SoylentNews is people

posted by janrinok on Tuesday May 08 2018, @11:56PM
from the ain't-no-control dept.

Submitted via IRC for SoyCow3941

We think of our job as controlling the user's experience. But the reality is, we control far less than we imagine.

Last week, two events reminded us, yet again, of how right Douglas Crockford was when he declared the web "the most hostile software engineering environment imaginable." Both were serious enough to take down an entire site—actually hundreds of entire sites, as it turned out. And both were avoidable.

[...] The first of these incidents involved the launch of Chrome 66. With that release, Google implemented a security patch with serious implications for folks who weren't paying attention. You might recall that quite a few questionable SSL certificates issued by Symantec Corporation's PKI began to surface early last year. Apparently, Symantec had subcontracted the creation of certificates without providing a whole lot of oversight. Long story short, the Chrome team decided the best course of action with respect to these potentially bogus (and security-threatening) SSL certificates was to set an "end of life" for accepting them as secure. They set Chrome 66 as the cutoff.

So, when Chrome 66 rolled out (an automatic, transparent update for pretty much everyone), suddenly any site running HTTPS on one of these certificates would no longer be considered secure. That's a major problem if the certificate in question is for our primary domain, but it's also a problem if it's for a CDN we're using. You see, my server may be running on a valid SSL certificate, but if I have my assets—images, CSS, JavaScript—hosted on a CDN that is not secure, browsers will block those resources. It's like CSS Naked Day all over again.

To be completely honest, I wasn't really paying attention to this until Michael Spellacy looped me in on Twitter. Two hundred of his employer's sites were instantly reduced to plain old semantic HTML. No CSS. No images. No JavaScript.

The second incident was actually quite similar in that it also involved SSL, and specifically the expiration of an SSL certificate being used by jQuery's CDN. If a site relied on that CDN to serve an HTTPS-hosted version of jQuery, their users wouldn't have received it. And if that site was dependent on jQuery to be usable ... well, ouch!

It can be easy to shrug off news like this. Surely we'd make smarter implementation decisions if we were in charge. We'd certainly have included a local copy of jQuery like the good Boilerplate tells us to. The thing is, even with that extra bit of protection in place, we're falling for one of the most attractive fallacies when it comes to building for the web: that we have control.

Source: http://alistapart.com/article/the-illusion-of-control-in-web-design
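
Both incidents in the summary come down to the certificate of a third-party asset host rather than the site's own. The following is an added example, not code from the article or from SoylentNews: it lists the external hosts a page loads scripts, stylesheets and images from and flags those whose certificate is expired, close to expiry, or from a distrusted issuer. The hosts, dates and certificate inventory are constructed, and matching on issuer organisation is a simplification of the browser's chain-based distrust.

```python
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

class AssetHosts(HTMLParser):
    """Collect third-party hosts a page loads scripts, stylesheets and images from."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.hosts = page_host, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        url = a.get("src") if tag in ("script", "img") else a.get("href") if is_css else None
        host = urlparse(url or "").hostname  # None for relative, same-origin URLs
        if host and host != self.page_host:
            self.hosts.setdefault(host, []).append(url)

def audit(html, page_host, certs, now, distrusted, warn_days=30):
    """Return {host: (status, asset_urls)} for hosts whose certificate needs attention."""
    parser = AssetHosts(page_host)
    parser.feed(html)
    findings = {}
    for host, urls in parser.hosts.items():
        cert = certs.get(host)
        if cert is None:
            status = "no certificate data"
        elif cert["not_after"] <= now:
            status = "expired"
        elif cert["issuer_org"] in distrusted:
            status = "distrusted issuer"
        elif cert["not_after"] - now <= timedelta(days=warn_days):
            status = "expires soon"
        else:
            continue
        findings[host] = (status, urls)
    return findings

# Constructed sample page and certificate inventory (all hosts and dates are made up).
PAGE = """<link rel="stylesheet" href="https://static.cdn.example/site.css">
<script src="https://code.cdn.example/jquery.min.js"></script>
<script src="/js/app.js"></script>
<img src="//img.cdn.example/logo.png">"""
NOW = datetime(2018, 5, 8, tzinfo=timezone.utc)
CERTS = {
    "static.cdn.example": {"issuer_org": "Symantec Corporation", "not_after": NOW + timedelta(days=200)},
    "code.cdn.example": {"issuer_org": "Example CA", "not_after": NOW - timedelta(days=1)},
    "img.cdn.example": {"issuer_org": "Example CA", "not_after": NOW + timedelta(days=10)},
}
FINDINGS = audit(PAGE, "www.site.example", CERTS, NOW, distrusted={"Symantec Corporation"})
```

In a live check the inventory would be filled from each host's served certificate instead of the constructed dictionary.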


  • (Score: 3, Interesting) by Appalbarry on Wednesday May 09 2018, @01:50AM (8 children)

    by Appalbarry (66) on Wednesday May 09 2018, @01:50AM (#677289) Journal

    Of late I've been wondering how practical it would be to just write small sites in a text editor with just HTML and maybe a little CSS to dress it up.

    If your content is mostly static you really don't need a big CMS, or even WordPress. Maybe it's time to go back to our roots and abandon all of the stuff that makes giant, unwieldy, security hole prone web sites. And maybe a really minimal HTML site will give users a way to browse with no worries about trackers and cookies.

    I think I'll go and see if blink still works....

  • (Score: 0) by Anonymous Coward on Wednesday May 09 2018, @02:02AM

    by Anonymous Coward on Wednesday May 09 2018, @02:02AM (#677295)

    Nah, lots of sites demand interconnected content authoring which simply can not be done manually within a reasonable amount of time. Yes there are a lot of sites that would fit the static model well enough, but no one likes making simple content updates that a 10 year old could do after 15 mins of training.

  • (Score: 3, Insightful) by Arik on Wednesday May 09 2018, @02:32AM (3 children)

    by Arik (4543) on Wednesday May 09 2018, @02:32AM (#677310) Journal
    For small, simple sites it's very easy to do. I've done it many times.

    But more complicated sites do require more automation, and the existing tools for automation (insofar as I know) are extremely poorly done; that is they output invalid gibberish by design.

    Another complication is that browsers simply don't do their job. It's been years since they even appeared to make any sort of attempt. Instead of making intelligent (or even semi-intelligent) rendering decisions, they tend to rely on the site to do what it's not supposed to be doing - making all the presentation decisions on the server!

    So from that perspective the entire infrastructure seems thoroughly rotten. Most of it is probably unsalvageable.

    The HTML 3 standard, dated 28 March 1996, was 89kb. The "current" HTML standard doesn't have a version number anymore, the free fliers at W3C today find versions too limiting, but at any rate it's currently up to a meg and a half. Virtually EVERYTHING added since 3 is garbage that a sane browser would simply ignore.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 3, Informative) by bzipitidoo on Wednesday May 09 2018, @05:59AM (2 children)

      by bzipitidoo (4388) on Wednesday May 09 2018, @05:59AM (#677352) Journal

      Um, no.

      > The "current" HTML standard doesn't have a version number anymore

      Yes it does, it's 5, and it's plastered all over the place, even burned into the logo.

      > Virtually EVERYTHING added since 3 is garbage

      HTML still has lots of deficiencies, needs more clean up, but version 5 is much better than version 3. The video and audio tags with the open standards of VP9 and Opus are far better than proprietary Flash crap. A whole lot of repetitive formatting info was moved from HTML attributes to CSS. I suppose you feel all video is ripe for abuse. However, there are many other improvements and additions-- MathML, SVG, Canvas ....

      • (Score: 2) by c0lo on Wednesday May 09 2018, @09:31AM

        by c0lo (156) Subscriber Badge on Wednesday May 09 2018, @09:31AM (#677387) Journal

        Canvas is a useless construct without JavaScript. Yes, SVG and MathML may internally use a canvas to render but a dynamically/programmatically drawable surface without a programming language?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 3, Interesting) by Arik on Wednesday May 09 2018, @11:38AM

        by Arik (4543) on Wednesday May 09 2018, @11:38AM (#677406) Journal
        "Yes it does, it's 5, and it's plastered all over the place, even burned into the logo."

        Not the one I'm looking at.

        https://html.spec.whatwg.org/

        "version 5 is much better than version 3. The video and audio tags with the open standards of VP9 and Opus are far better than proprietary Flash crap."

        Neither version has any business being part of HTML. The Flash crap was never part of HTML, and version 5 is much worse because it brings that crap into the spec!

        "A whole lot of repetitive formatting info was moved from HTML attributes to CSS."

        Moving presentation tags to CSS is a poor substitute for eliminating them entirely.

        "I suppose you feel all video is ripe for abuse."

        I can't even imagine what you meant by that.

        "MathML, SVG, Canvas"

        You may not have intended it, but that does cover the range from OK to utter trash quite well.

        MathML actually seems useful, I'll give you that. It really doesn't amount to much of that increased size though.

        SVG seems like an interesting experiment, it brings some of the same principles used in HTML to a graphic format, the only graphic format that I can think of that could, arguably, be described as 'human readable' and that's actually pretty cool. On the other hand, in practice it seems to be little used and not so well supported. And the inclusion of an explicitly graphic format appears to contradict the idea of device-independence, in practice if not in theory; the idea that this is human readable would evaporate very quickly in an audio browser I would imagine.

        Canvas? Fingerpaint with javascript? This is EXACTLY the kind of garbage I'm talking about! My browser is not a playpen for 'web designers!'

        --
        If laughter is the best medicine, who are the best doctors?
  • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 09 2018, @09:08AM (1 child)

    by Anonymous Coward on Wednesday May 09 2018, @09:08AM (#677377)

    > Of late I've been wondering how practical it would be to just write small sites in a text editor with just HTML and maybe a little CSS to dress it up.

    That's how my personal web site is done.

    Human readable HTML, with a layer of CSS turning into a modern, responsive, menu sliding in from the left, overlays to show images in full size when clicked, HTML5 video, etc.

    Not a single line of Javascript so far. Not that I'm against using Javascript, I actually like the language, I just have this idea that if something can be done with CSS, it will be faster and more reliable than doing it with Javascript. At some point I expect to use Javascript to do syntax-highlighting on code examples (with syntax-highlighting simply missing for those who have Javascript off). No jQuery, though, not touching that collection of line noise with a ten foot pole.

    I've had fun showing developer colleagues the page, telling them to click around, and guessing (without using view source) how much Javascript the page contains. Nobody has gotten it right so far.

    • (Score: 2) by Appalbarry on Wednesday May 09 2018, @11:50PM

      by Appalbarry (66) on Wednesday May 09 2018, @11:50PM (#677667) Journal

      URL? Is it possible to email or message me via the site?

  • (Score: 2) by MichaelDavidCrawford on Wednesday May 09 2018, @03:59PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday May 09 2018, @03:59PM (#677479) Homepage Journal

    You mean like http://soggywizards.com/ ?

    I use BBEdit on my Mac and notepad++ and vim on my Acer

    --
    Yes I Have No Bananas. [gofundme.com]