There's a product here that's been waiting to happen for a while. I've been anticipating somebody cross-compiling another browser engine to WASM but this works, too.
Deliver your site only to the "inner browser" (that the user has no control over because it's heavily obfuscated and tricked-out with anti-debugging code) and you eliminate all ad blockers. Throw some DNS-over-HTTPS w/ certificate pinning in for good measure and you kill DNS-based ad blockers too.
Accessibility will be a challenge but if it sells that'll get "fixed".
(I think this idea is evil, BTW, but somebody is going to do it.)
Hopefully that will be literally illegal due to accessibility concerns.
Doesn't matter either way. Can't wait for AI-powered ad blocking. Just imagine it. AI parses content and filters out ads, brands, even subtle PR text from pages automatically. Not just textual content either. It also kills ads in audio, video, images.
If I can imagine it, it must be possible. I'm sure someone much smarter than me will create this at some point. Perhaps this comment will inspire that person.
In any other context, having an AI interpret websites and decide what you should and shouldn't be allowed to read, even based on "subtle" language (which one assumes the AI would need to rewrite,) would be considered the grossest form of censorship. It's far beyond what Twitter and other social media platforms have been accused of simply by using algorithmic feeds and people want to burn them to the ground.
I'm not against ad-blocking but this seems a bit too Big Brother-ish.
>I'm sure someone much smarter than me will create this at some point.
Such a person is the very last creature I want parsing every byte of content delivered to me. In order to make this service a reality it must be local.
What we need is data poisoning. Have the AI watch ads, spoof responses, while we watch ad-free content. Run it like SETI, during our devices' downtime. They'll try to raise fraud concerns. Understandable. Accusations of piracy? Certainly possible. Convictions, though? Probably not.
>Doesn't matter either way. Can't wait for AI-powered ad blocking.
It would seem that it is just as likely that browser producers would add AI "watchers" to the browser to make sure you are not using any ad blocking! AI doesn't see any ads or marketing copy for 30 mins, sorry browser temporarily unusable ... unless you have a business account, then no ads for 8 hours.
If AI-powered ad blocking becomes ubiquitous, it will mean the end of high-quality free services like Google Search, Gmail, Google Maps, Google Translate and YouTube, for all of which I much prefer to pay with my attention rather than cold, hard cash.
I have no doubt that current AI is capable of this (in fact I'm sure it would be trivial for GPT-3.5 and well within reach of even locally-run LLMs), the question is what fraction of users can be bothered -- and I don't see any reason why AI would lead to an increase there.
> Deliver your site only to the "inner browser" (that the user has no control over because it's heavily obfuscated and tricked-out with anti-debugging code) and you eliminate all ad blockers. Throw some DNS-over-HTTPS w/ certificate pinning in for good measure and you kill DNS-based ad blockers too.
I'm confused how the "inner browser" meaningfully helps you accomplish this. How is this any easier or more effective than just having a website that hosts its own advertising assets (or proxies them) and obfuscates/randomizes its DOM structure to make ads difficult to target with simplistic ad-blocking rules?
I was worried from the very start of the WASM tech, that it would lead to the end of the user-controlled client. You don't even really need an embedded browser, a motivated provider could create a completely proprietary protocol for rendering their pages.
Taking power away from the user seems to be a large part of the appeal of WASM. Wasn't it just a year or two ago that it was being reported that 75% of WASM modules are malicious? A study from a previous year had said 50% of all websites using it were malicious so the trend line isn't looking great.
I don't know how we got from "don't download and install random software from untrusted sources on your devices" to "let anyone with a website run code directly on your hardware. Sandboxes are impossible to breach!"
I get that it's cool tech and the promise of writing software to run on many different platforms is exciting, but from a real world/user perspective it's insane.
A browser is nice because the provider can continue to use their whole tech stack, hosting, dev tools, etc. Just wrap it in a proxy that only wants to talk to the "inner browser".
At that point I'm just going to have my ad blocker block the entire "inner browser." No website that would employ such a lovecraftian horror is worth visiting anyway.
Presumably the worry is that the big ad companies would get approximately every website in the world to use this technique, which is already the only reason web advertising is such a big problem.
The internet advertising industry needs to move past insisting that user machines have to be involved in a business relationship they have nothing to do with and no legal, or ethical, obligation to uphold. All other forms of advertising work that way. The advertiser and host need to figure out how to keep each other honest without involving passers-by.
Thing is, internet adtech involves a rock paper scissors evolution.
It's not just an advertisement and a viewer, it's also the bots.
Adtech is where it's at now just cause it wants you to see it but because an industry of faking viewership built up around it.
No other advertisement has really had to deal with how ads are bought on a per-viewer basis.
All the targeting tech is equally a response to "personalization" as it is to "fraudulent botters".
You can then understand that if ads reverted to the old static billboard or TV commercial state, there'd probably be little incentive to harass the user.
It's happened already: https://earth.google.com is a Flutter app that's entirely drawn in a canvas. Its accessibility sucks. Things that you used to be able to copy and paste like names of places or phone numbers etc you no longer can. It's horrifying. Accessibility or translation extensions have nothing to look at.
It's also the new flash since like flash it's just a bucket of pixels. Like when say VisionOS comes out and their browser has made tweaks to all the HTML form elements so they work well with finger gestures in the air but of course here this page is just a block of pixels so it will have the wrong interface for the device.
I can't believe how many people seem to be excited about this whole WebAssembly Bring Your Own Everything stuff.
Every time there's an article about some kind of "Here's a really simple core to build stuff from scratch" technology people seem to get really excited.
I was hoping we'd be going the other way and building web tech into OSes!
People could have been doing this with JS for a long time. This is hardly the first virtual machine in JS and it seems like overkill.
The far more likely way we'll see push back against Ad Blockers is by simply detecting that an Ad did not play and then refusing to display content until it does.
This might be something you fear, maybe even legitimately, but it seems hyperbolic to assign an equivalence to your worst fear and the passion project of an individual who made this and probably does not have any of the nefarious intentions you default to attributing to anyone who could create something resembling it.
As a developer, JavaScript does not scale due to it lacking static checkability and for some, performance.
So we slap TypeScript on top, which mostly solves this problem.
But starting a massive browser UI project today, I think Qt on WASM + WebGPU makes a lot of technical sense.
That would have the added commercial benefit of making ad blocking harder. Although the binary could be cracked by a modified browser.
The eternal cat and mouse game continues.
The next step in the arms race is to provide hosted ad blocking, where the action happens (however nested) in a headless server and an AI looks it over and relays only the stuff that looks like content into a cleaned up session for the user. It would eventually start looking like a CDN where the ad blocker caches the content so it doesn't have to bother contacting the underlying site so often.
I wouldn't, because sending all of your browsing history to any third party is going to result in them mining and selling it, or exposing it to state actors or someone else for direct surveillance/malware injection.
Eventually, AI will be something we can run locally on a typical desktop, or even a cell phone, and at that point we could locally host that kind of ad blocking, but trusting all of your traffic to some random company that promises to delete ads but not abuse their position seems naive given our situation today. It preserves the worst dangers of ads while adding even less control and transparency for the user.
I think this evokes the static vs dynamic linking argument again though. If you consider your browser client code as your "source code" and the browser as a "dynamically linked library", then there are substantial pros and cons.
Your proposal, while feasible, turns this into a static linking affair. This comes with many risks, like becoming complacent and not updating the "inner browser" due to browser incompatibilities and bugs. It creates a giant mess of dependency update hell if you aren't regularly updating the webview.
At that point, you might as well ship a desktop app that does something similar and proxies ads through the first party server since it's probably less work.
You are right that it would work. I just don't know if going to such lengths is required to achieve the same thing.
A good counter is that a desktop app could be exploited to alter the behavior via reverse engineering. But a browser would show you the WASM as well, so I'm sure you could reverse engineer it and alter it with an extension like a traditional binary.
Maybe I'm missing something though - I'll admit that I'm an advocate of WASM but don't keep super up to date on all advancements.
The user doesn't want to download an app, since that has a lot of friction. Going to a url and waiting (even if the download time is the same) feels like there's less friction, and so this idea of shipping a blackbox is more desirable.
The only problem really is the jankiness of any non-browser controls. The user expects a good right-click context menu, keyboard navigation, scrolling, etc, which all would have to be implemented if you're compiling a native app into WASM. But if the app itself is just HTML+javascript, then shipping a WASM browser, then using that browser as the app layer solves all of that UX jankiness (since the user should not really be able to tell it's a WASM browser).
The idea is insidiously bad for user freedom, but great for businesses like Google (who want to control the user space completely).
I don’t understand why ads aren’t just served from same origin as the rest of the content. Seems to work great for YouTube creators, while YouTube itself is fighting
I need someone much smarter and more willing to engage on this issue to explain this remark or set it straight, pretty please and pretty-thank-you in advance
Think of the browser as an operating system, and a web page as an app. If that app is another browser, custom built, it could be built to prevent adblockers.
Inasmuch as any app, eg., a video player, can include DRM or otherwise lock things down.
This is feasible, but it's unclear how successful it would be -- it would just start an arms race to hack it.
When desktop applications running in Electron just don't have enough web abstraction to keep up with Moore's law, a hero comes along to ensure there can always be one more level of JavaScript between you and a responsive UI.
Speaking of Electron... when I start my Slack client for work, there are a series of processes where at least one reports 1.130 terabytes of virtual memory. (Shown in top as "VIRT".)
Now, maybe that's just a potential usage that trust-me-bro it'll never actually try to use or access in RAM or on disk... but how on earth is that number for a chat client so much bigger than either Firefox with 100+ tabs or even Java-based IDEs like Webstorm?
V8 allocates a “gigacage” around every wasm memory area on modern 64 bit processors and marks them so the OS will trap on an unexpected access. This is much more efficient than doing a bounds check on every access. These pages are not actually resident.
“Big number is scary” is not a good way to understand performance.
Sounds like somebody is playing tricks with virtual addressing, yeah. See BIBOP (1980) [1] for an example, though it is not used literally in current garbage collectors as far as I am aware. Or look at what AddressSanitizer does with its nominal terabytes of “shadow memory”[2]. Chrome has a bewildering variety of low-level stuff in it, to save memory among other things[3], so it wouldn’t surprise me in the least to learn there was virtual-memory tagging somewhere in there, too.
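Added example (not part of the thread, and not V8's or Chrome's code): a Linux-only C sketch of the reserve-and-trap technique the two comments above describe, showing that a large `PROT_NONE` reservation inflates VIRT while resident memory barely moves, and that an access outside the committed window is stopped by the kernel rather than by a bounds check. The names `cage_create`, `probe_access` and `status_kb` and both sizes are constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                       /* MAP_ANONYMOUS, MAP_NORESERVE */
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define RESERVE_BYTES ((size_t)1 << 30)   /* 1 GiB of address space (constructed size) */
#define COMMIT_BYTES  ((size_t)64 << 10)  /* 64 KiB that is actually usable */
struct cage { unsigned char *base; size_t reserved, committed; };

/* Read a "<key>:  N kB" field from /proc/self/status. Returns kB, or -1 on failure. */
long status_kb(const char *key) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    long kb = -1;
    size_t n = strlen(key);
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, key, n) == 0 && line[n] == ':') {
            kb = strtol(line + n + 1, NULL, 10);
            break;
        }
    }
    fclose(f);
    return kb;
}

/* Reserve `reserve` bytes with no access rights, then open up the first `commit` bytes. */
int cage_create(struct cage *c, size_t reserve, size_t commit) {
    void *p = mmap(NULL, reserve, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mprotect(p, commit, PROT_READ | PROT_WRITE) != 0) {
        munmap(p, reserve);
        return -1;
    }
    c->base = p; c->reserved = reserve; c->committed = commit;
    return 0;
}

/* Write one byte at `offset` from a child process, so a fault cannot kill the caller.
 * Returns 0 if the write succeeded, 1 if the kernel delivered SIGSEGV, -1 on error. */
int probe_access(const struct cage *c, size_t offset) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ((volatile unsigned char *)c->base)[offset] = 1;
        _exit(0);
    }
    if (waitpid(pid, &st, 0) != pid) return -1;
    if (WIFSIGNALED(st) && WTERMSIG(st) == SIGSEGV) return 1;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

int main(void) {
    struct cage c;
    long v0 = status_kb("VmSize"), r0 = status_kb("VmRSS");
    if (cage_create(&c, RESERVE_BYTES, COMMIT_BYTES) != 0) return 1;
    memset(c.base, 0xAB, c.committed);    /* touch only the committed pages */
    printf("VmSize +%ld kB, VmRSS +%ld kB, last committed byte trapped=%d, "
           "first guard byte trapped=%d\n",
           status_kb("VmSize") - v0, status_kb("VmRSS") - r0,
           probe_access(&c, c.committed - 1), probe_access(&c, c.committed));
    return 0;
}
```

`VmSize` is the figure `top` reports as VIRT and `VmRSS` is what is actually resident, which is why the two diverge here.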
This all reminds me of that description of the gigantic rover wheel from KSP:
> The RoveMax Model 3 was developed in total secrecy by Kerbal Motion's R&D team over the course of a year and a half. When it was finally revealed to the company's chairman, he stared in shock, screamed 'WHY', and subsequently dropped dead on the spot.
We are sorely lacking inner browser virtualization. This way web pages can virtualize other web pages internally via canvas and get true micro-front ends! Every component can be fully isolated from every other component and they will communicate via network requests to each other
To make the web entirely like a TV, everything should be rendered on canvases. To let you truly deploy your org chart, each team should be responsible for one isolated canvas.
For example you could set cookies before visiting another website. This is currently impossible in an iframe but possible in a browser.
I've wanted to do this to automatically login users on some external websites.
I don't know how people can say that JS is a great language with a straight face. Sure it has a lot of advantages mostly due to how widespread it is. But it's really obviously not a great programming language by itself...
JS is a language I can cobble together something hacky in and I don't have to care about types or anything yet, just making something work. It's fun! :)
Edit: As an aside this needs to go here, too. https://www.destroyallsoftware.com/talks/the-birth-and-death...
Right now it is not hard to write an adblocker, just block network requests and DOM elements (regardless of who hosts or proxies them).
A browser in a browser would make blocking DOM as hard as attaching a debugger and manipulating a price that has been hardened.
Network requests may still be able to be blocked, but it is going to make ad blocking harder.
> How is this any easier or more effective than just having a website that hosts its own advertising assets
Advertisers REALLY don't want you to do that because it's far too easy to cheat.
It hasn’t been the end of the world, but it hasn’t been great either.
https://news.ycombinator.com/item?id=36778999
https://plato.stanford.edu/entries/goedel-incompleteness/sup....
I would pay for such a service.
But even without WASM, there is the “tiktok strategy”, of pushing bytecode to a self-made interpreter, that frequently changes its semantics.
Like a reverse proxy inside the browser, but with a server component.
When I first heard about their idea I couldn’t really comprehend it, and actually I still find it hard to understand. But they think it will be big!
https://dosyago.com/
https://github.com/BrowserBox/BrowserBox
For now.
[1] https://foldoc.org/Big+bag+of+pages
[2] https://github.com/google/sanitizers/wiki/AddressSanitizerAl...
[3] https://v8.dev/blog/oilpan-pointer-compression
> So I started making a browser engine (for fun) a few days ago, it felt kind of inevitable so here we are
And I got to admit, it is pretty neat.
The reaction is about the same, anyway.
> Fatal error
Not quite!
It's just how the universe works.
I'd put my money on C, almost everything is bootstrapped from it.
Forth is another candidate if you'd have to build everything yourself.
"Yo dawg, I heard you like browsing, so we put a browser in your browser so you can browse while you browse"