 All right, so I this is my first FOSDEMS since 2010 I think was the last time I was here I did a talk about building firefox extensions called like firefox switchblade But it probably should have been like firefox foot gun because I was doing things like piping URL bar input directly into shell commands like So bad so bad, but so much so much fun The good old days battle days. Sorry, but today I'm gonna tell you a little bit different story The web is a little different since last time I was here The the needs of people that use it are a little bit different This last year. I was working with Colleague on a project to look into like how can we bring some of these? Decentralization and distributed technologies into web browsers. I've worked on firefox for a long time I think landed my first feature firefox in 2006 or something like that and We did a little bit of exploration both a little bit of code and experimentation and I'll talk about that And also ran a series on introducing distributed and decentralized web projects on the mozilla hacks blog So there's I think eight or nine different posts there if you want to learn more But as we explored this area this like looking at ways that we could change the web to meet The needs that we have the most urgent needs right now A couple interesting things happen like one researching this project I found about this project called web three It's like okay. There's this whole group of people all Kind of trying to build what they think is the next version of the web, right? They actually use a lot of the same language that the champions of the status quo web views and a lot of the same language That's even in mozilla's mission Is fascinating there's like almost no interaction or a crossover or a bridge between these different projects like these two different worlds and One of them we have the web that kind of we've heard about today and a lot of the projects and speakers here and this other group of people that are Working on redefining what the web actually is in in their vision and not really a lot of kind of Cross talk between these projects. So I wanted to learn more so I pitched a talk for the ethereum dev con and prog in November and Got accepted for the five minutes on the developer stage Awesome, and then the week before they're like no wait wait you have 30 minutes and you're on the main stage You're going after the crypto kiddies guy before the z-cash guy, okay? All right I will drop everything and make a better talk that I was planning on doing and try to take advantage of having this Platform to speak to this community about our community that we've been part of for so long So I went to get to talk because met a bunch of people is interesting But the real story was kind of the challenges that I encountered when telling people about this I went to the muzzle all hands in Orlando, and I had this encounter where somebody was like oh I heard you went and spoke at the ethereum conference. I was like, yeah It was really interesting and they were like how do you feel about engaging in a community of criminals? That are there solely to steal innocent people's money This is somebody I'd known for like ten years. I mean I like it was shocked like part of me It was like really hurt, right? This person kind of assumed the worst of my character For doing a talk there. I was like I've been working on Firefox for like over a decade. What more must I do? But also I was kind of shocked at the lack of curiosity about this whole other world That's moving forward kind of whether whether we agree with their architectural approaches values or purpose and intent or not They're doing it so But kind of more shocking was in these types of discussions for me was There wasn't an ability to kind of have an openness open an honest conversation about the challenges that we have in the web today Like one of the things that's always trotted out as well if you're using a blockchain Then you must be over to engineering it doesn't matter what your use case is Like the web has well this number was wrong. It's like 9500 estimated pieces of feature surface area right now We're also as if you're here for a flocking stock We're shipping an assembly runtime inside of a desktop publishing format if you want to talk about over engineered So like we kind of have to we have to have an open mind about the challenges that we face on on the web Another one is that it's not possible to design decentralized experiences the UX just sucks on these projects It always will and they will fail because of it and then you see I don't know if anybody saw this Which is like this video of what it's like to use the web today And it's everything from tracking from anti-tracking stuff or I see you're using an edbocker like no, I'm not I'm just tracking I want to see your ad, you know on and on set up to my newsletter It's just a horrible daily experience that a lot of people have that we really need to figure out a way to fix We we have our own design problems even though we have fantastic tools like CSS grid it does for beautiful layouts It doesn't mean that everybody's using them a lot of people's daily experience the web is not great And another one was like well everybody in that crypto world. They're just there for money They're just there to figure out a way to get rich quick and get out They're all bad actors, and I'm looking at the web today where we're like, okay Well, it looks like pretty soon 95% of the web will be one single for-profit company Who decides the future and direction of that technology for money So we need to be able to have this conversation about what the web needs We actually need to be able to speak honestly about the challenges that we have and This work that we need to do So this is Mark Sermon the director of the Mozilla Foundation, and he did a talk that I don't know 2009 or something like that and he asked this question like well He did a couple blog posts. I think about it too What does it take to build a hundred year organization and this is kind of like burned in the back of my head And every time I think about the future of the web and the technology systems that we're making I think about it in this context How can we design things that are robust especially in the face of these really extreme challenges that that we have today? In in order to be able to have that conversation in order for the web to be able to adapt and change We we need to be honest about the things that do need to change one of the challenges is Honestly the success of the web is there an estimated over five billion web pages and web browser vendors have the job And the responsibility of making sure that they keep working that you can go back to that web page from 1995 And it actually still renders and is as usable This makes change really difficult like this responsibility Combined with the complexity of the stack means that making anything