Absolutely blown away by the number of things you can do from a web browser these days. All of this would've been unimaginable a mere 10 years ago, right around the time when Google Chrome was in its infancy (or just out of it, to be precise) and the web browser market was still dominated by Internet Explorer, with Opera, Firefox and Safari (back when there was a Windows version of Safari) taking up small slices of the market share.
Another cool site to check out: https://coveryourtracks.eff.org -- a great tool to see how unique your browser's 'fingerprint' is and how well it protects you from trackers and other annoyances online.
I'm so glad. I trust running whatsapp.com, messenger.com, slack.com, discord.com, bluejeans.com, zoom.com etc. I do not trust installing the WhatsApp app, Slack app, Discord app, Zoom app, or BlueJeans app. In the browser I have control, native (at least on Windows) I don't. Those native apps, at least on Windows, can basically do anything. Read my entire hard drive, scan my network, install a key logger, turn on my camera and mic, etc. In the browser they can't.
Facebook is the #1 offender in my opinion. I absolutely refuse to install any Facebook app. Back in the day, you could message people in the mobile browser without issue. Heck, it even loaded new messages without needing to refresh.
Then they decided you should need the app to message people.
Then they decided you should use a completely separate app to message people versus browse Facebook.
Now I have to use mbasic.facebook.com to message people. The quality of the experience dropped so much because, but I'm glad they don't have access to my contacts, text messages, location, etc. They get enough info about me from other sources.
Yup, this exact timeline of degraded experience on Facebook led me to disable my account. I haven't reactivated it in over a year, and I'm happier for it.
What kills me is I recall the mobile browser experience being better in the 2012 era than 2021. We've moved from alright 3G to widely available 4G with populous areas having 5G, and with home internet connections generally being much faster. The same website code could provide a much better experience simply from more bandwidth availability. Instead we've regressed because everything needs an app now.
Some forum software allows the owners to create an app then prompts you to install their app. Not sure which it is, but it's super annoying.
Over the last couple, reddit has significantly limited their mobile website utility, requiring login (like Instagram) and nagging you to download the app.
Marketing metrics seem to have overcome usability in terms of relative importance. It's really frustrating to see what the mobile computing environment has become.
I asked my dad to send me a picture of his shed recently. He asked if I have WhatsApp. I reminded him I don't use any social media. And he said, uh, it's going to be very hard for me to figure out how to send it without WhatsApp.
No shed picture. But no compromises here either.
Also I find it totally hilarious that I'm 42 and I have never even seen WhatsApp's interface yet my 80 year old father is a social media expert in a lot of ways.
Yeah I agree with the spirit of that. There should be a name for that practice, something that makes it sound as bad as it is but catchy. Maybe, something like webhostaging. Reddit’s webapp on mobile is notorious for webhostaging you into downloading their native app. It’s literally unusable.
There should also be a name for ostensibly public social media sites that webhostage you into signing up. Instagram comes to mind.
"webhostaging" is a much catchier name than the other suggestions in sibling comments, I think, and more memorable because it sounds weird (a bit like "webhosting"?).
It's so clever I think I'll start using it, and also telling people I came up with it by myself.
I think a verb-oriented word is more powerful at shaming than a noun-oriented word. I think Crap is a little too vulgar to appeal to most people, some might feel uncomfortable at work saying crap for instance. But try it out!
Yes there needs to be a single use site for this. Everyone is familiar with this, it just needs a catchy name so people on Twitter spread this and easily shame websites en masse for doing it. Webhijacking is too similar to webjacking IMO https://www.geeksforgeeks.org/web-jacking/
Slack, too. Slack has a perfectly good workspace sidebar in their web app, but they hide it unless you're on a Chromebook (where you can't install their native app).
Depends on your Chromebook, I have an Acer R13 and it's installed and running (just checked it). Android apps don't have a designated "runs on Chromebook" flag as far as I know, so you can't really block it.
But Chromebooks are sometimes a little bit special. I'm working on an app right now which is designed for tablets and wanted to check if I could run it on my Chromebook, because of the bigger screen (13" compared to Samsung S5/S6 with ~10") and I couldn't install it from the alpha channel. The thing was, it has a camera, a front camera, but the Manifest.xml required the default camera permission which was missing and this prevented me from even finding the app in the PlayStore.
And Slack as an app is basically only the website. All the "native" apps seem to just render it (Linux, macOS and Windows are Electron apps, the Android version feels like a WebView).
