Jason Brooks Ziff Davis Enterprise
Tuesday, January 15, 2008 2:05 AM/EST

I Want More from Firefox

Back when Windows XP was in development, I wrote a column titled, "Ding, Dong, the Witch Is Dead (Almost)!"

I was writing about how Windows 98 was soon to be done in by a more stable, more secure version of Windows, and about how the new version would, alongside OS X and Linux, usher in an era in which applications would be more sanely isolated from each other. No longer would we have to worry about single applications crashing and taking down our whole systems.

Lately, though, I've been displeased to find that misbehavior of certain applications I use is visited upon other, totally unrelated applications, leading to crashes, system resource problems and even potential security breaches on the machines I use. The problem is that a growing number of the applications I rely on are served up to me through my Web browser, and compared to operating systems, Web browsers do a lousy job playing host to applications.

Case in point: A few months ago, while reading a post on a security blog, I carelessly clicked on a proof-of-concept exploit of a Google cross-site scripting vulnerability. Without realizing it, I'd allowed this code to configure my Gmail account to forward all messages to the author of the POC. Google fixed the gap, but didn't do much to advertise it to their users, and any unintended forwarding setups persisted after the fix occurred.

Fortunately, I was too lame to get a golden ticket to the then invitation-only Gmail service until every possible permutation of my name had been claimed by someone else, so I only use that account as a destination for mailing list messages and quasi-junk mail. In any case, the exploit writer closed his e-mail account fairly quickly under the server strain of more inattentive Gmail users than he'd perhaps anticipated.

Sure, I should have been clicking more carefully, but does computing in the software-as-a-service world have to mean settling for crude isolation between my blog reading and e-mail management applications?

Even if I amp up my script-running vigilance--I've been getting acquainted with the NoScript plug-in for Firefox--I'll still have to worry that some Flash ad on a Web site in tab one will demolish the performance of the online word processor I'm using in tab two, or even crash my whole browser session.

Software as a service is turning Web browsers into the operating systems of the Internet. If they know what's good for them, Google, Salesforce.com, et al. will start working more closely with groups such as the Mozilla Foundation to help deliver browsers that can serve as the credible application hosts we require.


Comments (2)

Robb S. :

Jason Brooks' article on web apps working in browsers seems mislabeled - this isn't about Firefox as much as it is about the foolish coding practices of the programmers who are writing web apps that require a browser for delivery - in fact, Jason clearly admits that it was his OWN carelessness / negligence which resulted in problems with his Gmail account - that was NOT a Firefox problem - that was just dumb user error!

So don't blame this on Firefox - one of the greatest strengths of Firefox is its open architecture and the fact that there are so many really great extensions that are constantly being developed to add new security and functionality. If Mr. Brooks had spent the time to properly configure and use NoScript, Flash-based XSS scripts would have been blocked from running in the first place - but there is NOTHING that will prevent a user from overriding security settings.
Cheers

Jason Brooks :

Robb --

There will always be security holes in applications, Web-based or not. Our operating systems have evolved to shield us from some of the failings of the applications we run. That's what I want from my Web app OS of choice, Firefox.

Jason