different there is a really really slow process And you have to be very very careful So they're good reasons why it's slow, but we also need to be able to understand when we need to make really really important changes so It turns out as we've found out in the course of this project over the last year that some of the biggest champions of the web Sometimes are actually the hardest to talk to about the things that actually need to change You know one of the first things like we're in love with URLs We like really are in love with URLs and they do really serve an important purpose But they also have some downsides like Centralization jump points and make it really easy it just just forget to pay your server bill and your website goes offline And if you don't pay it again, it goes on forever And sure the Internet Archive has maybe a copy But like do we really want to leave the robustness of the web and the history of our human activity on it up to? One non-profit organization is awesome as they are It's really a problem. There's also You know censorship issues there Also, like if you talk to anybody who has been a designer or a user researcher at a browser vendor They will tell you that statistically nobody understands how this stuff works We understand how URLs work because we work with them all the time. We're technical but most people do not and There's a challenge So this is a famous video that Google did where they asked people like Times Square or something like that What's a browser and just the the app the unbelievable breadth of answers is is fantastic. It's fantastic to watch Well worth checking out Another one is like we can't even imagine what what a world would be like without without domain names Like it's so embedded in our everything from how all the different aspects and workflow of how we create products How we brand products and talk about them how we talk to each other about how to find stuff online? What if they go away to how do you even find anything anymore? It would be impossible Another one is and this is this is interesting too is like this idea of that if you're talking about a network protocol Something at protocol level it must mean you you are not user centered you've decided to abandon the user And you are really focusing on the wrong problem here They need to say we're having these conversations over like You know many decades of development of internet architecture that is at the protocol level that allows all the benefits that we enjoy At the user level today Forget that also this this photo is kind of Mesmerizing I could stare at this I was like I've been staring this photo for like 10 minutes at one point Look look away So so what do we need to change like you know that gives it the browser the way that browser browsers have been a client basically for 20 plus years right Makes it really difficult for from a bit a security model standpoint Just people how people conceptualize the technology the different patterns that we've developed about request response and things like this Makes really difficult to make change as we're seeing with things like HTTP 3 and quick and other things There might be some change coming in that way either way But it's a really well-known and well-understood model that also has some problems All the decision-making power Basically is on one side of it and that's on the server the decision that I have as a user of Using my user agent as it were a browser is I could choose which websites to go to but I don't have a choice Do I get to see it again later right or I like that design? But now it's changed and these are the examples like people have really visceral emotional responses to change you find a website Even somebody like you really like and they update their blog and you're like I like the old design better Right like there's these little just like annoyances But we have really strong emotional attachments to how things look and how website changing over time Is maybe not something that is enjoyable for some people. It'd be great if I could just look at the way you had it before Another one is Kind of people are concerned about putting stuff online because of the legal repercussions of doing so Anodash had a massive set of samples of print samples, and they're all well within the fair use length But he was scared to put them online because he was like I'm gonna get sued either way It doesn't matter if the suit has merit or not This this is another one the centralization of how websites work today means that Services that we depend on as long as they are residing and all the application logic resides entirely on the server When that company decides to sell to a bigger fish or something like that that server just goes Poof goes away and the thing that you maybe maybe in this case like built your business on also goes away Other things like the whole whole chunks of the internet going down due to some centralization jump points There's a brighter reasons for this right, but I'm gonna talk about some projects They're trying to figure out creative approaches for working around it, and this is really a really important one I lived in Thailand for a year, and it was amazing how Sometimes they have they have a pretty strong censorship regime there and some laws around that But the software is actually like pretty terrible So it meant that sometimes like the page the Wikipedia page for the king of Thailand would actually be available And then other times it just wouldn't and you would just see this and all kinds of other pages too because they didn't have really Specificated algorithms that they were using they're using really blunt tool to be able to block access to information and As we've seen especially in the last couple of years the increase the rise of internet shutdowns for whole nation states Really like DNS and central client server Network interactions as we're very used to on the web is incredibly easy to completely shut off people's access to information I was also in Turkey for a month in November and just Living in a place where Wikipedia is banned was was fascinating There was like a spray paint on the walls of Wikipedia pages for people and stenciled stenciled Wikipedia pages. It was awesome but but these are real problems that we need to figure out and there are a couple of projects that are Figuring this out. They're experimenting in what Distributed web might look like what decentralized web might look like. I'm not gonna talk about any of these really in depth This is more about the challenges that we have as a community right now Who are building the web and using the web and love the web in making change? And I'm gonna talk a little bit about how we approach that change inside browser vendors and a couple of different experiments that people have done But these are some of the projects that are kind of trying to redefine What the web would look like in a way that