If least likely to have 0 days is the thing I am optimizing for, what should it be?
OS requirements: Windows, MacOS, Linux, iOS a nice to have
Sub-question: Does each OS have their own historically “most secure” [1] browser, making a single browser not ideal?
[0] https://news.ycombinator.com/item?id=30572925
[1] meaning least 0 days, or maybe CTF event history?
Currently, I am still building my own fork of WebKit (RetroKit [1] ) that removes all attack surfaces it still has (e.g. canvas, webgl, webaudio, applet and embed support, pdf plugins...you name it).
I realized at some point that all bridge concepts are super buggy, in Gecko, in WebKit, in Blink...and the only way to reduce the attack surface is to remove the featureset.
Tried to do the same with chromium and gecko before...but arguably both projects come with so much overhead (repo tools, hardcoded git urls everywhere, custom clone scripts for each platform and environment etc) that they're inforkable.
Take a look at projects like nwjs, where the maintainer has to go almost insane trying to keep up to date with upstream...and he basically didn't change anything else than the public headers to be able to embed chromium more easily.
I don't need WebGL to browse websites. If I want to visit a web experiment I can still use ungoogled chromium --user-data-dir=/tmp/...
As for the alternative in the meantime: I'm using ungoogled chromium with my own Browser Extension [2] to block off all tracking and filtering/rewriting the actual content.
[1] Still WIP. Would love to get more people on board: https://github.com/tholian-network/retrokit
Chrome has the best resourced development. Brave leverages Google's investment, and adds their own features (and vulnerabilities). Opera similarly.
So ... there's not a lot of choice, really. Firefox or the mono-culture.
Lynx
Really, any thing is better than Chromium based browsers... And Lynx is actually great! (If you like this kind of software!!!)
There is also Firefox based browsers... But I'm not sure you would like them...