NATs easily. NAT is a bona fide security feature, not just a consequence of having a LAN. This is the same thing that makes detecting bad segmentation faults possible in an operating system, and from that perspective, a separate address space is very desirable.

        Any kind of 'fundamental change' that happens on the Internet needs to accept that NATs part of good architecture. You really want your toaster on the same address space as your Cray?
        • No, they're really not. They don't add any security except a tiny bit of obscurity.

          • by Korin43 ( 881732 )
            More like a huge amount of obscurity. Let's say you install Windows 2000 on a computer and don't install any patches or service packs. Connect it directly to a cable modem and you'll have viruses instantly. Do the same install on another computer and put it behind a router and you'll find that even without any patches you're fine. And my point isn't that patches aren't necessary, it's that the obscurity of being hidden behind a router protects you from threats that haven't been discovered yet, and that's th
            • Good point, security through obscurity. Place a Linux (or any) gateway machine behind a rather cheap router, with default paranoia settings. Someone wants to run some services from the LAN to the intartubez, but he's not discoverable. Since the cheap router is very limited in it's configuration, one might spend days trying to get everything to their liking.

              Alternatively, one can do wan --disable firewall then configure everything on the Linux gateway machine. Firestarter does exactly what we ask it to d

        • by Dragonslicer ( 991472 ) on Tuesday August 18, 2009 @05:12PM (#29112149)

          NAT is a bona fide security feature, not just a consequence of having a LAN.

          What security does it provide that a REJECT ALL firewall rule wouldn't?

          • by DiegoBravo ( 324012 ) on Tuesday August 18, 2009 @05:43PM (#29112499) Journal

            > What security does it provide that a REJECT ALL firewall rule wouldn't?

            The security that most users don't have any idea about how to configure a REJECT rule, even if they have a firewall at all.

          • The only thing I can think of is some opaqueness of the network behind the NAT, but that's not a huge win
          • by pavon ( 30274 ) on Tuesday August 18, 2009 @06:23PM (#29112829)

            I actually do think that NATs have been a boon to end-user security, more so than firewalls would have been, because they created a (relatively) consistent ruleset that software developers were then forced to accommodate. Hear me out.

            Imagine an alternate universe where IP6 was rolled out before before broadband, and there was never any technical need for NAT. In that case the consumer routers would have all come with firewalls rather than NAT. First off it is very possible that router manufacturers would have shipped these with the firewall off to avoid confusion and misplaced blame: "I can't connect to the internet, this thing must be broken". If they were enabled by default, with common ports opened up, there would still be applications (server and P2P) that would need to have incoming ports manually configured to be open in order to work. Most users wouldn't be able to figure this out, and the common advice between users would become "If it doesn't work disable the firewall".

            And the fact of the matter is that requiring a novice user to configure his router just to use an application is not a good approach. There needs to be some sane form of auto-configuration. Even if the firewall tried to implement this internally, you would run into problems with different "smart firewalls" behaving differently, which would create even more headache for application developers.

            With NAT you have the same problem in that manually configuring port forwarding is confusing to users. The difference is that there is no option to disable NAT. So it became the application developers' problem by necessity, and this is a good thing, because they are better suited to handle technical problems than the end user is. It was a major pain in the ass, but eventually all the router manufactures all settled on similar heuristics on how to fill the NAT table based on previous traffic, and we learned strategies to initiate P2P traffic that didn't require user intervention.

            In end, default behavior of NAT (outgoing traffic always allowed, incoming only in response to outgoing) gave us the auto-configuration ability that we needed, and the result was something much more secure than would have existed if the firewall was optional.

            • Re: (Score:3, Insightful)

              by Hooya ( 518216 )

              > outgoing traffic always allowed, incoming only in response to outgoing

              thus began the end of the world wide web. in it's place we have the next gen *cable* with producers and consumers. no wonder comcast is looking to buy disney or other "content producers".

              just what is so horrid about having my computer serve content by allowing connections to it? someday we will be so damn secure that no one will be able to talk to anyone else.

              • Re: (Score:3, Insightful)

                by Nursie ( 632944 )

                YOU can, because you know what NAT is and how to port-forward and various other things.

                Most people don't. Leave them in their little walled gardens, it's safer for them there.

              • by radish ( 98371 )

                Nothing whatsoever, if that's what you choose. But 99% of users don't want to do that, and don't know how to configure things to allow it safely. In your case you can get a static IP or three, or even with NAT it's easy to setup port forwarding. I really don't see the loss unless you want every machine on your network to be a port 80 web server and don't want to pay for the static IPs, which is a pretty marginal case.