gives a little bit more of that power onto the user So that we can actually get to the point where the user agent isn't just a place where we can request stuff But has actually a little bit more decision-making power When we started looking at how we could add some of these technologies into web browsers We're like, okay, there's really you know like each one of these projects has different architectural approaches that different philosophies about things like you know, p2p networks and Blockchain or no blockchain. There's all different types of use cases They are trying to address maybe first rather than later some of them are our more general purpose and sometimes not There's a whole bunch of like higher level application primitives that you find in p2p and distributed and decentralized applications blockchains and swarms and CRDTs Things like key management and really important and really difficult But when we looked at these types of projects a lot of these similar key higher level architectural pieces came to the fore Okay, well, should we just make like a navigator not blockchain API Maybe not the right level of obstruction that we want So we're like, okay What are what are some of the lower level primitives even before those that are enabling these people to build these types of architectures and turns out Really kind of well-known set of technologies that are kind of boring But when put together in kind of simple ways enable all these other different higher level application primitives but none of these are In the web today, they're not not shipping really in a meaningful way in any major web browser. There's been experiments There's been attempts. There's been some like pushing forward and then pulling back both by Chrome both by Firefox opera and But it's it's still not there for and for a variety of reasons like I said before changes really hard There's also like real security concerns about this kind of stuff But at the same time these these use cases that get unlocked by these means that we need to start figuring out what that Security model looks like and we need to be able to understand the trade-offs that we're making By not adding these types of functionalities and giving more decision-making power to users in some cases So there are a couple different ways that as people who make browsers we've looked at where okay We're like, where do we put this technology? We put it in the web pages API's there We could make extension API's which then it's not kind of there by defaults the developers may or may not use it and the Users don't know to install it. We already know well-interested problems with extension install flows You know as a core browser feature. He's like, okay as the browser just add IPFS as a native protocol or something like that, right? So there's these decisions kind of like what a choice-of-venue kind of decisions about and they all have their pros and cons You know it a JavaScript API for for raw TCP socket access has been tried And I think you can you can even flip it on and in Chrome OS and Chrome apps there There's a couple places you can get a work in Firefox OS device that's had access to it but there really were a lot of problems and and Wasn't maybe the right level of abstraction So we worked on a project called libd web my colleague a Rockley and I where we implemented that set of technologies These most most of these anyway in web extension API's so you could write a browser extension those able to open up a listening socket This unlocked really a lot of use cases We were just experimenting on the PIs and we're having conversations about how we actually get to the point where we can ship it At least even a nightly off by default right place at least let people experiment One of the coolest things that happened almost right away was somebody from the IPFS project Ported IPFS to use these API's and and actually did a demo Serving up Wikipedia Turkish Wikipedia in a p2p way Which meant that it was really really difficult for the government there to be able to censor it? And this was kind of an immediate validation that there is something Something worth doing here that it's worth taking some risks to figure out how we can change the nature of what a user agent is to actually Really represent the user's needs more instead of the server owners needs more So we got we got kind of far we we got at least some buy-in from the teams and shipping API's that they're interested We started going through the threat modeling exercise for things like opening up listening sockets on a something that's been a client for 20 I years Those are conversations ongoing But but you know that there really is a level of interest and we even poked You know poked a little bit it like okay Well if I think Andre Garcia landed a patch in Firefox that enabled some of these Distributed web project Protocols to be loaded at least like forward to a different page or URL in the browser and a few months later Chrome also like listed those protocols so so it's kind of like slow pushing a little bit by little bit in this space That was really interesting to see The going back to other kind of choice of venue decisions There's some interesting work happening in IPFS and Rockley's also involved in that project It can figure out like how close can we get using existing web API's to Either connecting to a local IPFS node or even how close we get to even hosting some kind of node Or connecting to local DHT things like this really pushing it okay how many browsers have entered Say implemented service workers shared workers and how can we and web RTC and how could combine this stack into a really kind of Scary over complicated ball that eventually does meet some of these needs right at least connect to some of these networks in a Way that reduces the frictions and getting more people to actually be able to use them without having to say Install browser extensions and things like that. So that's the kind of like what can we do in a web page today? Approach and then also like brave browser. They're like maybe we'll just implement IPFS natively They already shipped a cryptocurrency wallet So the user base is small enough that they're able to push really hard Take more risks maybe not have to worry about kind of like the Compatibility backlash that if Firefox did something like that and we're like God didn't work out Like it's really hard to walk back from web features that you ship and a browser that you then need to basically Own forever so that like I said at the beginning you don't break the web Which is kind of like first do no harm for people who are actually making the web So that's at the core level. We're different ways to do it None of these are really the right answer that we know yet But there's a lot of experimentation happening and one of the things that I think is important about all this is like we didn't Come up with okay We're not