Submitted via IRC for SoyCow3941
We think of our job as controlling the user's experience. But the reality is, we control far less than we imagine.
Last week, two events reminded us, yet again, of how right Douglas Crockford was when he declared the web "the most hostile software engineering environment imaginable." Both were serious enough to take down an entire site—actually hundreds of entire sites, as it turned out. And both were avoidable.
[...] The first of these incidents involved the launch of Chrome 66. With that release, Google implemented a security patch with serious implications for folks who weren't paying attention. You might recall that quite a few questionable SSL certificates issued by Symantec Corporation's PKI began to surface early last year. Apparently, Symantec had subcontracted the creation of certificates without providing a whole lot of oversight. Long story short, the Chrome team decided the best course of action with respect to these potentially bogus (and security-threatening) SSL certificates was to set an "end of life" for accepting them as secure. They set Chrome 66 as the cutoff.
So, when Chrome 66 rolled out (an automatic, transparent update for pretty much everyone), suddenly any site running HTTPS on one of these certificates would no longer be considered secure. That's a major problem if the certificate in question is for our primary domain, but it's also a problem it's for a CDN we're using. You see, my server may be running on a valid SSL certificate, but if I have my assets—images, CSS, JavaScript—hosted on a CDN that is not secure, browsers will block those resources. It's like CSS Naked Day all over again.
To be completely honest, I wasn't really paying attention to this until Michael Spellacy looped me in on Twitter. Two hundred of his employer's sites were instantly reduced to plain old semantic HTML. No CSS. No images. No JavaScript.
The second incident was actually quite similar in that it also involved SSL, and specifically the expiration of an SSL certificate being used by jQuery's CDN. If a site relied on that CDN to serve an HTTPS-hosted version of jQuery, their users wouldn't have received it. And if that site was dependent on jQuery to be usable ... well, ouch!
It can be easy to shrug off news like this. Surely we'd make smarter implementation decisions if we were in charge. We'd certainly have included a local copy of jQuery like the good Boilerplate tells us to. The thing is, even with that extra bit of protection in place, we're falling for one of the most attractive fallacies when it comes to building for the web: that we have control.
Source: http://alistapart.com/article/the-illusion-of-control-in-web-design
(Score: 5, Insightful) by bob_super on Wednesday May 09 2018, @12:04AM (8 children)
> Two hundred of his employer's sites were instantly reduced to plain old semantic HTML. No CSS. No images. No JavaScript.
I fail to see a problem. Did they learn, copy the images over, and make the result permanent ?
(Score: 2, Informative) by Anonymous Coward on Wednesday May 09 2018, @12:09AM (3 children)
Certs are *EASY* to make once you know how. That this dude did not fix that is not my problem. In fact I can not really feel too sorry for them. This has been know for well over a year. What did he plan to do when the certs just naturally expired?
(Score: 4, Insightful) by driverless on Wednesday May 09 2018, @02:01AM (2 children)
The same can be said for rocket surgery. Certs are way, way, waaaay too complex for most people, who are in the business of operating a pharmacy, flower shop, bookstore, or whatever, not being PKI jockeys because Chrome has decided they want you to jump through X number of hoops in order to be allowed to play.
(Score: 2) by pendorbound on Wednesday May 09 2018, @03:06PM
I'd imagine people in most of the professions you mentioned would engage the services of a professional rocket surgeon should they have a rocket in need of surgery. Not sure why they'd consider the website of their business to be something they should half-ass on their own without a professional's advice and assistance.
The hoops Chrome requires you to jump through in order to play safely and securely are the same hoops that were jumped through on a yearly basis to issue and maintain the original certificate for the site. Chrome now requires that you not-use one particular certificate authority which has been shown repeatedly to cheat and lie about the fact they cheated.
If you and/or your amateur firework trepanist have been ignoring field-related news for the last 18-24 months, maybe you'll need to do that certificate hoop dance a little earlier and more urgently than normal, but you don't have to learn any new dance steps.
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @03:12PM
That's why I liked the idea of notaries.
Basically, a site posts a cert, self signed is ok.
When you go to that site, you get the cert, then ask the notaries for their version of the cert. They will go to the site (if they haven't already) and give you their recent history of the cert for the site in question. If some number (user settable) of the notaries agree the cert is the one for the site, you say, ok, either this site is completely pwned around the world, or it is safe.
(Score: 5, Insightful) by RS3 on Wednesday May 09 2018, @12:09AM (1 child)
I agree 100%. Back to nice clean simple basics works for me. I don't use the web for an "experience" in someone's controlled environment. I just want to read information, look at some simple non-moving pictures, or watch an occasional video.
Sorry for the rant; I'll get off my own lawn now...