          • by sjames ( 1099 )

            Exactly. The only thing NAT gives you that a default policy of REJECT or DROP doesn't is extra latency and higher CPU load on the firewall.

            NAT also makes it harder to figure out who the badguy is if one of the internal machines attacks a remote machine (for example, because it got a virus or some employee is running something they shouldn't be).

        • But my toaster is powered by a Cray
        • NAT provides exactly the same security as a connection-tracking firewall -- there is no further benefit to address translation over a dynamic firewall with the same rules. Dropping the NAT part makes it about 11,000 times easier to run services on the inside, particularly if they use multiple connections (e.g. FTP, SIP) in the course of a session, and it removes the "only 1 person can run a service on the default port" limitation introduced when you put more than one system behind a single address.

    • I would actually expect more security problems on both sides! There is both a new server on the client and a new client on the server. Each will take some time to secure and inevitably open up vulnerabilities.
    • Re: (Score:3, Interesting)

      by ls671 ( 1122017 ) *

      > But accepting incoming HTTP connections in the browser is just asking for trouble.

      Exactly, transparent caching proxies would seem to solve issue in a simpler and easier to manage way. Then again, providers trying to implement caching proxies that I know of have all abandoned the idea after trying it. Their customers complained to much and it brings all sort of problems with the transactional behavior of an application.

      So people do not like caching proxies, why would they like one in their browser ? Wh

    • Regardless if you are maintaining a persistent connection via a non-HTTP protocol, or setting up a dual web servers to chatter back and forth, you are still missing the point.

      This is yet another stupid patch for the fundamental design flaw of HTTP: I was never supposed to used to mimic a persistent connection. Why keep running through ever more complicated mazes, and just build a freakin browser that maintains a connection with the host? (rhetoric, I'm not really asking this as a question...)

      if you wa
    • It's also a stupid, stupid idea. On top of the security concerns, it's a waste of resources, both along the network route, and at the endpoints (mmmm... even more sockets for the web server OS to keep track of). And it's a huge hassle for firewalls.

      Honestly, I've been a defender of the whole thick-ish-web-client revolution, but this is just getting ridiculous. HTTP is a request-response protocol. If you need something interactive, use a frickin' interactive protocol. Why the hell would you shoehorn it

    • Well, I already did persistent JavaScript-only connections in 2003-2005. I used an object tag, and then requested a page. that page did never end, and continued to include new JSON snippets which immediately executed. When it got too big, the response ended with a location.refresh().
      A second object tag included a form with a "never ending" POST.

      But it did not work so great, so I changed it to single "packets" (form submissions and receivings). Which also allowed them to be done in a single object tag.
      Then I

  • Problem? (Score:5, Insightful)

    by oldhack ( 1037484 ) on Tuesday August 18, 2009 @04:11PM (#29111517)
    I thought dumping the load on the server was the desired design feature. What is the problem they are trying to solve? Good old rich client model has been around for some time now.
  • by gatekeep ( 122108 ) on Tuesday August 18, 2009 @04:11PM (#29111519)
    This seems to closely relate to the next story currently on the frontpage; Predicting Malicious Web Attacks [slashdot.org]
  • The whole point of 'the web' was to move processing out to the 'cloud' ( sorry for the buzzword use ). Ideas like this only would continue the backwards trend of moving the processing back onto the client, which personally i feel is the wrong direction.

    • Re: (Score:3, Insightful)

      by Tynin ( 634655 )
      I mostly agree, however I believe much of the initial push to move processing out to the 'cloud' was because clients likely had limited hardware. Now days client hardware is rather beefy and could handle some more of the load that the server doesn't need. That said, I think a web browser that opens ports and is listening for connections on my computer would make me more than slightly wary.
      • I mostly agree, however I believe much of the initial push to move processing out to the 'cloud' was because clients likely had limited hardware. Now days client hardware is rather beefy and could handle some more of the load that the server doesn't need. That said, I think a web browser that opens ports and is listening for connections on my computer would make me more than slightly wary.

        I disagree. The re-centralization of computing did not happen because of a lack of client horsepower. If anything, the aggregate client power to server power ratio has skyrocketed, and never stopped since decentralizing in the first place. I really do not understand the intent of the last decade or so of re-centralization. It makes zero sense to me. The only reason I have come up with is the browser is a mostly cross platform platform. Still, the number of webapps that run on a single browser on a sin

    • Re:Going backwards (Score:4, Insightful)

      by Locklin ( 1074657 ) on Tuesday August 18, 2009 @04:29PM (#29111687) Homepage

      The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.