I think the eventual limitations on 3rd party apps are coming. A major part of the community has used/ is using the superior 3rd party alternatives, and they need to figure out how to nullify those advantages. It is inevitable because they want that sweet advertisement money for which 3rd party apps are a barrier.
It's a shame Firefox just ditched the SSB project instead of fixing the bugs and making it visible for PWA use. They say it's because people weren't using it, but it was another thing that was hidden behind about:config and had some glaring bugs, which are two strong reasons why people probably weren't using it or didn't even know about it.
Indeed. They're sandboxed and you can alter the webapps in the browser. I mildly edit the CSS of most of the websites I frequently use over time with Stylus.
As long as those apps will run in my web browser, I'll run them there. I don't install any of their "native" apps. Although Google Meet is getting very difficult to run in Firefox. Crashes all the time.
I'm going to try to capture a crash report and send it to you.
I should note that it's not a "crash" -- it's just that I get immediately disconnected from the meeting when I have my video + audio on and then someone else joins. I'll try to get some repro steps and send to you!
Doesn't Google Meet not have a native app? We use Google Meet at work and using a browser to screen share a browser or IDE window seems to absolutely peg my CPU no matter which browser I use.
I have no love for Zoom but at least they have a desktop app so I can screen share without bogging down my whole machine.
Google Meet crashing is interesting. I use it literally every day for meetings and I run Firefox as my primary browser (on Linux though, if that matters). I can't recall ever having a crash from it.
I ran into the issue recently where Zoom's web client wouldn't display my camera's correct aspect ratio. Their full client (on a burner laptop, don't trust them) had a setting to fix it.
It’s true that installing a native app requires a lot of trust, but on the other side of the coin, it’s not currently possible to do end-to-end encryption securely in a web app, and content in web apps is vulnerable to browser extensions with blanket permissions (there are many ubiquitous ones). Web apps also don’t have access to the OS keychain or any ability to set file permissions, meaning they can’t store local data securely without help from a server.
So if you want real data privacy, you need a native app, despite the drawbacks you point out.
The key difference is running a signed, static bundle of code (or binary), rather than a bunch of code that is loaded dynamically from a server on every request, which can be modified without leaving any trace.
So running WASM wouldn't make any difference if you're relying on a server to deliver you that WASM on every request. A compromised (or subpoenaed) server could simply ship you a compromised WASM payload for a single request and you'd be extremely unlikely to ever find out. If Signal wanted to add a backdoor, otoh, they'd need to ship it as a signed update to all their users, with all the reputation risk that entails.
Whether a native app is simply a browser underneath doesn't matter, just how the code gets delivered to the user. Even a browser extension or chrome app could work, since they are run from a signed, static bundle rather than from a server.
Encrypted media streams seem like a DRM feature? I don't think they have any relevance to end-to-end encryption.
I completely agree. macOS, at least since Catalina, has been seeking more specific permissions for apps which is good.
One particular video conferencing software asked for permission to read key strokes from any process! A very weird request. The only non-nefarious use case I can think of is that they want to allow keyboard shortcuts to work even when their app isn't in the foreground.
That seems really problematic though. I could be on a text editor, or the terminal or anywhere else requiring text input and might not be expecting this behaviour.
I don't get why Apple doesn't provide an API for registering global key bindings. All it needs is user permission for a binding to be registered, and some kind of preference pane that shows you an overview of registered bindings.
They can't? There's a setting in Firefox "Block new requests asking to access your camera" that you have to enable explicitly.
I'd rather have a browser that cannot access these things at all. Now I've to hope that the permissions work and the implementation is bug-free (my trust in that is quite low, browsers are too large).
If you don't select that setting, is the default to always allow, or ask every time? If the latter, then the setting is just a convenience for those who always expect to select "deny", rather than any broadening of permissions.
But you can put your computer behind Pi-hole or add some of Pi-hole's lists to your hosts file, which would prevent them from communicating with tracking domains completely... unless they also bundle some sort of a proxy or a VPN.
WhatsApp, Messenger, Slack and Discord are all just Electron, so almost identical anyway. Zoom has extra desktop features. Teams has slightly more stuff on desktop, and it's Electron.
Note that coveryourtracks will be biased towards people who are private. It's a good way of identifying information that you're leaking, but you'll also see stats like 1 in 11 users disabling Javascript, which is just not representative of most of the web -- 10% of users on most sites are not disabling JS.
