
You're overlooking the fundamental quality of the web and why a lowly document format and simple protocol eventually became a poor man's GUI platform that has been slowly rolling forward and crushing the desktop app market in its wake.

The web is a fully cross-platform/cross-device, installation-free, and open-standards-based platform.

Although traditional GUI toolkits can chip away at different aspects of this, it is actually a much more intractable problem for them to solve than the aspects you cite as native desktop apps being better at. For example, interoperability between web apps has gotten steadily better as HTTP APIs have evolved, and today's generation of web apps often makes interoperability a selling point (Slack is a good example). From a traditional single-platform native developer the mechanism for this looks crufty and ill-defined, but that is the price you pay for a truly open standard not controlled by a monolithic entity. For instance, for all the beauty and elegance of Microsoft Visual Studio, there is no way they can bring that experience to OS X and Linux, let alone all the mobile platforms.

Native app developers have been wringing their hands over the "inferiority" of the web for 15 years now, but all the while ignoring that the web does something which no technology has ever done in terms of ubiquity. And what enabled this was the trojan horse of HTML/HTTP's initial simplicity. Hell, the simple HTML documents for which the format is ideally suited still outnumber apps by an order of magnitude, but the beauty is you have one platform that can support everything on the complexity continuum from the simplest documents all the way up to sophisticated business apps.



Agreed, especially about integration. Many web apps expose their functionality with RESTful JSON APIs or similar. It seems to me that integrating data & functionality from across web apps is far more common than in the desktop setting. I've never built a desktop app, but just from a user's perspective most of my desktop apps are isolated pieces of functionality while web apps are entangled in the greater web community.

My background is mostly web app development, and when I started I was using open technologies such as PHP and NodeJS. This summer I'm doing some work in Visual Studio with a C# .NET MVC 4000 web app. Visual Studio is a slick interface _mostly_ with some great convenience _usually_ but overall it feels suffocating compared to slapping together random tangles of open web technologies. I like the messy open standards...


You can even compare web standards to the most ubiquitous formats used in the most ubiquitous desktop programs. MS Office formats still cause people problems when they try to open complex files in older versions of Office or compatible suites. Whereas if data is stored as JSON, you can be sure that anybody will be able to access the data correctly in any of the thousands of apps that handle JSON, and they'll be able to handle it indefinitely.


I don't often agree with Richard Stallman, but ...

http://www.gnu.org/philosophy/javascript-trap.html

http://www.theguardian.com/technology/2008/sep/29/cloud.comp...

The TLDR is simple: web apps make Unisys, Microsoft, Apple, ... look like heroes of Freedom, even during their most anticompetitive days.

The worst behaviour Microsoft ever exhibited is now standard practice. That's what web apps have gotten us.

That, of course, in addition to the fact that saying that the tools suck does not quite do justice to just how bad web development tools are.


I do often agree with Richard Stallman, but...

These are problems with particular web apps, not web apps in general. I host lots of web apps on my own servers, and they are just as free as any software, but I can access them anywhere from any device. In cases where web apps are non-free, I would have to say it's better than having them installed locally. Web browsers do quite a bit to keep apps in jails where they can't access and affect the rest of the system in the same way a local program can.


I disagree. The difference being :

locally installed non-free web app

app: not yours (BUT: communication between author and app is impossible if you want it to be)

data: yours (meaning you can delete it)

remotely installed non-free app

app: not yours, and you can't prevent the author from updating their app under your feet. And the author can do nearly anything, meaning any encryption on your data is useless.

data: not yours (meaning the author can read, change, delete, and you CANNOT unless the author, and anyone with a global root certificate (like Saudi Arabia, dozens of companies that have committed breaches of trust, ...) can mitm you, and gain the author's access to your data)


Non-free web apps definitely come with their own range of problems. Data doesn't need to be out of your control though. JavaScript is usually run locally, so there are lots of calculations being performed by your computer before it reaches the remote server. For example, Mega encrypts data client-side before it is archived online. Just like with regular non-free software, you have to trust what it is doing. The best way to deal with these problems without throwing away non-free software would be to have security functions like encryption performed client-side with free software.

I agree that server-run non-free software is neither safe nor private, but I still believe that this is the flaw of particular programs, not web-based software in general. It only emphasizes what a need there is for further development of open standards in web apps.

But the ability to use a cross-platform browser as a universal client and run software that is built on the advantages of networking is a huge bonus for software in general. Free software just needs to catch up in a few areas, but in general it is dominating the backbone of the web. Now we just need to push that freedom forward to the user.


> For example, Mega encrypts data client-side before it is archived online. Just like with regular non-free software, you have to trust what it is doing.

This is, sadly, not true at all. You have to trust

1) that the actual author of the site is playing fair

2) that you are not being mitm attacked by anyone in this list [1]. Note that 3 organisations on this list are known to have issued false certificates with the express purpose of stealing login credentials. They did this by sending through "amended" login javascript bundles.

