There are a number of interesting things happening at the same time but today I am going to talk about Firefox3 offline support and how it can change the way we perceive web applications. Keep in mind that this post is a pure speculation. Firefox3 is noware complete, so we should really talk about problems that don’t exist.
It is kind of official that Firefox3 will support offline applications. This means that we, as users, can use applications such as GMAIL or Google Calendar without the need of being connected. This is quite good thing in situations where you don’t have web access but you still want to check your calendar, maybe even update it, write a draft email and check the 20 most recent entries in your inbox. All the changes that you perform offline will be synchronized with your online profile as soon as you connect.
This is very nice but it raises a few concerns about the offline applications integrity and security. The first point that I want to bring is that if a web application can work offline, for sure web malware can do the same. Moreover, offline web malware might be able permanently cripple offline web application with spyware functionalities and other malicious tools.
Here is a simple example of how this feature can be abused. Again, this article is pure speculation. If GMAIL is affected by some kind of Cross-site scripting vulnerability, can the attacker permanently plug malicious code inside the application offline source base. The browser cannot really differentiate between malicious and non-malicious code, which means that, in theory, this can happen.
So, what the attacker can do if they succeed? Well, it depends. However, given the fact that the malicious code is part of the application, attackers can definitely control not only the offline application logical flow but also the synchronisation and local storage facilities. This sounds dangerous.
Offline web applications, although executed straight from the browser are like desktop applications. I mentioned on a number of occasions that bridging web with the desktop, in general, is not good idea, although I can clearly see how useful and beneficial that could be. Browsers will support offline applications no matter what. Firefox3 is ahead of the game. IE, Opera and Safari are somewhere behind, but I am sure that they will catch up.
Here is one interesting thing.
Although Mozilla is an open source organization, some of its top workers are employed by Google. So it’s a very cozy relationship. We’ve discussed before how Firefox 3 as information broker suits Google very nicely, because the Mountain View company has a number of best of breed web apps – and if it’s not building them, it’s acquiring them (YouTube, JotSpot, Writely, etc). readwriteweb
Ben Bucksch responds:
Good stuff to think about. However we’re trying hard to keep the security model the same as the existing online model.
For example, we won’t allow offline apps to run “in the background” any more than we allow online apps to do so. On the downside this means you must explicitly visit the application page to resync when you get back online; on the upside, malware wouldn’t be able to run invisibly.
Furthermore, the offline cache that stores offline application resources is just a cache and it’s only used when you’re offline. When you’re online the application will run using normal HTTP caching mechanisms and offline-cache resources will be revalidated against the online source. So I don’t think this opens any new avenues of attack that don’t exist with existing browser caching, unless we stuff up our implementation somehow.