The two gods of literature
according to Ted Nelson
A common benefit, overlap of need -- but a battle.
Negotiation in style
- Cascading style sheets
- Accessibility
- User font sizes etc (eg HTML mail!)
Unexpected Reuse
is the value of the web.
- Writer insists on pale blue on white, user overrides.
- Writer intends entry through tunnel, user bookmarks deep in
site.
- Writer writes, reader indexes.
Essential balance between keeping the intent of the content, and
allowing the reader control over what she does with it.
The intermediaries
- Publishers
- Audio-visual people
- Internet Service Providers
- Web software, Web protocols
The last of these is what this conference is concerned with.
The unwanted parties
- Seaside banner planes
- Billboards
- Pop-up pushers
Users' #1 problem?
- Spam
- Phishing
- Pop-ups
- Viruses
- Computer system destruction
"Malware"
Somebody Else's Problem?
Spam is mail, not HTTP, but...
- Spam and Phishing use HTML
- Pop-ups use a web browser
- Viruses can be downloaded by HTTP, and led to from HTML.
- "User Agent" -- double agent?
- Web publisher and user culture is key.
By the way, W3C uses SPF records against spam. Please do
also.
Causal elements
- User executing untrusted code
- Confusion between code and data
- By users
- By browser software
- By operating system
- Hooks for malware in OS
- Lack of accountability for hooks and code
Avoidable software problems
- Looking at the URL or filename instead of the Internet Content
Type
- Saving it with a filename which implies wrong type
- No concept of the difference between safe information and
unsafe: a column in the table
- Adding unsafe features to existing safe specs, eg Javascript
with unsafe power to HTML, Scripting to Microsoft Word, etc
- e.g. allowing the address bar or status bar to be overwritten!
(whose agent?)
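The first three points above, as an added example that is not part of the original slides: a download handler that decides from the declared Internet Content Type only, keeps a safe/unsafe column in its type table, and saves under an extension that matches the type. The table contents, the function names and the "render"/"quarantine" actions are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed table for illustration: the "safe" column says whether a type
# can be shown without running code. It is not a standard registry.
TYPE_TABLE = {
    # media type:               (safe,  extension to save under)
    "text/plain":               (True,  ".txt"),
    "image/png":                (True,  ".png"),
    "image/jpeg":               (True,  ".jpg"),
    "text/html":                (False, None),   # may carry script
    "application/x-msdownload": (False, None),
}

def media_type(header):
    """Lower-cased type/subtype from a Content-Type value, parameters dropped."""
    value = (header or "").split(";", 1)[0].strip().lower()
    # A missing or malformed header means opaque bytes, never a guess.
    return value if value.count("/") == 1 else "application/octet-stream"

def plan_download(url, content_type_header):
    """Return (action, filename) decided by the declared type, never the URL."""
    # Types absent from the table are treated as unsafe.
    safe, ext = TYPE_TABLE.get(media_type(content_type_header), (False, None))
    # The URL only supplies a readable stem; whatever extension it has is dropped.
    stem = posixpath.basename(urlsplit(url).path).split(".", 1)[0]
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem) or "download"
    if safe:
        return "render", stem + ext
    # Unsafe content is stored under a name no program is associated with.
    return "quarantine", stem + ".untrusted"

if __name__ == "__main__":
    # Constructed samples: URL extension and declared type disagree on purpose.
    samples = [
        ("http://example.org/photos/holiday.jpg", "application/x-msdownload"),
        ("http://example.org/report.exe", "text/plain; charset=utf-8"),
        ("http://example.org/index", "text/html"),
        ("http://example.org/x.png", None),
    ]
    for url, ctype in samples:
        print(url, "|", ctype, "->", plan_download(url, ctype))
```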
Unsafe information
- A really important part of the language specification,
agreement between parties.
- Defined by software, if not conforming (eg JPG viewer bug)
- Part of the control battle between the gods.
- New features tried out in Javascript, then deployed into CSS,
SMIL, XForms, etc
- Is HTML now unsafe? Yes for some firewalls.
We have let this slide too far, empowering the bad guys
Safe information
What aspects of languages are safer
- Declarative
- Visibility between layers
- Not Turing complete (scripts) - denial of service; difficult to
analyse
- For logic: DoS from logics too expressive?
- Have a standard meaning
- Separation of form and content
Confidentiality issues
- Data extracted from user's environment by e.g. inclusion in
document
- Smuggled out in modified URI of link, form, etc
- Tip of the iceberg of responsible management of data
- Voice browser situation involved 3rd party
Unambiguity and Accountability
- Communication relies on common understanding of the
message
- Phishing relies on meaning seeming to be something else
- Limits on the battle of the gods, like fine print
- Interesting with Semantic Web languages
Semantic Web languages
Languages about real things using URIs as symbols
- Very reader-friendly
- Reader control on many axes:
- Subject of data
- Source of data
- Properties I am interested in
- Views I chose to use, Lenses (Haystack)
- Issue of matching formal to user-perceived meaning
Conclusion
If this is an old bug, why isn't it fixed?
- Safety of languages has to be specified in standards and
enforced
- Part of the spec for any mime type
- Use safe languages whenever possible on your web site
- Trusted systems will exclude or sandbox unsafe languages
- Separation of form and content emphasized again
- Independence of the communication from the provider of
software
Software, web sites, O/S, users all need to change.
What shall we do about it?