The fact that a web email client (Gmail) can turn the fan on when it’s mostly text and runs in a VM written and published by the same company that wrote the email client just makes my head spin.

And the solution to this is to put the browser in the cloud? So what’s the desktop browser on your new $3,000 mbp now, like... a demo environment?

It boggles my mind that we’re not demanding the web bloat stop. Maybe Figma just doesn’t really work as a web app! If I have to run my browser in a datacenter, I think it’s fair to say it doesn’t.

As a web dev I’m just embarrassed. How are we not saying “this is too much, stop making web apps that crash my computer, it’s not worth it”?

Pop open developer tools - Gmail's JavaScript is heavily obfuscated, not just minified. (I think it's a custom, self-modifying VM that's written in JavaScript, and it fetches pieces of itself over the network, like reCAPTCHA).

This "DRM" plays at least some role in making the optimizers in V8 work a lot harder to get anything reasonable out of the spaghetti.

Why Google needs DRM for a web email app? Beyond me.

>> Why Google needs DRM for a web email app?

The reason we use such tactics is to increase the barrier to reverse engineering, because our teams value their work. Some people claim that security through obscurity is bad. I challenge this view. I claim that every security defense, such as RSA, is an obscurity.

It's a matter of time until RSA breaks in the same way as obfuscation does.

Gmail is not your "let's make it over a weekend" kind of app. It's highly sophisticated and delivers huge value.

There are a lot of people who hate obfuscation. Some are communists and others are attackers.

My wife (she works in the fraud detection department) found an interesting attacker who masqueraded as a security researcher and student of X University, but in fact he was a criminal scum. He has reverse engineered anti-fraud scripts of many websites and published them on GitHub for everyone to see. His main goal was to attract malicious buyers and sell them scripts that bypass this protection. It was one heck of marketing.

Brian Krebs also had a similar story on his blog.

I'll bite.

First, encryption is not "obscurity" in the same way you think DRM is.

Second, several other email providers don't think they need to rely on some performance-killing DRM to "protect" their web app (oh no, what of all the value!).

Outlook has a part of their files minified, but doesn't use any obfuscation; apps like ProtonMail[0] and Tutanota[1] are even open source.

(I'm actually starting to migrate off of Gmail to ProtonMail myself.)

[0]: https://github.com/ProtonMail/proton-mail/ (the new site, on beta.protonmail.com)

[1]: https://github.com/tutao/tutanota

Oh, and there's no need to call people "communists", "attackers", or "criminal scum". Be civil.