- with disk drives, we have programs sharing the same spaces, so passwords appear
- shared time on a processor is next
- prevents access to other users
- ensures the CPU time is "paid for"
- As the web grows, humans cannot remember their passwords
- RFC 1738 (1994) - describes URLs & use of passwords in URL
- sent in cleartext!
- aware this is a problem
- "clearly unwise"
- massive understatement
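
The RFC 1738 point above, as an added example that is not from the talk or the original notes: a small Node.js scanner that finds `scheme://user:password@host` URLs in text such as logs, flags the ones on schemes without transport encryption, and redacts the password. The scheme list, function names and sample log lines are assumptions constructed for illustration.

```javascript
// Added example: find RFC 1738-style credentials (scheme://user:password@host)
// in text such as logs or config files, and redact the password.

// Assumption: schemes treated here as having no transport encryption.
const CLEARTEXT_SCHEMES = new Set(["http:", "ftp:", "ws:"]);

// Candidate URLs: a scheme, "://", then everything up to whitespace or a quote.
const URL_CANDIDATE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Return one finding per URL that carries a password component.
function findUrlCredentials(text) {
  const findings = [];
  for (const match of text.matchAll(URL_CANDIDATE)) {
    let url;
    try {
      url = new URL(match[0]);
    } catch {
      continue; // not parseable as a URL, skip it
    }
    if (url.password === "") continue; // user-only or no userinfo at all
    const redacted = new URL(url.href);
    redacted.password = "REDACTED";
    findings.push({
      host: url.host,
      user: url.username,
      cleartext: CLEARTEXT_SCHEMES.has(url.protocol),
      redacted: redacted.href,
    });
  }
  return findings;
}

// Return the text with every URL password replaced, for safe log storage.
function redactText(text) {
  return text.replace(URL_CANDIDATE, (candidate) => {
    try {
      const url = new URL(candidate);
      if (url.password === "") return candidate;
      url.password = "REDACTED";
      return url.href;
    } catch {
      return candidate;
    }
  });
}

// Constructed sample input (not from the talk).
const SAMPLE_LOG = [
  "GET ftp://alice:s3cret@files.example.test/pub/report.txt",
  "fetch https://bob:hunter2@api.example.test/v1/items ok",
  "GET http://www.example.test/index.html",
].join("\n");
```

A password in an `https` URL is still flagged: it is encrypted in transit but ends up in logs and browser history, which is where this scanner would be run.
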
- it's insecure
- it's complex
- complexity => insecurity
- brilliant in being decentralized and the initial web was very simple
- W3C cannot remove any complexity / standards, but they can only "add bugs"
- container for `Key: Value` pairs
- negotiation - browser & server agree on formats to exchange
- req / res protocol
- http req one thing, blocks, then req another
- added channels, which adds complexity
- convenience for ugly, unmemorable numbers (IP)
- trademark issues
- not trustworthy (attacker can force redirect)
- so complicated we still don't have it working correctly
- can be verified offline
- was this desirable? if we're not online, why check this?
- needless complexity
- "I don't trust them."
- Verisign just accepted money to issue a cert
- hacked
- lied about being hacked
- issued bogus certs
- hundreds of other CAs
- browser trusts all of them equally
- complex
- thus came Markdown
- SPAs: also terrible. not designed to do this at all
- we've spent decades learning how to use this effectively
- it's amazing we've been so successful
- I hate for 3 good reasons
- where XSS comes from (handlebars)
- everything becomes HTML - Layer Leakage
- "It's a Trap" - if everything is focused on making HTML, we'll never be free
- "worst API ever invented"
- crappy style sheets
- designed to do technical documents
- amazing we made it work, but that's not what it was for
- hot mess. getting messier.
- good parts in ES15, might be some in ES16 even.
- keeps getting bigger and bigger
- "there is a good language inside of this language"
- "I'm hoping one day we'll get rid of JS, b/c I'm really tired of JS"
- "it's still better than everything else"
- many have tried
- MS, Apple, Adobe, Oracle, and more (Google! DART!)
- tech was much better
- most cases, closed system
- there was no transition plan
- I don't want to replace it, I don't want to capture it
- I want to keep the things it does well
- my model is based on HDTV vs SDTV
- NTSC: "Never Twice the Same Color"
- if TV goes out, riots will happen
- FCC and Supreme Court were even involved
- set top box was something on top of your analog TV
- if given a URL you can pass to another application (think iTunes links)
- Convince one progressive browser vendor to integrate this helper app
- Convince one secure site (FI) to require its customers to use this browser
- Risk Mitigation will compel other secure sites
- Competitive pressure will compel other browser vendors
- The world will follow for improved security & faster application development
- nothing breaks! (No changes at all to current HTML.)
- ECC 521
- AES 256
- SHA-3 256
- human meaningful
- securely unique
- global: decentralized
- ECC521 public keys as unique ids
- guaranteed unique
- blobs over the wire will go really fast
- req / res cycle will break, so we don't have to wait for that loop
- can send messages and receive data and no need to wait
web: publickey @ipaddress / capability
- keeps creds & relationships in cloud in some secure way
- avail across devices
- pet names - friendly name
- model for computation.
- nothing gets in / out except for the correct containers
- much stronger than sandbox - no leaks
- "if you have a cat like I do you don't like that"
- each party gets its own vat for even a single application
- can't corrupt or confuse each other
- exchange JSON messages
- "cooperation under mutual suspicion"
- I have a hard time trusting things; with this model I don't have to
- I put your code in a vat and don't worry it can only do what the API does
- probably Node.js
- two problems
- way overspecialized for HTTP
- I have much higher security requirements than Node does
- Qt (cute)
- dev'd in Norway
- just the visual presentation and interaction
- no access to file system or network
- Vat has access to FS and Network, but not display
In the meantime, keep doing what you are doing
- I don't see value in type systems
- the best one is in Haskell
- I find I'm more productive with just plain old JavaScript
- turns out if you were raised in Java and you can't think functionally, then it's a good thing for you
- functions are so much more expressive
- classical programmers will go to their graves never knowing how miserable they were
- I'm not saying type systems have no value, but there is not enough value yet