> In the browser everything is exposed to everyone by default

Several critical or potential annoying functions have opt-in prompts by default, unlike your typical desktop OS.

It makes no difference whatsoever

An OS doesn't protect you from outside, it protects the system from apps and users

Imagine if your OS asked you if you would like to allocate a block of memory at address X everytime it does

That's what to a regular user the prompt means

They just click 'Yes Forever' and are done with it

But that's still an application settings, it has nothing to do with being an OS, browsers are mostly a system for distributing malware in the easiest of ways

At the cost of being as complex as a full OS, without any of the benefits

Wanna bet that if vendors started distributing naked browsers and the extra functionality (of course approved by W3C as standards) were bundled in plugins, which is entirely possible, half of those would linger there with zero downloads?

kernel = browser, user land = web apps

I don't understand what you mean by "In the browser everything is exposed to everyone by default". Browsers have a much more robust security and privacy model than normal OSes.

False.

For starters, browsers can only implement sandboxing thanks to the OS facilities, otherwise it would be impossible.

And that is modern ones. 5 years ago some browsers were still a security nightmare with not even multiprocess separation.

There's a difference between what features OSes have and which ones they are effectively using.

If you ran untrusted native apps with the same level of consideration that people run untrusted web sites, your identity would be stolen every 30 seconds. That is solid empirical evidence of a better security model.

This is a classic false sense of security

People identities are stolen constantly by web apps, they just don't know

An app like Excel could steal my data, yes, but it is my willingness to give away all my connections to Facebook and let them spy my interactions that gave away my identity and also the identity of people that do not use Facebook, but are mentioned by me or my other contacts (for example my parents)

That's the real danger

The difference is that nobody runs untrusted binary apps.

If we wanted to do so, then the "run" operation on an executable would be different.

There is no difference, and in fact, OS have more features and capabilities to make running untrusted code safe.

Five years ago was 2015. Chrome has had multiprocess and sandboxing for a lot longer than that.

And if you had read carefully I said some browsers.

In 2015 Firefox still did not have multiprocessing. IE did not either, and it was massively used back then.

Despite the idiotic downvotes, you are absolutely right.

Browsers are terrible. No other applications or OS components are so monolithic expose the same attack surface.

What? Running a native desktop app exposes a much larger attack surface than opening a webpage.

> native desktop app exposes a much larger attack surface

If we're talking about code executed as a result of, say, buffer overflow attacks, then the impact is the same both for the native app and for the browser. The latter, however, has way much more places where that overflow could happen! And they still happen, security updates for the browsers get pushed all the time.

(And we're not even talking about the world of XSS/CSRF attacks here! Those are pretty much exclusive to the browsers, and widen the attack surface tremendously.)

Not to mention that native apps can be properly reviewed and vetted by Linux distributions.

And have a tiny codebase compared to a browser. And even tinier compared to a browser + all the potentially hostile javascript, css, html, sng, png out there.

And run in native sandboxes or external sandboxes like firejail.

what about the software that opens that web page?