
Show HN: CyberWeb – Building a Web Browser from Scratch on Windows 2000 [video] - rogerclark
https://www.youtube.com/watch?v=5RhW4njFimw
======
Operyl
Man, I cringed when he (OP in this case) said that "it's honestly kind of
insane that we require encryption for text based websites like .. let's go to
Wikipedia." (Around 4m in the video).

I'm sorry, but no .. it's not insane that we require that in this day and age.

Otherwise, this looks pretty cool, will watch it further when I get the time.

EDIT: Answering his next question: "Why does it really matter?" One reason is
simple: These pages link to login and registration pages. If it's not
authenticated, and can be modified over the wire, then an attacker could just
redirect you to a different "login" page. TLS/SSL authenticates that what you
received is what you expected, and that's very important on the internet in
this day and age.

~~~
rogerclark
I definitely understand the concerns that make people want encryption for
everything -- preventing governments and ISPs from messing with your content
or spying on you. I don't want that either, and I'm glad we have HTTPS to help
fight that.

But everything is a tradeoff, and there are actual downsides here. Nowadays,
Chrome and Firefox try pretty hard to make you think all non-HTTPS sites are
bad for you. What about old web servers that people never bothered to update?
They effectively become "broken" without actually breaking. There's tons of
great information on sites without updated certs that becomes that much harder
to access because of this.

There's also the concern about your actual codebase. Hypothetically, if you're
building an HTTP client from scratch, you can write, know and understand every
line of code in your project yourself. If you want HTTPS support, you're
basically forced to link with OpenSSL, and this is almost guaranteed to take
the total percentage of "your code" in your project from 100% to less than
10%. (Probably more like 1%.) You no longer actually know what's going on in
your program anymore. Maybe this isn't a concern for most people, but it does
matter to me -- and I suspect there are a lot of people who would care a bit
more if they thought about it for a few seconds.

So yeah, HTTPS is great. But everything is more complicated than it seems.

~~~
Operyl
You're already linking against far larger libraries that you probably don't
understand completely anyway! For example, glibc... So I don't think this is a
valid excuse against the "HTTPS Everywhere" initiative.

~~~
rogerclark
That's not always true, especially if you're working in an embedded
environment or you have other needs (business or legal requirements, even just
preferences) to control the libraries you link with.

In the case of this video series, I won't be using any C runtime library
functionality at all -- just Windows API calls. Of course, there's always the
operating system, which is big and opaque. IMO, there's a difference between
interfacing with the platform and dragging in a bunch of other people's code.
That's a personal call: it's not a clear cut line, obviously.

Speaking personally, I more or less know, in general (and for Windows, in
specific) how operating systems work. I don't have a strong understanding of
encryption, which is heavily mathematical. In the case of OpenSSL, I am not
likely to understand what it's doing. In the case of message queues, threads
and blitting bitmaps, there's not much mystery there.

Also, the comments I'm making are specifically about this project, not
generally about how I think everyone should work. It's clear that this is an
art project and not industrial software.

~~~
scottjg
I don't think I disagree with you in principle, but since you are linking in
the windows socket library already, isn't there built in support for SSL
(`WSASetSocketSecurity()`, etc)?

~~~
Lammy
He's on Windows 2000, though, which doesn't offer anything newer than TLS 1.0
support. Not really useful for the modern web.

------
giancarlostoro
This is awesome. I still remember asking what a/s/l meant back in the day when
I started going on AOL Chatrooms (I must of been like 10). Havent heard it all
that often since. One of the first things I kept wanting to do as a kid / teen
was a browser. Nowadays there's so much that browsers support it's
overwhelming.

~~~
rogerclark
thank you! really trying to go for the time warp aspect while attempting to be
as educational as possible. happy to hear you enjoy it!

~~~
Jaruzel
I've just sat through it whilst working on something else, and found it quite
entertaining. I too have fond memories of Tumpet Windsock, and early Web
Browsers (such as Mosaic). I am also a fellow believer in just opening a
socket and parsing the results directly as it totally gives you more control.
It was also nice to see you showing people that building for the Windows UI is
not that hard.

Keep going with this! I'm keen to see where you end up. Subscribed.

------
judah
This. Was. Awesome.

I did some Windows programming in VC++6 way back in the day, and watching you
do File->New [empty] Project was super nostalgic for me. And I actually
learned a bunch of things watching this video.

Kudos!

------
wolfspider
Many years ago I threw together a WebKit based browser with the frontend
written in C# with SharpDevelop on Vista. I found myself in the MFC code
pretty quickly and can appreciate the similarities between this video and
that, definitely a monumental task. Mine took ~48 hrs to compile as did Safari
on Windows back then. The hardest parts were getting a passing JavaScriptCore
build and fiddling with IDL to get things to render via GDI using interop.
Once it’s known to you how a browser works web development makes better sense.
For instance in the WebKit code I found once it detected form tags it would
jump to that first and then resume the rest of the markup after. In comparison
with Chrome I found that Chrome would lower the resolution on all images to
make things seem faster but WebKit didn’t. Nowadays modern browsers have a lot
of code to make popular sites run better like YouTube that will reformat old
links to their newer format like in Firefox. It’s interesting that after all
Microsoft is taking this approach with Blink. To make a competitive browser
nowadays it would have to pass tens of thousands of tests every build to avoid
regressions: [https://stackoverflow.com/questions/2933444/who-
wrote-250k-t...](https://stackoverflow.com/questions/2933444/who-
wrote-250k-tests-for-webkit)

------
amatecha
Good stuff man. As someone who's been developing for the web since 1995, I
appreciate any retrospective on the platform (dare I say it) and any efforts
to keep its history alive! Cheers :)

I should mention that a buddy of mine hosts a site that is specifically
designed to be a resource for people running old browsers [0] which links to
useful stuff, discussion areas, etc.

[0] [http://altexxanet.org/](http://altexxanet.org/)

~~~
Jaruzel
Oh! Darn it. I was 100% about to build something like this. I've even got an
authentic non-intel server to run it all on.

Oh well. :(

~~~
amatecha
haha, go for it man! The more the better. It's especially nice to have a bunch
of sites available when firing up an old machine that just got running again!
:)

------
UIZealot
Windows 2000! You've got impeccable taste!

I still use it in a VM to this day.

------
kevas
Yes! Thank you for posting this

