[Cryptography] So I wrote a new Web browser - PHB

Phillip Hallam-Baker phill at hallambaker.com
Fri Dec 10 12:23:19 EST 2021

Announcing Phill's Hypothetical Browser (PHB).

For years I have been saying, if only I had a browser that could do (X).

This is not a joke, took me all of 30 minutes to get PHB running:


This is a full Web browser built around WebView2 which is an API to
Microsoft Edge which is in turn built around Chrome. It doesn't have tabs
(yet) and it doesn't do anything that Chrome/Edge do not but it does
actually run and I have been able to intercept various browser calls in
ways that suggest to me that I can use this as a testbed for proposed new
cryptography features that require browser support. More of those in a

I was planning to actually implement some of that stuff before mentioning
it here. But then I saw:

Chrome Users Beware: Manifest V3 is Deceitful and Threatening | Electronic
Frontier Foundation (eff.org)

Now to be clear, I am not that fond of browser extensions and especially
not extensions written in JavaScript. The problem I see with extensions is
that they don't compose well. Adding one extension is fine, two might work,
more than that and things start to fall apart. And the problem with writing
extensions in JavaScript is that you are then making the same set of
interfaces available to content the user has selected to control their
browsing experience as the set available to content itself.

Limiting the browser to JavaScript extensions seriously limits the scope of
what the user can do. I once wrote an ASN.1 parser in JavaScript, that was
enough. I am not rewriting all my code in a scripting language, I believe
in strong typing.

But I am a very big fan of putting the user in control of their personal
browsing experience.

Seems to me that I am not the only person with an interest in having a
full-featured (dynamic tabs, etc.) browser that can be used to put the user in
control. Perhaps this could be the beginning of an open source
collaboration? WebView2 dramatically cuts down the effort required to build
a browser but there are still many weeks of coding (C#) required to make it
a full-featured browser. Even if other people don't want to implement my
Mesh related functionality, they could fork my scheme and add their own
functionality in.

At the very least, a discussion board where we could share war stories
would be useful.

The specific extensions I am looking to add are of course for the Mesh
which is now running outside the development framework and is very nearly
ready to ship.

The first extension is to implement EARLs which are a compact URI scheme
that allows a QR code to provide all the information necessary to locate,
decrypt and authenticate content stored on a Web server in encrypted form.

So imagine that you are partially sighted and receive a 32 page document in
the mail, you can scan the QR code and get an electronic copy that your
text-to-voice reader can read to you. Or it could be an invoice that
connects you to a machine readable copy of the invoice that goes into your
accounts package. The QR code is in effect a bearer access code to the

Second extension is to allow web distribution of end-to-end secure content.
Alice writes a document, encrypts it, publishes the ciphertext to her Web
site. Bob surfs to the content using PHB and if Alice has authorized him to
read it, the browser just decrypts it.

Net effect is that Bob can read encrypted content with the same ease as
plaintext. Imagine what it would do for corporate security if keeping data
encrypted by default became practical.

Anyone else interested?
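
The idea behind the first extension, a URI whose secret is enough to locate, authenticate and decrypt a stored ciphertext, sketched as an added example that is not part of the original post and not the Mesh EARL format. The `demo-earl` scheme name, the HKDF labels and the stand-in cipher are all assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets

def hkdf(secret: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), empty salt: one secret -> independent subkeys."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode); use a real AEAD in practice."""
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def publish(store: dict, host: str, plaintext: bytes) -> str:
    """Encrypt, file the blob under a derived locator, return the bearer URI."""
    secret, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    ct = _xor_stream(hkdf(secret, b"enc"), nonce, plaintext)
    tag = hmac.new(hkdf(secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    # The server sees only locator -> blob; the locator cannot be reversed to the secret.
    store[_b64(hkdf(secret, b"locator"))] = nonce + ct + tag
    return f"demo-earl://{host}/{_b64(secret)}"  # hypothetical scheme name

def resolve(store: dict, uri: str) -> bytes:
    """Locate, authenticate, then decrypt using only what the URI carries."""
    text = uri.rsplit("/", 1)[1]
    secret = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    blob = store[_b64(hkdf(secret, b"locator"))]  # KeyError: no such content
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(hkdf(secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored blob failed authentication")
    return _xor_stream(hkdf(secret, b"enc"), nonce, ct)

if __name__ == "__main__":
    store = {}  # constructed stand-in for the web server's storage
    uri = publish(store, "example.com", b"constructed sample invoice")
    print(uri, resolve(store, uri))
```

Because the URI alone grants access, anything that logs or forwards it (QR scanner history, referrer headers, proxies) has to be treated as holding the document.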