It's still very useful, but don't take every single number it reports as gospel. It's tracking how unique you are among people who purposefully visit a fingerprint testing site.
I casually browse with Js disabled. Everyone should. It’s a security nightmare to casually surf the web with Js enabled once you realize the frequency of WebKit/blink zero days being disclosed per month. iOS watering hole attacks are especially prevalent, even if those exploits tend not to be persistent. They just need to steal all your info once. Exhibit A: https://www.bleepingcomputer.com/news/security/google-warns-...
There are a lot of advantages to browsing casually with Javascript disabled, assuming you're OK with needing to manually fix some of the sites you visit. I browse that way myself as well; that's why I can see the results I see when I load up the tracking site. Side note that uMatrix is officially deprecated at this point, but it's still a great resource for disabling scripts globally and enabling them site-by-site as needed.
But 1 in 11 people on the web are not disabling Javascript.
I just tried cover your tracks. What's blowing my mind is the "System Fonts" field. As a designer, I constantly download fonts, and it makes my browser extremely unique it seems.
This is why Safari only exposes pre-installed fonts that come with the system to web content; it removes what can be a very unique fingerprinting data point.
I found out about screen-sharing through browser when I started using Discord app on the web. Was a very revealing moment for me when it came to insane advances in web technology.
10 years ago it would have been unimaginable, but 20 years ago you could have done all of this with ActiveX controls.
(Oh and yeah 20 years ago I had AJAJ by just loading the target URL in a hidden/offscreen iframe and reading its contents programmatically. Never mind the fact that I could also read contents from the user's hard drives ... although I didn't use it for this)
You say that like the web hasn't been. Hell, even if everything always worked properly, there were no XSS attacks, and users weren't easily fooled, the web would still be full of malicious actors in the form of tracking and advertisement.
Remember, we invented pop-up blockers because advertisers abused it, and we've been in an arms race with those assholes ever since. Tracking and ads in desktop apps came from the web ecosystem and now we're stuck with it.
I don’t think you can equate the two. ActiveX was barely sandboxed... in fact I’d like to say they were not sandboxed at all. They were native code running basically as root on your machine.
It was something that came back when Microsoft was still convinced the internet would be a fad. Those ActiveX things could do all sorts of fun exciting things on your computer.
Oh ActiveX was definitely worse, I should know since I was using the internet plenty when it was prominent. My point is, though, that malicious actors still basically control the web. They may not be executing native code without any controls, but that doesn't mean that the modern web isn't still their playground.
Oh yeah speaking of popups I once made a horrendous bouncing image script for IE 5.5 that allowed images to fly around your screen outside the browser window.
There are many negative things that could correctly be said about Javascript.
But this? This comment is absolutely special.
ActiveX controls were native code, with full system access by design. Possibly even worse, it was an absolutely blatant attempt by Microsoft to monopolize the web and maintain Windows' and Internet Explorer's dominance, as the controls were of course (in practice) intimately tied to IE on Windows on x86.
It was incredibly common to see Windows installs utterly compromised by ActiveX controls doing god-knows-what, to both the infected computer and every other computer on the corporate network.
The damage to individuals and the economy in terms of lost productivity and compromised personal information directly attributable to ActiveX's "compromise my system by design" nature is incalculable.
To compare that to Javascript is rather spectacular.
If you want to argue that Javascript has been able to wreak more damage over time precisely because it's not as objectively insane and immediately destructive as ActiveX, well fine. It could be said that Javascript is Covid-19 to ActiveX's ebolavirus. Ebola is so wantonly destructive that it kills many of its victims before they have a chance to infect others, whereas Covid's less-awful nature has actually allowed it to harm more people over time and is now probably here to stay, like influenza.
Flash was an abomination, yet you could disable it with barely any consequences. Same with ActiveX.
This was very nearly not the case.
IE/Win had close to 100% market share at one point. We were a hair's breadth away from a future where you could, in fact, not disable ActiveX without shutting yourself off from much of the web, like Javascript today.
South Korea was actually there for a time. If you wanted to spend money online, various regulations meant running ActiveX was a requirement.
Not that common. A bigger plague (though somewhat later if my memory serves me right) was toolbars that were sneaked into every other application.
