{SOLVED} Hypothetically, what would it take to build a reasonably secure web browser completely from scratch?

[PerpetualNewb]

As a disclaimer, I am not a programmer nor a coder, though I am passionate about web design. As such, I had a nagging hypothetical lurking in my mind that I was hoping those of you who are more technically inclined might be able to shed some light on: What would it take to build a reasonably secure web browser completely from scratch, without basing it off of something like Chromium or Firefox? What kinds of things would the developer have to take into consideration? Would such a thing be possible, let alone feasible, for a lone programmer - or at least a small team of volunteers?

For the sake of this exercise, let's assume the developer isn't trying to build a fancy thing like Vivaldi, but rather a minimalistic project incorporating the bare minimum requirements for a modern web browser (including a GUI and JavaScript functionality) - as well as a serious focus on making it FOSS, private, and secure. Let's also assume the developer is building this browser on and for a Linux distribution - most likely Mint. Also, since I am - again - not a programmer, please let me know if any of my assumptions need fine-tuning, or if there are others one must realistically consider for this hypothetical.

P.S. I'm new to Linux and I've only ever posted in the beginner questions part of the forums, so please let me know if there's a different section this question is better suited for.

[stevengarland]

https://www.wikihow.com/Make-a-Web-Browser

[ugly]

Lots.

I remember, when Opera built its own browser engine (before they switched to Chromium), I think they had something like a hundred employees working on Presto alone (their own unique browser engine). It was considered very efficient, which is why Opera was popular early on feature phones and TVs. Aside from the resources, they still had to fight with websites not recognizing their browser properly, even though it was feature compliant. To save costs, and not have to deal with continual compatibility issues, Opera dumped their engine for Chromium.

Same reason Microsoft did the same thing.

When the founder of Opera decided to make Vivaldi with a small company, making a browser engine from scratch was not an option. Vivaldi, with a very small team is able to build a ton of features on top of Chromium. So it's not really the features that are the problem.

Even Chromium was built off of WebKit, which dates back to the early 90s. I'm pretty sure one of the main reasons Netscape Navigator failed was because they tried to rebuild their browser from scratch at one point.

I think there's a reason nobody is even doing it anymore.

[SMG]

P.S. I'm new to Linux and I've only ever posted in the beginner questions part of the forums, so please let me know if there's a different section this question is better suited for.

Beginner Questions are to be "Quick to answer questions about finding your way around Linux Mint as a new user."

Beginner Questions refers to the type of question and not the skill level of the person asking the question. We have many different forums and questions should be placed in a forum which covers the topic of the question. Only if you can not find a forum for the question should it go in Beginner Questions.

[dave0808]

What would it take to build a reasonably secure web browser completely from scratch, without basing it off of something like Chromium or Firefox? What kinds of things would the developer have to take into consideration? Would such a thing be possible, let alone feasible, for a lone programmer - or at least a small team of volunteers?

It would be a staggering amount of work.

You say to write it from scratch, but really how far are you going to take that? All the comms is done using HTTP. So would they have to write their own HTTP implementation? Probably, because (in this scenario) you can't trust the existing implementations. So you write your own. What about the underlying TCP/IP stack? Do you trust that or write your own? But wait, how do you trust the compiler? You'll have to write your own for a bounds-checking, memory-safe language. I think at this point, we'll have to trust the text editor running on the computer with an O/S that is trusted.

Once you've got your HTTP library sorted, you need some means to secure the connections. So you need to write your own TLS implementation because that's where the whole comms security kicks in and you can't trust anything out there (again, in this scenario). So that's several months of pouring over the specs before coding even starts. Then how do you prove that your new library is actually secure. Better get a security audit to make sure.

Now you need a HTML parser and renderer.

Then the fun really begins because you need a javascript parser, compiler and interpreter. And it better be perfect, because this is where your browser is really vulnerable as bad actors will write deliberately nasty code to break the stack you've created in order to do something bad on your PC.

There's more, much more. Maybe though this gives you an idea.

[PerpetualNewb]

Wow. I had no idea browsers are that complicated. It's kind of a shame really, since passionate people can't just make something better if they don't like the more famous ones out there. Anyway, thanks for teaching me something new.

[xenopeek]

since passionate people can't just make something better if they don't like the more famous ones out there

That's nonsense. You think we'd ever have gotten to fly airplanes or have a man walk on the moon with such an attitude? Don't limit your passion by what you are capable of today.

There are tons of independent web browsers. This is a good overview: https://wiki.archlinux.org/title/List_o ... #Graphical. As you can see at first it lists the clone armies; web browsers that are based on some other web browser, like based on Firefox or Chromium. But further down the list you get to web browsers that are independent, often using a web rendering component from a shared project. Like the qt5-webengine and webkit using web browsers, and then some last groups that are completely independent and have their own web rendering engine.

Should you write another web browser? If your passion stretches that far then sure Or you could look at how you can get involved with any of the existing web browsers. They need people to help with translating, maintaining help documents, bug triaging and so on. Not just developers.