As a grown-up guy of 36, I still love the original Donald Duck comics. Especially the ones from Carl Barks, who practically invented everything in Duckburg as well. And then you have Uncle Scrooge and his cubic money warehouse. What I love most about it are the million and one tricks to make it secure against the Beagle Boys. Which, more often than not, result in more problems than security.
Hey… another wonderful segue into my subject of the day. Because, for the last two weeks I have been trying to figure out a sort of design flaw in web browsers these days. Because I found out that in some cases we are absolutely limiting the power of our computers and programs by trying to make everything secure.
In yesterday’s post, I mentioned the amount of phishing emails I get, and how I called for at least more creativity if my mailbox is not going to be less stuffed with junk mail. But it is weird that I do need a pretty large amount of computing power to run security. And not even that alone will suffice; you as a user are required to pay attention too.
Now, I do not have any problem with requiring people to act responsibly and carefully, and to have a sense of security. But the issue seems to be that we actually start to limit the freedom that we have with a computer, to make sure we are secure.
Let me rephrase that: The natural security of a computer is so flawed, that part of its own right of existence is to secure itself.
It is like a human needing to breathe so that it can breathe. It makes no sense. Sure, right now, running 8-16 cores on your server or desktop leaves enough left for all the other stuff you want to do with your machine. But it is weird in the first place. It is like having a completely shot-up immune system. Every tiny threat is a life-threatening one. If you have a healthy immune system, and you get a ‘security breach’, you will get sick, but you will get back on top of it (in most cases). A computer has the immune system of, well, a dead canary. Worse, because of all our nice anti-trust acts, our OS manufacturers are not allowed to even deliver a standard security suite with their OS. Nice going. Like putting a newborn in the wolf-cage: “Go ahead little fella’. Show ’em whut yooov got!”
So, right now, all kinds of software get all these security bits and pieces built-in. Which actually makes our life pretty miserable. Not only because we have to keep track of so many more things as a user, but also, all the software becomes bulky and slow. I don’t want bulky and slow. I am already bulky and slow, I don’t want my computer to be!
Take your browser. Your nice, newly updated browser actually does not allow data to be exchanged between one domain and another. Let me repeat that… by default, website abc.com cannot get any data from website xyz.com. And this is to prevent accidental (or incidental) cross-site scripting. Fine. I understand. But I also cannot do it when I say that I own BOTH abc.com and xyz.com. Your browser will stick up its middle finger to me, and give me a big F-you! I am not allowed to do that.
I want to. It saves me a lot of time and effort, and I can secure that whole transaction. But no… Google, Mozilla, Microsoft and Opera moon me and tell me I am not allowed.
Now, I hear some of you telling me that there are ways around it; like proxies, XDM’s and whatever… but that shows my point. There is a demand for this functionality that is completely valid. And there are ways around it. Only, to make it work, I have to run extra software, waste valuable resources and time, make my productions slower, to do something that should be possible in the first place.
Flash and Silverlight at least offered the option of a simple XML document on the server that held the data, which would allow a certain domain to read that data. And if that domain was on the list, no questions asked, it would send the data. Fine. But since Apple so nicely practically killed the future of Flash and dumped us into the highly overrated HTML5 era, we have to make do with a lot of crap.
Sure, HTML5 allows some sort of cross-domain data retrieval, but not the standard way. And not only that, it is not deployable… and until the majority of browsers support this, we cannot build upon it for mainstream sites.
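The cross-domain retrieval that HTML5-era browsers allow is CORS (Cross-Origin Resource Sharing), where the server holding the data names the origins allowed to read it, much like the Flash policy file. As an added example (not from the original post), here is how xyz.com could let pages on abc.com read its data; the https scheme, the allow-list contents and the sample payload are assumptions.

```javascript
// Added example: xyz.com decides which origins may read its data (CORS).
// ALLOWED_ORIGINS plays the role of the old crossdomain.xml allow-list.
// Hostnames come from the post; the scheme and payload are assumptions.
const ALLOWED_ORIGINS = new Set(["https://abc.com"]);

// Return the CORS response headers for a given Origin request header.
function corsHeadersFor(origin) {
  // Vary tells caches the response differs per requesting origin.
  const headers = { Vary: "Origin" };
  // Exact match on the full origin (scheme + host + port). Substring or
  // suffix checks would also admit look-alikes such as abc.com.example.
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Minimal handler for xyz.com's data endpoint, without a real server.
function handle(method, requestHeaders) {
  const headers = corsHeadersFor(requestHeaders.origin);
  const allowed = "Access-Control-Allow-Origin" in headers;
  if (method === "OPTIONS") {
    // Preflight: the browser asks before sending a non-simple request.
    if (allowed) {
      headers["Access-Control-Allow-Methods"] = "GET";
      headers["Access-Control-Max-Age"] = "600";
    }
    return { status: 204, headers, body: "" };
  }
  // The browser, not the server, withholds the body from a page whose
  // origin is not echoed back; the server answers either way, so this
  // is not a substitute for authentication.
  return { status: 200, headers, body: JSON.stringify({ stock: 42 }) };
}

// Constructed sample requests.
const samples = ["https://abc.com", "http://abc.com",
                 "https://abc.com.example", "null", undefined];
for (const origin of samples) {
  const res = handle("GET", { origin });
  const acao = res.headers["Access-Control-Allow-Origin"];
  console.log(origin, "->", acao || "(not readable cross-origin)");
}
```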
It is like uncle Scrooge trying to secure his warehouse. The medicine more often than not is worse than the disease.
Is there a solution? Organisms worked millions of years in evolution on their immune system… computers as we know them have been exposed to these kinds of default threats for only about 20-30 years. Maybe we have to wait. But this waiting really blocks creative progress.
It bugs me.