Home >
Curl a proprietary RIA framework, which resembles Flex, is now releasing desktop support which sounds to be similar to Adobe AIR called Nitro.
From the Infoworld article:
Curl plans to unveil next week a beta version of a runtime tool that it said will help large organizations extend RIAs (rich Internet applications) to run on the desktop.The new runtime software, called "Nitro," provides the high performance, rich graphics, and enterprise security constraints that enterprises need to run RIAs on the desktop, according to Curl. The company claims that 300 mostly Japanese large organizations -- products enterprise customers? -- use its year-old Curl RIA development platform.
Curl is the latest vendor looking to garner part of the expanding offline RIA business, where users extend the rich User Interface and fast loading times of RIAs onto the desktop. Other offerings include Google's Google Gears technology, Mozilla's Prism software, and AIR (Adobe Integrated Runtime) from Adobe.
Curl executives claim that Adobe's AIR, which shipped in February, is better suited for business-to-consumer applications, while Nitro is fitted for the enterprise because it can handle very large data sets and strictly cordons off non-certified desktop RIAs from corporate networks.
Sounds kind of interesting but AIR uses certificates and as any Ajax developer who's used AIR knows they've done a lot for security. There's a sandbox that protects the users computer from potentially malicious remote content. For a good overview on AIR security check out this article on Adobe developer network..
The other reason they claim Curl/Nitro is better geared for enterprises is because:
"Nitro has successfully run data sets up to 100,000 records in tests, a performance level that would allow organizations to perform more complex data visualization."
Without more details on the test or a comparison to Flex in AIR it's hard to tell if this is relevant. I did dig around on their website a bit and found that they did a comparison between Flex, Ajax (actually Ajax for ASP.Net) and Curl. The problem with this type of comparison is that Ajax for ASP.Net is just one Ajax implementation and so this will really just confuse and mislead people. Which makes me skeptical of other claims.
So I'll get this out of the way: Nitro meets AIR and we get Nirtrous Oxide (aka laughing gas)...ha ha oh man that' funny:S Ok back to business. I guess we'll just have to wait and see next week when they release.
Anyone out there using Curl? I Would be interested to hear from end users or developers.
Tag Cloud
Podcasts & Screencasts
@InsideRIA on Twitter
Follow InsideRIA on Twitter
Facebook Application Development
Here is an example Curl application. Its the Puerto Rico board game written by a Curl developer
http://www.phial.com/puerto-rico/
I am not sure how this compares with enterprise Curl applications. The graphics are also quite simple for this game. I tried getting it to work on Mac with their beta Curl RTE and didn't have much luck but I did get it running on Windows.
Thanks for that Renaun, ya I can't seem to get it working on a Mac either:S I'll try later from a windows machine.
The article is very accurate. For example, Adobe AIR has a HUGE security problem. An application written for the AIR platform can access anything it wants on the users hard drive which means it can install root kits. I didn't make this up. Adobe's own Lucas Adamski says it in an article published on Adobe's web site.
"Finally, using any remote data in AIR specific APIs should be done with extreme care. For example, if a remote server can provide a file name and file contents for the application to download, it could write the file to a sensitive area of the file system, possibly resulting in installation of a malicious rootkit. This may seem farfetched, but it is a common mistake that is easily made, even when you believe you have exercised sufficient care. "
Just search Adobe's web site and you'll find it.
The security model that you refer to only applies when an Adobe AIR applications dynamically load an Ajax or Flash/Flex applications. It doesn't apply to the security model of the AIR application itself. I could write an AIR application that installs spyware, rootkits, logs keyboard actions, etc the same as I could with a binary executable. We call Adobe AIR's platform "Write once, Hack Anywhere!" because it makes hacking cross platform.
One of our engineers wrote a blog entry about the Adobe AIR security problem which you can access on our developers web site.
I'm not a security expert, but the security issues with Adobe AIR are pretty clear cut and we are not the only ones saying that. Adobe should come clean and admit that its security model is no security model at all.
Richard, yes but I could write a .net executable to do the same or the equivilent on Mac or Linux so I think that's a bit of a moot point.
There is a lot of education that is required for people installing AIR apps but the fact malicious software can be written isn't a limitation of AIR it's a problem with any locally running software.
Perhaps the installer could inspect the AIR app to be installed and prompt the user about any potentially hazardous code within the app but an uneducated average joe isn't going to understand such warnings and just continue anyway.
Hi Danny,
The thing is you CANT do this with Curl (http://www.curl.com). Curl also supports a desktop programming model - so saying that its a problem with locally running software is not correct. Its a problem with locally running software that isn't sand-boxed.
Curl provides a model for desktop applications too, called desktop applets, which allows you to run a Curl application directly from the desktop just like AIR. The difference is, Curl desktop applets are quarantined so that they only have access their own portion of the disk. The Curl Desktop applets cannot, for example, overwrite the notpad.exe with a rootkit because Curl desktop applets only have access their own sand-boxed disk area.
AIR applications are not sand boxed so they are no safer than downloading code from someone you don't know and installing it on your desktop. People don't do that, yet they seem very willing to download AIR applications of "UNKNOWN" origin and install those things.
I am not familiar with AIR but I know Curl for years and I just like Curl because it is so easy to program web applications.
Friedger
Curl has to go a long way to achieve the Adobe AIR's graphics capabilities. Adobe is known for its graphics and no one can beat Adobe in graphics. AIR offers more animation, transition effects, shading, opacity, transparency, border-less window, etc ... , which makes an application really RICH
right now my primary concern for offline apps like Adobe Air is the inability to protect the main file from being tampered by owner.
Once compiled, the exe still depends on the js or html files instead of all compiled into the executables. This means even with their secured by inserting sensitive data in encrypted localstore, it only takes a hacker a few minutes to edit the html file and write a password sniffer right before the apps save into localstore. Coz, the source code is right there, inside the application folder.
Am I missing something, coz I dont have any documentation indicating on how to deploy a more secured application files.