[nicolaslem]

To be fair the problem is not related to web browsers. It's more about running code in general.

I start to realize that running someone else's code means trusting the developer. No matter the amount of sandboxing and the layers of abstraction, eventually his code will be able to run as root using exploits that are yet to be discovered.

[krick]

I would argue it is very much related to web browsers. Sure, your torrent-engine or audio-player can be vurnerable as well, but how likely is that? If this would be the case, I'd say that the developers of this audio-player have seriously fucked up, essentially have allowing the third party to run an arbitrary code on your PC — something is doubtfully necessary for an audio-player. The most important question would be — what do you have installed? And, sure, it could potentially be all kinds of malware, but then chances are you are fucked anyway — because installing a software, ironically, requires much more trust than opening a web-page.

But in reality you (and billions of people around the world) have this thing called web-browser with JS enabled, where opening a simple text-document is basically indistinguishable from running a BTC-miner for the end-user. All these people are fucked right now and have been left to hang. All they can do is to ignore the news and hope it will just go away.

It did seem to me a viable solution some 10-15 years ago, in the time of Web2.0. Now, after mobile apps have spread around the world — I reconsidered. Having an app is just better even if it's just the HN-reader. Even better, if it would be a single app for some common "news-aggregator-protocol", to fetch content from HN, reddit, etc. But it is not only not the case — I heard people say that this attitude is "killing the web". Well, if so, fuck you, web should be killed. It should have never existed at all in the form we currently have.

[jacquesm]

Sure, but until the advent of JS you at least knew whose code you were going to run. Now you are more or less required to run untrusted code just to get through daily life.

[kevingadd]

And web platform people remain convinced that HTTPS transport encryption is sufficient to protect everyone, even though desktop app, OS, and bootloader people have been doing code-signing for something like two decades.