2022-05-24 Web Applications

The web should be allowed to be far more capable than it is right now. Seriously. I know a lot of people who grumble that the web today is already far more capable than it should be, and that overly capable web applications create a lot of privacy and security problems, but I have yet to see a convincing argument for why that is the case. On the contrary, I am fairly sure that the popularity of web applications actually reduces the attack surface of the average home PC, and the fact that web applications today can replace many, even most, native applications is a net plus for security.

My core observation behind that conclusion is that on the web, applications (sites) are untrusted by default. Aside from cases where browsers grant special privileges to sites owned by their makers, a web application has access only to the little sandbox the browser creates for it, isolated by at least the JavaScript / WebAssembly virtual machine and, in modern browsers, an OS-level process sandbox around the renderer. Anything not exposed through a JavaScript or WebAssembly API is simply inaccessible to the application, short of a direct or side-channel security vulnerability. Even where something outside the sandbox is deliberately made available, such access almost always requires explicit user interaction to proceed. In the case of file system access, for example, the user must be shown a dialog and grant access to specific files or directories before they can be read and handed to the web application, and what is granted is scoped to exactly those files, not to the whole home directory. Compare this to a native application running on a traditional operating system such as Windows or desktop Linux, which can basically access anything owned by the same user account, and it is not hard to see that your typical native application is a security (and privacy) nightmare.
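As an added example that is not part of the original post, here is the user-gated file access flow just described, written against the File System Access API (`window.showOpenFilePicker`, `FileSystemHandle.queryPermission` / `requestPermission`, shipped in Chromium-based browsers). The picker function is passed in as a parameter so the same flow can be exercised outside a browser; `fakePicker` is a constructed stand-in, not a browser API, and the `#open` button in the browser branch is an assumed element of a hypothetical page.

```javascript
// Added example (not code from the original post): a web app only gets at a
// file after the user picks it in a browser-owned dialog, and even then only
// that one file, with the permission mode it asked for.

async function readUserSelectedText(picker) {
  let handles;
  try {
    // The browser refuses to show the dialog at all unless this runs inside a
    // user gesture (e.g. a click handler); it then rejects with a DOMException
    // named "SecurityError". A dialog the user dismisses rejects with "AbortError".
    handles = await picker({ multiple: false });
  } catch (err) {
    if (err && err.name === 'AbortError') return { status: 'cancelled' };
    if (err && err.name === 'SecurityError') return { status: 'no-user-activation' };
    throw err;
  }
  const handle = handles[0];
  // The handle covers exactly the one file the user picked: the page cannot
  // enumerate the directory or open a sibling. Ask for the least mode needed.
  let state = await handle.queryPermission({ mode: 'read' });
  if (state === 'prompt') {
    state = await handle.requestPermission({ mode: 'read' }); // browser shows its own prompt
  }
  if (state !== 'granted') return { status: 'denied', name: handle.name };
  const file = await handle.getFile();
  return { status: 'ok', name: file.name, text: await file.text() };
}

// Constructed stand-in for window.showOpenFilePicker (NOT a browser API) so the
// flow above can be run and checked in Node. `outcome` selects the branch:
// 'granted', 'prompt', 'denied', 'cancel' or 'no-gesture'.
function fakePicker(outcome, contents = 'constructed file contents') {
  return async function showOpenFilePickerStub() {
    if (outcome === 'cancel') {
      throw Object.assign(new Error('The user aborted a request.'), { name: 'AbortError' });
    }
    if (outcome === 'no-gesture') {
      throw Object.assign(new Error('Must be handling a user gesture to show a file picker.'),
                          { name: 'SecurityError' });
    }
    let state = outcome;
    return [{
      name: 'notes.txt',
      async queryPermission() { return state; },
      async requestPermission() {
        if (state === 'prompt') state = 'granted'; // simulate the user clicking Allow
        return state;
      },
      async getFile() {
        return { name: 'notes.txt', async text() { return contents; } };
      },
    }];
  };
}

// In a real page the call must hang off a user gesture; calling it on page
// load would only ever reach the 'no-user-activation' branch.
if (typeof window !== 'undefined' && typeof window.showOpenFilePicker === 'function') {
  // Assumes a <button id="open"> exists on the hypothetical page.
  document.querySelector('#open').addEventListener('click', async () => {
    console.log(await readUserSelectedText(window.showOpenFilePicker.bind(window)));
  });
} else {
  readUserSelectedText(fakePicker('prompt')).then((result) => console.log(result));
}
```

The contrast with a native program is the point of the post: a desktop app reads the same file with a single unprompted `open()` call, and could just as easily read every other file the account owns.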

Can native applications be sandboxed? Sure, and there are countless solutions that do exactly that. However, because the base assumption of most desktop platforms is that all applications are trusted by default, it is very hard to properly sandbox desktop applications without breaking at least some functionality. A proper sandbox requires the application itself to be aware that its access is limited, and to ask for permissions, granted through user interaction, when it needs them. That necessitates a complete redesign of the platform -- Android, for example, although based on Linux, enforces a sandbox on every one of its applications. But, surprise-surprise, we already have such a redesigned platform -- it is called the web. Web applications were originally very, very limited and could basically only serve information rather than provide any useful functionality. Nowadays, through the addition of APIs that grant more permissions based on user interaction, many native applications no longer even need to exist. We have more code running in limited sandboxes today than we ever did.

Will adding new capabilities to web applications open up possibilities for more attacks? Definitely. However, even in the worst case, the attack surface of a web-based application is still far smaller than that of an equivalent native desktop application. When we think about extending the capabilities of the web, we need to compare them with their desktop counterparts, not with their past selves: of course a simple plaintext web page is way, way more secure than a modern web application, but that comparison is not useful, to put it nicely. It is like comparing a modern internet-connected PC to the electromechanical machines that cracked Enigma -- of course ours have more security vulnerabilities. What we do by enabling the web to replace native applications is not making the web insecure, but rather replacing insecure native components with more secure web counterparts. Of course, this all rests on the assumption that newly developed web APIs adhere to the same sandboxing and security standards as before: access gated on an explicit user action, scoped to the origin that asked for it, and revocable by the user.

In a perfect world, all applications would be free software, with source openly available and periodically audited for potential vulnerabilities. In that world, an intermediate layer called the web might only be a waste of resources. But we do not live in such a perfect world. There are proprietary applications we have to use on a daily basis, your bank's app for example, and not everyone can live like Richard Stallman, who does not even carry a mobile phone. Proper sandboxing is the way to go when a strict free-software-only policy is not possible, and for that, I will stand for the web.


Snowy Day with Peter