Future of a SAFE Browser and node/webAPIs


#41

My point is that if MaidSafe provide what people need, which will be most people’s first means of accessing SAFE, far fewer people will end up using alternatives which we both expect will not be as secure as a MaidSafe solution.


#42

Your argument was already addressed here:

Too much energy would be required to create both a great UX and airtight security that caters to people who will likely adopt the technology months after its release. It is during THAT time expansion of the browsers’ capabilities should be considered and coded with the help of a much larger enthusiastic and capable community.


#43

After reading a recent post on the general forum about a safe site opening clearnet links, I put together a little safe site to showcase why I think allowing the Safe browser to handle http requests is a very bad idea:

safe://http-trap

Please note that this will really leak your IDs and IP on clearnet, in clear http text: please do not use any important IDs for this test! Stay assured that I don’t log anything, though.

The code is in index.hml

EDIT: if you want to check what it does, without triggering the trap, open safe://httptrap in your safe browser, and deny container permission when asked by the authenticator. Then you can safely browse the code sources in the console.


#44

I think being able to open http:// links is a necessary feature for its wide adoption. If you look at the bigger picture, no one will be motivated to download and use safebrowser otherwise besides the developers or maybe the 5000 people in the forums.

The browser just has to be more secure when opening http links. The example outlined by @nice could be an issue that can be updated in a security patch. Maybe even if the browser can not open any http, there could still be security exploits which people can do to collect browsers’ IP addresses.


#45

Not so sure really, if you look at WeChat for instance, a whole economy + app ecosystem in a single app. It is huge and others follow, like facebook + messenger (no outside calls to other systems AFAIK), or signal again no outside calls or whatsapp or …

All very well spawning an OS association for HTTP traffic, but it is not necessary inside a secure ecosystem (app/platform) for a secured app to allow a data/access API that can be abused from an insecure network.

[EDIT] Perhaps the confusion is the word browser, a SAFE browser is for browsing SAFE only, a web browser browses http (+ some other limited protocols) traffic which is a different network really. People have their own web browser and are happy with it, we don’t necessarily need to get in their way or demand our apps / platforms work in that browser. In many ways it is much better to keep these distant.


#46

Coming from a Chinese background I often use the app, especially when in China and I know how it started and what it does, it’s not the same as SAFE, at all, so you can’t infer SAFE’s success based on Wechat’s success, SAFE may be successful, but it definitely is not related to Wechat.

When phone companies were charging for calls and texts, Wechat came out as an alternative, people quickly downloaded and used it so that they don’t have to pay. Privacy-wise, people in China could give less of a fuck if government ‘spied’ on their conversations, unless they’re anti-government, but honestly, growing up in China, I can definitely tell you the people there care a lot less about ‘privacy’ than the western world. As long as it does them no harm, they don’t care if the government monitors everyone, they know the government is doing that to maintain control.

When the government blocked Facebook in China, the company quickly saw the demand for social media and lack of supply, and since so many people use Wechat, they then introduced ‘moments’ which is almost like Facebook and instagram combined. People can share status updates and other people can like and comment. So it grew more, but, when people shared those updates, it basically always linked to current http websites, it fared very well because it interfaced with the current world very well, it gave supply to a sector in demand. Then it quickly spawned digital payments where you can scan a QR code and pay for things immediately, now, even 70 year old rural grandmas who sell their homegrown crops use it, but guess what though? It’s simply digitalising the Chinese Yuan and when you click withdraw, you get a bank transfer in less than 10 seconds to your bank account and it clears instantly, again, interfaced with existing currency system very well.

SAFE browser, if it does not support http links, will do NONE of that, it’s starting from complete scratch - First, all the websites have to be built by people and/or paid to be migrated by people to SAFE, otherwise there are simply no good websites in SAFE, hence browser is very limited in its usefulness to everyday people. Second, its native currency, even if you have it in an easy to use and easy to transact mobile app (which BTW is essential to its adoption), you have no fiat backing it, for all China is concerned, as long as the government there reigns, not many will get safecoin if you have no guaranteed, easy hassle free and instant conversions to Yuan at a rate that doesn’t fluctuate 20% every week, which, with safecoin or crypto, you can’t have that. It may just be like Bitcoin there currently more or less (although if it’s less fees and more transactional, MAYBE it’ll be used a little more than BTC)

So anyway, point I’m trying to make is, yes, Wechat is successful, but it’s based on completely different dynamics to what safe is doing. The second point I mentioned in the previous paragraph, you can’t do, as it’s a completely new currency system that’s not fiat, people just have to get used to it. But the first point, you can, restricting safe browsers to http will make the interface with the current world even harder and hence rate of adoption will definitely be slower. It is possible given enough time, though, but if you can fix the security issues, why not do so, so that the adoption will be faster rather than slower. And one more thing, if there could be an app created, that is a VPN service someone is hosting to access to clear net from the safebrowser, that’ll be also fine wouldn’t it?

(This is off topic but informative: Some people from the West think Safe is going to be big in China, sorry to break it but most likely, it won’t be. Just like Tor and VPN, most Chinese could give less of a fuck, although, it is important to those who do (which is maybe 0.01% or less of the population in China), and for tourists, but just not the majority of people, unfortunately.)


#47

mmm, not sure.
TVs didn’t allow you to tune radio stations when they appeared, but they introduced a new dimension to broadcasting and were massively adopted.
Mobile phones didn’t access internet when they appeared, but they offered a new dimension in 2 points communications, and were massively adopted.
Satellites don’t let you access underseas wires communications, but they introduced a new dimension in overseas communication, and were massively adopted.

The guys at the wire companies told Marconi wireless radio communication was worthless and would never be adopted, too.

Thing is, Safe is not a vpn or another ToR. The aim is not to allow people to use http under cover.
It expands the concept of “internet” in many new dimensions, including but non-exclusive: autonomy, decentralization, data breach resistance, immutability, censorship resistance, self healing, self balancing. Small details…

While the Safe network may well take longer to get mass adoption than Pokemon go, I have a feeling only one of both will still be there in 30 years, and widely adopted.

My point with the IP and ID http leak was that a script kiddy can, in 15 minutes, defeat the whole privacy and security aspects of the project, if an application exists that allows said script kiddy to run code inside of it and make http calls.


#48

I would suggest following the Unix philosophy. Do one thing and do it well.

There are plenty of browsers for the oldnet. There needs to only be one for the safenet when it launches, and the faster and safer and more stable it is the better. You are making it open source so people will be able to contribute as it gains broader adoption, and variants will arise for any cute features you don’t think of. To keep efforts centralized I hope you would consider bringing on board a plugin system like firefox, which you kind of already have via the “apps”. Current oldnet plugin developers will come on board and port their projects to the safenet as long as there is a well documented api and a lot of users. Security concerns are important too, in order to block malicious code being run on the client’s computer (No-script plugin anyone?).

Some people might have an emotional attachment to their oldnet browser, but browsers come and go. We’ve had aol, netscape, ie, firefox, chromium, safari, etc. It’s been an evolution. Remember that the oldnet will not really be relevant or will cease to exist if safenet is successful. Nothing wrong with forking an existing browser code base, just make sure all the nonsense and garbage is completely stripped off it, including license restrictions.

"Do not do anything that anyone else can do readily."
— Edwin Herbert Land

Oh, one more thing. I can only offer a big NO-WAY vote to HTTP. The browser should only allow native secure/SAFE protocol.


#49

We definitely need HTTP too in the browsers to trigger earlier adoption, i.e. even if it’s just a redirect to the safe protocol alternatives. As long as this is optional it should be ok for everyone then.


#50

You have this backwards. A safe browser would redirect any traditional http/https/ssh/ftp hyperlinks to one of the standard oldnet browsers on the user’s system. Eventually as the oldnet content enters safenet, popularity would demand that devs/maintainers of firefox/chrome etc work to bring their projects into compliance with SAFE on their own. No need for MaidSafe to work on conforming, which would make SAFE become unsafe. :wink:
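
The link handling argued for in posts #43, #47 and #50, as an added example that is not part of the thread and is not SAFE Browser code: a request policy that keeps `safe:` traffic in the browser, hands user-clicked clearnet links to the system browser, and blocks every clearnet request a page starts on its own, since those are the ones that expose the IP without the user noticing. The function names, action labels and sample URLs are assumptions made for the illustration.

```javascript
// Added illustration; function and constant names are hypothetical.
const SAFE_SCHEMES = new Set(['safe:']);
const CLEARNET_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'ssh:']);

// Decide what a SAFE-only browser does with one request.
// resourceType: 'mainFrame' for a navigation, anything else for a subresource.
// userInitiated: true only when the user clicked a link or typed the address.
function decideRequest(rawUrl, pageUrl, resourceType, userInitiated) {
  let url;
  try {
    url = new URL(rawUrl, pageUrl); // resolves relative URLs, lower-cases the scheme
  } catch (err) {
    return { action: 'block', reason: 'unparseable URL' };
  }
  if (SAFE_SCHEMES.has(url.protocol)) {
    return { action: 'allow', reason: 'stays on the SAFE network' };
  }
  if (CLEARNET_SCHEMES.has(url.protocol)) {
    if (resourceType === 'mainFrame' && userInitiated) {
      // Hand off: the SAFE browser itself never opens a clearnet socket.
      return { action: 'open-external', reason: 'clearnet link goes to the system browser' };
    }
    // Script-, image- or redirect-driven requests would expose the IP silently.
    return { action: 'block', reason: 'page-initiated clearnet request' };
  }
  return { action: 'block', reason: 'scheme not on the allow-list' };
}

// Constructed sample: requests a page at safe://example-site/ might trigger.
const SAMPLE_REQUESTS = [
  ['img/logo.png', 'image', false],
  ['safe://other-site/page.html', 'mainFrame', true],
  ['http://tracker.example/pixel.gif', 'image', false],
  ['HTTPS://news.example/', 'mainFrame', true],
  ['http://tracker.example/', 'mainFrame', false],
  ['javascript:void(0)', 'mainFrame', true],
];

function auditSample() {
  return SAMPLE_REQUESTS.map(([u, type, user]) =>
    decideRequest(u, 'safe://example-site/index.html', type, user).action);
}

console.log(auditSample());
```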