Google Native Client: The web of the future - or the past?

This time, it's Mozilla v Google

3 Big data security analytics techniques

Google defends baby from red herring

Google understands the complaints, but the company believes it can win the critics over. "We've open sourced Native Client and tried to stay consistent with web standards because we'd like to build something that makes sense for the web," says Brad Chen. "But it's a really ambitious technology. It's not something that we expect other browser vendors to just swallow up with no reservation. It's our job to demonstrate that it's not just safe but really useful."

The ActiveX analogy, Chen and Upson say, is a red herring. "Native Client doesn't add any new capabilities that aren't actually in JavaScript and HTML5. It just makes them available to C and C++ programmers. It fits with the web's security model, whereas ActiveX was actively hostile to it," Upson says.

Asked how Native Client differs from ActiveX, Chen takes a different tack. "You can start by asking how JavaScript is different than ActiveX," he says. "It's safe and it's portable. And safety and portability are at the top of the list for Native Client. I don't think they were ever at the top of the list of the people who were working on ActiveX."

Again, portability is still to come. But clearly, Google believes it can get to the point where PNaCl significantly outperforms JavaScript in both startup and execution.

Chen and Upson also point to efforts like the Emscripten project, which seeks to convert LLVM bitcode to JavaScript. Even if Native Client isn't available in other browsers, Upson says, this would allow all Native Client applications to span the web.



Asked about Blizzard's by-improving-the-browser-you-improve-the-apps argument, Upson says that with Emscripten in place, the issue goes away. "You could start with C code and run it in Native Client or use Emscripten and convert it to JavaScript and run it that. Then the model stays exactly the same," he says. "Native Client does offer some additional capabilities like threading that Emscripten does not, but we can continue to improve underlying Native Client runtime as well."

The trouble is that this adds still more overhead. It's hard to see it ever keeping pace with raw JavaScript.

In the end, there are valid arguments to be made on both sides of the fence. But whatever the stance of Mozilla and Opera and the developer community at large, Google will push ahead with the effort – and push it far.

The beauty of the web is in the eye of the coder

After adding Native Client to Chrome, letting you download and run native apps into the browser, the company also has plans to run Chrome itself inside the Native Client sandbox – or at least pieces of Chrome. "We're people, and we make mistakes, and we write bugs and some of those bugs can become security vulnerabilities," Upson says.

"Native Client is designed so that even hostile code can't do harm to your computer. Wouldn't it be nice to be able to use that same sandboxing technique on our own Chrome code, which is trying to be correct but occasionally contains flaws? If we ran our own code in the Native Client runtime, even our own bugs couldn't be turned into security vulnerabilities."

Linus Upson

Linus Upson

Google may run Chrome's PDF viewer inside of Native Client, for instance. Portions of the browser that require access to the local file system can't be moved into the sandbox, but the company is confident that many other pieces can.

What's more, Google is exploring the use of Native Client on the server-side. A new Google grant program for visiting academics discusses building high performance server applications that run inside the NaCl sandbox. It appears that Google is aiming to sandbox native code wherever it runs. And why not? As Upson points out, Native Client protects against bugs as well as actively malicious code.

But the most interesting possibilities lie with web apps. With Native Client, you could potentially deliver any code to the browser, including software that's traditionally supplied by the browser manufacturer or through third-party plug-ins. Developers wouldn't need to wait for a browser to support a particular video codec, for instance. They could deliver the codec themselves via Native Client.

Unity Technologies has long offered a plug-in for running 3D games in the browser at its Unity platform, but the San Francisco-based outfit is now porting the game platform to run as a Native Client application. This means that developers can deliver their Unity-based games to Chrome without asking the user to install the plug-in – and at the same time, they can take advantage of the Native Client sandbox.

"One of the things that has always been important to us is to reduce friction for customers accessing Unity on the web," says Unity vice president of strategy Brett Seyler, who spearheads the company's collaboration with Google on Native Client. "When Native Client reaches Chrome, it means means Unity developers can reach 20 per cent of the browser market without the usual plug-in requirement. Reducing friction anywhere on the web is beneficial."

Similarly, the developers behind Mono – the open source incarnation of Microsoft's .Net platform – are working on a Native Client port. This would allow Mono apps to arrive in the browser alongside the latest version of Mono itself.

"I think of it as one plug-in to rule them all...Native Client blurs the line between native and web applications."

– Robert Isaacs

For independent coder Robert Isaacs, who has built a Native Client platform that plays classic DOS games, Native Client is the plug-in that puts an end to all plug-ins. "I think of it as one plug-in to rule them all. If you want to execute .Net in your browser, Native Client could be the base technology that allows you to do that. Then you wouldn't have to wait for Microsoft to come out with a new Silverlight version and make sure your users have it installed. You could just deploy the latest version of Mono on Native Client," he says.

"Native Client blurs the line between native and web applications."

It does. But while Isaacs says this with nothing but praise – and so many others join him in that praise – a blurring of the lines is exactly what Mozilla and Opera and others are so opposed to. The beauty of the web is in the eye of the beholder.

In the long run, one beauty is sure to win out over the other. With Chrome controlling 20 per cent of the market – and Google wielding such influence over the web in general – Native Client certainly has the backing it needs to succeed. "Chrome has the momentum. It's clearly the fastest growing browser right now, and Native Client is compelling enough that I believe it will catch on with developers," says Chad Austin. "If they can maintain that ecosystem, I think Google could be in a pretty powerful position in terms of the future of the web."

But not everyone agrees with Chad Austin. ®

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
prev story


SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.