
Browser-Wars History: MD5-Hashed Posts Declassified - sankha93
http://robert.ocallahan.org/2018/01/ancient-browser-wars-history-md5-hashed.html
======
JepZ
Somehow, everybody pretends as if Webkit is some proprietary, closed source
rendering engine, but after all, it is the great success of the KDE/Konqueror
rendering engine, being adopted by some huge corporations (Apple, Google). [1]

While I appreciate that we still have the independent Firefox and its brand
new Quantum engine, sometimes I feel like the Konqueror/KHTML team does not
receive the appropriate tribute for laying the foundation for the dominant
KHTML/Webkit/Blink engine.

[1]
[https://en.wikipedia.org/wiki/WebKit#Origins](https://en.wikipedia.org/wiki/WebKit#Origins)

~~~
tambourine_man
While I largely agree, a _ton_ of work was done by Apple before Webkit was
usable. Most sites would show subtle rendering glitches and it took a while
before it matured.

~~~
lbenes
Not sure why you had issues. In my experience under KDE it was rock solid. It
was my primary browser from around 2002 until ~2009. I often tried other
browsers and Konqueror led the pack in terms of web conformance and
performance.

------
nly
Opera made the bet he proposed and led themselves down a path to irrelevance.

~~~
jasode
As one of the few who paid for a web browser (paid $29 for Opera 7 in 2003),
it looked to me like Opera really had no choice.

There was a post from an Opera insider that I can't find but it was basically
this: the web's complexity was evolving faster than the Opera team could
maintain their proprietary Presto rendering engine.

Switching away from Presto and building on WebKit was a basic matter of
survival. Yes, they still became irrelevant but they would have also stayed
irrelevant with their Presto engine.

I agree with their assessment because around 2009, I started encountering more
and more web pages that broke Opera. The Opera forums had more and more
complaints from users reporting broken web pages. The Presto engine was
becoming a liability.

It was a vicious feedback loop because web authors wouldn't bother to test
their sites with Opera ... which led to more user frustrations. I had to
switch to Chrome to get a usable web surfing experience back. I originally
paid for Opera because it had the fastest rendering engine which was very
helpful for slow dialup connections. As Presto started falling further behind,
that speed advantage was negated.

Opera did try some interesting features such as "Unite" which -- if you
squint a certain way -- was a form of p2p decentralization. Yes, it's
interesting to have a built-in web server in the browser but not enough people
cared about it.

The author's predictions for Firefox's Gecko engine meeting the same
irrelevant fate as Presto didn't happen because unlike Opera, Mozilla from
2004-2014 got massive funding from Google. Mozilla could afford to keep
programmers enhancing the Gecko engine. Opera couldn't do the same with
Presto.

~~~
jgraham
(I worked at Opera during the WebKit/Chromium transition and work at Mozilla
now. But in both cases I'm just a normal individual-contributor type employee
with no special insight into strategy or decision making).

There are always options. Opera could have doubled-down on Presto; putting
more people on the core team, and focussing efforts to keep up with, and
surpass, WebKit/Gecko. After all, that's basically the option that Mozilla
took, which has resulted in Firefox Quantum. Would that have worked? It's hard
to say. I would guess not, but I'm not sure the alternative really did either.
Maybe Opera was already too far down the web-compat death spiral to engineer a
way out. I don't know of a long-term bet like Rust that could have come good
at the right time.

Certainly the top-level culture of the organisations was different; Opera's
leadership were very concerned with maintaining/maximising the value of their
shares, whereas Mozilla is more clearly driven by ideological goals around the
success of the open web. Opera also had a (historically well justified) belief
that they could do more with fewer engineers than other companies. That seemed
to work up to a point, but once the difference in resources became too great
it was hard to change the approach.

Certainly one lesson is that it's hard, maybe impossible, to be a niche
browser with a unique rendering engine. That is arguably a failing of the web,
but nevertheless it's a strong indication that arguments that e.g. Mozilla
should aim Firefox at small ideologically-driven markets are dangerous. One
interpretation of the Opera history is that they were too focussed for too
long on the subset of users who wanted a browser with lots of features and
configuration possibilities. A product that suits those people might be
actively offputting to other users, so inhibiting marketshare growth when
faced with competition targeting simplicity and sane defaults.

~~~
Noumenon72
> which has resulted in Firefox Quantum.

How is Quantum doing? On my computer, it's a lot slower; there are slow
spinners in the tab titles and another kind of spinner for loading pages that
often keeps me from seeing pages even after I already loaded them.

~~~
SyneRyder
Wow, really? I've gone from regarding Firefox as a complete also-ran that I
would never use unless necessary, to making it my default browser. Quantum is
significantly faster than Chrome on my machine - it does eat more battery, but
I feel it's worth it for something this fast & smooth. It feels like I got a
new computer. (I'm using a 2012 MacBook Pro with 16GB RAM, still on El
Capitan.)

~~~
XorNot
Agreeing with this - I've switched to Firefox on all my devices and I'm
incredibly happy with it!

A big understated benefit is being able to run unlock/Adblock on my phone -
which has made a big difference in mobile usability.

------
devit
I wonder whether this scenario is now going to play out in the opposite way,
with Google ditching Blink for Servo once Mozilla finishes morphing Gecko into
Servo with the Firefox Quantum project.

Who would win then? Google's money and marketing power, or Mozilla's
independence, trustworthiness and being the renderer's creator?

~~~
fabrice_d
Not sure why this is down voted. I would not be surprised if Google was
working on a next-gen browser engine along the same lines as Servo, or even a
Servo fork. After all, there is a Rust toolchain for Fuchsia...

~~~
guelo
Google probably couldn't stomach Mozilla's open source license which makes it
difficult to distribute with proprietary code.

~~~
asadotzler
Mozilla's open source license was created 20 years ago precisely to make it
easier to distribute proprietary bits with open bits. I'm not kidding, that
was a primary goal.

------
zaro
> the more code engines share, the more de facto standardization of bugs we
> would see, so having genuinely separate implementations is very important.

Well it's not like there aren't any bugs in the specs. And whether there are
bugs in the code or the specification, it's the same process for fixing them :
politics :)

~~~
roca
Web developers code to Web browsers, so bugs in Web browsers lead to sites
depending on those bugs, making those bugs unfixable unless you have
developers testing in multiple browsers. Spec bugs don't become unfixable that
way.

~~~
Leszek
Though spec bugs go the opposite way: if you discover an issue in the spec,
then it is very difficult to change it because someone somewhere may have been
- at the time correctly - relying on that behaviour.

~~~
roca
Web developers can only rely on a spec bug if the browsers they test with
actually implement that bug. So it still comes down to what browsers
implement, not what the spec says.

------
foxhill
2007-jan-21 hash:

    ec06b3461cf0eaf3d3e4d7a2e429bddb

but then

    $ curl -s https://raw.githubusercontent.com/rocallahan/blog-archive/master/hashed-blog1.txt | md5
    9ba0c5cba20cff553500f034f58d5bb7

hmm.

that said, the others check out, so i'm sure it's harmless.

~~~
feb
Someone said the same thing in the comments. In a reply, the author does not
know why the MD5 fails but confirms that the post is correct:

    I wondered if anyone would check :-).

    I'm not sure what the problem is with the first post. It's been a long time. You'll have to take my word for it that the first post is the right text :-).

~~~
puzzle
Different encodings for line endings?

~~~
rzzzt
hashed-blog1.txt contains HTML markup for paragraphs, while all others are in
plain text.

~~~
raverbashing
Taking them out has not resulted in the correct hash, or maybe I forgot
something.

Adding a \n to the last line does not make it match either.

~~~
rzzzt
I also tried it with some line endings :)

There might be some other slight changes in formatting which are still missing.
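
The search the commenters above were doing by hand (line endings, a final newline, the `<p>` markup), as an added example that is not part of the thread or of the blog author's tooling: it hashes each plausible byte serialisation of an archived text and reports which one reproduces a committed digest. The sample text, the digest derived from it and all function names are constructed for illustration.

```python
import hashlib
import itertools
import re

BODIES = {"as-is": lambda t: t,
          "<p> tags stripped": lambda t: re.sub(r"</?p>", "", t)}
NEWLINES = {"LF": "\n", "CRLF": "\r\n"}
TRAILERS = {"no final newline": 0, "one final newline": 1}
ENCODINGS = ("utf-8", "cp1252")


def candidates(text):
    """Yield (description, bytes) for each plausible serialisation of text."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")  # common baseline
    for (b, body), (n, nl), (t, count), enc in itertools.product(
            BODIES.items(), NEWLINES.items(), TRAILERS.items(), ENCODINGS):
        s = body(text).rstrip("\n").replace("\n", nl) + nl * count
        try:
            yield f"{b}, {n}, {t}, {enc}", s.encode(enc)
        except UnicodeEncodeError:
            continue  # text cannot be represented in this encoding


def find_matching_form(text, committed_hex, algo="md5"):
    """Return the description of every variant whose digest matches."""
    seen, hits = set(), []
    for label, data in candidates(text):
        if data in seen:  # same bytes already tried under another label
            continue
        seen.add(data)
        if hashlib.new(algo, data).hexdigest() == committed_hex.lower():
            hits.append(label)
    return hits


# Constructed sample: the archive copy has <p> markup and LF endings, while
# the digest was taken over plain text with CRLF endings in cp1252.
ARCHIVED = "<p>A caf\u00e9 post.</p>\n<p>Second paragraph.</p>\n"
COMMITTED = hashlib.md5(
    "A caf\u00e9 post.\r\nSecond paragraph.".encode("cp1252")).hexdigest()

if __name__ == "__main__":
    print(find_matching_form(ARCHIVED, COMMITTED))
```

An empty result means none of the tried forms was the one hashed, which is where the thread ended up for the first post; publishing the exact bytes alongside the digest avoids the guesswork.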

------
gcb0
it only has optimistic views of google promoting webkit.

completely ignores the fact that google effectively took over the project,
killing old features it didn't like and preventing any new contribution from
making it to main line unless they fit their plan.

------
adius
Cool idea to just post the hashes for the future. I think I might do it too on
my blog :-)

~~~
lovemenot
Maybe use SHA256 rather than MD5.

A few years hence ease of producing MD5 collisions might render moot anything
that you had to say.

~~~
torstenvl
I don't think that's necessary. This isn't really a cryptographic use of the
hash. Between the legitimate text of the blog entry and whatever arbitrary
(likely nonsensical) string produces an MD5 collision, it's going to be pretty
obvious which is which.

~~~
tonyztan
Isn't it feasible to construct two sets of legible texts with the same MD5
hash now?

~~~
tialaramex
Legible, maybe, but I don't think you'll be able to collide the hash with
natural language, so you will need an excuse as to why the revealed text has
weird nonsense in it that is actually there to collide the hash.

You can also "see" this, once you suspect it's going on, if you're a
cryptanalyst and have the tools to see inside the hash, you can see basically
such collisions involving getting the internal state into an awkward place,
and then forcing it from there where they want to go, that could happen by
accident, but only by truly astronomical bad luck, so it's a pretty good
smoking gun.

MD5 is a bad idea for situations where a machine will be verifying, because
machines aren't good at saying "that's odd...", enhancing them to do so is
_way_ more effort than just using SHA-256 instead. But for something like this
where a human will be examining things by hand, it's fine.

For SHA-1 (which we knew at the time would be broken shortly, and then in
practice it was less than a year before Google and some academics announced
their full collision) we reviewed special "Exception" SHA-1 SSL issuances by
hand on m.d.s.policy after the official deadline for SHA-1 issuance and I
asked for one application to be explained or rejected on the basis that the
requested certificate had bizarre short gibberish values for "Organizational
Unit". The applicant provided an explanation (which was maybe plausible but
not up to the standard of transparency needed in the circumstances) but agreed
to accept certificates missing the OU value altogether instead. That's the
sort of thing you'd catch if a human examines what was hashed rather than a
machine. I had no reason to believe that applicant was trying anything
sinister, but the point of the manual examinations was to ensure everybody can
see there were no shenanigans going on (and to make it a complete pain -- if
the process was easy it would have become routine and defeated the purpose of
prohibiting new SHA-1 issuance, being annoying was a feature).

~~~
flukus
Could you produce collisions using only non-visible/zero width characters?
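
A reviewer-side check for the concern in this subthread, as an added example that is not part of the thread: it verifies a revealed text against its committed digest and lists characters a human reader would not see, so each one can be explained or rejected. SHA-256 is used as suggested above; the function names and sample strings are constructed.

```python
import hashlib
import unicodedata

VISIBLE_CONTROLS = {"\n", "\r", "\t"}
SUSPECT_CATEGORIES = {"Cf", "Co", "Cn"}  # format, private use, unassigned


def hidden_characters(text):
    """Return (line, column, 'U+XXXX NAME') for each non-visible character."""
    findings, line, col = [], 1, 0
    for ch in text:
        col += 1
        cat = unicodedata.category(ch)
        if cat in SUSPECT_CATEGORIES or (cat == "Cc" and ch not in VISIBLE_CONTROLS):
            name = unicodedata.name(ch, "<unnamed>")
            findings.append((line, col, f"U+{ord(ch):04X} {name}"))
        if ch == "\n":
            line, col = line + 1, 0
    return findings


def review_reveal(data, committed_hex, algo="sha256"):
    """Check revealed bytes against the commitment and flag unseen content."""
    digest_ok = hashlib.new(algo, data).hexdigest() == committed_hex.lower()
    try:
        hidden = hidden_characters(data.decode("utf-8"))
    except UnicodeDecodeError as exc:
        # Bytes that are not valid text are themselves something to explain.
        hidden = [(0, exc.start, "undecodable bytes")]
    return {"digest_ok": digest_ok, "hidden": hidden}


# Constructed samples: the same visible text, with and without invisible padding.
CLEAN = "Plain post.\nSecond line.\n".encode("utf-8")
PADDED = "Plain\u200b post.\nSecond\u200d line.\ufeff\n".encode("utf-8")
PADDED_COMMITMENT = hashlib.sha256(PADDED).hexdigest()

if __name__ == "__main__":
    print(review_reveal(PADDED, PADDED_COMMITMENT))
    print(review_reveal(CLEAN, PADDED_COMMITMENT))
```

A matching digest with a non-empty `hidden` list is the case a purely mechanical verifier would accept and a human reading the rendered text would never notice.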

------
toyg
At the time this internal skepticism about the future of Gecko was very
palpable from outside. Which is why it was infuriating to see Mozilla jumping
on every bandwagon they could, eventually ending up with the OS silliness: it
really felt like they were trying to run from their own browser and from their
own tech, like they were ashamed of not being cool.

Thank god they eventually “saw the light” and they’re now back on track.

~~~
fabrice_d
FxOS started in 2011, not 2008. But yeah, that's the usual scapegoat to
explain any of Mozilla's issues from the last 5 (or 10?) years.

You also totally misunderstand the goal pursued with FxOS, which had nothing
to do with "run from their own browser and tech". If anything, the current
work to remove XUL and xpcom puts Firefox closer to how FxOS was built, not
further away. At the time some employees even built a new desktop browser
around the same tech (not the failed Tofino experiment), that was
outperforming Firefox because it had a lot of the "new hotness" like e10s and
web extensions. Guess what, the desktop team ignored it, only to do the same
thing later.

Mozilla is not back on track at all, they are still playing catch up on the
desktop market which is not growing much and totally irrelevant on mobile.

But they have enough money to last years, in a weird way of "too rich to fail".

~~~
toyg
Please read my comment, before trying to read my mind. I'm telling you what it
looked like from the outside. Nobody ever cared for the internal politics of
Mozilla; what we saw was a wobbly org that looked anxious to build anything
that wasn't their own browser. I didn't say the OS was responsible, nobody
cares if FxOS ended up making choices that the browser should have made or
whatnot. The problem was not FxOS; FxOS was a symptom of an institution that
had lost its way _before_ the OS was even in the picture.

 _> they are still playing catch up on the desktop market_

It's not the sort of wave you turn in a month. 57 is a big release, give it
time. It had a massive surge of good press, which is a good sign. If they can
come up with developer tools that can beat Chrome at something, they will see
numbers go up.

 _> totally irrelevant on mobile._

They are making inroads on Android, which is the only market they will ever
play into. iOS will only be cracked open by legal coercion. Anything else is
wishful thinking.

 _> But they have enough money to last years_

Mozilla is not just a company, it's basically a public institution. Their role
is to champion a view of the web as an open utility, not to be the most
popular widget maker. They don't need bazillions of money to do that.

~~~
roca
> Their role is to champion a view of the web as an open utility, not to be
> the most popular widget maker. They don't need bazillions of money to do
> that.

To maintain Firefox as a viable product they do need a lot of money, and
significant market share too.

Without Firefox as a viable product Mozilla would be a very different and much
less useful organisation.

------
twic
> There is a huge overhang of security-critical bugs; we have to choose
> between addressing that and making forward progress. We are putting
> code-cleanup projects on the back burner for the same reason.

Have they considered rewriting it in R... oh, hang on.

------
jwilk
I expected an article about 1990s browser wars. 2007-2008 is not ancient in my
book.

~~~
rainbowmverse
10 years is a long time. This was back when I still heard people seriously
asking if the internet would last. It was even plausible! Google was only a
few years out from its IPO. Few people thought the internet could help elect a
president (and I don't mean the current guy).

A lot changed in the last ten years. It may not seem like it because most of
those changes were refinements on things we already had at the time. We've
just been in a long period of revisions. New programming tools, new social
networks, new [insert thing we've had since the '90s]. The late '90s and first
half of the '00s were full of radical changes, so it seems less significant in
context.

We're probably on the brink of another radical upheaval like the '90s. There's
lots of money flowing around, lots of amazing and well-refined tools, and all
the low hanging fruit is more or less captured. No one's getting rich on "x as
a service" anymore. People will have to really change something to capture the
next huge payday, and the first few will set off a cascade of changed
expectations.

~~~
osteele
Ten years ago my home page showed up on the first page (top ten) of search
results for a Google search for just my first name, or just my last name. I've
never been particularly famous—there were just _no_ individuals with a web
presence, outside of tech.

[But mostly I just came here to practice using an em dash correctly…]

~~~
rainbowmverse
I'm more impressed with the ellipsis.