(Score: 2) by acid andy on Wednesday May 09 2018, @08:56PM
Yeah, Fuck Beta! ;)
Master of the science of the art of the science of art.
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @02:19AM
No big issue. Cross domain is blocked in my world. Blocks ads very nicely. All the crap on top of html. Makes the most ntrtnet slow.
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @05:23AM
Yeah. That's the part that caught my eye as well.
By default, I block everything that isn't readable text.
Occasionally, I find it useful to whitelist some images.
On the sites that I typically visit, that's enough to get the big idea.
Now and then, I'll find something via a search engine or linked in somebody's article and that looks like it might be interesting.
Going there, with my default config, and finding e.g. a dark background with unreadable dark text on that tells me that the "developer" certainly didn't check his code in an HTML-only rendering.
I figure the dude simply lifted somebody else's boilerplate HTML and started pasting CSS all over it.
It makes me wonder how many of those sites referred to in TFS had visitors experiencing stuff like that.
Sometimes, one of those searched|linked pages has all or part of its basic (text!) content obfuscated behind scripts.
If it seems worthwhile, I'll hand the URL to archive.is and see if they can make the page readable by running the scripts on their box and showing the result via HTML.
That mostly works out.
They will also run the CSS and OMFG some of the stuff that gets displayed just makes me want to barf.
-- OriginalOwner_ [soylentnews.org]
(Score: 3, Touché) by Anonymous Coward on Wednesday May 09 2018, @12:10AM (6 children)
And the moral of this story is: control your own assets (and destiny). If you are responsible for websites that use SSLs, or rely on CDNs that use SSLs, then you should make sure the partners you rely on are using valid SSLs. If you can't be sure about the reliability of your partners then protect yourself by controlling what you can control.
When the Symantec debacle came to light we made sure all of our partners were not using Symantec certs. We contacted the two that were and made sure that they got new SSLs, and not just because of Google announcing that it would stop accepting those certificates at a future date. If the Symantec certificates were untrustworthy then they shouldn't be used whether or not Google, Mozilla, Apple, Microsoft, etc would stop accepting them.
This isn't rocket science. When you are responsible for mission critical portions of your business (or your employer's business) you either pay attention or you pay the price.
(Score: 5, Insightful) by The Mighty Buzzard on Wednesday May 09 2018, @12:13AM (3 children)
That kind of anti-cloud heresy is no way to get yourself employed by a major tech company. It is, however, a good way to get yourself employed by a smaller, non-tech shop that will appreciate the hell out of you, pay you pretty well, and not work your entire ass off.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @01:34AM
While we may not agree on a whole hell of a lot it is nice to see some techies who don't like JS for everything and relying on other people's services.
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @02:30AM (1 child)
It's like you know me.
(Score: 3, Interesting) by The Mighty Buzzard on Wednesday May 09 2018, @03:29AM
To take it to the next step you find yourself enough even smaller shops that have no need of a full time admin but do need someone, then sell them N hours per month of presence (may as well do general upkeep and look into a few complaints while you're there, maybe bring donuts) and a moderate extra fee if you have to work over those number of hours. Repeat until you find a happy balance between money and time for doing whatever the hell you feel like. Or repeat until you've had to take on dozens of helpers in many locations then sell the company for a fat wad of cash and retire.
My rights don't end where your fear begins.
(Score: 1, Interesting) by Anonymous Coward on Wednesday May 09 2018, @12:23AM
No, the moral of the story is that HTTPS is bullshit. But it does serve very well for tracking purposes. The web should be pure HTML and nothing more.
(Score: 4, Interesting) by c0lo on Wednesday May 09 2018, @12:41AM
Huh! If that would be that simple.
You reckon the control over assets is enough? To paraphrase:
Yes, I know you never said that, but the context is 'illusion of control' - your answer suggest a better way to deal with, but if one imagins that's foolproof, the illusion of control will still persists.
And I tell you a more reliable way to make sure the access to your assets doesn't depend as much on others. It involves relinquishing most of the control on your assets - replicate them in a P2P network and let many independent third parties certify their authenticity (use of a DHT).
Of course this is barely possible in the today's mainstream internet, having control' drives profits and power for those able to exercise it.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 5, Insightful) by requerdanos on Wednesday May 09 2018, @12:16AM
If someone's site depends on jQuery (or, alternately, anything with "script" or "flash" in the name) to be *usable*... not to be "enhanced", not to be "more convenient", not to be "more functional", but just to be usable at all... Then the explanation why that's not a good idea would probably bounce right off their worldview and do them no good at all.
I get that sites like this exist, lots of them, but really, I don't think that makes it a good strategy. If your site is like this and your CDN's certificate suddenly stops working, sure, you've got problems, but the certificate isn't the biggest one.
