On Sep 23, 12:18 pm, Thomas Broyer <[email protected]> wrote:
> On 23 sep, 16:54, lusus <[email protected]> wrote:
> > I think I can safely say that push is NOT evil. Not in itself.
>
> I must admit I agree (Yanick: how do you think GMail, (Wave), Facebook
> and the like do? oh, sure, that's not really "push", but is it really
> that different?)
I believe it is. In my understanding, having a browser listen on a specific port and having it wait for any incoming connection from anyone exposes it to attacks. For one, in the case of pulling, you know that you made a request and are waiting for a response, even if that can take 2 minutes or be instant. GMail, Facebook and all receive requests from the client, which then waits for an event response to "call back", but the initial request was made by the client. Then, if the client leaves abruptly, the server knows it because the client closed its end of the connection.

Then again, the protocol could just use standard TCP and keep the connection open and be able to receive communication both ways (the communication being initiated by the client). But wouldn't that overload the server with connections? In the case of pulling, if the connection pool is full, the client will wait until an event fires some response to some client and then be able to connect. But what about when the client keeps a connection open to the server? Other clients wouldn't be able to connect at all.

Coming back to the client listening for a server request. Servers do have protection measures and are usually properly set up to protect against attacks. This is why there are client OSes and server OSes. While many clients don't even have proper anti-virus software, and most computer owners don't clean up their machines of ad/spyware, opening a hole in the client's firewall "in case" a communication from the server emerges is a kind of security loophole that would make me reluctant. If I install some specialized software (like Apache) to serve something and open it to the www, I make sure that I have network tools installed to minimally protect me from intrusion or other kinds of attack. And this software is not grandma-approved.

The conclusion of what I am saying is that until the world is educated enough about web security (which is not going well, as users tend to become less and less informed about it...), having server push will open a new way for people to gain access to client computers and will be counterproductive to making the web more secure. I, for one, refuse to surf on a site that has a socket listening on some port "just in case the server wants or needs to send something". I'd far rather initiate that connection and wait for a response than have the server initiate it.

At least this is my understanding of all this.

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en
