
This Is Not The Net You Thought You Knew


You know how the Internet works, right? Of course you do: you’re a TechCrunch reader, a power user. You know what that “HTTP” means in your address bar (if you’re not using Chrome). You know that behind the scenes, the Domain Name System translates your requests for domain names like techcrunch.com to numeric addresses like 76.74.254.121, and secure connections are encrypted by SSL. You know that web servers send HTML, the lingua franca of the Web, over the wires (or the air) to your computer, and that web developers write JavaScript to control what your browser does with it.

…Unless you’re actually a techie. In which case you probably already know that the above description — let’s call it the Classic Web — is increasingly completely false.

What follows is a little technical, but bear with me, I have a larger point. (Also, even if you’re not a techie yourself, you need to have some understanding of what today’s tech does, and how it does it, in order to make intelligent decisions.)

Why doesn’t Chrome show the iconic “http://” before web addresses any more? Because it, like Amazon’s Silk and soon Firefox, doesn’t necessarily use HTTP any more. Instead, where possible they use Google’s far-faster replacement, SPDY, which also lets servers push data to browsers, instead of having to wait for requests.

That Domain Name System? It’s increasingly actually DNSSEC, an extension which guards against the massive security holes in the original system.

And your so-called secure connections? Well, SSL was actually replaced by TLS some time ago, which fixed some security holes, but not the biggest: browsers automatically accept security certificates for any site from literally hundreds of different authorities, any of which can be, and often are, compromised. Yes, this is insane. The EFF’s Sovereign Keys initiative might eventually solve the problem; in the interim, Chrome is more secure than other browsers, because it lets site owners specify which certificates are OK.
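To make the difference concrete, here is an added sketch (not Chrome's code and not part of the original column) that models the two trust decisions: the classic one, where a chain ending at any trusted authority is accepted, and a pinned one, where the site owner's allow-list of keys is checked as well. The names, key bytes and the base64-of-SHA-256 pin format are assumptions made for the illustration, and signature, expiry and revocation checks are left out.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_pin(spki: bytes) -> str:
    """Pin value: base64 of SHA-256 over the public-key bytes."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def classic_validate(chain, host, trusted_roots):
    """Classic model: accept if the chain links up to ANY trusted root."""
    if not chain or chain[0].subject != host:
        return False
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return linked and chain[-1].subject in trusted_roots


def pinned_validate(chain, host, trusted_roots, pins):
    """Pinned model: classic checks plus a site-specific key allow-list."""
    if not classic_validate(chain, host, trusted_roots):
        return False
    allowed = pins.get(host)
    if allowed is None:  # no pins declared for this host
        return True
    return any(spki_pin(c.spki) in allowed for c in chain)


# Constructed sample data (hypothetical names and key bytes).
ROOT_A = Cert("Example Root A", "Example Root A", b"root-a-public-key")
ROOT_B = Cert("Example Root B", "Example Root B", b"root-b-public-key")
TRUSTED_ROOTS = {ROOT_A.subject, ROOT_B.subject}

LEGIT = [Cert("site.example", "Example Root A", b"site-owner-key"), ROOT_A]
MISISSUED = [Cert("site.example", "Example Root B", b"other-party-key"), ROOT_B]

# The site owner pins the root it actually uses.
PINS = {"site.example": {spki_pin(ROOT_A.spki)}}

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT), ("mis-issued", MISISSUED)):
        print(name, classic_validate(chain, "site.example", TRUSTED_ROOTS),
              pinned_validate(chain, "site.example", TRUSTED_ROOTS, PINS))
```

Both chains pass the classic check because each ends at a trusted root; only the chain that contains a pinned key passes the pinned check.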

(Do I sound like I’m telling you to use Chrome? Not exactly. I mostly use Firefox, because Chrome doesn’t support any equivalent of Firefox’s security- and sanity-enhancing NoScript plugin, and probably never will.)

As for JavaScript — sure, all browsers run it, but almost no developer writes pure JavaScript any more. Instead we use library frameworks like jQuery, which has more or less conquered the world, or use higher-level languages like CoffeeScript (which I dislike, for these among other reasons) or even Google’s contentious new language Dart, which both compiles to and is ultimately intended to replace JavaScript. Unfortunately, almost no one outside of Google seems to like it.

In Google’s defense, their new server-side language Go is widely admired — even though, ironically, it signally fails the “The name of your language makes it impossible to find on Google” test — and their Native Client tech is powerful and interesting. Alas, I can’t see any other browser supporting it anytime soon.

But at the end of the day, your browser is still mostly getting and rendering HTML, right? Don’t be so sure. For one thing, “vanilla” HTML is a smaller and smaller part of the average web page. For another, it’s increasingly HTML5, whatever that means.

What’s more, there’s an interesting trend towards web servers that serve no HTML at all. Battlefield 3’s “Battlelog” web site is pure JSON between client and server. My former co-worker Michael Dykman (whose co-workers generally, without provocation, suffixed his name with “the greatest programmer who ever lived”) has developed a pure XML/XSLT web framework, Gossamer: as its introductory rant says, “wouldn’t it be nice if we could handle page requests from web browsers with the same simple elegance the web service model provides?”

The Classic Web is beginning to look like a kludge. Mostly because it was. Slowly, fitfully, three-steps-forward-two-steps-back, the tech community is finally refining it into something more secure, streamlined, and powerful. The last time something like this happened was when AJAX support hit modern browsers. Non-techies don’t realize it, but it was that innovation which ushered in Flickr, Google Maps, and the whole Web 2.0 boom. I expect HTML5 — greatly aided by the little-known back-end iterations I’ve tried to itemize above — to have a similar effect on the web and everything we do there.

Including, maybe, the much-foretold, long-forestalled decline and fall of the Empires of Apps. But more on that in next week’s column…

Points clarified by commenters below: OK, so there’s no real evidence that the removal of HTTP from Chrome’s address bar is actually related to its use of SPDY. “No HTML at all” up above is too extreme: “no dynamically generated HTML” would be better, as the very first pageload still has to be HTML.

Points clarified by me: People can and do argue at some length about the semantic distinction between ‘pure’ and ‘vanilla’ JavaScript, but I maintain — with considerable confidence — that JS written with jQuery is qualitatively different in content and approach than ‘pure/vanilla’ JS. Last I checked, Chrome’s NotScript wasn’t a substitute for Firefox’s NoScript, as it worked by merely masking rather than stripping out JS on a site-by-site basis: alas, I can’t find a detailed technical analysis that compares the inner workings of the current versions.

Image credit: QbiT, Flickr.