In TogetherJS both people are basically browsing like normal, but it communicates what's going on between the people (so for example you can see the other person's mouse), and synchronizes select things like forms. With the model of Surfly and Browser Mirror, one browser is the source, and the other is viewing what that other browser does. Everything "happens" on the source browser. This is in a session like this both people are logged in as the same person and seeing exactly the same thing, while with TogetherJS each person is logged in as themselves.
The difference is that with TogetherJS you will not be able to handle websites that require login. Surfly can handle that in a secure way.
Next, Surfly just works on any website - without the need to write a single line of code. For example, you can use it right now on GitHub. If you wanted to have such functionality with TogetherJS you would have to modify your website accordingly (i.e., by using a special version of the Ace editor).
Only the controller fires the HTTP requests. The viewer just gets DOM updates, so cookie's (session secrets) or password will never be send to the follower.
I do not quite understand, sorry. I am concerned about security.
Why am I allowed to login into say, Trello.com, while I am on surfly.com domain? Shouldn't my browser's cross-domain security policy prohibit this practice?
Is it all being done through a proxy? If so, is it not true that a lot of sites don't work over proxy?
[Edit] And if it is indeed proxy, doesn't that mean you can read my password(s) in clear text?
The proxy is needed to make sure that we can modify the content in such a way that it works correctly during the session. We sandbox the site so that everything keeps works correctly. I'll go deeper into this in a blog post soon.
The connection to the proxy is encrypted and if the site you login also uses https, your password will never be send in clear text over the wire. Since form submissions are not actually replayed on the viewer's side, we only keep them for the time of the request and only in memory. For those companies who want to control the security fully we are working on a on a solution that can be installed on-premise.
Yes, but you can't send your friend the surfly link. You have to ask your friend to also install the addon before you can collaborate on the same website. Extensions are cool, but not practical in the real world scenario.
In TogetherJS both people are basically browsing like normal, but it communicates what's going on between the people (so for example you can see the other person's mouse), and synchronizes select things like forms. With the model of Surfly and Browser Mirror, one browser is the source, and the other is viewing what that other browser does. Everything "happens" on the source browser. This is in a session like this both people are logged in as the same person and seeing exactly the same thing, while with TogetherJS each person is logged in as themselves.