      • Re: (Score:3, Insightful)

        by tomhudson ( 43916 )

        The point of the web was not to move processing out to the cloud, it was to build a multi-way communications medium (hence web) that anyone on the Internet could participate in. Moving processing to "the cloud" (i.e., someone else's computer) is the point of Google, not the web.

        Exactly. The original web was supposed to be read-write. A combination of companies that wanted to ream people for $50/month for hosting a simple hobby site and ISPs that wanted to upsell you a $100/month "business internet packa

      • by nurb432 ( 527695 )

        By linking the processing power, and accessing it via terminals, as it was in the beginning, id say i'm correct in its intent.

    • Sorry, I have to disagree. There is no right or wrong, as far as thin vs. thick clients are concerned -- it's really what's best for the job. Processing on the client side can be a good thing, as long as it's not abused (like it is with ajax).
  • Flash 10 has the ability to do advanced client side things. For example, it can update the screen with information from a server by posting to a website, by XML, etc. It's pretty good at doing this. 8e6 and Surfcontrol utilize this type of capability in their admin GUIs for example.

    Beyond just nice GUIs, one can serve up a special Flash document on a website. When the user opens the web page, a reverse proxy tunnel can be established allowing access into the clients LAN through Flash, bypassing any fire

    • It's also a proprietary, binary blob and an insanely buggy one at that. At least all versions that are currently usable in practice (Gnash/swfdec are only usable in theory).

    • By Flash you mean "Any client side technology". ActiveX controls. Java applets. Platform-specific exes. It's called "networking" - and there are methods far better suited for it than an environment that is designed to be "client-server" only - with the role of "client" and that of 'server' being fairly clearly defined. Sure, it's possible to create such a monstrosity as described in TFA - but why when there are so many better, more secure, and more efficient ways to do it?
  • by EvilJohn ( 17821 ) on Tuesday August 18, 2009 @04:28PM (#29111669) Homepage

    So really....

    HTTP isn't dumb, it's (mostly) Stateless. Instead of that, what about building net applications around stateful protocols instead of some stupid hack and likely security nightmare?

    • by iron-kurton ( 891451 ) on Tuesday August 18, 2009 @04:52PM (#29111951)
      Here's the thing: stateless works everywhere there is any internet connectivity. Imagine having to define a long-lasting stateful protocol around slow and unreliable internet connections. But I do agree that the current model is inherently broken, and maybe we can get away with defining short-term stateful protocols that could revert back to stateless....?
      • Here's the thing: stateless works everywhere there is any internet connectivity. Imagine having to define a long-lasting stateful protocol around slow and unreliable internet connections.

        That's exactly what TCP was designed for: persistent 2-way connections over possibly unreliable networks. But I agree with your basic point, given that firewalls may be configured to only allow HTTP and other basic protocols through.

    • by lennier ( 44736 )

      I've wondered recently how come we can't get a protocol like HTTP, but 1) not based on 'pages' but arbitrarily small/large and recursively nestable chunks of data, and 2) not pull and client-driven but publish/subscribe and persistent, where you'd attach to a data chunk and then be notified with the new value whenever that chunk changes. The rise of social services like Twitter and Facebook (and particularly the use of both by applications as a sort of generic publish-subscribe information bus) seems to be

      • by am 2k ( 217885 )

        Actually, you're mostly describing XMPP, which Google Wave is built upon. It's already there and it's in active use, although mostly for IM for now.

      • I've wondered recently how come we can't get a protocol like HTTP, but 1) not based on 'pages' but arbitrarily small/large and recursively nestable chunks of data

        HTTP isn't built around pages. HTTP can already do that.

        2) not pull and client-driven but publish/subscribe and persistent, where you'd attach to a data chunk and then be notified with the new value whenever that chunk changes.

        That's a pretty simple application of any asynchronous messaging protocol (most such protocols aren't built around that pa

  • May I politely ask WHY anyone would one to continue making browsers "heavier" and "thicker" all the time, instead of simply making a good old fashioned rich client (thick client if you prefer)???

    I am not looking to start a "Wep-app-vs-client-app" war here. I think there is a time and place for both thick client applications and web applications. And I am a very happy G-Mail user (among other web-app-things). But sometimes I am REALLY amazed when I see the lengths some web-developers will go to, in order to

    • by Algan ( 20532 ) on Tuesday August 18, 2009 @04:45PM (#29111869)

      With thin clients, people already have a (somewhat) standardized client. You don't have to worry about deployment issues, software updates, system compatibility issues, etc. It's there and it mostly works. If you can develop your application within the constrains of a thin client, you have already bypassed a huge pile of potential headaches. Even more, your users won't have to go through the trouble of installing yet another piece of software, just to try your app.

