The main problems: 1) browsers do so much, that making them safe is hard. Keyword being hard, not impossible. Stopgap measures like address layout randomization and all manners of sandboxing sometimes were the difference between an exploit and a mere tab crash. Furthermore, almost every security bug I've seen depends on programmer mistakes or even bad practices - and the rest fall on "it works as intended, sadly" (like XSS). We could have a bug-free browser that does just as much as browsers do now.
2) Malicious insertion of backdoors is easy Since browsers do so much, adding one line of code in an update means your system is owned by the letter soups.
Open source doesn't fix this, because nobody can really browse the entire code base of FireFox, and an audit team would cost a fortune (and not prevent future bugs or even very clever underhanded C/asm inside a complex algorithm). This is not to mention binary blobs.
So the real question is, are there any hopes of fixing this that do not rely on preposterous proposals such as "let's make a new internet that only a few anons on Holla Forums will use" or "let's larp an anti-JS revolution".
Normal people still want YouTube and AJAX-style interaction in the browser, and Javascript is probably the most popular language ever, and better than Pajeet-tier C++.
Can the different tasks a browser does be split into small enough chunks that bugs will be found faster? Isn't this what browsers already do and fail? How could it succeed?
Change the model of browsing radically by reducing the attack surface radically.
No HTML. No JavaScript. One still-image format, one animated-image format and one video-streaming format. Send data and text in YAML so people can understand it. If it isn't valid YAML drop it into /dev/null, don't try and be "permissive" and guess at its structure like HTML. If it is valid, let the "browser" render it in anyway it wants and stop trying to simulate magazines and applications that fuck over the blind or disabled with stupid CSS effects like paralax or hijacking mouse-scroll--browsers are for content, so at its foundation, address the content with a cryptographic-hash so you can tell if it was tampered with. The samantics of YAML for kinds of content will naturally emerge instead of this rube goldberg bastardization of SGML. If you want, sign the hashes. If you don't trust the signer, you don't trust the content. Now you have 10% of the attack surface to worry about.
In other words, drop the modern browser into the ocean and put out that dumpster fire.
Elijah Rodriguez
How will users style their page? Without javascript, how will the page be "dynamic"? You can't just expect everyone to go back to a 1997 model of the internet.
Dominic Scott
You can keep javascript on the server side if you are suicidal, that's your problem. Just don't let take people with you by making client side javascript.
Hudson Thomas
Why would I want "dynamic" web pages?
Ayden Martin
No normal/uneducated people just want it to work. They don't give a shit if it's an abomination of security or design, otherwise we wouldn't have JS, PHP etc...
It's just a question of who is the biggest distributor of the said software/solution (website like youtube, sponsored schools etc....) But that doesn't mean that they will survive on the long term. A shit software is still a shit software it just takes time to people to realize/spread the word.
It had/has many good things going for it. All it really needs is in-text image support, better forms, better authentication, and TLS support.
Even better would be putting a gopher-style 'web' on a distributed network.
Consistently structured text, no 30mb of junk scripts and css. It was great. Its time to update it to the 21st century.
(I say was, but it still has a small but dedicated community)
Michael Butler
You're contradicting yourself.
You're free to go and join them. Normal people want the browser to run apps and that's not going away because If your perfect web 0.5 can't even run Vichan (let alone a modern website), it's not going to catch on.
Owen Baker
Wait until Gen Z starts web 3.0, you'll wish you hung yourself in the neet cave.
Bentley Williams
Maybe you don't, but the majority of people do.
Parker Bailey
You're free to follow that practise right away, but you'll notice that not many sites do this. Even Holla Forums is significantly more cumbersome without javascript. It's also inefficient, you give up any ability to do partial updates. Do you really want to load all ~600+ comments on a happening thread every time you post one?
Brayden Kelly
No, but it beats the alternative of leaving my attack surface wide open to drivebys from infected ads or tampered traffic if in tinfoil mode.
Jordan Barnes
Oh boy, another browser thread.
Thomas Baker
My bad what I meant his that it takes time to educated normal/uneducated users so that they can realize and spread the word too. It's pretty hard to do so most people are unfortunately self-centered.