The power consumption alone of JavaScript easily shadows that. Pretty much no desktop computer in the world can go in lower sleep states because of javascript "idling" in the background. And a decent percentage of CPU cores are constantly pegged at 100%. Imagine the number of batteries that have prematurely died because of the stress of javascript - when all the user wanted was to read static text.
Enabling ActiveX for your bank site is hardly the same. The real issue was running it on another OS than Windows. Happily trade it for what we have today though.
I miss the old internet too. But think about the way things were trending, and the way they have trended.
Online commerce, content delivery, and advertising are what, multiple trillions of dollars' worth of business?
Once the web/internet became established and began trending toward ubiquity, companies were clearly always going to invest a lot into vying for our dollars and eyeballs. Without viable competition in the form of web standards, Javascript, and operating systems besides Windows it's almost certain that the evolving web would have leaned into ActiveX and/or Flash and made them essentially a requirement in much the way that Javascript is currently a requirement today.
The timeline we're living in is not ideal, and I really dislike Javascript for a number of reasons, but it's also one of the primary reasons we're not living in an even worse timeline.
There was always going to be something like Facebook. Now imagine Facebook... except powered by ActiveX instead of Javascript. Apologies if you just vomited as violently as I did while typing that. But when you talk about gladly trading Javascript for ActiveX, that's the sort of absolutely ruined world you're pining for.
But ActiveX didn't die because of competition, it died because it was terrible. The same fate happened to Java applets. There was no real mainstream momentum for either.
For sure things would have been different if Microsoft had really tried to exploit their monopoly. But they just left it there as if waiting for the competition to catch up and surpass.
Flash could have been it, not that Flash was much better but at least you could read text without it.
It could be that anything would be made to suck. But it doesn't really follow that money means tracking to this extent and comes with such poor user experience. With trillions of dollars on the line we make it so slow it is barely usable. Oftentimes there are many layers of popups and checkboxes just to get at the content. And somehow that is worth it? The incentives are insane. Tragedy of the commons is putting it kindly.
Dark patterns are at an all time high. The techniques in the nineties used by criminals to trick you into running that attached executable in outlook express are now finessed by the largest corporations to trick you into allowing them to track you even more. On top of that the monoculture situation is pretty terrifying.
I wouldn't bet on humanity not being able to make it worse but it is hard to accept the state that we are in.
> South Korea was actually there for a time. If you wanted to spend money online, various regulations meant running ActiveX was a requirement.
This playbook is happening again in China now. Not with ActiveX but with WeChat and AliPay. It's increasingly difficult to live there without either of the two apps and I think it does not bode well for the future for society to be reliant on two private corporation apps for basic needs, in the same way that it was not a good idea for the world to be dependent on ActiveX 20 years ago.
Tons of business apps were written in ways that required ActiveX. It was one of the main reasons so many companies held on to ancient versions of IE.
Sure you could disable ActiveX but in practice it would have been rare.
People bitch that sites don’t support people who disable JavaScript but it really isn’t worth catering to that type of person. I’ve been in multiple shops where we had the debate about how to handle non-JavaScript clients and every single time all the developers agreed it wasn’t worth the hassle.
This includes companies who had blind developers using screen readers and companies that had major legal liability if the site wasn’t accessible. The “screen readers don’t support JavaScript” argument has been dead for years now. The only people without JavaScript are those who intentionally disable it.
It’s just not worth building what is almost a second website for an incredibly tiny amount of non-JavaScript viewers out there.
Yes, and that was for internal use on the intranet. And yes, it was a huge problem that they insisted on using such old versions of IE, but that was the issue - not ActiveX.
Perhaps the question should have been, why make a special version for the ones with javascript?
Year after year the web remains my favorite platform to use and develop for. No other platform comes even close to the compatibility, reach, staying power as the web. Here's to 100 more years of the web (or something web-like in the future).
But I'm afraid we're in its dying days, at least as far as the original ideals of the web were concerned.
In our rush to make browsers more powerful application platforms rivaling operating systems themselves, we raised the bar so high that we ensured the web's destruction: by guaranteeing that it would eventually be effectively controlled by a single browser maker.
In practice, this was probably always going to be Google, but if it wasn't Google it would simply have been some other Google-sized player.
I'm still trying to figure out whether these capabilities are a good thing or a bad thing. On the positive side, what can be done through a web browser is absolutely amazing and web browsers offer finer grained control over resource access than the typical desktop operating system. On the negative side, most of these capabilities have privacy and security risks that are disproportionate to their value in a medium that is primarily used for media consumption.