The downside of web applications, and why they aren’t the “killer app”

I read an article the other day about how web applications like Google Documents, and a host of other similar websites, are the future of computing. The article stated some reasonable arguments for using these services/applications, but sadly the negative aspects they brought forth were, while perhaps not trivial, not on the same level as the positive arguments when compared to some of the more serious concerns one should think of before using such services.

The positive aspects they listed included:

  • No need to have large software packages on your hard drive
  • You always have the latest version of the application
  • Wherever you go, as long as you have an Internet connection, you will have access to your work.
  • You will most likely need a much less powerful computer to work (as long as it can handle a web browser you are fine)
  • You get your work backed up routinely (often every night)

Problems

While I do agree with the list of positive aspects (the logic behind them holds true), I don’t believe them to outweigh the rather serious cons such services bring forth.

One of the cons the article brought up was that you would probably need a fast connection if your files are large, otherwise it will take a long time to work with them (seeing as they need to be down/up-loaded to the service).

The logic for this holds true as well, but there are worse things to consider:

Privacy / Trust

First of all, how can you be sure that the service provider won’t exploit/use/read your data (work)? Go ahead, call me paranoid, but know that I’ll be the first one to laugh at you the second this happens. It is not a question of if it happens, but when.
Trust is an issue which should not be dismissed lightly.

Availability of connectivity

Secondly, we can’t yet expect to have an Internet connection wherever we may go. So storing the data (work) online only is not going to cut it. (Yes, you may argue that you have to go into the darkest jungles of Africa to lose connectivity, and to that I simply reply with two scenarios: “terrorist attack” and “natural disaster”. How much is that precious web application worth if your connection is severed?)

Security

Security is another problem. These service providers will become prime targets for many different forms of attackers (ranging from phishers/crackers aiming for the data stored at the provider, to extortionists DDoSing the provider in order to get money).
Yes, a single computer can become infected with a virus, thus hemorrhaging information to an attacker as well, but the risk of being attacked is far smaller since there are so many other targets out there (you are just one indistinguishable zebra in the herd of zebras).
One could of course spend hours upon hours debating this issue, but when it comes down to it, you are only a target if:

  • You are a high profile entity with widely known goodies worth stealing, or
  • You are a nobody, but your potentially valuable data is stored centrally among other nobodies’ potentially valuable data.

The operative words here being “potentially valuable” and “stored centrally”. If an attacker can get hold of all that data, it is “simply” a matter of rummaging through the crap, in search of something profitable.
Singling out specific targets, where the information stored is potentially valuable, and wasting effort trying to crack through an unknown amount of defenses for data of unknown worth, which will only reliably work on this target, this time, is simply not cost-effective, and thus, of negligible risk.

Availability of service

Going back to the service providers again. What if they all of a sudden void your “membership”? Say that they set up some new term of service, which your work does not conform to. One day you try to log in, only to be thrown out. How do you recover your data from that? And now that you are thrown out, even if you do recover your data, how will you continue working with it? (I admit that this is somewhat of an extreme case, but unthinkable? Hardly).

Why they could still bite you

Someone is bound to think “well, they still need to behave, since the customer will be paying for the service, and messing with the customer will be like biting the hand which feeds you”. That thought holds some merit, but not much. The provider will have to provide a service that gives the customer enough reason not to change to another service, yes, but in reality all this means is that all they have to do for the customer is the least amount of work which will still keep the customer happy; everything else is a waste of effort. And yes, they could do wrong unto their customers and get away with it, as long as they are not caught. (So reading the customer’s data, and misusing it, can still be done, if the provider is smart enough to do it in such a manner as to not alert said customer of their activities).

Use-cases

Web applications can, however, be useful iff (“if and only if” for those who didn’t know) ALL of the following conditions are true:

  • You will ALWAYS have an Internet connection available when you are about to work
  • The data you are working with is not sensitive, and cannot be misused in any way, should it fall into the wrong hands
  • Should your “membership” be voided you haven’t lost anything of value, and you can begin anew with some other service without skipping a beat

Closing notes

The really neat thing about these web applications, and this takes some effort to do in any other way, is that the data is backed up routinely. Of course, again, if done improperly all this means is that there is yet another way for an attacker to gain access to somewhat current data (depending on the frequency of the backups).

I hope to write a post about what I would propose instead, as a better solution (although far from perfect), and this post would, lo and behold, actually contain a positive comment about Microsoft *gasp*. Be sure not to miss it, it might be the only time this will ever happen ;)