Elijah Peterson
https should take care of your tampering concerns. Something like uMatrix to stop external js code that you do not want running gets you quite far.
The biggest problem I find with modern browsers is that they do not follow correct standards, and of course using unsafe languages, they often times cannot prove the implementation of their sandboxed process.
Noah Price
accept that browsers are flawed.
Install Qubes instead.
Anthony Mitchell
Fun fact: It's entirely possible to implement partial update dynamic comment systems with no client side scripting using iframes, forms and cgi. It's just that nobody does it because 'lol javascript :DD'.
Oliver Nelson
Plz show me how, sempai.
Aaron Flores
True, but it's nasty and you're limited to polling if you're not going to have any js at all.
Ian Cruz
telnet and x forwarding
Jose Gray
If you don't, you end up with technologies like Adobe Flash, Unity web, Active X, and Java web applets.
Grayson Lewis
Because we all know feeding remote input all day to a parser that handles a superset of JSON and every scripting language's built-in serialization formats (hello PHP) is totally safe
Brandon Rogers
If you really think that you just hate javascript and aren't open to any positive side it may have.
Your solution is shit compared to Push API, ES6 on the browser and NodeJS on the server, handling thousands of users on simple hardware.
Colton Allen
The idea of building a house on shitty foundations and then adding lots of iffy mitigations isn't just stupid, it's baffling that someone would even accept this. There must be some serious brainwashing going on these days. Just start with a good foundation, and then you don't have to deal with all this crap. Obviously there are conflicts of interests, because the security industry depends on lots of vulnerabilites, and so do state intelligence organizations. But nobody should willingly play by their rules, if the goal is to have a solid system.
Zachary Wilson
That's mighty big talk for an anonymous shit poster.
Henry Howard
"Normal" people don't want anything, except to mindlessly consume what marketers tell them they should want.
Liam Garcia
It's not just idle talk. I avoid big browsers like Firefox, Chrome, etc. and stick with the simplest possible options (which means no JS or CSS). My setup is not perfect by any means. I'm running OpenBSD on Intel botnet architecture, so I have all the mitigations turned up to 11 (even stuff like /etc/malloc.conf linked to 'S', which has high potential of crashing various ports/packages, but this helps me to weed out the bad ones and find alternatives). When given an alternative, I always choose the simplest and most direct method, never the ones with slick, fancy design, or tons of features. If I could, I'd be running Amiga 3000 or other old hardware as my desktop. Unfortunately the world today has no real choices left, so I'm kinda stuck with botnet shit at the hardware level, even if I only want to be able to do a few critical tasks like online banking (I have investment stuff located on another continent) or various other administrative tasks I have to deal with. But apart from that, I stay far away from modern web shit that needs complicated browser.
Nolan Bailey
That's fine if you're paranoid as Stallman is. It is meaningless of you start issuing such a vapid open challenge as "just start with a good foundation", "stop making it bloated", "just make it more secure". This is meaningless drivel. If you want a real change, you're going to have to make highly specific technical demands to accompany a fully fleshed out mission statement.
Do not tell me "stop making botnets into the browser" and expect to be taken seriously.
Benjamin Brown
I'm not here to change anything, only to protect myself. What others do, that's their problem. If they're addicted to shiny social media sites and such, well too bad for them. I only care to the extent that their behavior affects my options.
Brayden Mitchell
Write a new rendering engine, then just don't include all the retarded shit in it. JS is disabled by default, but some sites have replacement free JS so they work properly without tracking.
Aiden Williams
Really don't care how users want to style their page.
Dynamic? What are you from Japan?
I didn't advocate pretending that its 1997...
Liam Young
Well, Holla Forums, how can we make women smart enough to use the internet? 50% of them are mentally deficient, according to our good friends at Mozilla, and we must rectify this.
I suggest selective and frequent breeding with the smart ones to pass on their genes. Oh, and kill all the baby boys, they're smart enough and don't need to be smarter and oppress the baby gyrls.
Isaac Collins
What exactly is the point? Javascript is the single biggest security hole in modern web browsers. It's like asking someone to remove the health hazards in your house yet keep the rats in the kitchen because you find them really cute and like to look at them while cooking.
