SoylentNews is people

posted by janrinok on Tuesday May 08 2018, @11:56PM
from the ain't-no-control dept.

Submitted via IRC for SoyCow3941

We think of our job as controlling the user's experience. But the reality is, we control far less than we imagine.

Last week, two events reminded us, yet again, of how right Douglas Crockford was when he declared the web "the most hostile software engineering environment imaginable." Both were serious enough to take down an entire site—actually hundreds of entire sites, as it turned out. And both were avoidable.

[...] The first of these incidents involved the launch of Chrome 66. With that release, Google implemented a security patch with serious implications for folks who weren't paying attention. You might recall that quite a few questionable SSL certificates issued by Symantec Corporation's PKI began to surface early last year. Apparently, Symantec had subcontracted the creation of certificates without providing a whole lot of oversight. Long story short, the Chrome team decided the best course of action with respect to these potentially bogus (and security-threatening) SSL certificates was to set an "end of life" for accepting them as secure. They set Chrome 66 as the cutoff.

So, when Chrome 66 rolled out (an automatic, transparent update for pretty much everyone), suddenly any site running HTTPS on one of these certificates would no longer be considered secure. That's a major problem if the certificate in question is for our primary domain, but it's also a problem if it's for a CDN we're using. You see, my server may be running on a valid SSL certificate, but if I have my assets—images, CSS, JavaScript—hosted on a CDN that is not secure, browsers will block those resources. It's like CSS Naked Day all over again.

To be completely honest, I wasn't really paying attention to this until Michael Spellacy looped me in on Twitter. Two hundred of his employer's sites were instantly reduced to plain old semantic HTML. No CSS. No images. No JavaScript.

The second incident was actually quite similar in that it also involved SSL, and specifically the expiration of an SSL certificate being used by jQuery's CDN. If a site relied on that CDN to serve an HTTPS-hosted version of jQuery, their users wouldn't have received it. And if that site was dependent on jQuery to be usable ... well, ouch!

It can be easy to shrug off news like this. Surely we'd make smarter implementation decisions if we were in charge. We'd certainly have included a local copy of jQuery like the good Boilerplate tells us to. The thing is, even with that extra bit of protection in place, we're falling for one of the most attractive fallacies when it comes to building for the web: that we have control.

Source: http://alistapart.com/article/the-illusion-of-control-in-web-design
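
Both outages in the summary come down to the certificate of a third-party asset host, so the following added example (not code from the article or from SoylentNews) lists the hosts a page pulls assets from and flags certificates that are expired, close to expiry, or issued under a Symantec brand. The hostnames, the certificate metadata and the issuer-name heuristic are assumptions made for the example; live data would come from `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names that chained to Symantec's PKI. Matching the issuer name is a
# heuristic for this sketch, not how Chrome decides what to distrust.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

class AssetHosts(HTMLParser):
    """Collect the hosts a page loads scripts, stylesheets and images from."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img"):
            for name, value in attrs:
                host = urlparse(value or "").hostname  # None for relative URLs
                if name in ("src", "href") and host:
                    self.hosts.add(host)

def cert_problems(cert, now, warn_days=30):
    """cert is shaped like ssl.SSLSocket.getpeercert(); now is epoch seconds."""
    found = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    if days_left < 0:
        found.append("expired")
    elif days_left < warn_days:
        found.append("expires in %d days" % days_left)
    issuer = " ".join(v for rdn in cert["issuer"] for _, v in rdn).lower()
    if any(brand in issuer for brand in SYMANTEC_BRANDS):
        found.append("Symantec-family issuer")
    return found

def audit(html, certs, now):
    """Map every asset host on the page to its list of certificate problems."""
    parser = AssetHosts()
    parser.feed(html)
    return {h: cert_problems(certs[h], now) if h in certs else ["no cert data"]
            for h in sorted(parser.hosts)}

# Constructed sample page and certificate metadata (not real hosts or certs).
PAGE = """<link rel="stylesheet" href="https://static.example/site.css">
<script src="//code.example/jquery.min.js"></script>
<img src="https://img.example/hero.png"><img src="/logo.png">"""
def _cert(org, not_after):
    return {"issuer": ((("organizationName", org),),), "notAfter": not_after}
CERTS = {"static.example": _cert("GeoTrust Inc.", "Mar 01 00:00:00 2019 GMT"),
         "code.example": _cert("Example CA", "May 02 00:00:00 2018 GMT"),
         "img.example": _cert("Example CA", "May 20 00:00:00 2018 GMT")}
NOW = ssl.cert_time_to_seconds("May 08 00:00:00 2018 GMT")
```

Run on a schedule against every template a site serves, `audit(PAGE, CERTS, NOW)` turns a silent dependency on someone else's certificate into an alert before browsers start blocking the asset.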


  • (Score: 2, Informative) by Anonymous Coward on Wednesday May 09 2018, @12:09AM (3 children)

    by Anonymous Coward on Wednesday May 09 2018, @12:09AM (#677258)

    Certs are *EASY* to make once you know how. That this dude did not fix that is not my problem. In fact I can not really feel too sorry for them. This has been known for well over a year. What did he plan to do when the certs just naturally expired?

  • (Score: 4, Insightful) by driverless on Wednesday May 09 2018, @02:01AM (2 children)

    by driverless (4770) on Wednesday May 09 2018, @02:01AM (#677293)

    Certs are *EASY* to make once you know how.

    The same can be said for rocket surgery. Certs are way, way, waaaay too complex for most people, who are in the business of operating a pharmacy, flower shop, bookstore, or whatever, not being PKI jockeys because Chrome has decided they want you to jump through X number of hoops in order to be allowed to play.

    • (Score: 2) by pendorbound on Wednesday May 09 2018, @03:06PM

      by pendorbound (2688) on Wednesday May 09 2018, @03:06PM (#677459) Homepage

      I'd imagine people in most of the professions you mentioned would engage the services of a professional rocket surgeon should they have a rocket in need of surgery. Not sure why they'd consider the website of their business to be something they should half-ass on their own without a professional's advice and assistance.

      The hoops Chrome requires you to jump through in order to play safely and securely are the same hoops that were jumped through on a yearly basis to issue and maintain the original certificate for the site. Chrome now requires that you not-use one particular certificate authority which has been shown repeatedly to cheat and lie about the fact they cheated.

      If you and/or your amateur firework trepanist have been ignoring field-related news for the last 18-24 months, maybe you'll need to do that certificate hoop dance a little earlier and more urgently than normal, but you don't have to learn any new dance steps.

    • (Score: 0) by Anonymous Coward on Wednesday May 09 2018, @03:12PM

      by Anonymous Coward on Wednesday May 09 2018, @03:12PM (#677462)

      That's why I liked the idea of notaries.

      Basically, a site posts a cert, self signed is ok.

      When you go to that site, you get the cert, then ask the notaries for their version of the cert. They will go to the site (if they haven't already) and give you their recent history of the cert for the site in question. If some number (user settable) of the notaries agree the cert is the one for the site, you say, ok, either this site is completely pwned around the world, or it is safe.
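
The notary check described in the comment above, as an added example that is not part of the original post or of any real notary system: the client fingerprints the certificate it was served and accepts it only if a user-set quorum of notaries most recently observed the same one. The notary names, the history record layout and the freshness window are assumptions, and the certificate bytes are constructed placeholders.

```python
import hashlib

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def notary_agrees(history, served_fp, now, max_stale=86400):
    """history: (fingerprint, first_seen, last_seen) records from one notary,
    times in epoch seconds. The notary agrees only if its latest observation
    is the served certificate and that observation is recent enough."""
    if not history:
        return False
    fp, _first_seen, last_seen = max(history, key=lambda rec: rec[2])
    return fp == served_fp and now - last_seen <= max_stale

def accept(served_der, notary_histories, now, quorum):
    """Return (decision, votes); accept when at least `quorum` notaries agree."""
    fp = fingerprint(served_der)
    votes = {name: notary_agrees(hist, fp, now)
             for name, hist in notary_histories.items()}
    return sum(votes.values()) >= quorum, votes

# Constructed sample data: placeholder bytes stand in for DER certificates.
SITE_CERT = b"constructed: certificate the site currently serves"
OLD_CERT = b"constructed: certificate the site served before rotation"
OTHER_CERT = b"constructed: certificate seen only on this client's path"
NOW = 1_525_900_000
DAY = 86400
HISTORIES = {
    "notary-a": [(fingerprint(OLD_CERT), NOW - 90 * DAY, NOW - 10 * DAY),
                 (fingerprint(SITE_CERT), NOW - 10 * DAY, NOW - 600)],
    "notary-b": [(fingerprint(SITE_CERT), NOW - 9 * DAY, NOW - 1200)],
    # notary-c has not re-scanned since the rotation, so it cannot vouch.
    "notary-c": [(fingerprint(OLD_CERT), NOW - 90 * DAY, NOW - 3 * DAY)],
}
```

A certificate that no notary has seen, such as `OTHER_CERT`, fails at any quorum, which is the case where the path between the client and the site differs from the path the notaries use.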