Hacker News new | ask | show | jobs
by matheusmoreira 1022 days ago
How does cryptography software avoid such side channels? Normalize the performance somehow.

If I remember correctly, Firefox's fingerprinting resistance will actually slow down functionality to achieve that. Reduces the precision of performance timers or something. Makes CAPTCHAs exponentially more obnoxious.
1 comments
Groxx 1022 days ago
It hides that by being incredibly restricted in what you can do with it, lest you leak side channel information. To the point that you can't do much of anything useful, much less general computation. They're finely crafted Faberge eggs that break if you sneeze near them now or discover a new way of sneezing in the next few decades, not broad tools.

So... yes, you could build a "browser" like that. It would effectively have no scripting at all though, nor could it ever introduce new semantics that send data to another site, directly or transitively. You can do some stuff with that kind of system, but it's limited enough that most people don't choose it.

Gopher exists I guess? Lynx too, though lynx supports css, and that largely can't be allowed either.

link
matheusmoreira 1022 days ago
Sounds good to me. Javascript is too powerful and should be limited. I shouldn't have to worry that my browser is executing remotely downloaded code that could exfiltrate an unbounded amount of information about me. They should either they get it right by doing it in a way that doesn't harm us, or they shouldn't get to do it at all.

The web should be fully declarative and permissions/capabilities based. If they can't do something that way, they shouldn't get to do it at all.

link
Groxx 1021 days ago
In that case, you might like the Gemini protocol? https://gemini.circumlunar.space/

I'm not deeply familiar with it, but it's a similar "extremely minimal is best" approach, also in part for privacy reasons.

link