BigFatDave - Lynx

Lynx

Lynx is a user-friendly Web browser, with a lot of advantages over Firefox, Internet Explorer, Opera, and other suboptimal Web browsers. You get the WWW delivered straight to your text terminal with no CSS to muck with your display, and no JavaScript to get in your way. It also conveniently ignores Flash, Java and ActiveX applets, resulting in a far more pleasurable user experience.

Of course, Lynx does have a few disadvantages, as well, mostly as a direct result of it being a product of the Internet Software Consortium, the same guys who created BIND, the giant monolithic DNS server and DNS cache rolled into one with all the bugs that sits at the heart of the Internet. (Hey, don't take my word for it: as of this writing (20090422), out of the four news items at the top of the page linked above, the top three are all breaking news about security vulnerabilities. The last one is an advertisement for BIND's broken implementation of DNSSEC, which itself is the flawed product of countless years of expensive research.)

Well, here's an interesting April Fool's joke from Netcraft: Deluge of Browser Security Issues Drives Mass Migration ... small excerpt:

Financial institutions have noted that the Lynx browser is particularly suitable for online banking, as it supports the latest cryptographic ciphers used in ecommerce, and is immune to attacks via JavaScript, Flash and other multimedia content. Lynx's algorithms for dealing with such threats are so comprehensive, it is just as safe as if the multimedia content was not there.

The really funny thing here is that everything they said in the article (except the bit about their anti-phishing toolbar being available for Lynx) is actually correct:

Lynx _does_ support the latest cryptographic ciphers, and doesn't have a clutter of CA (Certificate Authority) certificates installed by default, so you can explicitly decide which CAs you want to trust and which you don't, dramatically improving your ability to trust SSL certificates that your browser thinks you should trust.
Lynx is immune from attacks via JavaScript, Flash, and other multimedia content by simply not processing the content in question.
Lynx's algorithms for dealing with such threats are indeed very comprehensive: it simply ignores most of them, and offers to do the equivalent of "Save as..." for the rest.
Lynx is a lot faster than Firefox, Internet Explorer, or Opera, not just because the code is a lot more efficient, but also because it doesn't hog your bandwidth downloading all sorts of useless content.
Lynx has never suffered a buffer overflow in its image processing code, since it's hard to suffer a buffer overflow in code that doesn't exist ;-)
Lynx has suffered no security vulnerabilities at all in the last 2 years, because virtually no code has changed during the last two years.
Okay, here's a second incorrect statement: Telnet is _not_ more secure than Lynx, since telnet allows your terminal to interpret escape sequences in potentially dangerous ways.
Lynx _is_ vulnerable to phishing scams, but because it doesn't ship preloaded with half a zillion "trustworthy" CA certificates, it gives you substantially better tools when it comes to combating phishing schemes targetting secure URLs. In all cases, you can hit the equal sign (=) to quickly get the full URL displayed on your terminal, along with a bunch of other useful information about the page you're looking at, making it quite easy to spot most phishing attacks ... so yeah, it doesn't have any protection against phishing, but due to its nature doesn't really need them.
The Netcraft Toolbar for Lynx link is buggy: it takes you to the download page for the Netcraft Toolbar for FF/IE/etc. Presumably, the alleged screenshot was forged.

I'm surprised they didn't review w3m, BTW, but that's a topic for another (April?) day. . .

20090520: I just bumped into this:

Sorry, your web browser does not support Java applets, or you have turned them off. Try Netscape 3.0 or better, or MSIE 3.0 or better.

Lynx 2.8.6rel.5 is better than both Netscape 3.0 _and_ MSIE 3.0; what's their problem?

20090707: I just noticed something interesting: the Debian project Web recommends Lynx as well, due to it being the only browser known to support HTTP content negotiation properly.

20090717: The June 15, 2009 issue of eWeek had an interesting column by "Chief Technology Analyst" Jim Rapoza, titled "Web bug alert." Here are some choice quotes:

"...practices that potentially dwarf the threat of cookies when it comes to invading the privacy of Web users. And, as opposed to cookies, which users have some control over, there is very little one can do to protect privacy from the Web bug threat."

So what are Web bugs? Simply put, they are small bits of code embedded in Websites [technically, Web pages] that add functionality and share information. They are used by everything from Google Analytics, to ad networks, to popular blogging platforms, to social networks, to affiliate shopping programs.

Here's another one:

So, when you open my Website [Web], you are also sending information to my analytics provider, my ad network and any other sites I may be partnering with.

No, I'm not ;-P

And your data can be tracked across every site [Web] that uses the bug, even if you block cookies and do everything else possible to protect your privacy.

False :-)

What can you do to protect yourself? Outside of not using the [World-Wide] Web, constantly changing your IP address or using an anonymous network such as Tor, there isn't much you can do.

Chief Technology Analyst Jim Rapoza clearly didn't do his research, and is making invalid generalizations. (Incidentally, he had a multipage article in the pages right before this column, comparing a bunch of Web browsers (Apple Safari, Google Chrome, Microsoft IE 8, Mozilla Firefox, and Opera), conveniently leaving out Lynx and w3m.) If you're using Lynx in the default configuration, you're already fully protected, minus referrer tracking (which you can easily prevent with the -noreferer switch). Here's his proposal:

That's why users need to become aware and vigilant about Web bugs, and make sure that sites [Webs] explain how they are using this data.

Users don't need to understand the intricacies of JavaScript in order to protect themselves; simply switching to a Web browser that's secure by design will do the trick. (Notably, none of the Web browsers he reviewed in his previous article scored better than "Fair" on his "Security" metric. Clearly, he agrees that the Web browsers he's looking at are insecure by design.) However, our favorite Chief Technology Analyst doesn't even make a note in passing about the existence of standards-compliant Web browsers that are secure by design. Then again, this is coming, after all, from the same guy who actually thinks Linux is a platform (and any Chief Technology Analyst worth his salt really ought to know better), so what were we expecting? Trust the media to teach you about your world, and you deserve what you get: misinformation disguised by "Chief Technology Analysts" to sound authoritative. As with everything else in the world, if you want something done right, do your own research (using science), so you can do it right yourself.

20091210: Well, I just thought I'd point out, for all you free software lovers out there, that you can avoid falling victim to the freedom-sucking JavaScript trap by switching from Firefox to Lynx. Lynx is produced by the ISC, an organization with a proven track record of releasing loads of free software. (Of course, you're supposed to ignore the fact that the ISC is hardly obsessed with openness and transparency (Google "djb namedroppers" for some fun), but since Daniel J. Bernstein isn't too popular among the FSF crowd, their hostility to his quest for openness should be irrelevant to you.)

20091231: Microsoft is now proactively telling European Windows users about up to 12 of their options to augment Internet Explorer. I wonder if Lynx will end up in that list. (For that matter, I wonder if the Windows port of Lynx still even compiles.) In mostly unrelated news, it's worth pointing out that the guys over at Canonical are a bunch of idiots: they're trying to dilute the Lynx trademark by calling the new version of their operating system (Ubuntu, a GNU/Linux distribution) Lynx. (Hey, if the name of a Web browser (Firebird, the original name of Firefox) can be claimed to infringe on the trademark of a database package, why can't an operating system (which includes Web browsers that directly compete with the real Lynx, as well as Lynx itself) be claimed infringing on the ISC's trademark for a popular Web browser that's still under heavy development?) Don't you just love this thing we call "intellectual property" (TCILB)?

Best Viewed with Lynx or Elvis

Copyright (C) 2006-2008 Dave Cohen; permission granted to modify and/or redistribute subject to the terms of the GNU Free Documentation License version 1.2 or later