Curl Blog

8 Posts tagged with the security tag

Recently PaloAlto Networks published a survey Social Networking Usage Explodes In Businesses Worldwide that found 27 different social networking applications in use across 95% of the participating organizations.  The survey findings are based on actual analysis of application traffic, not survey questions. The following chart from the report shows that the most prominent use is Instant Messaging at 50%.

Enterprise 2.0 Application Usage

The survey makes the point that applications are not threats, yet they carry risks.

"The adoption of Enterprise 2.0 applications is being driven by users, not by IT. The ease with which they can be accessed, combined with the fact that newer (younger) employees are accustomed to using them, points toward a continuation of this trend. The somewhat disconcerting fact is that users do not take into account the business and security risks that these applications present. Looking at the 202 Enterprise 2.0 applications found, 70% can transfer files, 28% are known to propagate malware, and 64% have known vulnerabilities."

Enterprise 2.0 Application Characteristics

All this points to increased security risks as more Enterprise 2.0 applications see more pervasive adoption.  As we have previously pointed out, it is important that developers and IT operations both understand best practices with regard to security.  Jeffrey Hammond points out in his paper on Securing Rich Internet Applications that it is important to understand the three attack surfaces: server-side, communication-stream and client-side.  In this post I'll focus on the client-side.

RIA frameworks use a sandbox model to protect clients from malicious code.  It is important to realize, however, that not all sandboxes are created equal.  While Ajax browser-based applications use the browser's sandbox, RIA frameworks like AIR, Silverlight and Curl use their own security model and permit access to the local machine.  It's natural that developers want to take advantage of the broader capabilities that RIA frameworks offer over the browser-based sandbox, but they need to be aware of how their decisions affect the vulnerabilities that these frameworks introduce.

To give administrators and application developers the most control over security for creating and deploying Enterprise 2.0 applications, Curl supports both un-privileged and privileged modes executing in the browser and on the desktop.  This is in contrast to AIR, which allows only un-privileged in the browser and only privileged on the desktop.  The following table shows the differences between Curl and AIR privilege options.

Curl Adobe Security Comparison

Curl desktop applications use the same security model as Curl applets that run in the browser.  Additionally, un-privileged applets can access their own area on the local disk to offer improved performance and a better user experience, while presenting a much lower risk profile.  This also means that application developers can write un-privileged applications that make use of local storage and run both in the browser and standalone on the desktop.
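As an added illustration (this is not Curl's own code and does not describe how the Curl RTE implements its storage), the following Go program shows the core of what "their own area on the local disk" has to enforce for an un-privileged applet: each applet's storage lives under a directory derived from its origin, and any relative path the applet supplies is checked before it is joined to that directory, so it cannot climb out into another applet's area or the rest of the file system. The storage root, the origin-to-directory mapping and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a requested path would leave the applet's own area.
var ErrEscape = errors.New("path escapes the applet's storage area")

// OriginDir maps an applet's origin (scheme://host[:port]) to the single directory
// name that holds its private storage. Distinct origins get distinct directories,
// so one applet cannot reach another's data. (Mapping is an assumption for this example.)
func OriginDir(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("invalid origin %q", origin)
	}
	// "host:port" becomes "host_port"; a host never contains a path separator.
	return u.Scheme + "_" + strings.ReplaceAll(strings.ToLower(u.Host), ":", "_"), nil
}

// ScopedPath resolves an applet-supplied relative path inside root/<origin dir>.
// Absolute paths and any path that climbs out with ".." are rejected *before*
// the join, because filepath.Join would otherwise quietly normalise "../x"
// into the parent directory instead of failing.
func ScopedPath(root, origin, rel string) (string, error) {
	dir, err := OriginDir(origin)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(rel) || filepath.VolumeName(rel) != "" {
		return "", ErrEscape
	}
	up := ".." + string(filepath.Separator)
	clean := filepath.Clean(rel) // after Clean, any escaping path starts with ".."
	if clean == ".." || strings.HasPrefix(clean, up) {
		return "", ErrEscape
	}
	area := filepath.Join(root, dir)
	full := filepath.Join(area, clean)
	// Belt and braces: confirm the final path is still inside the per-origin area.
	if r, err := filepath.Rel(area, full); err != nil || r == ".." || strings.HasPrefix(r, up) {
		return "", ErrEscape
	}
	return full, nil
}

func main() {
	root := "/var/curl-storage" // hypothetical storage root for this example
	for _, rel := range []string{"cache/data.bin", "../../etc/passwd", "/etc/passwd", "cache/../../other"} {
		p, err := ScopedPath(root, "https://apps.example.com:8443/app/", rel)
		fmt.Printf("%-20s -> %q %v\n", rel, p, err)
	}
}
```

The check runs on the cleaned path rather than on the raw string, which is what defeats sequences such as `cache/../../other` that look harmless until normalised.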

Interesting question coming from Adrian Kingsley-Hughes at ZDNet.

"With news that 92% of Windows PCs are vulnerable to a zero-day attack that Adobe won't patch until Thursday, is it time to dump Adobe's Flash player?"

And this from Computer World.

"More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, a Danish security company said today.

According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.)"

Adobe admitted to the vulnerability on July 21st in this short blog entry.

Curl and Silverlight are not susceptible to such security holes as both run in secure sandboxed areas.

From the ensuing discussion there is a growing segment for whom the answer is YES.


Given the hard economic times, enterprises are tight on their IT spending. However, anything that can yield cost savings has become attractive. One such area is switching from antiquated client-server applications to a web based architecture, much like what our Japanese customers have done. We are calling that Application Modernization. Richard Treadway has written a blog post on this subject, showing the business case and great savings.

Recently I was asked by SiliconIndia magazine (a Bay Area publication) to write an article on application modernization for the enterprise. This has just been published in the February issue.

You can see the article here.


Recently I was invited by Info-Q (Scott Delap) to participate in a virtual roundtable discussion on RIA. Other invitees are - Ryan Stewart (Adobe), Tim Sneath (Microsoft), Scott Stanfield (Vertigo), John Resig, Peter Pilgrim, and Didier Girard. The final roundtable discussion will happen and I am not sure if all the names will participate. But I was sent six questions to answer and I am posting my answers below.

1.  The web has been largely dominated by "pages" and not "applications" despite the advent of RIA technologies.  In the last year we have seen the shift accelerate, however, with websites featuring "mini-applications" for video, interactive exploration, etc.  Given this change, has RIA finally "made it"?

JRD – I think there is much more RIA in the consumer space, as the need for moving from static refreshable pages (hence latency) to dynamic interactive applications is strong. For the enterprise RIA, there is no choice but to provide interactive and stateful transactional applications, as that’s what they are used to in the client-server model. However, enterprise RIA is yet to take off in the US. We see a lot more use in Japan for the Curl RIA platform.

2.  As RIA technologies have been introduced, portability has been stressed.  However, user demands are driving native integration with file systems, docks/taskbars, calendaring, and other OS-level items.  Do you think RIA platforms will focus more on such integration in the next few years or continue to work towards interoperability instead?

JRD – Again, let us distinguish between consumer RIA vs. enterprise RIA. We see more interoperability needs than integration needs. Wherever we get benefit of the client OS (such as exploiting drivers for video rendering), Curl uses them for fast performance. The approach seems to be client-side integration and server side interoperability (incidentally Curl does not have any server-side code).

3.  Video is the largest application type driving RIA adoption at the moment.  What other types of applications do you see driving RIA technology adoption in the next 12-18 months?

JRD – We at Curl focus on web-based enterprise applications that demand high scalability, reliability, security, performance and predictability. The motivation is to switch over from client-server applications of last 15 years to a web based architecture that reduces TCO (Total Cost of Ownership) drastically. Frankly, video does not appear as a high priority for these applications at all. That is the reason why Curl has 400 large enterprises as customers running mission critical business applications. Not a single customer has deployed video.

4.  Given your target framework/language what is its greatest strength versus the rest of the field at the moment (Ajax, GWT, Curl, Flex, Silverlight, JavaFx, etc)?

JRD – Curl’s greatest strength is developer productivity (one language covers the entire spectrum of text, graphics, grids, as well as object oriented types and classes), and run-time advantages of scalability, very high volume of data handling, fast performance due to client-side compilation to machine code, and high security features. These are the basic requirements of all large enterprises for mission-critical applications for their business.

5.  Given your target framework/language, what is its greatest weakness versus the rest of the field at the moment?

JRD – Curl's greatest weakness is its relative obscurity.  Most of our customers have tried and failed with Ajax and Flex before discovering that Curl can solve their high performance and security needs. Also, video rendering is not one of our strengths as that was never a target.

6.  Most RIA languages are not used for both client and server development.  Typically backend work is done in PHP, Java, .NET, etc.  How do you see this polyglot programming (http://memeagora.blogspot.com/2006/12/polyglot-programming.html) model affecting RIA?

JRD – I like the phrase Polyglot. Frankly it’s a mess. We observe that the world is polarizing to two-language schemes (e.g. C# & XAML; ActionScript & MXML; JavaFX & Java). One could argue that 2 is better than 4 and 4 is better than 6. But we at Curl believe in 1 language covering both the presentation stuff and the logic stuff. Hence the researchers at MIT designed one uniform language addressing the entire spectrum. This results in tremendous “programmer economy”, something we don’t seem to focus in the RIA world. Our customer experience substantiates this advantage greatly.

Curl is a great multi-paradigm language for building rich client applications. We hope you add it to your language repertoire.


From the horse's mouth

Posted by Jnan Dash Nov 17, 2008

I just read an interview by Michael Desmond of The Redmond Developer with Brad Becker, Microsoft's director of Rich Client Platforms (Silverlight team). Interestingly, Brad came to Microsoft from Adobe (the Macromedia Flex team, actually).

Brad spent many years building client solutions with Flex and he says this - "But what I was running into was Flex was really good for starting a project, but it was really hard to finish anything with it. You'd start running into issues with performance and with scalability and things like that. So we'd end up having to go back to the metal. You'd have to dig into Flash itself and hand-tweak things in Flash, and then you'd be back into the morass of movie clips and timelines and cell-based animation."

So was there frustration using Flex? Brad said, "Flash was designed for doing cartoons on the Web; It's actually really good at that. But at the end of the day, anytime you use a high-level framework, there's always times when you have to go below the framework back to whatever is underneath. So it was still a pain."

When it comes to enterprise-grade RIA for business-critical functions, Flex and AIR have a way to go. Even Silverlight, whose first target has been video rendering (e.g. the Beijing Olympics), is yet to prove itself as an industrial-strength platform for mission-critical RIA for large enterprises.

Curl, on the other hand, has been deployed successfully at over 400 large global customers for such high-performing, secure, and scalable applications.


As we are enjoying the last few weeks of summer, I’d like to take time to share with you an update on Curl’s business and the enterprise RIA market in general.

Overall, 2008 has been an exciting year for us.  We’ve made some great strides in further developing our product set as well as expanding our business.  We productized two of our three open source projects, executed on our Eclipse strategy, and released our Run Time Environment (RTE) for the Macintosh, as well as support for Ubuntu. Also, we unveiled Curl Nitro, the next version of our RIA platform, which brought with it enhanced desktop capabilities to enterprises. We released a few really cool sample applications to showcase the data visualization and online/offline capabilities of that product, so I highly recommend you check them out.

At the beginning of 2008, we predicted that this would be the start of an explosion of enterprise RIA, and this has truly been the case so far. The market is heating up with vendors, while companies and consumers alike demand richer user interfaces, stronger security, and higher performance. The enterprise has really felt the push, and we are right there to support them with the features they need. This increase in demand also is reflected in the growth of our developer community, as we experienced an increase here of 456 percent.

In particular, as I have been meeting with customers and prospects, here are the common themes I have heard from them:

· Curl's visualization functions plus high performance give us a competitive edge in our business.
· "Curlization" is a process to replace spreadsheet-based client-server applications with RIAs with lower total cost of ownership.
· Curl is ahead of Adobe Flex in several areas like security, performance, and programmer productivity.
· Curl has a proven track record as a RIA platform for enterprises, while others are just starting.

Below I have included a snapshot of the news announcements we have issued during the last several months, a sampling of the great media coverage we’ve received, and links to some of our most interesting blog entries from the Curl Developer Center for you to reference. I hope you find this update helpful in your research, and I welcome any comments or questions you might have.

News Announcements

· Curl Releases New Web-Based Training Courses, August 20, 2008
· Curl Announces General Availability of Curl Development Tools for Eclipse, August 5, 2008
· Curl Announces General Availability of Its Curl Data Kit, July 7, 2008
· Curl to Provide Rich Internet Application Technology to University of Hawai'i at Mānoa, June 26, 2008
· Curl Nitro Demo Application Visualizes [Facebook|http://www.facebook.com/] Social Graphs, June 23, 2008
· Curl Showcases Curl Nitro Through New Sample Application, June 16, 2008
· Curl Announces Public Beta Availability of Eclipse-Based RIA Development Tools, June 9, 2008
· Curl Makes Rich Internet Application Run Time Environment for Macintosh Generally Available, June 3, 2008
· RIA Technology Benchmark Test Finds Curl Outperforms Adobe Flex 3, May 28, 2008
· Curl Embraces Desktop RIA With 'Nitro' Product Release, April 21, 2008
· Curl Announces Support for Ubuntu for Enterprise RIA Platform, April 15, 2008
· Curl Joins Eclipse Foundation and Announces Eclipse Strategy, April 7, 2008
· Curl Delivers First Open Source Product with Web Services Development Kit, March 4, 2008

Curl in the News

· RIA company curls up with Eclipse, SD Times, August 6, 2008
· Curl completes embrace of Eclipse IDE, NetworkWorld, August 4, 2008
· How to sort out Ajax and RIA frameworks, [SearchSOA.com|http://searchsoa.com/], July 30, 2008
· The Architect's Role, Dr. Dobb’s Journal, July 1, 2008
· Overview of the Curl Enterprise RIA Platform, [InfoQ.com|http://infoq.com/], June 13, 2008
· Curl Adds Runtime Support for Mac Environments, PC World, June 3, 2008
· Curl 6 outperforms Flex 3 on CPU-intensive benchmark, InfoWorld, May 28, 2008
· Who Will Win the Next Battle for the Desktop?, AJAXWorld, April 27, 2008
· Curl's Nitro Takes Aim at [Adobe|http://www.adobe.com/] AIR, InformationWeek, April 15, 2008
· RIA War Is Brewing, eWeek, April 11, 2008
· Product review: Curl 6.0 enriches the rich Internet toolkit, InfoWorld, April 7, 2008
· Curl: Rich Internet Apps get richer, Computerworld, March 13, 2008
· Curl ships commercial version of its open source web services dev kit for RIA Platform, ZDNet, March 4, 2008
· Curl linking rich Internet applications, SOA, InfoWorld, February 29, 2008

Curl Blog Posts

· Curl is now in the Top 4, August 12, 2008
· Backward Compatibility and Curl, August 1, 2008
· Quarantined by default, secure by design, July 28, 2008
· The Batmobile, Lamborghini, and my Suburban, July 23, 2008
· Enterprise RIA - real examples in use, June 13, 2008
· How big is your source code?, June 12, 2008
· Does RIA platform performance matter?, May 30, 2008
· For Curl, Security is Job #1, May 29, 2008
· Questions to ask your RIA Vendor, May 20, 2008
· Why Criminal Hackers Will Love Adobe AIR, April 16, 2008
· Seven nice things about the Curl Platform, March 25, 2008
· Why Is an Enterprise RIA Platform Different?, February 13, 2008

Events, Tradeshows and Conferences

Curl will have representation and/or executive speaking sessions at the following tradeshows. Please let us know if you plan to attend any of these events and if you’re interested in scheduling a briefing:

· Rich Client Experience, Washington, DC, September 4-5, 2008
· Web 2.0 Conference & Expo 2008, New York City, September 16-19, 2008
· AJAXWorld 2008 West, San Jose, CA, October 20-22, 2008
· SD Best Practices, Boston, MA, October 27-30, 2008
· InfoQ QCon, San Francisco, CA, November 19-21, 2008

Enterprises are looking to exploit the web as a platform for their business applications. This will be a natural progression from the client-server model, the dominant architecture for last 15 years or so.  There are two reasons behind this trend.

- First, the web as a ubiquitous platform has seen a lot of activity in the consumer space, with the success of Google applications, Google Maps, Flickr, YouTube, etc. Industry experts call this Web 2.0. It's natural for enterprises to explore how such technologies can be adopted for the enterprise.

- Second, use of the web platform over client-server has great economic advantages. It lowers the TCO (Total Cost of Ownership). It seems clear that one immediate area to bring Web 2.0 to the enterprise is the RIA - improve the user experience and lower the cost. This is proven by numerous examples of Curl's wide use in Japan.

So, in order to evaluate RIA technology, what questions should companies ask the RIA vendor?  Here are just ten such sample questions. There are more.

1. Do you have enough functionality for creating dashboards for BI applications?

2. Can you construct transactional stateful applications, much like what we have in client-server today?

3. Do you provide functions such as drill-down, mouse-over pop-ups, and a rich library of charts and graphs?

4. Do you have just-in-time compilation at the client for super-fast performance? Otherwise, how do you minimize latency from the roundtrips?

5. Can you run these applications offline, for subsequent sync when connected? What's your data-persistence approach at the client?

6. Do you have high-class IDE support for fast programmer productivity?

7. Do you provide scalability (no performance degradation with growth in users and workload)?

8. Do you provide enterprise-class security (sandbox, secure access to resources, ...)?

9. Can you handle large volumes of data with good performance (100K records processed at the client-side)?

10. Can you fit into the back-end ecosystem such as J2EE, Oracle, DB2, WebLogic, WebSphere, etc.?

Answers to such questions will be critical for enterprises to pick the right vendor.


Adobe has released their new AIR product with much fanfare about letting developers "[use proven Web technologies to build rich Internet applications that deploy to the desktop and run across operating systems|http://www.adobe.com/products/air/]."  The grand vision that's being promoted is that AIR is pioneering the application development model of the future, where cross-platform applications will be developed using a platform-independent tool such as AIR, and then deployed across the Web as downloadable gadgets that can be installed on any computer.

The concept is attractive, but there are several weaknesses in the way AIR implements it.  One of these weaknesses is performance: while the speed of AIR's execution engine may be fine for gadgets, will performance that is still an order of magnitude slower than native code be acceptable for serious applications like Adobe's own Photoshop?  (Note that the recently released Photoshop Express service is not an AIR application; it's a server-side application with a Flex front end.)  A second weakness is the complexity of the AIR execution architecture: will future application developers really find AIR's conglomeration of JavaScript and ActionScript execution engines to be a more tractable development platform than a single, coherent, object-oriented execution environment?  But the weakness I want to address today is AIR's security architecture.

Security is a central issue for any mobile code execution platform. When a user loads an application from a server, unless the user is able to verify the authenticity of the application and the trustworthiness of the application's provider, it is only prudent to assume that the application could be malicious.  This is why Web browsers execute the JavaScript on a Web page inside a security sandbox that prevents the script from stealing information or damaging files even if it is malicious.

Some advanced mobile code platforms, such as Java and Curl, provide a sandbox for garden-variety untrusted applications, as well as a means for eliminating the sandbox restrictions for applications that a user determines can be trusted.  Since trusted applications will have full access to the user's machine and network, it is very important that their origin can be authenticated.  This is typically done by requiring that a trusted application be digitally signed by its provider, using a certificate issued by a recognized certification authority such as Verisign.  This architecture extends the range of a platform, in a safe way, so it can handle a spectrum of application requirements that includes the features of typical desktop applications, many of which require fuller access than can be granted to an untrusted application running in a sandbox.

The designers of AIR obviously wanted to play in the desktop application space, so AIR applications have full access to the machine they are running on.  But it seems that the AIR designers were unwilling to give up on also being a platform for casually loaded Internet gadgets, even though they did not see fit to give AIR a sandbox for running untrusted applications.  The result is a mongrel security architecture that may impose costs on a lot of innocent people over time.

In a nod to the authentication requirements for trusted applications, Adobe says that all AIR applications must be signed.  But the nod is an empty gesture, because AIR does not require signatures to be based on a certificate from a recognized certification authority!  If you want, you can create your own certificate out of whole cloth and sign your AIR application with that!  I have to guess that Adobe did this because they didn't want to cut themselves off from the casually loaded Internet gadget domain, and they weren't willing to require that the creators of such gadgets go through the process of obtaining a legitimate certificate.
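To make the difference between a self-signed certificate and one that chains to a recognized certification authority concrete, here is an added Go example; it is not Adobe's or Curl's code and does not describe how either platform implements signing. It builds, in memory, a constructed "recognized" CA, a code-signing certificate issued by that CA, and a self-signed certificate claiming the very same publisher name, then applies the policy this post argues for: a publisher is authenticated only when its certificate verifies up to a recognized root, and anything else is reported as UNKNOWN. The CA and publisher names, the 24-hour validity window and the function names are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PublisherStatus is what an installer would show: the name it can vouch for
// (or "UNKNOWN") and why.
type PublisherStatus struct {
	Name          string
	Authenticated bool
	Reason        string
}

// CheckPublisher authenticates a publisher only when its code-signing
// certificate chains to one of the recognized roots. A self-signed
// certificate asserts a name that nobody vouches for, so it is UNKNOWN.
func CheckPublisher(leaf *x509.Certificate, roots *x509.CertPool) PublisherStatus {
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) {
		return PublisherStatus{"UNKNOWN", false, "self-signed: the publisher issued its own certificate"}
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return PublisherStatus{"UNKNOWN", false, "no chain to a recognized CA: " + err.Error()}
	}
	return PublisherStatus{leaf.Subject.CommonName, true, "chain verified to a recognized CA"}
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// mint signs template under parent with signer's key; parent == template yields a self-signed cert.
func mint(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemo constructs the sample material (all names and keys are made up):
// one "recognized" CA, a code-signing certificate it issued, and a self-signed
// certificate claiming the same publisher name.
func BuildDemo() (roots *x509.CertPool, issued, selfSigned *x509.Certificate, err error) {
	now := time.Now()
	validity := func(c *x509.Certificate) { c.NotBefore, c.NotAfter = now.Add(-time.Hour), now.Add(24*time.Hour) }
	codeSigning := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}

	caKey, err := newKey()
	if err != nil { return }
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Recognized CA (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	validity(caTmpl)
	ca, err := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return }

	leafKey, err := newKey()
	if err != nil { return }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Honest Software Ltd (constructed)"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: codeSigning,
	}
	validity(leafTmpl)
	if issued, err = mint(leafTmpl, ca, &leafKey.PublicKey, caKey); err != nil { return }

	selfKey, err := newKey()
	if err != nil { return }
	selfTmpl := &x509.Certificate{ // same name as above, but no authority stands behind it
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Honest Software Ltd (constructed)"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: codeSigning,
	}
	validity(selfTmpl)
	if selfSigned, err = mint(selfTmpl, selfTmpl, &selfKey.PublicKey, selfKey); err != nil { return }

	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, issued, selfSigned, nil
}

func main() {
	roots, issued, selfSigned, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{issued, selfSigned} {
		s := CheckPublisher(c, roots)
		fmt.Printf("publisher=%q authenticated=%t (%s)\n", s.Name, s.Authenticated, s.Reason)
	}
}
```

The issuer-equals-subject shortcut only labels the case; the real decision is `Verify` against the root pool, which also rejects certificates issued by a CA the installer has never heard of, and `ExtKeyUsageCodeSigning` keeps a TLS server certificate from being accepted as a publisher identity.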

Yes, if an AIR application's certificate is self-signed, AIR displays the publisher as "UNKNOWN", "[giving the user pause as to whether they should continue|http://blogs.adobe.com/stateofsecurity/2008/02/air_security.html]."  But what detective work is the user expected to do?  How many users will actually be able to do it?  It seems more likely that if Adobe's dreams for AIR are realized, a generation of users will be trained in the habit of clicking "Install" for fully privileged AIR applets of unauthenticated provenance.  Adobe has already begun this training program by posting a large number of self-signed AIR applications on the Adobe AIR Marketplace, including the DiggTop feed reader, twhirl Twitter client, and Google Analytics Reporting Suite, just to name a few.

The resulting situation will be a bonanza for criminal hackers.  AIR will become the first truly cross-platform tool for distributing malicious applications.  Macintosh and Windows, home and business computers will all be equal-opportunity targets for Trojan horse attacks, keystroke loggers, etc., truly realizing the dream of "write once, hack everywhere!"

Adobe can't have it both ways.  Casually loaded Internet gadgets need to run in a security sandbox.  Trusted applications need to be rigorously authenticated.  Adobe needs to stop pretending that their self-signed application model provides a secure basis for running casually loaded applications with full privileges.
