Re: Web2Native Bridge emulator from Anders Rundgren on 2015-06-26 (public-webpayments@w3.org from June 2015)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 26 Jun 2015 20:29:06 +0200
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: UniDyne <unidyne@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, Web Payments CG <public-webpayments@w3.org>
Message-ID: <558D99F2.7070301@gmail.com>
On 2015-06-26 16:05, Adrian Hope-Bailie wrote:
> Anders,

Hi Adrian,
This is a complex topic so a TL;DR warning in probably needed...

> The Web2Native work is very well done however I think there are three
 > challenges you will face in seeing it standardized.
>
>  1. It does not address a specific problem. It is simply an admission
 >      that there are many problems that can be solved by having a bridge
 >      to native applications so let's just open that up and see what happens.

As an individual developer I have hardly any other option, do i?

Anyway, I do have contacts with other parties using Native Messaging so
it wasn't developed in pure vacuum.  The next step is creating a fairly
advanced Web-invoked Wallet for public testing and concept verification.


 >      I doubt that the browser vendors will jump at this

Correct. They removed ActiveX and NPAPI without considering the MILLIONS
of users depending on such solutions.


>      as my experience  tells me that part of keeping the browser secure is
 >      solving small problems one at a time and eliminating side-effects.

I'm not sure what "small problems" you think needs to be solved except the
stuff you mention below:


>  2. It is very similar to simply addressing a locally running application listening
 >     on a custom port which is currently the method used by many native apps to
 >     communicate with their Web apps.

Yes, which means that the core concept (invoking an application *outside* of the browser),
including security model is de-facto already established.


>     I know there is talk of breaking this but
 >     I think the security issues will be addressed there before a whole new hole
 >     is opened up to do the same thing.

See last part of this message.

I'm not aware of a single security problem with W2NB except that bad native
applications can screw up everything which is why vetting is a requirement.

I would be *extremely happy* if somebody else performed a security review.


>  3. Your native apps are only addressable by name not by function. The benefit
 >     of standard browser APIs is that as the Web app author I simply call out
 >     to the API

The difference in practice is fairly small.  My existing public WebCrypto++
demo (https://mobilepki.org/WebCryptoPlusPlus) uses this concept; it is the
*messages* that contain the actual "meat".


>     and I don't need to know what technology stack the user has
 >     behind the API to support my request.

This is not how I intend this system to be used. An application called
"com.mybank.pay.v1" would (should) be identical with the respect to the
calling Web application on all platforms where it is implemented.


> I think a valuable contribution to solving this problem would be figuring out
 > a way to secure a standard http/websocket connection to a service running on
 > localhost in a way that deals with the vulnerabilities currently at the heart
 > of Chrome's threats to shut this down.
>
> Do you have any thoughts on how this may be done?

No, I don't and don't intend to spend any time on it either because the
Native Messaging concept as featured in Chrome is simpler to secure
(OS-based IPC and process isolation mechanisms) and provides a lot more
information to the called application including caller HTTPS data and
Window handle to invoking page.  The latter is missing in the emulator
since Chrome's [rather prototypic] implementation doesn't provide this.

Anders

>
> Adrian
>
>
> On 26 June 2015 at 15:18, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2015-06-26 13:55, UniDyne wrote:
>
>         This is very interesting.
>
>
>     Thanx!
>
>         I assume the proxy itself would be provided by the browser manufacturer.
>
>     > Assuming the security / vetting infrastructure could be built around the
>     > native bits, who provides them? Is it payment processors?
>
>     The vetting would (IMO) build on existing schemes like Apple's for AppStore.
>     The vetting process would only "guarantee" (within limits) that applications
>     do not violate platform integrity and user privacy as well as conforming to
>     the store's policy regarding content etc.
>
>     It should preferably NOT be possible publishing an application without some kind
>     of proof of ownership to the exposed name of the application ("com.mybank.pay.v1").
>
>
>         User's banks? Both?
>
>
>     The native applications would be supplied to the applicable store's distribution
>     center in (almost) the same way as today but this is really up to each vendor
>     to decide.
>
>     A core idea is enabling third-parties creating powerful extensions to browsers
>     as an alternative to lengthy Web API standardization processes for applications
>     that the platform/browser vendors may neither be interested nor competent in.
>
>     Yes, this scheme would allow closed source web applications. Although not exactly
>     my cup of tea, some people have indeed expressed such interests...and it is vital
>     listening to the market :-)
>
>
>         Does the user have a choice of native extension like  they have a choice of search provider?
>
>
>     Technically possible, implementation-wise less likely. Apple, Google or Microsoft
>     do not offer any alternative AppStore's.
>
>     However, a possibility would be that the invocation could target multiple applications like
>
>        navigator.nativeConnect(["com.mybank.pay.v1","org.freebank.pay"]).then(function(port)...
>
>     and then the system/user could offer a choice.  If these application have identical
>     Web-level interface everything is OK.  If not, the actual application would have to
>     be returned through the "port" object.  This part obviously requires a bit more
>     work/thinking/testing.
>
>     Anders
>
>
>
>
>         On Wed, Jun 24, 2015 at 11:24 PM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>> wrote:
>
>              For those who (like me) do not regard browser vendors as the most logical
>              implementers of Web Payment systems (and Credential Management schemes...),
>              here is an alternative that can be tested on Windows, Ubuntu and Mac:
>         https://github.com/cyberphone/web2native-bridge
>
>              I'm in the process of writing a Wallet but that's non-trivial, so you have to live with
>              a simple chat-like application which though shows the technology in its purest form.
>
>              Comments are very welcome!
>
>              Cheers,
>              Anders
>
>
>
>
>
Received on Friday, 26 June 2015 18:29:40 UTC