Hacker News Comments on
Building A Web Browser From Scratch on Windows 2000 (Part 1) - CyberWeb - rogerclark
rogerclark · Youtube · 91 HN points · 0 HN comments
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.
⬐ giancarlostoro This is awesome. I still remember asking what a/s/l meant back in the day when I started going on AOL Chatrooms (I must have been like 10). Haven't heard it all that often since. One of the first things I kept wanting to do as a kid / teen was a browser. Nowadays there's so much that browsers support it's overwhelming.
⬐ rogerclark ⬐ judah thank you! really trying to go for the time warp aspect while attempting to be as educational as possible. happy to hear you enjoy it!
⬐ Jaruzel I've just sat through it whilst working on something else, and found it quite entertaining. I too have fond memories of Trumpet Winsock, and early Web Browsers (such as Mosaic). I am also a fellow believer in just opening a socket and parsing the results directly as it totally gives you more control. It was also nice to see you showing people that building for the Windows UI is not that hard. Keep going with this! I'm keen to see where you end up. Subscribed.
This. Was. Awesome. I did some Windows programming in VC++6 way back in the day, and watching you do File->New [empty] Project was super nostalgic for me. And I actually learned a bunch of things watching this video.
Kudos!
⬐ wolfspider Many years ago I threw together a WebKit based browser with the frontend written in C# with SharpDevelop on Vista. I found myself in the MFC code pretty quickly and can appreciate the similarities between this video and that, definitely a monumental task. Mine took ~48 hrs to compile as did Safari on Windows back then. The hardest parts were getting a passing JavaScriptCore build and fiddling with IDL to get things to render via GDI using interop. Once it’s known to you how a browser works web development makes better sense. For instance in the WebKit code I found once it detected form tags it would jump to that first and then resume the rest of the markup after. In comparison with Chrome I found that Chrome would lower the resolution on all images to make things seem faster but WebKit didn’t. Nowadays modern browsers have a lot of code to make popular sites run better like YouTube that will reformat old links to their newer format like in Firefox. It’s interesting that after all Microsoft is taking this approach with Blink. To make a competitive browser nowadays it would have to pass tens of thousands of tests every build to avoid regressions: https://stackoverflow.com/questions/2933444/who-wrote-250k-t...
⬐ amatecha Good stuff man. As someone who's been developing for the web since 1995, I appreciate any retrospective on the platform (dare I say it) and any efforts to keep its history alive! Cheers :) I should mention that a buddy of mine hosts a site that is specifically designed to be a resource for people running old browsers [0] which links to useful stuff, discussion areas, etc.
⬐ rogerclark ⬐ UIZealot this is really useful. thanks for the link -- i'll try to check this out on the next video!
⬐ amatecha ⬐ Jaruzel nice! while you're there you can grab KDX or Hotline and hop on his server if you want (where there are pretty much always active users)! Maximum 90's haha :) He's working on setting up a web hosting service for 90's era websites similar to GeoCities or the like, but I'm sure it'll be a while before that's all set up. Oh! Darn it. I was 100% about to build something like this. I've even got an authentic non-intel server to run it all on. Oh well. :(
⬐ amatecha haha, go for it man! The more the better. It's especially nice to have a bunch of sites available when firing up an old machine that just got running again! :) Windows 2000! You've got impeccable taste! I still use it in a VM to this day.
⬐ kevas Yes! Thank you for posting this
⬐ Operyl Man, I cringed when he (OP in this case) said that "it's honestly kind of insane that we require encryption for text based websites like .. let's go to Wikipedia." (Around 4m in the video). I'm sorry, but no .. it's not insane that we require that in this day and age.
Otherwise, this looks pretty cool, will watch it further when I get the time.
EDIT: Answering his next question: "Why does it really matter?" One reason is simple: These pages link to login and registration pages. If it's not authenticated, and can be modified over the wire, then an attacker could just redirect you to a different "login" page. TLS/SSL authenticates that what you received is what you expected, and that's very important on the internet in this day and age.
⬐ AbraKdabra I'm glad I am not the only one who stared at the monitor with my "what the hell did I just hear" face when he said that.
⬐ saagarjha Another reason is that certain networks will inject ads and other unwanted content into your webpages unless they’re transmitted over SSL.
⬐ paulryanrogers ⬐ kevingadd I thought this was unlikely in the real world until my new ISP did it on day one. And in other countries I've visited even HTTPS is intercepted. Historically tradition is to encrypt the login, registration and administration pages, which is what people have been doing for decades. Full encryption of everything has advantages but that's not it.
⬐ andkenneth ⬐ rogerclark Yes, of course you encrypt those, but you also need to link any page which can link to those as well, otherwise an attacker could put a link on the page which goes to their cred harvesting page instead of the secure login page.
⬐ Operyl And then it was later found out that, like I detailed in my edit, that that wasn't enough. Attackers could just modify the login page link on any unencrypted page and phish you that way. What I described is just one of many reasons the industry as a whole pushed to full-encryption. I definitely understand the concerns that make people want encryption for everything -- preventing governments and ISPs from messing with your content or spying on you. I don't want that either, and I'm glad we have HTTPS to help fight that. But everything is a tradeoff, and there are actual downsides here. Nowadays, Chrome and Firefox try pretty hard to make you think all non-HTTPS sites are bad for you. What about old web servers that people never bothered to update? They effectively become "broken" without actually breaking. There's tons of great information on sites without updated certs that becomes that much harder to access because of this.
There's also the concern about your actual codebase. Hypothetically, if you're building an HTTP client from scratch, you can write, know and understand every line of code in your project yourself. If you want HTTPS support, you're basically forced to link with OpenSSL, and this is almost guaranteed to take the total percentage of "your code" in your project from 100% to less than 10%. (Probably more like 1%.) You no longer actually know what's going on in your program anymore. Maybe this isn't a concern for most people, but it does matter to me -- and I suspect there are a lot of people who would care a bit more if they thought about it for a few seconds.
So yeah, HTTPS is great. But everything is more complicated than it seems.
⬐ rkagerer
> everything is a tradeoff
Thank you!
I agree there are good motivations behind the "encrypt everything" argument, but at the end of the day I'd like my browser to be first and foremost a tool for ME, not a tool for Google to manipulate website administrators.
I understand the implications of visiting a non-encrypted HTTP site. Every time my browser throws up a "this site isn't safe" roadblock and makes me perform extra clicks, I cry a little. Lately those extra clicks take me to a different browser.
⬐ Operyl ⬐ e12e _You_ understand the implications of visiting a non-encrypted site because you are a technologically savvy user. Unfortunately, the vast majority of the world does not have the experiences you and I have. Overall, it's a major plus that this is currently happening, honestly.
⬐ numlock86
> You understand the implications of visiting a non-encrypted site [...]
> [...] the vast majority of the world does not have the experiences [...]
Soon enough of the "vast majority" will probably try to ban "HTTPS for everything" because of the "implications" (read as: additional CO2 footprint or something like that)
SSL is a pretty terrible hack to patch over the fact that we don't have an internet protocol version "7" that guarantees point-to-point secure (ie: encrypted, authenticated) communication. This is the reasoning behind http2/3 - you pretty much never want "get me this thing with this name, show it to everyone, and let everyone on the wireless lan, my isp, their cdn etc modify everything I send and receive".
The biggest problem with ssl everywhere is that it complicates the elegant multilevel caching http easily allows - and I think an easier opt-out of this privacy aspect would be good (an easier way to set up a caching squid proxy on your lan that transparently caches os updates, package updates, Netflix episodes, World of Warcraft patches, news site front pages...). It's more or less still possible - but it's all or nothing: if you allow ssl stripping, the proxy gets your web mail even if you just want it to cache os updates and a handful of web sites.
At any rate, you're still using the os network stack, so maybe you're running pppoe and ipsec down there.. As "part" of your web browser...
⬐ Operyl You're already linking against far larger libraries that you probably don't understand completely anyway! For example, glibc... So I don't think this is a valid excuse against the "HTTPS Everywhere" initiative.
⬐ rogerclark That's not always true, especially if you're working in an embedded environment or you have other needs (business or legal requirements, even just preferences) to control the libraries you link with. In the case of this video series, I won't be using any C runtime library functionality at all -- just Windows API calls. Of course, there's always the operating system, which is big and opaque. IMO, there's a difference between interfacing with the platform and dragging in a bunch of other people's code. That's a personal call: it's not a clear cut line, obviously.
Speaking personally, I more or less know, in general (and for Windows, in specific) how operating systems work. I don't have a strong understanding of encryption, which is heavily mathematical. In the case of OpenSSL, I am not likely to understand what it's doing. In the case of message queues, threads and blitting bitmaps, there's not much mystery there.
Also, the comments I'm making are specifically about this project, not generally about how I think everyone should work. It's clear that this is an art project and not industrial software.
⬐ scottjg I don't think I disagree with you in principle, but since you are linking in the windows socket library already, isn't there built in support for SSL (`WSASetSocketSecurity()`, etc)?
⬐ Lammy He's on Windows 2000, though, which doesn't offer anything newer than TLS 1.0 support. Not really useful for the modern web.
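
The point raised in the thread by Operyl and andkenneth, that a page fetched without TLS cannot vouch for the login links it carries, as an added example that is not part of the thread or the video: a small Python audit that lists the credential paths on a page whose integrity rests on an unauthenticated transfer. The keyword list, the finding names, the sample HTML and the example.org URLs are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: path keywords that mark a credential-handling page.
SENSITIVE = ("login", "signin", "register", "signup", "account")

class _Targets(HTMLParser):
    """Collect <a href> and <form action> targets and note password fields."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self.has_password = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "form":
            self.urls.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def audit_page(page_url, html):
    """List credential paths on this page that could be altered in transit."""
    authenticated = urlsplit(page_url).scheme == "https"
    parser = _Targets()
    parser.feed(html)
    findings = []
    if parser.has_password and not authenticated:
        findings.append(("password-field-on-unauthenticated-page", page_url))
    for raw in parser.urls:
        url = urljoin(page_url, raw)          # resolve relative links
        target = urlsplit(url)
        if target.scheme not in ("http", "https"):
            continue                          # mailto:, javascript:, ...
        if not any(k in target.path.lower() for k in SENSITIVE):
            continue
        if target.scheme == "http":
            findings.append(("credential-page-without-tls", url))
        elif not authenticated:
            # The target is HTTPS, but the link itself arrived unprotected.
            findings.append(("https-link-on-unauthenticated-page", url))
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="/wiki/Main_Page">Home</a>
<a href="https://example.org/login">Log in</a>
<a href="/register">Create account</a>
<form action="/search"><input type="text" name="q"></form>
"""
```

Calling `audit_page("http://example.org/", SAMPLE)` reports both the HTTPS login link and the plain-HTTP registration link; the same markup audited as `https://example.org/` yields no findings.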