Freedombone Blog

Freedom in the Cloud

The end of the Web?

Something seems to be going on with the web. It seems to be heading towards a kind of endgame. For practical purposes there are only two web browser engines which most people use and they're both directly or indirectly controlled by Google. As I write this Google is busying itself trying to prevent ad blockers from working and without ad blocking the experience of browsing the modern web is some combination of insecure, annoying and occasionally horrifying. Targeted ads are like an unwelcome stalker who follows you around.

At the same time W3C - an organization already having profound flaws - appears to be handing over the definition of the HTML standard to Google. Mozilla I regard as being a proxy for Google because it's where they get their money from, and Apple, Microsoft, Mozilla and Google control WHATWG. Since Microsoft gave up making its own browser recently this really leaves Apple and Google as the new pilots of the HTML "living standard".

We can maybe see the future of the web in the form of what Google recently did with confidential emails in Gmail. If you're sending an email that way then it no longer gets transferred via the email protocol. Instead the email becomes merely a notification that something has happened on a Google server and you then have to log in to that server to read it. This is how open standards finally die, having been totally appropriated and subsumed under a superficial appearance of convenience and security theatricality.

A prediction is that in the early 2020s HTML is something delivered centrally by Google and optimized for ad delivery and metadata collection. There is a new era of utility computing in which Google data centers are the mainframes and the idea of personal computers being personal or decentralized is something quaint from the distant past. Unless Mozilla can really clean up their act I think they're heading towards a Netscape-like oblivion, although the codebase will live on and perhaps metamorphose into other things.

Now is a good time to reinvent the web and to revisit its most basic premises. Who should the web work for? Should it be just an ad delivery platform? Who should run the web and who should make the standards?

The Disappearing Firefox Addons

If you are a Firefox user or use one of its derivatives such as Tor browser then it may not have escaped your attention that all your addons disappeared, including even the default ones such as NoScript.

This appears to have been just a mistake, with someone at Mozilla not renewing a certificate. Although Let's Encrypt exists, TLS certificate expiry is still not all that uncommon, even on well known sites. Disappearing addons have been a big problem with a relatively mundane cause, but it's a problem which reveals the underlying centralized architecture.

In a decentralized or distributed web one person forgetting to renew a certificate wouldn't be a big deal. It would only affect them or anyone accessing their server or peer. But in the web we've actually got, one person at Mozilla forgetting something can render all Firefox browsers effectively useless - or at least a lot less secure. If you're relying upon NoScript in Tor browser to defend you then you could suddenly find that your defenses vanish. Welcome to the totalized web.

Checking signatures on installed software is normal. However, Firefox goes beyond this and repeatedly checks signatures every 24 hours even if addon code has not changed. It does this with a hardcoded constant called XPI_SIGNATURE_CHECK_PERIOD and there's also another constant called MOZ_REQUIRE_SIGNING which indicates that at some point the ability to manually turn off signature checking in about:config is going to go away.

Like most people, I was unaware of all this until NoScript disappeared and couldn't be re-enabled, resulting in the inevitable WTF moment. Apparently there was a minor scandal about addon signing a few years ago, but I must have missed that bandwagon and was probably busy with other things.

So how can this be improved? Within the current paradigm I think that signatures should only be checked when the source code changes. This means creating a hash of the code and storing that. If the hash doesn't match only then should the signature check take place. This would have made yesterday's debacle a lot less acute. In most cases things would have continued to work and Mozilla would have had time to update their certificate without any big fuss. Hashes could be stored natively such that they can't be spuriously modified by other addons.
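The hash-gated policy proposed above, compared with the recurring full check, as an added sketch that is not Firefox code. `AddonStore`, `check` and the constants are hypothetical names, and an HMAC stands in for the real certificate-backed signature so the example runs with the standard library only.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key
CERT_NOT_AFTER = 1_000                 # constructed expiry time of the signing cert

def sign(code: bytes) -> bytes:
    # HMAC stands in for a real certificate-backed signature in this sketch
    return hmac.new(SIGNING_KEY, code, hashlib.sha256).digest()

def verify_signature(code: bytes, sig: bytes, now: int) -> bool:
    """Full check: certificate must be in date and signature must match."""
    if now > CERT_NOT_AFTER:
        return False
    return hmac.compare_digest(sign(code), sig)

class AddonStore:
    """Hypothetical store; trusted_hashes models storage addons cannot write."""

    def __init__(self, hash_gated: bool):
        self.hash_gated = hash_gated
        self.trusted_hashes = {}

    def check(self, addon_id: str, code: bytes, sig: bytes, now: int) -> bool:
        """Run at install and on every recurring check; True keeps the addon enabled."""
        digest = hashlib.sha256(code).hexdigest()
        if self.hash_gated and self.trusted_hashes.get(addon_id) == digest:
            return True  # code unchanged since the last successful verification
        ok = verify_signature(code, sig, now)
        # Remember the hash only after a good verification; forget it on failure
        self.trusted_hashes[addon_id] = digest if ok else None
        return ok

def demo() -> dict:
    code = b"function block() {}"  # constructed addon body
    sig = sign(code)
    results = {}
    for name, gated in (("periodic", False), ("hash_gated", True)):
        store = AddonStore(gated)
        installed = store.check("addon", code, sig, now=500)    # cert still valid
        unchanged = store.check("addon", code, sig, now=2_000)  # cert expired
        tampered = store.check("addon", code + b"//x", sig, now=2_000)
        results[name] = (installed, unchanged, tampered)
    return results

if __name__ == "__main__":
    print(demo())
```

Under the hash-gated policy an expired certificate no longer disables an addon that is already installed, so withdrawing a bad addon has to go through a separate channel such as a blocklist.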

It may also be worth considering whether addons such as NoScript are so essential that they should be built into the browser codebase, rather than being something separate. In the longer term I think that's a better way to go. Mozilla is unlikely to do it, but Tor browser developers could.

Going beyond the current paradigm, the web needs to actually be decentralized or distributed. One company shouldn't be deciding what browser addons people can run and have the ability to turn them off either through malice or oversight. There has been a lot of browser consolidation such that there are now really only two web engines, and this space could do with some disruption - especially with regard to ad blocking. A new browser which has ad blocking as a core feature I think could get quite a lot of traction quite quickly.