What could possibly go wrong?



  • So Mozilla wants to add a new feature to Firefox called "Push Notifications" which they describe as a way for a website to send notifications to your browser even if you don't have that website open in the browser.  Wiki with slightly more information here.

    @Some Mozilla Guy said:

    Push notifications are a way for websites to send small messages to users when the user is not on the site.  iOS and Android devices already support their own push notification services, but we want to make notifications available to the whole web. (emphasis added by me)

    Despite frequent mentioning of "user permission" being required, this seems ripe for some horrendous abuse by spammers or other bad guys.  But maybe I'm just being overly cautious paranoid.  What could possibly go wrong?


     



  • I remember they tried similar "web push" technology back in 1997 or so. Like VRML, it didn't really go anywhere.

    What is the use case for this? This might be useful if, like, Gmail could tell my browser that I have new email (which could then send a Growl-like notification or something).

    I can imagine all sorts of security problems with this, but it seems possible it could be implemented correctly.



  •  It should be fine if, by default, it's only enabled for trusted sites that probably send useful notifications only. Like e.g. Facebook.



  • @morbiuswilters said:

    I remember they tried similar "web push" technology back in 1997 or so. Like VRML, it didn't really go anywhere.

    What is the use case for this? This might be useful if, like, Gmail could tell my browser that I have new email (which could then send a Growl-like notification or something).

    I can imagine all sorts of security problems with this, but it seems possible it could be implemented correctly.

    Never mind. No part of this seems to require HTTPS, so an attacker with passive read access to the connection can swipe URLs and spamageddon ensues. Also, managing approved URLs needs to be easy, or else users will just be inundated with junk. What's wrong with SMS or email? Shouldn't this be provided by the OS, not by a browser? What is going on here??



  • @morbiuswilters said:

    What is going on here??

    an apt question, my friend.

    I find myself thinking of the priority field in network packets.  If routers actually looked at it, who the hell wouldn't abuse it?




  • Meh...I'll probably wait to use it until someone writes an extension that turns my pushed notifications into email or RSS feeds.

    Wait...

    You know that right now the AdBlock guys are looking into how to whitelist these, and the new favorite addon will be the Push Spam Blocker.



  • @morbiuswilters said:

    be implemented correctly.

    hehehehehe ... yeah.



  • @geocities said:

    ...trusted sites... e.g. Facebook.

    Hmmm. I'm not sure I can think of a non-porn, non-criminal website I trust less than Facebook.



  • Hey, there are plenty of trustworthy criminal and pornographic sites!



  • A website being able to push a notification to a user via a websocket-like connection, good.

    Being able to push it to the browser without being on the website-- I can't think of any use case where this will be a good thing.

    Heck, the first thing people will do (before spam) will be to capture the "push to" address of an enemy, then sign up the push address to every single website in existence-- bombing the user browsers back to the IE5 age.

    And, to keep things on topic:  penis joke.
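
The two concerns raised in the posts above (push URLs readable over plain HTTP, and someone signing another person's push address up with sites they never chose) can both be checked on the receiving site's side. The following is an added example, not part of the thread and not Mozilla's code; the host `push.example.net`, the function names and the echo-a-challenge flow are assumptions made for illustration.

```javascript
// Added example: checks a site could run before storing a push endpoint.
const crypto = require('node:crypto');

const ALLOWED_PUSH_HOSTS = new Set(['push.example.net']); // hypothetical push service
const SERVER_KEY = crypto.randomBytes(32);                // per-deployment secret

// Reject endpoints that travel in cleartext or point at arbitrary hosts.
function checkEndpoint(endpoint) {
  let url;
  try { url = new URL(endpoint); } catch { return 'malformed'; }
  if (url.protocol !== 'https:') return 'not-https';
  if (!ALLOWED_PUSH_HOSTS.has(url.hostname)) return 'unknown-push-service';
  if (url.username || url.password) return 'embedded-credentials';
  return 'ok';
}

// Challenge bound to (account, endpoint). The site delivers it only *through*
// the endpoint, so only the browser that really owns it can echo it back.
function challengeFor(account, endpoint) {
  return crypto.createHmac('sha256', SERVER_KEY)
    .update(`${account}\n${endpoint}`)
    .digest('hex');
}

// Store the endpoint only if it passes the checks and the echo matches.
function confirmRegistration(account, endpoint, echoed) {
  const verdict = checkEndpoint(endpoint);
  if (verdict !== 'ok') return verdict;
  const expected = Buffer.from(challengeFor(account, endpoint), 'hex');
  const got = Buffer.from(String(echoed), 'hex');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return 'challenge-mismatch';
  }
  return 'registered';
}
```

Someone who has only copied an endpoint URL never sees the challenge pushed through it, so a registration made with that URL under a different account stops at `challenge-mismatch`.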



  • This requires a "notification service" between the web site and the user client. Who operates that service and how much does it cost? How will it be paid for? I know... spamvertisements.



  • @smxlong said:

    This requires a "notification service" between the web site and the user client. Who operates that service and how much does it cost? How will it be paid for? I know... spamvertisements.

    Or possibly it will be paid from the $300 Million a year Mozilla gets from Google under their new contract.





    or Spamvertisements.



  • @Lorne Kates said:

    Heck, the first thing people will do (before spam) will be to capture the "push to" address of an enemy, then sign up the push address to every single website in existence-- bombing the user browsers back to the IE5 age.

    That was exactly the first thing I thought of as soon as I read the description of this thing.





    Now that I think of it, maybe it's not such a WTF after all.


  • @Ibix said:

    @geocities said:

    ...trusted sites... e.g. Facebook.

    Hmmm. I'm not sure I can think of a non-porn, non-criminal website I trust less than Facebook.

     

    I was about to write something similar but wanted to go for the "useful notifications" part.

     



  • @Ibix said:

    @geocities said:

    ...trusted sites... e.g. Facebook.

    Hmmm. I'm not sure I can think of a non-porn, non-criminal website I trust less than Facebook.

    I was more amused by:
    send useful notifications only. Like e.g. Facebook


  • @belgariontheking said:

    @morbiuswilters said:

    What is going on here??

    an apt question, my friend.

    I find myself thinking of the priority field in network packets.  If routers actually looked at it, who the hell wouldn't abuse it?


    Are you talking about QoS? DSCP/IP precedence values?

    If the network engineer has done it correctly, the network ignores QoS values from user devices (desktop PCs, printers, etc.) and assigns its own pre-defined priority. The network can detect an IP phone and assign a higher priority to it. For devices that send multiple streams of traffic that need different priorities (a videoconferencing station, for example -- call control, video data, audio data, . . . some of these can also browse the Web, etc.) then you set those priorities on the device and lock those settings down. (Or use something like NBAR to separate the traffic to different priorities . . . we're not that paranoid, nor will our access switches do it.)

    But again, it's all about whether the engineer has the brains and the drive to do it right. Done right, there's little the end user can do to influence the priority of the traffic. (Where "little" should equal "nothing".)



  • Remember back in the 90's when browser vendors added proprietary feature after proprietary feature? If you don't, well, just change Mozilla to Netscape and Google to Microsoft and you can imagine it based on what's going on now.

    Modern IE's actually become one of the more conservative browsers in terms of proprietary features.



  • Just think of all the possibilities.... a site could send you a notification (in your browser woohoo) just after it, for instance, sent you an e-mail.

    my o my, what is the world coming to.



  • @morbiuswilters said:

    Shouldn't this be provided by the OS, not by a browser? What is going on here??

    The browser is the new OS, that's what. Given how much push there is for the browser as a generic application platform, even to the point of having a couple examples of operating systems where a browser is pretty much all you've got (WebOS, ChromeOS), I'm just waiting for someone to cut all the crap and make a kernel-mode browser.



  • @tdb said:

    @morbiuswilters said:
    Shouldn't this be provided by the OS, not by a browser? What is going on here??

    The browser is the new OS, that's what. Given how much push there is for the browser as a generic application platform, even to the point of having a couple examples of operating systems where a browser is pretty much all you've got (WebOS, ChromeOS), I'm just waiting for someone to cut all the crap and make a kernel-mode browser.

    You actually have no idea what WebOS is, do you?

    Actually I take that back after doing research because for some reason I thought WebOS used C++.



  • @tdb said:

    The browser is the new OS, that's what.

    I'm aware of that idea. That doesn't make it any less WTFy, for a variety of reasons.



  • @MiffTheFox said:

    You actually have no idea what WebOS is, do you?

    Spanish for eggs or balls?



  • @morbiuswilters said:

    @tdb said:
    The browser is the new OS, that's what.

    I'm aware of that idea. That doesn't make it any less WTFy, for a variety of reasons.

    Certainly not. The notion that HTML/CSS/JavaScript would make a good generic application platform is one of the most absurd trends in the entire IT industry. I guess the motivation is that it's easy to create UI mockups with HTML and CSS, and therefore the JavaScript part must be easy as well. Also, you can use your hipster web developers to make applications instead of having to hire all those costly programmers who demand things like version control and requirements documents. No sir, much easier to have your webdevs turn out something really slick in two weeks. Never mind that the result is usually slow, buggy and fails to work in at least one major browser (usually Opera and/or IE, sometimes Safari).



  • @tdb said:

    @morbiuswilters said:
    @tdb said:
    The browser is the new OS, that's what.

    I'm aware of that idea. That doesn't make it any less WTFy, for a variety of reasons.

    Certainly not. The notion that HTML/CSS/JavaScript would make a good generic application platform is one of the most absurd trends in the entire IT industry. I guess the motivation is that it's easy to create UI mockups with HTML and CSS, and therefore the JavaScript part must be easy as well. Also, you can use your hipster web developers to make applications instead of having to hire all those costly programmers who demand things like version control and requirements documents. No sir, much easier to have your webdevs turn out something really slick in two weeks. Never mind that the result is usually slow, buggy and fails to work in at least one major browser (usually Opera and/or IE, sometimes Safari).

    I agree that the web is a crappy application platform (although it is improving). Although the reasons for it catching on have more to do with ease of deployment, maintenance, security, etc. Network apps are great, but nobody came up with a kick-ass, cross-platform stack, so the web caught on. As for version control and requirements documents, they certainly aren't excluded from web development. In fact, I'd venture they're more common in web development than they were in desktop development.

    The fact is, the web is here to stay and the objective should be to make it as painless as possible. Web development is a lot better now than it was 10 or even 5 years ago, and there are some big improvements on the horizon. Additionally, I'm fond of the way web development has embraced conciseness and agility versus the sluggish waterfall methodologies of the desktop world.

    Finally, as an end-user, I usually prefer web apps to desktop apps. No installers to mess with, no updates to worry about, etc. I just hate HTML and CSS and some parts of JS (mostly browser support; it's an okay language on its own).



  • @morbiuswilters said:

    ...

    Wow you've risen from your eternal slumber!



  • @galgorah said:

    @morbiuswilters said:

    ...

    Wow you've risen from your eternal slumber!

    I must feed. Soon I will return to the underworld.



  •  Eat the trolls.



  • @dhromed said:

     Eat the trolls.

    Who would be left?



  •  @serguey123 said:

    @dhromed said:

     Eat the trolls.

    Who would be left?

    Me and Morbs.

     

    ALONE AT LAST

     



  • @dhromed said:

     @serguey123 said:

    @dhromed said:

     Eat the trolls.

    Who would be left?

    Me and Morbs.

     

    ALONE AT LAST

     

     

    Eating each other.

     



  •  nom nom nom



  • @Lorne Kates said:

    Eating each other.

    Giggity.

     



  • @Lorne Kates said:

    Eating each other.
     

    What's that film where they eat each other?



  • @RTapeLoadingError said:

    What's that film where they eat each other?
     

    Lesbians.



  • @Weps said:

    Just think of all the possibilities.... a site could send you a notification (in your browser woohoo) just after it, for instance, sent you an e-mail.

    my o my, what is the world coming to.

     

    then your webmail would send you a notification about the notification e-mail.

    we'll be receiving information about receiving information, it's the beginning of The Meta-information age!

     