like okay the web extension APIs is the way to do this is that best balance of Security compromise compromising the security stuff there with the user needs that we need not really We didn't even have a plan to ever ship it part of the why we actually did that project was to kind of initiate this conversation To push on the boundaries of the space So that we can actually get people talking at least about that kind of security model We're also looking at starting up a w3c community group So there's a kind of a place where all these projects can speak in a way that might put us on the path towards some types of standardization Or at least shared implementations and interoperable implementations of stuff like this in web browsers But Coming back to this point we we need to be able to figure out what that Change is going to be we don't maybe know what the end state is going to be but As you saw in the beginning of the slides and you're all pretty much aware as like especially if you're hanging out Listening to some of the projects talking about anti tracking stuff in the privacy and decentralization room over there The web has real challenges today That to some extent might be considered compromised even in some ways Especially depending on what web properties you're visiting the privacy international report about how How basically how many people on the web and even native apps are subject to tracking was was really horrifying And something that we need to take seriously and really take immediate and drastic action To be able to do the companies that are doing this for a profit have relatively little incentive To be able to do it but in open source communities like this We already have the values we know what we want to see But we need to be able to push on that environment to make make that change happen Even when it's kind of like tearing at our hearts to say, okay, maybe we maybe we need to revisit what a URL means Maybe we need to think about what a what a browser looks like And even if there are relative security concerns Understand what the threat model of those of those are going to be so that we can actually figure out what that next user agent is going to look like And hopefully the web then will still be here in 100 years Thanks Six minutes for questions. Yeah Do we have a microphone? Thank you. So apparently opening raw sockets To extension developers. It's like pretty hot topic And I noticed this when there was like the drop of the old extension format and the switch to the new one We had like extensions like fire ftp which used this feature And my question is if you were to open in a web extension way Not in the legacy way in a new modern way these sockets What sorts of threats are you afraid of? And both as a client is and as a server because ipfs would be as a server. I guess Yeah So it's a really good question That's part of what we started to get into we started doing a threat modeling of these types of apis We only fully went through the process for the protocol registration api We haven't yet gotten to the sockets apis, but it the the upside there is that chrome's been shipping those apis on chrome was for quite a while So there are people who have actually shipped these apis in production to some sense of users So there are public discussions and on the There are so many different repos for standardization on W3c or the wicg or the what wg or one of them There's a really great thread about exactly that what the threat model for listening sockets are So I'll I'll try to look it up and then just share it on twitter or something like that But it It kind of depends and this is one of the reasons why the web takes a really conservative view towards Opening up these types of capabilities because it's serving the entire needs of humanity every day so that that kind of attack surface is really broad and Understanding what that threat model is end up being in the ends of being really kind of subjective to the kind of places That you go on the web, but I think for certain groups of people It's worth evaluating What the tradeoff is and that that I think is what ultimately needs to happen there Any other question? We look at So I'm just wondering what's in your mind, you know, what kind of aspects we need to look into I understand that the W3c is looking at like It's decentralized the id working group. Yeah, so how these two work together was your thoughts about it So I'm not I'm not super familiar with the the d id spec the decentralized identification spec But as far as a kind of like post url life some of these projects Here have done a lot of experimentation in there. So They're The examples so far like ipfs you open up what is basically a hash and the dat project is really similar I was at the aragon conference Earlier this week in berlin and there was a designer there who did a kind of a cool presentation on like The ways that you can tie hashes and all these different in different types of projects Two real names and things like that and different design patterns and interaction patterns for Tying some type of information that you can find to those So I think there's going to be a lot of design challenges around losing the url But the problem is we're going to have to figure out Sooner or later, and it also doesn't mean the url is going to go away forever, right? Like we still want to have access to the type of publishing Workflows and tools that we have today when they are available, but we also have to balance that against Preparing and being ready for conditions maybe when they're when they're not But I I honestly I I started looking through all the decentralized id stuff and it's a really It's a deep stack So I I'm not really super familiar with it Cool. Thanks. That was really interesting talk there But what I was wondering there Do you think there'll be a pushback from like the certain companies there that the centralized way is how they make money Like will they do you think they'll be able to survive in this old decentralized way? They might not be Yeah, that's that's a really valid question when 95 percent of Web users might be using an engine that is controlled by one company Yes Some extent you could look at that that near monopolization of that space as that pushback Like what do they what do they have to push back about when they already own the ground? We walk on in the air we breathe That's that's the threat. I think that's why Why kind of I talked about the social challenges That for as much as we love the web we need to explore different ways that the web might exist We need to look at all the different permutations that might be That it might turn into in ways that help us push back against Those people who don't want us to have more user agency. I think the the company has already pushed back They they own they own almost every moment of our waking day Any other question? No, okay Thank you. Thank you so much