From the people who brought you "referer"...



  • The MegaCorp Google, the collection of well-meaning but frankly really stupid people known as Mozilla, and the ivory-tower numbskulls at the W3C have decided that the small ant-like insignificant beings known as "the public" haven't been secure enough on the web and especially have not been respectful enough of the Holy Priesthood Of Technology. Therefore, we are enacting a new policy to gently make their lives a wide-awake nightmare forevermore.

    You see, some time ago, apparently, at some place somewhere, maybe, an ISP or I guess wifi network? snooped HTTP traffic and injected (gasp!) an ad into it! Despite the fact that the Googleplex is powered solely by advertising, they strangely have decided that this will not stand. As a result, starting soon, all websites that do not use the holy High Priesthood-blessed HTTPS protocol will be marked as "insecure", and no longer allowed to use various new JavaScript APIs that are releasing soon.

    Sure, we've done that incrementally for almost a full year now (starting with only warning about insecure sites that had login forms), but now we're going full-tilt.

    Here's a quick FAQ to answer your questions about this upcoming change:

    Q) What if I develop web applications locally and want to use those new JavaScript APIs during development?
    A) Fuck you.

    Q) What if I install an internet-connected appliance to my home network, for example network-attached storage, and want to visit its management page?
    A) Fuck you.

    Q) Is there an easy way to make that NAS management page work?
    A) Sure, all you have to do is be a giant corporation that owns a large website, then have your dozens of engineers create a system where the NAS punches a hole through your firewall, your back-end grabs a wildcard cert or uses a cert from Let's Encrypt, which then might enable your customer's browser to use the site normally. See? Easy! All you have to do is open a hole in your firewall and make your internet-connected device forever dependent on a third-party server you don't control and a domain name anybody else could buy or hijack at any time and redirect your device to serve up child porn. Doesn't this just go to prove how this change makes everybody on the web more secure!? (Also fuck you.)

    Q) So with this change in place, I suppose it implies that this email I got with the URL baknofamericka.logiin.l33thax.com must be perfectly trustworthy because it has an HTTPS connection, right? Since HTTPS indicates trust now.
    A) Sure why not.

    Q) The beauty of the Internet is how accessible it is. Anybody who can figure out how to use a GUI FTP client and a copy of Word can make a webpage and put it out there to share their thoughts with everybody, at little to zero costs. Is that difficult? Yeah, it's difficult, but it's not so difficult that it served as a barrier to TimeCube guy. How do you address the fact that this change will make everybody who wants to make a website either have to buy one from a gigantic megacorp, or have to learn Linux CLI scripting or PowerShell just to ensure other people can read their thoughts?
    A) Fuck you. And fuck them. Fuck everybody, we're the W3C.



  • @blakeyrat said in From the people who brought you "referer"...:

    Q) What if I develop web applications locally and want to use those new JavaScript APIs during development?

    You can make a local development server certificate, and most browsers can be set to ignore certificate errors on localhost.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) What if I install an internet-connected appliance to my home network, for example network-attached storage, and want to visit its management page?

    You will get a "not secure" warning in the address bar and nothing else will change.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) Is there an easy way to make that NAS management page work?

    It will not be broken by this change. There are already APIs (like the cache API) that require https.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) The beauty of the Internet is how accessible it is. Anybody who can figure out how to use a GUI FTP client and a copy of Word can make a webpage and put it out there to share their thoughts with everybody, at little to zero costs. Is that difficult? Yeah, it's difficult, but it's not so difficult that it served as a barrier to TimeCube guy. How do you address the fact that this change will make everybody who wants to make a website either have to buy one from a gigantic megacorp, or have to learn Linux CLI scripting or PowerShell just to ensure other people can read their thoughts?

    thedailywtf.com gets its certificate through letsencrypt-win-simple, which you can double click and then follow the prompts once and be done having to manage SSL forever.



  • @blakeyrat Agreed entirely.

    The entire internet security mindset and landscape is entirely broken.

    But, what can you do, this is how it usually goes.

    When any given thing is new, it's a wide open space for little guys to jump in and participate. Enthusiasm and free market make the thing successful and attract investments.

    Once the big money comes in, though, then we suddenly need to make it "safe" and "secure" and "organized" for everyone. Enter the bureaucracy, rules, gatekeepers. Big corp can trivially dot all the i-s and take care of all the fiddly bits with certificates and licenses or whatever. Not so trivial for the little guy though, who might have otherwise made "the next big thing", if they were only given the chance.



  • @ben_lubar said in From the people who brought you "referer"...:

    thedailywtf.com gets its certificate through letsencrypt-win-simple, which you can double click and then follow the prompts once and be done having to manage SSL forever.

    Interesting. I presume this somehow injects itself into IIS and hijacks requests towards /.well-known URLs? Or does it set up a proxy in front of IIS?



  • @cartman82 said in From the people who brought you "referer"...:

    @ben_lubar said in From the people who brought you "referer"...:

    thedailywtf.com gets its certificate through letsencrypt-win-simple, which you can double click and then follow the prompts once and be done having to manage SSL forever.

    Interesting. I presume this somehow injects itself into IIS and hijacks requests towards /.well-known URLs? Or does it set up a proxy in front of IIS?

    The methods it uses are documented here: https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Target-Plugins
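    The wiki linked above describes how letsencrypt-win-simple answers the /.well-known request. As an added illustration (not the tool's code, nor thedailywtf.com's setup), here is the ACME HTTP-01 exchange reduced to its essentials in Python: the CA hands the client a token, and the client must serve `token.thumbprint` at `http://<host>/.well-known/acme-challenge/<token>`, where the thumbprint is the RFC 7638 hash of the account's public key. Everything else on that path returns 404, so the endpoint cannot be used to serve anything the operator did not agree to. The account key, token and port are constructed placeholders.

```python
"""Minimal ACME HTTP-01 challenge responder (illustration; not letsencrypt-win-simple)."""
from __future__ import annotations

import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url without padding (RFC 8555 s8.3); anything else is not a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only, in
    lexicographic order with no whitespace; optional members (kid, use, alg) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the CA expects to read back: token '.' thumbprint (RFC 8555 s8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeStore:
    """Tokens we have agreed to answer for; every other path gets a 404."""

    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.tokens: set[str] = set()

    def add(self, token: str) -> None:
        if not TOKEN_RE.match(token):
            raise ValueError("not a base64url token")
        self.tokens.add(token)

    def remove(self, token: str) -> None:
        self.tokens.discard(token)

    def respond(self, path: str) -> tuple[int, bytes]:
        """HTTP status and body for a request path; the handler below only writes these out."""
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, b""
        token = path[len(CHALLENGE_PREFIX):]
        # Rejects query strings, '..', extra slashes, and tokens nobody asked us to serve.
        if not TOKEN_RE.match(token) or token not in self.tokens:
            return 404, b""
        return 200, key_authorization(token, self.account_jwk).encode("ascii")


def make_handler(store: ChallengeStore):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = store.respond(self.path)
            self.send_response(status)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


# Constructed sample account key: the coordinates are dummy bytes, not a real P-256 point.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
    "kid": "example-account",  # optional member; must not change the thumbprint
}

if __name__ == "__main__":
    store = ChallengeStore(SAMPLE_ACCOUNT_JWK)
    store.add("DGyRejmCefe7v4NfDGDKfA")  # constructed token, in the form a CA issues
    print("serving", CHALLENGE_PREFIX + "DGyRejmCefe7v4NfDGDKfA", "on 127.0.0.1:8080")
    HTTPServer(("127.0.0.1", 8080), make_handler(store)).serve_forever()
```

In a real deployment the responder only needs to exist for the seconds between requesting the challenge and the CA's validation fetch, which is why a tool can register the token with IIS, let the CA fetch it, and then tear it down again; the thumbprint check is what ties the proof to the account key rather than to whoever can put files on port 80.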



  • @cartman82 said in From the people who brought you "referer"...:

    Interesting. I presume this somehow injects itself into IIS and hijacks requests towards /.well-known URLs? Or does it set up a proxy in front of IIS?

    It probably just changes IIS' configuration, since that's all scriptable and despite Ben's claims this is just a glorified PowerShell script, not something that's actually easy-to-use for actual normal human beings.

    But don't get sidetracked by this shit; barriers are barriers. The web needs fewer barriers, not more.

    The irony is I bet the same people at Chrome and the W3C who are praising this change are also having those tear-choking speeches about how great the web is because it lets oppressed people speak-out against corrupt regimes and such.



  • @blakeyrat With everybody getting broadband and sometimes even fiber, and with IPv6 spreading, it seems like we should be heading towards the world where people can just trivially put up a shingle on the web from their home computer.

    But that's not where we are actually heading. NAT is not going away anytime soon and home routers are dumb closed boxes that prevent you from appearing online as a first-class participant. People are ditching stationary production-capable computers for mobile consumption devices. 99% of internet users are dynamic IPv4s who are free to pirate and be anonymous shitheads online.

    There are upsides to that, but we certainly have the capacity to make a different (better?) internet than what we have now.



  • Good thread on this from Hacker News, there's still at least one person on that site that Gets it:

    In any case, why should I be forced to support a model where I have to beg for permission to host anything. I believe in stating my opinions and let others make up their own mind. The opposition believes in forcing everyone to adopt their position by fiat. Why not put the information out there, and let people switch to HTTPS if they feel like the benefits make sense to them.

    Damn straight. That's the web that was sold to us. That's the whole point of the damned thing in the first place.



  • @blakeyrat I've started reading through other comments on that thread, there are some good ones.

    So it's the online equivalent of plastering "Warning: Contains chemicals known to the state of California to cause cancer" all over everything from gas pumps to gerbils.

    But then this one is light gray which I assume means it was downvoted by some critical mass of HN idiots

    Except it works.
    No, it doesn't, unless your goal is to condition users to ignore yet another warning.
    There are downsides to doing that, believe it or not.


  • area_pol

    This post is deleted!

  • BINNED

    @blakeyrat I have to disagree with your intro rant about ISPs reading your traffic and injecting ads in it. That's terrible.
    Imagine the post office reading your mail and deciding you mentioned the family dog, so they put dog food ads in the envelope. Or Jeff liking your PMs.

    The rest I mostly agree with.
    But hey, at least they're being more consistent, for better or worse. Before now I could serve an http page from the local automation server and it went without warning, but turning encryption on I got a complaint about the https certificate being self signed. Because, you know, that makes fucking sense. No encryption and no authentication must be better than encryption without authentication.
    And good luck trying to get a certificate for your LAN address. :rolleyes:



  • @blakeyrat said in From the people who brought you "referer"...:

    starting soon, all websites that do not use the holy High Priesthood-blessed HTTPS protocol will be marked as "insecure", and no longer allowed to use various new JavaScript APIs that are releasing soon.

    Sounds good to me.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) What if I develop web applications locally and want to use those new JavaScript APIs during development?
    A) Fuck you.

    ORLY? Where'd you learn this? Because from your link... it sounds like these morons actually might've thought of that...

    [screenshot]

    @blakeyrat said in From the people who brought you "referer"...:

    Q) What if I install an internet-connected appliance to my home network, for example network-attached storage, and want to visit its management page?
    A) Fuck you.

    Yeah, because security exceptions aren't a thing, and you certainly can't permanently store them...
    [screenshot]
    Hey look, HTTPS to a LAN IP address. What do you know, it must be possible.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) So with this change in place, I suppose it implies that this email I got with the URL baknofamericka.logiin.l33thax.com must be perfectly trustworthy because it has an HTTPS connection, right? Since HTTPS indicates trust now.
    A) Sure why not.

    It wouldn't be able to access any data stored by the real Bank of America site. And HTTPS can't, nor is it intended to, prevent phishing.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) The beauty of the Internet is how accessible it is. Anybody who can figure out how to use a GUI FTP client and a copy of Word can make a webpage and put it out there to share their thoughts with everybody, at little to zero costs. Is that difficult? Yeah, it's difficult, but it's not so difficult that it served as a barrier to TimeCube guy. How do you address the fact that this change will make everybody who wants to make a website either have to buy one from a gigantic megacorp, or have to learn Linux CLI scripting or PowerShell just to ensure other people can read their thoughts?
    A) Fuck you. And fuck them. Fuck everybody, we're the W3C.

    You know how much scripting it requires to set up a WordPress site?

    Anyway, the web is obviously crippled by lack of enough JS APIs, I mean there are like two websites on the whole internet and one of them is a boring "Hello world". /sarc



  • @anotherusername said in From the people who brought you "referer"...:

    And HTTPS can't, nor is it intended to, prevent phishing.

    That's not the point at all. The point is that Chrome already shows a nice re-assuring "Secure" padlock on sites that are not even remotely secure. And with this change, it'll show "Not secure" on sites it has no way of knowing are secure or not.

    As Ben pointed out in Discord, "well it's referring to the connection protocol", but how do actual users viewing actual websites KNOW that? All they know is they go to l33thax.com and Chrome says "hey this site is secure". And while this change doesn't necessarily make that worse, it does introduce the idea that all HTTP sites are "not secure" (which is not true), which implies to the average user that all HTTPS sites are "secure" (which is also not true).

    And ironically, the preparation for this change was creating Let's Encrypt, which makes HTTPS sites less secure as certificates are now free and require no kind of communication between the issuer and the issuee. At least before you had to fake-sign a stupid oath to get a cert, which was stupid and useless but at least it was something.

    @anotherusername said in From the people who brought you "referer"...:

    You know how much scripting it requires to set up a WordPress site?

    Do you know how much scripting it requires to save a Word (or LibreWriter or whatever) document as HTML and drag & drop it into a FTP window?



  • @blakeyrat said in From the people who brought you "referer"...:

    That's not the point at all. The point is that Chrome already shows a nice re-assuring "Secure" padlock on sites that are not even remotely secure.

    The "nice re-assuring" padlock icon means that nobody can eavesdrop on your connection. All it means is that the data passing between you and that server can only be read by you and the server itself. It does not, and cannot, mean that you're connected to the correct server, because that would require it reading your mind to know which server you wanted to connect to.

    with this change, it'll show "Not secure" on sites it has no way of knowing are secure or not

    It has no way to know whether someone is eavesdropping on your HTTP connections; all it knows is that someone could. This means that HTTP connections are, by definition, not secure.

    "Secure" implies that nobody can get your private data; if someone can, then it's not secure. What you're doing amounts to bitching about someone trying to tell you that the tin can buried in the park with all your cash in it is "not secure", because hey, it might still be there. They have no way of knowing whether your money is secure or not.

    @blakeyrat said in From the people who brought you "referer"...:

    Do you know how much scripting it requires to save a Word (or LibreWriter or whatever) document as HTML and drag & drop it into a FTP window?

    None whatsoever, which is why new JS APIs that require HTTPS aren't going to have any impact whatsoever on someone who does that. They're not using them anyway.
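    The padlock discussion above comes down to one check: the browser compares the host in the URL bar against the names in the certificate, and nothing else. As an added illustration (not browser code, and not part of this thread), here is that name-matching rule in Python, written against the `("DNS", ...)` / `("IP Address", ...)` pairs the standard `ssl` module reports for a certificate's subjectAltName. The three certificates are constructed samples; the point is that a certificate legitimately issued for chasebank.com-secure.cn matches chasebank.com-secure.cn perfectly, and that a LAN IP address can be a valid name too.

```python
"""Certificate name matching, the check behind the padlock (illustration, not browser code)."""
from __future__ import annotations

from ipaddress import ip_address


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against the host the user typed (RFC 6125 s6.4.3 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:          # a wildcard is never a valid thing to connect to
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only the whole left-most label may be a wildcard, it must leave at least two
    # labels to its right (no "*.com"), and it stands for exactly one label.
    # (Browsers additionally consult the public-suffix list; omitted here.)
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def host_matches_cert(hostname: str, san: list[tuple[str, str]]) -> bool:
    """True if the hostname from the URL matches any subjectAltName entry.

    san holds (kind, value) pairs as ssl.SSLSocket.getpeercert() reports them,
    e.g. ("DNS", "example.com") or ("IP Address", "192.168.1.20")."""
    try:
        ip = ip_address(hostname.strip("[]"))   # also accepts "[::1]" style literals
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal in the URL only ever matches an IP Address SAN, never a DNS one.
            if kind == "IP Address":
                try:
                    if ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_name_matches(value, hostname):
            return True
    return False


# Constructed sample certificates, reduced to their SAN lists.
CHASE_SAN = [("DNS", "chase.com"), ("DNS", "www.chase.com")]
LOOKALIKE_SAN = [("DNS", "chasebank.com-secure.cn"), ("DNS", "*.chasebank.com-secure.cn")]
NAS_SAN = [("IP Address", "192.168.1.20"), ("DNS", "nas.lan")]

if __name__ == "__main__":
    cases = [
        ("www.chase.com", CHASE_SAN),
        ("chasebank.com-secure.cn", LOOKALIKE_SAN),       # lookalike gets its padlock
        ("login.chasebank.com-secure.cn", LOOKALIKE_SAN), # wildcard covers one label
        ("chase.com", LOOKALIKE_SAN),                     # the real name does not match
        ("192.168.1.20", NAS_SAN),                        # HTTPS to a LAN address
    ]
    for host, san in cases:
        print(f"{host:34} padlock={host_matches_cert(host, san)}")
```

The check answers "is this the host I typed?" and nothing more; whether that host is the one the user meant is exactly the part it cannot know, which is what the posts above are arguing about.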


  • ♿ (Parody)

    @blakeyrat said in From the people who brought you "referer"...:

    You see, some time ago, apparently, at some place somewhere, maybe, an ISP or I guess wifi network? snooped HTTP traffic and injected (gasp!) an ad into it! Despite the fact that the Googleplex is powered solely by advertising, they strangely have decided that this will not stand.

    Of course not. They don't want anyone else muscling in on their turf.

    @blakeyrat said in From the people who brought you "referer"...:

    Q) What if I develop web applications locally and want to use those new JavaScript APIs during development?
    A) Fuck you.

    Ugh. Also, if you have a self-signed cert, chromium already won't remember your username and password. At least, I've never found a way to tell it to just trust the fucking cert.



  • @anotherusername said in From the people who brought you "referer"...:

    The "nice re-assuring" padlock icon means that nobody can eavesdrop on your connection. All it means is that the data passing between you and that server can only be read by you and the server itself. It does not, and cannot, mean that you're connected to the correct server, because that would require it reading your mind to know which server you wanted to connect to.

    Indeed, and I don't know why you're explaining it to me like I'm an idiot; but the word "Secure" hardly communicates that, does it?

    @anotherusername said in From the people who brought you "referer"...:

    It has no way to know whether someone is eavesdropping on your HTTP connections; all it knows is that someone could. This means that HTTP connections are, by definition, not secure.

    If it's a site that's hosted on the LAN and firewalled entirely, or literally not even connected to, the Internet at large, it is guaranteed to be secure. Chrome's opinion on the matter is plain wrong.



  • @anotherusername said in From the people who brought you "referer"...:

    @blakeyrat said in From the people who brought you "referer"...:

    That's not the point at all. The point is that Chrome already shows a nice re-assuring "Secure" padlock on sites that are not even remotely secure.

    The "nice re-assuring" padlock icon means that nobody can eavesdrop on your connection. All it means is that the data passing between you and that server can only be read by you and the server itself. It does not, and cannot, mean that you're connected to the correct server, because that would require it reading your mind to know which server you wanted to connect to.

    It seems to me like you guys are in violent agreement on this point. Everyone on WTDWTF knows what "secure" means in this context, but the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"


  • ♿ (Parody)

    @anotherusername said in From the people who brought you "referer"...:

    The "nice re-assuring" padlock icon means that nobody can eavesdrop on your connection. All it means is that the data passing between you and that server can only be read by you and the server itself. It does not, and cannot, mean that you're connected to the correct server, because that would require it reading your mind to know which server you wanted to connect to.

    Yes, people on this site know that. Most people probably do not, however.


  • ♿ (Parody)

    Also: Every time I see this thread's title, I read it as:

    From the people who brought you "reefer"


  • Banned

    I agree with you on the general principle that crippling unrelated features because you were too lazy to setup encryption is bullshit. However:

    1. You talk about "average" users who just want to put their Word document on the internet. Those "average" users won't use their personal computers, but rather use some free hosting service that already has all the software installed and configured. So this change doesn't affect them.

    2. Even if someone is setting up a web server on their PC, it's only about some obscure JS API they'll likely never use, and even if they wanted to, it won't hurt them much because the existing JS functionality is enough for 100% of webapps currently in existence (as evidenced by them existing without this API being available).

    3. You don't make websites in Word. You make them in FrontPage.



  • @gąska said in From the people who brought you "referer"...:

    You talk about "average" users who just want to put their Word document on the internet. Those "average" users won't use their personal computers, but rather use some free hosting service that already has all the software installed and configured.

    But I also disagree that that should be the case. I think there's too many barriers to people communicating their thoughts now. We're talking about a change that adds more barriers.

    @gąska said in From the people who brought you "referer"...:

    Even if someone is setting up a web server on their PC, it's only about some obscure JS API they'll likely never use, and even if they wanted to, it won't hurt them much because the existing JS functionality is enough for 100% of webapps currently in existence (as evidenced by them existing without this API being available).

    I see no reason why this hypothetical person should be excluded from any browser feature. Why? Because they can't figure out IIS configuration PowerShell scripts? Because they didn't spend 4 years studying Linux at a university? No, the whole concept is bullshit. High Priesthood bullshit.



  • @hungrier said in From the people who brought you "referer"...:

    the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"

    Yes, but what can you do about those users? Blakey's a moron if he thinks that browsers getting rid of "secure" and using a different word instead would suddenly enlighten those idiots.


  • 🚽 Regular

    @ben_lubar said in From the people who brought you "referer"...:

    Q) What if I install an internet-connected appliance to my home network, for example network-attached storage, and want to visit its management page?

    You will get a "not secure" warning in the address bar and nothing else will change.

    Not if that appliance is using JavaScript APIs that aren't approved on sites they deem insecure.


  • Banned

    @blakeyrat said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    You talk about "average" users who just want to put their Word document on the internet. Those "average" users won't use their personal computers, but rather use some free hosting service that already has all the software installed and configured.

    But I also disagree that that should be the case. I think there's too many barriers to people communicating their thoughts now. We're talking about a change that adds more barriers.

    Sure. But you're exaggerating and picking wrong examples. It'll be an annoyance mostly for professional frontend devs, not people that want a personal blag.

    @blakeyrat said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    Even if someone is setting up a web server on their PC, it's only about some obscure JS API they'll likely never use, and even if they wanted to, it won't hurt them much because the existing JS functionality is enough for 100% of webapps currently in existence (as evidenced by them existing without this API being available).

    I see no reason why this hypothetical person should be excluded from any browser feature. Why? Because they can't figure out IIS configuration PowerShell scripts? Because they didn't spend 4 years studying Linux at a university? No, the whole concept is bullshit. High Priesthood bullshit.

    Again, exaggerating and the wrong example. People who want a website on their PCs already have to figure out a public IP, router config, IIS/Apache/whatever installation, domain setup, and probably a hundred other things that I don't know about because I never set up a public website from scratch but would definitely spend tens of hours figuring out the first time I did. If one can figure all of these out, they'll have no problem figuring out certificates as well.

    The only statistically significant group of people who will actually have a problem due to these new rules are professional frontend developers setting up dev environments.



  • @gąska said in From the people who brought you "referer"...:

    Again, exaggerating and the wrong example. People who want a website on their PCs already have to figure out a public IP, router config, IIS/Apache/whatever installation, domain setup, and probably a hundred other things that I don't know about because I never set up a public website from scratch but would definitely spend tens of hours figuring out the first time I did. If one can figure all of these out, they'll have no problem figuring out certificates as well.

    Right; like I said, there are already far too many barriers. I am against adding more. What part of that has you confused exactly?

    Blakey: there are too many barriers
    Gaska: you're wrong, because here's a list of a bunch of other barriers you didn't mention


  • Banned

    @anotherusername said in From the people who brought you "referer"...:

    @hungrier said in From the people who brought you "referer"...:

    the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"

    Yes, but what can you do about those users?

    Change the default HTTPS padlock icon to yellow, and reserve green for verified institutions with certificates pinned in the browser's binary.



  • @the_quiet_one said in From the people who brought you "referer"...:

    @ben_lubar said in From the people who brought you "referer"...:

    Q) What if I install an internet-connected appliance to my home network, for example network-attached storage, and want to visit its management page?

    You will get a "not secure" warning in the address bar and nothing else will change.

    Not if that appliance is using JavaScript APIs that aren't approved on sites they deem insecure.

    Although several APIs are currently set up that way, no API has ever been disallowed on non-HTTPS sites after being allowed there in a released version of a major browser. They're not going to break existing sites with this.



  • @ben_lubar said in From the people who brought you "referer"...:

    Although several APIs are currently set up that way, no API has ever been disallowed on non-HTTPS sites after being allowed there in a released version of a major browser. They're not going to break existing sites with this.

    You are very trusting of the morons who gave us "referer", Ben.



  • @gąska said in From the people who brought you "referer"...:

    @anotherusername said in From the people who brought you "referer"...:

    @hungrier said in From the people who brought you "referer"...:

    the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"

    Yes, but what can you do about those users?

    Change the default HTTPS padlock icon to yellow, and reserve green for verified institutions with certificates pinned in the browser's binary.

    Except they already basically do that:

    [screenshot]

    [screenshot]


  • Banned

    @blakeyrat said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    Again, exaggerating and the wrong example. People who want a website on their PCs already have to figure out a public IP, router config, IIS/Apache/whatever installation, domain setup, and probably a hundred other things that I don't know about because I never set up a public website from scratch but would definitely spend tens of hours figuring out the first time I did. If one can figure all of these out, they'll have no problem figuring out certificates as well.

    Right; like I said, there are already far too many barriers. I am against adding more. What part of that has you confused exactly?

    The part where you're focusing on the hypothetical group of people who are too 1337 to use a remote hosting service and opt to use their own machines instead, but too n00b to actually do it - instead of the real group of people with real problems. You are correct in what you're saying, but you're using the wrong arguments to make your point.


  • Banned

    @ben_lubar said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    @anotherusername said in From the people who brought you "referer"...:

    @hungrier said in From the people who brought you "referer"...:

    the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"

    Yes, but what can you do about those users?

    Change the default HTTPS padlock icon to yellow, and reserve green for verified institutions with certificates pinned in the browser's binary.

    Except they already basically do that:

    Except the general public is currently conditioned to look for the green padlock specifically. Not the institution name. The green padlock.



  • @ben_lubar Ben, as a user, given those examples, which am I supposed to trust more? How would I know?

    The top one is saying "ok this site is really GitHub, Inc", but it doesn't say "Secure". Therefore it must be less secure than the second one, right? As a naive user, I'm sitting here going, "well GitHub makes enough money, why haven't they bought the secure padlock yet? Slackers!"


  • 🚽 Regular

    @ben_lubar said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    @anotherusername said in From the people who brought you "referer"...:

    @hungrier said in From the people who brought you "referer"...:

    the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"

    Yes, but what can you do about those users?

    Change the default HTTPS padlock icon to yellow, and reserve green for verified institutions with certificates pinned in the browser's binary.

    Except they already basically do that:

    [screenshot]

    [screenshot]

    That is a decent system, too, as far as I can see. I was tasked with getting that certificate for our company and it involved a process of verifying your company's name and its association with the domain. Hard to say how easy it is to, say, spoof an LLC you got through LegalZoom that has a name similar enough to Chase or Bank of America that it would still fool people, but it seems the authority granting these certificates does more than just an automatic approval, as we had to talk to a live person to answer questions.

    Whether that means any company, including tiny businesses should jump through those hoops to accept payment info out of fear they'll discourage patronage by having an orange lock symbol is hard to say, though. Not to mention, you are still possibly giving people a false sense of security because their business itself is full of con artists who just happen to have an LLC with a verified SSL.


  • area_can

    @the_quiet_one said in From the people who brought you "referer"...:

    Whether that means any company, including tiny businesses should jump through those hoops to accept payment info out of fear they'll discourage patronage by having an orange lock symbol is hard to say, though. Not to mention, you are still possibly giving people a false sense of security because their business itself is full of con artists who just happen to have an LLC with a verified SSL.

    I think if the endgame of this is that everyone switches to using HTTPS, then the only thing we gain is resilience against MITM attacks. Third parties injecting ads and other potentially malicious stuff into webpages seems pretty bad and I think we should work to reduce such behaviour.

    but like blakey said, I like the idea of a kid being able to e.g. double click some nginx exe on their computer, and go to localhost on their web browser without the browser straight up blocking them (I know that's quite far from what browsers are proposing and implementing, but I think these systems will become more restrictive over time).



  • @blakeyrat said in From the people who brought you "referer"...:

    How do you address the fact that this change will make everybody who wants to make a website either have to buy one from a gigantic megacorp, or have to learn Linux CLI scripting or PowerShell just to ensure other people can read their thoughts?

    I thought you were the one person here that understood that it's OK to use complex tools to do complex work, rather than trying to keep everything as plain text forever as the "Unix philosophy" says. Even if the LetsEncrypt tools are shitty, I'm sure anyone can make a better version.



  • @gąska said in From the people who brought you "referer"...:

    Except the general public is currently conditioned to look for green padlock specifically. Not institution name. Green padlock.

    I'd like to know what percentage actually does that. Because I bet it's not exactly big.


  • Garbage Person

    @blakeyrat said in From the people who brought you "referer"...:

    If it's a site that's hosted on the LAN and firewalled entirely, or literally not even connected to, the Internet at large, it is guaranteed to be secure.

    No.



  • @cartman82 said in From the people who brought you "referer"...:

    @blakeyrat With everybody getting broadband and sometimes even fiber, and with IPv6 spreading, it seems like we should be heading towards a world where people can just trivially put up a shingle on the web from their home computer.

    But that's not where we are actually heading. NAT is not going away anytime soon and home routers are dumb closed boxes that prevent you from appearing online as a first-class participant. People are ditching stationary production-capable computers for mobile consumption devices. 99% of internet users are on dynamic IPv4s and are free to pirate and be anonymous shitheads online.

    There are upsides to that, but we certainly have the capacity to make a different (better?) internet than what we have now.

    Not to mention lots of ISPs plainly forbid you from putting servers on your connection, unless you upgrade to their "business plan" for merely 10x the price. They don't want any leeches using that bandwidth they paid for.

    Of course, you can solve that problem with some sort of neutrality of networks law, but only libtard cucks believe in that.


  • ♿ (Parody)

    @blakeyrat said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    Again, exaggerating and wrong example. People who want a website on their PCs already have to figure out public IP, router config, IIS/Apache/whatever installation, domain setup, and probably a hundred other things that I don't know about because I never set up a public website from scratch but would definitely spend tens of hours figuring out the first time I did. If one can figure all of these out, they'll have no problem figuring out certificates as well.

    Right; like I said, there are already far too many barriers.

    It's pretty easy to skip all of that crap and just use, e.g., Blogspot by creating an account.


  • ♿ (Parody)

    @ben_lubar said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    @anotherusername said in From the people who brought you "referer"...:

    @hungrier said in From the people who brought you "referer"...:

    the average user will think "Hey, chasebank.com-secure.cn has a green padlock, that means I can enter all my banking information into it!"

    Yes, but what can you do about those users?

    Change the default HTTPS padlock icon to yellow color, and reserve green for verified institutions with certificates pinned in browser's binary.

    Except they already basically do that:

[screenshot: browser address bar]

[screenshot: browser address bar]

    The mistake is in using the word, "Secure," since it's too ambivalent. Better to have said, "Encrypted."


  • ♿ (Parody)

    @anonymous234 said in From the people who brought you "referer"...:

    Of course, you can solve that problem with some sort of neutrality of networks law, but only libtard cucks believe in that.

    Suckers. Also, now your residential account is going to cost more, which is why the smart people told all the idiots to stuff their net neutrality where the sun don't shine.


  • Banned

    @blakeyrat said in From the people who brought you "referer"...:

    @ben_lubar Ben as a user, given those example, which am I supposed to trust more? How would I know?

    The top one is saying "ok this site is really GitHub, Inc", but it doesn't say "Secure". Therefore it must be less secure than the second one, right? As a naive user, I'm sitting here going, "well GitHub makes enough money, why haven't they bought the secure padlock yet? Slackers!"

    Right now, you're being purposely obtuse for the sake of being obtuse. Like that one client I had when I worked in a phone shop. He wanted a car GPS that was very easy to use and absolutely foolproof since, as he said, he is very bad with computers and doesn't have time for bullshit. I took a random Garmin and showed him how to operate it. After explaining how touchscreens work and what I mean by pressing a button on screen, I proceeded to walk him through setting up a route.

    Gąska: You type in the address here.
    🙎🏻♂: I made a mistake. What now?
    Gąska: Press here. *presses backspace*
    🙎🏻♂: And how was I supposed to know that?
    Gąska: ...
    🙎🏻♂: Okay, I typed the address. What now?
    Gąska: You press the search button.
    🙎🏻♂: Where is it?
    Gąska: Over there, with the looking-glass icon.
    🙎🏻♂: Where?
    Gąska: Here. *presses it*
    🙎🏻♂: And how was I supposed to know that?
    Gąska: It has a looking-glass icon.
    🙎🏻♂: Really? It looks more like tennis racket to me.
    Gąska: ...
    🙎🏻 <- his wife: 😡 :facepalm: :what_did_i_think_when_i_married_him:

    And no, he wasn't old - he seemed to be in his late 30s, which means computers were everywhere around him for at least a third of his life (this took place last year).


  • Banned

    @anonymous234 said in From the people who brought you "referer"...:

    @blakeyrat said in From the people who brought you "referer"...:

    How do you address the fact that this change will make everybody who wants to make a website either have to buy one from a gigantic megacorp, or have to learn Linux CLI scripting or PowerShell just to ensure other people can read their thoughts?

    I thought you were the one person here that understood that it's OK to use complex tools to do complex work

    You must have missed the hundreds of his "IT'S CURRENT YEAR WHY WE HAVE NO DECENT GRAPHICAL PROGRAMMING SOFTWARE YET" rants.


  • Banned

    @anonymous234 said in From the people who brought you "referer"...:

    @gąska said in From the people who brought you "referer"...:

    Except the general public is currently conditioned to look for green padlock specifically. Not institution name. Green padlock.

    I'd like to know what percentage actually does that. Because I bet it's not exactly big.

    With all these anti-phishing PSA campaigns everywhere that say "before you log into your bank account, check the green padlock icon"? Maybe Poland is special, but over here, everyone smart enough not to trust a Nigerian prince knows that green padlock = security.


  • Banned

    @anonymous234 said in From the people who brought you "referer"...:

    Not to mention lots of ISPs plainly forbid you from putting servers in your connection, unless you upgrade to their "business plan" for merely 10x the price. They don't want any leeches using that bandwidth they paid for.

    Yeah, I know, living in USA sucks. But please keep country-specific WTFs in country-specific threads.


  • Banned

    @anonymous234 said in From the people who brought you "referer"...:

    Of course, you can solve that problem with some sort of neutrality of networks law, but only libtard cucks believe in that.

    Only libtard cucks believe that tethering ban isn't a gross violation of net neutrality. And it was as legal in 2016 as it is now, after repealing the laws that were supposed to protect net neutrality.



  • @gąska said in From the people who brought you "referer"...:

    @blakeyrat said in From the people who brought you "referer"...:

    @ben_lubar Ben as a user, given those example, which am I supposed to trust more? How would I know?

    The top one is saying "ok this site is really GitHub, Inc", but it doesn't say "Secure". Therefore it must be less secure than the second one, right? As a naive user, I'm sitting here going, "well GitHub makes enough money, why haven't they bought the secure padlock yet? Slackers!"

    Right now, you're being purposely obtuse for the sake of being obtuse. Like that one client I had when I worked in a phone shop. He wanted a car GPS that was very easy to use and absolutely foolproof since, as he said, he is very bad with computers and doesn't have time for bullshit. I took a random Garmin and showed him how to operate it. After explaining how touchscreens work and what I mean by pressing a button on screen, I proceeded to walk him through setting up a route.

    Gąska: You type in the address here.
    🙎🏻♂: I made a mistake. What now?
    Gąska: Press here. *presses backspace*
    🙎🏻♂: And how was I supposed to know that?
    Gąska: ...
    🙎🏻♂: Okay, I typed the address. What now?
    Gąska: You press the search button.
    🙎🏻♂: Where is it?
    Gąska: Over there, with the looking-glass icon.
    🙎🏻♂: Where?
    Gąska: Here. *presses it*
    🙎🏻♂: And how was I supposed to know that?
    Gąska: It has a looking-glass icon.
    🙎🏻♂: Really? It looks more like tennis racket to me.
    Gąska: ...
    🙎🏻 <- his wife: 😡 :facepalm: :what_did_i_think_when_i_married_him:

    And no, he wasn't old - he seemed to be in his late 30s, which means computers were everywhere around him for at least a third of his life (this took place last year).

    Are you sure this wasn't set up by your boss to see what it would take for you to punch a customer?


  • Considered Harmful

    This is incredible.
    Chrome has done two things here.

    1. Displayed the not colored, not blinking, completely unobtrusive flag that says 'Not secure' when you open the website rather than when you start filling out a form, on a site which doesn't have HTTPS (which is easy and free), which changes no existing webpage functionality at all whatsoever.
    2. Implemented the spec correctly, only requiring a grand total of two features that really aren't needed for almost any webapp ever, to be used over HTTPS (which is easy and free), and may add new functionality but changes no existing webpage functionality whatsoever.
    3. Allowed the previous two to be bypassed for local testing.

    And now we've got Blakey going into full Blakey mode, because literally anything changed whaaarrrrrrrgarbl (and people backing him up for whatever reason).

    Yes, website creation is still accessible to any idiot with an FTP client and Microsoft Word. If they are incapable of using LetsEncrypt as well, they just won't be able to use service workers and caching in their JS that they aren't writing because they're an idiot with an FTP client and Word.

    Yes, the information presented is perfectly accurate. amazon-rewards.money is still secure, even though it's not trustworthy. If a user has any questions about what it means, they can click the lock to read more. Maybe add something to those PSAs which says 'make sure the company name appears here', but that's not a UI problem.

    No, this does not add additional barriers to the web and force everyone to conform to some high priesthood's rulings. HTTPS is secure. HTTP is not secure. HTTPS takes two minutes to set up. There is literally no reason not to do it except for the aforementioned local testing exceptions. But as also mentioned before, if you still want to use HTTP for whatever reason, you still can. Two brand new JS APIs that are easily exploitable to permanently hijack the website will be inaccessible (which you almost definitely didn't need whatsoever), certain browsers might display something next to the URL bar, and there will be zero barriers that did not exist before this.

    Jeez.


  • Banned

    @deadfast my boss was just as baffled as me and the customer's wife.


  • ♿ (Parody)

    @pie_flavor said in From the people who brought you "referer"...:

    Yes, the information presented is perfectly accurate. amazon-rewards.money is still secure, even though it's not trustworthy.

    Um...actually, we have no idea how secure amazon-rewards.money is. We just know that traffic between us and them is encrypted.