      • I totally disagree. Respectfully :-)

        Your view is typical of a techie or CTO responsible for a software roll-out. The basic thought seems to be avoiding rich clients at all costs in order to make the whole thing "simpler".

        But there are a ton of disadvantages for web clients. And in many (bot not all) cases they outweigh the advantages!

        - They require MUCH more advanced back-end infrastructure to work, often including several servers and lots of monitoring/management
        - much more complicated maintenance and upgr

        • by Algan ( 20532 )

          Don't get me wrong, I agree with many of the points you're making. As a matter of fact, I am currently involved in the development of a rich client/server architecture.

          However, I still maintain that the costs of dealing with server side deployment/scalability/upgrade issues is lower than dealing with rich clients in many instances.

          I admit that my stance is biased by the fact that we use only basic open source building blocks for our deployments and we code the rest in house. We don't have to deal with vario

      • by ceoyoyo ( 59147 )

        With a given OS and an app, people already have a (somewhat) standardized client. You don't have to worry about compatibility issues, browser differences, etc. It's there and it mostly works. If you can develop your application within the constraints of an OS, you have already bypassed a huge pile of potential headache. Even more, your users won't have to go through the trouble of downloading the right browser, installing it, starting it, and navigating to your site, just to try your app. Also, you won

    • "some web-developers will go to"

      If you are a web developer, you pretty much have the choice of switching careers or doing your best to bludgeon as much functionality out of your toolset as possible.

      More generally, though, "web" apps do have advantages, they are just almost universally in areas outside of their power as programs(and, to be fair, areas where conventional client apps could be made to match, if a whole lot of groundwork were done).

      Assuming you haven't already, looking at some user's h
    • What's needed is a "GUI Browser" standard that is meant for C.R.U.D. screens (business screens and forms) instead of what HMTL is: An e-brochure format bent like hell to fit everything else. You can only bend the e-brochure model so far. We don't need "fat clients" really to solve most of the problem, but really just a better GUI browser so that we are not sending over 100,000 lines of version-sensitive JavaScript just to emulate (poorly) a combo-box, data grid, or folder/file outline tree widget. That's li

      • So why not make a client/server solution, and make good clients for each of the platforms you want to support?

        Compared to the absolutely massive resources needed to build an advanced web application with roughly the same capabilities as rich clients on those same OS'es it should not be too hard to do!

        Why do we need a "GUI browser"? How would you describe such a thing anyway? The presentation layer of any modern OS already has all the things we need PLUS a ton of very useful local integration with with other

        • by Tablizer ( 95088 )

          Because people don't want the "install" step, for both time and security reasons.

          How would you describe such a thing anyway?

          Kind of like HTML, but with more widgets, more declarative "events" for common actions, standard ess-expression-based field validation, an MDI option, and a "stay until removed" aspect of drawing screens instead of redraw-page-per-post of regular HTML.

          The presentation layer of any modern OS already has all the things we need [for GUIs]

          So does the Tk-kit-family and Java for the most pa

          • I am sorry but I still don't understand the concept of this "GUI browser". It sounds like you are focusing a lot on the presentation layer and ignoring all the other aspects a rich client has.

            What about 3rd party integration? Or a visual layout which matches the operating system? Or hotkeys and interactive behavior matching the OS? Or the ton of rich functionality provided by the OS to all local applications (security features, networking, local system access, core functionality like cross-application objec

          • by ceoyoyo ( 59147 )

            "So does the Tk-kit-family and Java for the most part. A "generic" GUI-browser could probably be built with them."

            Yes, you've described a Java applet.

  • Doesn't anyone remember FTP? And why Passive-mode FTP was developed? All of the same reasons why this isn't a good idea. Your web browser ends up behind a NAT firewall and poof, this no longer works. (Without some deep packet inspection on the firewall to automatically open the ports, or UPnP, or SOCKS, or some other protocol for the web client to negotiate with the firewall to allow the connections).
  • Could be neat. Just browser to the SETI site. click on volunteer some cycles and right away your browser (and computer) are peers working away on the problem. Nothing to install. When you are done, just navigate away.

  • Why HTTP? (Score:3, Insightful)

    by DragonWriter ( 970822 ) on Tuesday August 18, 2009 @06:48PM (#29113045)

    If you want a browser to be able to send and receive asynchronous messages, rather than work on a request/response model, why not just build browsers that use a protocol designed for that use (like XMPP), rather than trying to torture HTTP into serving in that role? Its not like HTML, XML, JSON, or anything other data the browser might need to handle cares what protocol its transported over.

Heard that the next Space Shuttle is supposed to carry several Guernsey cows? It's gonna be the herd shot 'round the world.

Working...