Behind the Scenes: Client-Server Communication

Once you have successfully synced your browsers a few times, you will probably wonder how the whole process works. Fortunately, the Mozilla project makes the Weave server source code publicly available and provides documentation on the API [5].

The Weave client uses https requests to communicate with the server for everything from account creation to data storage and retrieval. The data are stored at services.mozilla.com in essentially a highly structured WebDAV share. Each data type is in its own subdirectory, where snapshots and "deltas" (changes since the last snapshot) are kept in JavaScript Object Notation (JSON) files.

The Weave system is designed so that very little of the work is done server-side; this allows the server to scale up to many thousands of users. Instead, the client handles most of the heavy lifting, from encrypting and decrypting data to deciding how to reconcile changes between the server's snapshot and local data, depending on the kind of sync to be performed.

Mozilla developer (and early Weave user) Atul Varma took a look around the server's directory structure well before the v.0.3 release and shared his insights on his blog [6]. Unfortunately, for security reasons, you can no longer log in to services.mozilla.com and peek through your user directory as Varma did, but his is an interesting tour for those curious about the server setup. More details are available as reference material on the Mozilla wiki, although because the system is under development, the documentation is incomplete.

One of the more interesting aspects of Weave's design is its use of encryption. All of your data is stored on the server in encrypted form, but the system actually uses three encryption keys in a clever way. A secret, symmetric key is used to encrypt the data itself. Because it is symmetric, the same key is used to encrypt and decrypt the data. This secret key is in turn guarded by a public-private key pair. You and you alone have access to the private key, meaning that you can encrypt the data stored in your account.

The public key allows other Weave users to share data securely with you. The reverse situation is easier to explain. If you want to share your bookmarks with another Weave user, Weave makes a duplicate copy of the secret symmetric key used to encrypt the bookmark data. Rather than locking the duplicate key with your private key (as with the original), the duplicate key is locked with the other user's public key. That ensures that only the other user can access it.

The current encryption scheme uses a separate secret key for each type of data – bookmarks, passwords, tabs, and history. Likely you'll want to share only a subset your bookmarks or tabs with others, so the framework is in place in the Weave API to split stored data into several segments, each protected by a distinct key – this functionality is not exposed yet in the v.0.3 release.

Self-Serve

If you feel daring, you can download the Weave server code and set up your own server. The server is written in PHP, and requires PHP Data Object (PDO) and JSON support. Although Weave is based on the same ideas as WebDAV, it is important that you not enable WebDAV sharing on the location you plan to use as your Weave server – Weave and WebDAV would interfere with each other.

At the Mozilla wiki [5], you will find detailed instructions on setting up a Weave server. At this point in time, the installation process is not automated – you will need to modify the configuration files by hand. A Weave server can use a variety of storage back ends, including SQLite and MySQL. The server-side account creation method is not part of the basic Weave server, but Perl scripts are included in the release bundle, so you can create accounts. When your server is up and running, all you need to do on the client end is change the account credentials and server URL in each Weave client's preferences.

What's Next? Sharing and More

If you don't mind running the latest Firefox betas, Weave is already a winning addition to the daily browsing experience. Browser synchronization tools come and go. Over the years, I have used Firefox add-ons from at least three sources, and all either ceased to receive updates, didn't work across operating systems, or slowly broke for undiagnosed reasons. In a sense, Weave is merely the latest entrant into the browser sync contest, but it is special. First, it is a Mozilla-sponsored project, and second, it is extensible and has the potential to do more than preserve bookmarks and browser info.

As mentioned, Weave's server-side encryption scheme anticipates the addition of another major feature: sharing data between accounts. The simplest case is bookmark sharing, but considering the list of data types sketched out in the Weave roadmap, several are ripe for sharing as well – dictionaries, themes, and extensions, for example.

The same infrastructure that permits secure sharing between users could be used to share information with online services, just one way that Weave can integrate services into the browser. For example, you could sync bookmarks with a social networking site, said Weave's lead developer, Dan Mills, or notify your Dopplr friends automatically when you make travel arrangements that will bring you nearby. "Right now, you basically have to do that by hand," Mills said. "The ticket issuing companies and Dopplr are two separate silos that don't cooperate with each other. Part of what we are trying to do is raise the level of innovation on the services arena by making it so that when a brilliant entrepreneur has an idea for a service that ties in to the browser, they can execute on the area they know best."

"Creating an add-on is a sizable expense and effort from these organizations," Mills added. By building the synchronization and communication infrastructure into Weave, the service provider has less to do. Weave supports machine-readable microformats, and Mills says upcoming builds will integrate with Firefox's built-in microformat parser.

In the short term, the emphasis is on maintaining the simple and useful user experience. The broader Weave services, including third-party service integration, are still being fleshed out. In the meantime, you can take advantage of the sync platform – across machines, across operating systems, and on mobile devices.