> I agree that server-run non-free software is neither safe nor private, but I still believe that this is the flaw of particular programs, not web-based software in general. It only emphasizes what a need there is for further development of open standards in web apps.

No. Web apps can be replaced by malicious software every time you use them, and there is nothing you can do to prevent this. It is a fundamental design flaw of web based systems. And, of course, "cert pinning" simply means that a few organisations (Google, Facebook) get isolated from a few kinds of attacks.

The flaw is that control is placed entirely in the hands of the remote side. Needless to say, this is not secure.

I don't get where this idea of open standards being the solution to privacy problems comes from. Cookies are an open standard, the web is an open standard, TPMs are an open standard, the SSL certificate chain principle is an open standard. Hell, Microsoft Palladium is an open standard. All are complete disasters for privacy and freedom.

> But the ability to use a cross-platform browser as a universal client and run software that is built on the advantages of networking is a huge bonus for software in general. Free software just needs to catch up in a few areas, but in general it is dominating the backbone of the web. Now we just need to push that freedom forward to the user.

I disagree. The web has brought back the "freedoms" of the mainframe era, only with a much bigger dependency on the mainframe system. Mainframes also in many cases ran free software. Can you claim with a straight face that a non-root account on a mainframe system is in any way free and private ?

If you don't decide what software runs on your machine, like on the web, you have ZERO security guarantees. Zero. Nothing, nada, zilch, ... no matter how secure anything built on top of that is. I don't get why this is even the slightest bit controversial.

[1] https://www.mozilla.org/en-US/about/governance/policies/secu...


You bring up legitimate problems, but again, they aren't unique to web apps. Physical computers can be compromised too. They can be compromised in manufacturing before they even reach you. There's never a guarantee of security, just trust that you are using a secure product.

Improving the trust model has almost nothing to do with how much of the computer you have administrative access to. Secure computing means trusting those who build and maintain your computers and the software that runs on them. It's less possible than ever to do everything yourself.

There are big privacy and security advances happening because people have lost so much control of their data. People are trusting others more than ever with control of their computers, and that means certain demands for trustworthiness that didn't manifest when people felt better about their data because they knew where it was physically stored.

Moving the easiest point of attack on a system to the external network just means we have to be more explicit about what we do with each other's data. We have to learn to trust each other, and that means developing systems that are transparent, auditable, and free, but it also means developing cultures that promote trust and proof of trustworthiness, because that's where real security will come from.


I'll just say this : your data is not private. Take a divorce proceeding (which is a CIVIL proceeding) from the last 5 years. Press CTRL-F, "facebook", and recoil in horror.

Basically all your cloud data will be used against you in any civil dispute in the US. So remember when you use web apps : anything you type in there is accessible to anybody who enters into a serious court case with you.

Another example: any Office 365 document (esp. spreadsheets) WILL be read by the IRS if they ever decide to sue you (and you'll pay the wage of the person doing it, to make matters worse, whether or not they find any wrongdoing). Again, the evidence is plain to see in court transcripts.

And, lastly, sometimes your accounts will be compromised in petty legal disputes.

Therefore my policy is :

1) As Microsoft has publicly demonstrated, they will use your Hotmail stored information and use it to take action against you. If you work for a company that has a cloud platform, or a company that has a significant relationship to one of the cloud platform companies, you're taking unacceptable risks.

2) any dollar sign in any mail to me will immediately result in dead silence. I'll call you up and warn you to never do that again. If it's important enough I'll call. And if it's really important I'll drop by. Both kinds of interactions have vastly superior legal protection.

3) I will NEVER negotiate or store any contract over email, not even my freaking cell phone bill. I have them on my (encrypted) hard drive, of course, even indexed. But contracts on online services is just stupid.

Note that this behaviour is NOT illegal : the purpose here is to safeguard my personal information, which is a normal thing to do that is in fact encouraged by the relevant departments. I am trying to hide personal information from everybody and everything, which is my right.


Yes, you have that right, but I still think we're talking about different things. When you're talking about web apps, you're talking about apps hosted by Microsoft, Google, etc. I'm saying that those have their own issues, but the issues are issues with Microsoft and Google, not server-hosted applications made with HTML5, JavaScript, and PHP.

The right way to do web apps is to have something like a Debian Freedom Box, where you have your own server running free software sitting in your living room and you can access it from anywhere. Another pretty good option is to buy hosting from someone you trust with your data and run your server in their data center, preferably encrypting your data client-side before it's sent to the data center. These privacy issues you mention with Microsoft are due to using their particular implementation of web apps.


And many non web apps happily use RESTful JSON APIs too.


This seems very biased.

Web developers have been "wringing their hands" for the last 5 years swearing blind that any day now everyone's going to give up on smart phone native app development and go html5.

All the web has managed to prove is how badly MS cocked up app deployment on Windows, nothing more. The web 'won' against one platform, Windows deployment, MSIs and the rubbish they've been putting out with WPF, "one click" deployment. Smart phones have shown us how the web actually doesn't compete very well against native once a decent deployment solution is in place.



