undefined | Better HN

0 pointsfactormeta3y ago0 comments

We need 2 classes of web. One for document based that doesn't require JS to run (secure). Insecure, all the SPA and anything that require JS to see the full content.

0 comments

derefr3y ago

The dark web is the document-based web. Sites built for Tor Browser have to assume JavaScript is disabled. So they have to rely on server-side rendering, old-school HTML forms, HTML meta refresh, etc.

Surprisingly, one thing that seems to work just fine in this environment is (even modern versions of) phpBB. Lot of phpBB dark web forums.

Also surprisingly, this doesn’t preclude polish or some level of app-like stateful interactivity, because CSS still works. You just have to think differently about how you use it.

grishka3y ago

Back in the day, we had a nice boundary between the document and the "app". Then for some reason we decided that Flash doesn't need to be a thing any more and erased that boundary by building the app functionality into browsers themselves, making the app and the document inseparable. We should have invested that effort into building an open source Flash player instead.

One of the nicest things about Flash was that you could set your browser to only load and run Flash content after you click it.

giancarlostoro3y ago

Java Applets were worse though, every time I got a virus of any sort from merely browsing generic sites, it always happened due to Java in the browser. I finally stopped installing Java for the web and my security problems went away.

Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do. It would be nice to be able to block web APIs selectively to limit what a JS script can do.

grishka3y ago

> Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

Those incessant RCEs were only due to the sloppy way the Adobe Flash player was written. There is nothing bad security-wise inherent to the SWF format itself.

Ruffle is an open source Flash player in Rust, currently under active development. I'm sure it won't have such problems because 1) it's open-source and 2) it's in Rust, and I was told that anything written in Rust can't possibly have any memory-related vulnerabilities; we'll wait and see if this would still hold true if/when they implement JIT compilation for AS3.

nordsieck3y ago

> I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do.

IMO, it should be enough if incognito mode presents an identical fingerprint on everyone's browser.

1 more reply

olebedev3y ago

I think we will end up with something like permissions grants (including granular JS APIs available for the website, as we do for the location, camera APIs etc, at the moment) per website and convenient tools built-in browser that allow you create/re-use patterns so you don't actually interrupted by this strictness too much.

illiarian3y ago

> per website and convenient tools built-in browser

Per-website, for dozens (if not hundreds) of APIs and convenient? These are contradictory :)

olebedev3y ago

Yeah, sounds a bit overwhelming for users, but my point here us that we would need appropriate tooling to be offered to end users so they are not get lost (quickly lol).

nordsieck3y ago

> We need 2 classes of web. One for document based that doesn't require JS to run (secure).

I've wondered for a long time if a sort of posh gopher based on markdown with extensions would be able to make a comeback. Especially if it allowed for CSS.

kps3y ago

But not current web CSS, please. It manages to be simultaneously overcomplicated (including enabling fingerprinting) and really bad at laying out text (e.g. still no baseline grid). A ‘markdown web’ style sheet should be more like document processor's character/paragraph styles. It also needs to be easily overridden for accessibility or alternate presentation, particularly around size and colour (a markdown-like format should already be fine for screen readers without styling). Aside: FFS, web people, if you're setting colours at all, respect @prefers-color-scheme and do not use the inverse for code blocks.

There's also the million-markdowns problem, and markdown's HTML embedding. This being Tuesday, I'd start with djot (without embedding), but Wednesday I might go for asciidoc.

VyseofArcadia3y ago

You're sort of describing Gemini.

https://en.wikipedia.org/wiki/Gemini_(protocol)

account423y ago

Except that is too limited even for a document web.

coldpie3y ago

As with most things, this isn't really a technical challenge, it's a social one. The protocols you're describing already exist, more or less. No one uses them.

account423y ago

Why not just good old web 1.0 or even HTML5 without javascript. There are alreay plenty of pages that conform to that, you just need the client enforcement (also already available via extensions) and marketing/lobbying so that big organizations switch to it.

wraptile3y ago

Yeah that's never going to happen - javascript is a lost cause. There's no way any sort of conflict and backwards compitability will lose out to "a bit more privacy" especially when people in control benefit immensely from this.

Spivak3y ago

Which class you're in will be in control of the developer and they'll always choose SPA even for the presentation of static text.

And to be fair it makes a lot of sense because writing HTML templates feels super jank once you've experienced not doing it. Even for a site with static content I would still prefer to deliver it as a static JS bundle and a data payload.

I really like https://docsify.js.org. Gotta be one of the lowest touch libs out there. The whole site from git repo to page one single completely static asset.

j / k navigate · click thread line to collapse

0 comments

derefr3y ago

Surprisingly, one thing that seems to work just fine in this environment is (even modern versions of) phpBB. Lot of phpBB dark web forums.

Also surprisingly, this doesn’t preclude polish or some level of app-like stateful interactivity, because CSS still works. You just have to think differently about how you use it.

grishka3y ago

One of the nicest things about Flash was that you could set your browser to only load and run Flash content after you click it.

giancarlostoro3y ago

Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

grishka3y ago

> Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

Those incessant RCEs were only due to the sloppy way the Adobe Flash player was written. There is nothing bad security-wise inherent to the SWF format itself.

nordsieck3y ago

> I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do.

IMO, it should be enough if incognito mode presents an identical fingerprint on everyone's browser.

1 more reply

olebedev3y ago

illiarian3y ago

> per website and convenient tools built-in browser

Per-website, for dozens (if not hundreds) of APIs and convenient? These are contradictory :)

olebedev3y ago

Yeah, sounds a bit overwhelming for users, but my point here us that we would need appropriate tooling to be offered to end users so they are not get lost (quickly lol).

nordsieck3y ago

> We need 2 classes of web. One for document based that doesn't require JS to run (secure).

I've wondered for a long time if a sort of posh gopher based on markdown with extensions would be able to make a comeback. Especially if it allowed for CSS.

kps3y ago

There's also the million-markdowns problem, and markdown's HTML embedding. This being Tuesday, I'd start with djot (without embedding), but Wednesday I might go for asciidoc.

VyseofArcadia3y ago

You're sort of describing Gemini.

https://en.wikipedia.org/wiki/Gemini_(protocol)

account423y ago

Except that is too limited even for a document web.

coldpie3y ago

As with most things, this isn't really a technical challenge, it's a social one. The protocols you're describing already exist, more or less. No one uses them.

account423y ago

wraptile3y ago

Spivak3y ago

Which class you're in will be in control of the developer and they'll always choose SPA even for the presentation of static text.

I really like https://docsify.js.org. Gotta be one of the lowest touch libs out there. The whole site from git repo to page one single completely static asset.

j / k navigate · click thread line to collapse