(Score: 4, Insightful) by c0lo on Wednesday May 09 2018, @12:20AM
FTFY
Relying on networking, in the general sense, means relying on resources potentially controlled by others. Web programming has nothing special.
The only worthy news is 'Google decided to end the trust in a bunch of certificates issued by Symantec, some CDNes affected'. See, no need to waste your time reading thousands of words.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 4, Informative) by Arik on Wednesday May 09 2018, @12:30AM (11 children)
Semantic markup from the server, smart browser presents it as appropriate for the display device.
YOU AREN'T SUPPOSED TO BE ABLE TO CONTROL PRESENTATION ON THE SERVER! ]
Googles motives here may be questioned but if it taught one single person that lesson then at least it did some good, if unwillingly.
If laughter is the best medicine, who are the best doctors?
(Score: 3, Interesting) by Appalbarry on Wednesday May 09 2018, @01:50AM (8 children)
Of late I've been wondering how practical it would be to just write small sites in a text editor with just HTML and maybe a little CSS to dress it up.
If your content is mostly static you really don't need a big CMS, or even WordPress. Maybe it's time to go back to our roots and abandon all of stuff that makes giant, unwieldy, security hole prone web sites. And maybe a really minimal HTML site will give users a way to browse with no worries about trackers and cookies.
I think I'll go and see if blink still works....
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @02:02AM
Nah, lots of sites demand interconnected content authoring which simply can not be done manually within a reasonable amount of time. Yes there are a lot of sites that would fit the static model well enough, but no one likes making simple content updates that a 10 year old could do after 15 mins of training.
(Score: 3, Insightful) by Arik on Wednesday May 09 2018, @02:32AM (3 children)
But more complicated sites do require more automation, and the existing tools for automation (insofar as I know) are extremely poorly done; that is they output invalid gibberish by design.
Another complication is that browsers simply don't do their job. It's been years since they even appeared to make any sort of attempt. Instead of making intelligent (or even semi-intelligent) rendering decisions, they tend to rely on the site to do what it's not supposed to be doing - making all the presentation decisions on the server!
So from that perspective the entire infrastructure seems thoroughly rotten. Most of it is probably unsalvageable.
The HTML 3 standard, dated 28 march 1996, was 89kb. The "current" HTML standard doesn't have a version number anymore, the free fliers at W3c today find versions too limiting, but at any rate it's currently up to a meg and a half. Virtually EVERYTHING added since 3 is garbage that a sane browser would simply ignore.
If laughter is the best medicine, who are the best doctors?
(Score: 3, Informative) by bzipitidoo on Wednesday May 09 2018, @05:59AM (2 children)
Um, no.
> The "current" HTML standard doesn't have a version number anymore
Yes it does, it's 5, and it's plastered all over the place, even burned into the logo.
> Virtually EVERYTHING added since 3 is garbage
HTML still has lots of deficiencies, needs more clean up, but version 5 is much better than version 3. The video and audio tags with the open standards of VP9 and Opus are far better than proprietary Flash crap. A whole lot of repetitive formatting info was moved from HTML attributes to CSS. I suppose you feel all video is ripe for abuse. However, there are many other improvements and additions-- MathML, SVG, Canvas ....
(Score: 2) by c0lo on Wednesday May 09 2018, @09:31AM
Canvas is a useless construct without JavaScript. Yes, SVG and MathML may internally use a canvas to render but a dynamically/programmatically drawable surface without a programming language?
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 3, Interesting) by Arik on Wednesday May 09 2018, @11:38AM
Not the one I'm looking at.
https://html.spec.whatwg.org/
"version 5 is much better than version 3. The video and audio tags with the open standards of VP9 and Opus are far better than proprietary Flash crap."
Neither version has any business being part of HTML. The Flash crap was never part of HTML, and version 5 is much worse because it brings that crap into the spec!
"A whole lot of repetitive formatting info was moved from HTML attributes to CSS."
Moving presentation tags to CSS is a poor substitute for eliminating them entirely.
"I suppose you feel all video is ripe for abuse."
I can't even imagine what you meant by that.
"MathML, SVG, Canvas"
You may not have intended it, but that does cover the range from OK to utter trash quite well.
Mathml actually seems useful, I'll give you that. It really doesn't amount to much of that increased size though.
SVG seems like an interesting experiment, it brings some of the same principles used in HTML to a graphic format, the only graphic format that I can think of that could, arguably, be described as 'human readable' and that's actually pretty cool. On the other hand, in practice it seems to be little used and not so well supported. And the inclusion of an explicitly graphic format appears to contradict the idea of device-independence, in practice if not on theory; the idea that this is human readable would evaporate very quickly in an audio browser I would imagine.
Canvas? Fingerpaint with javascript? This is EXACTLY the kind of garbage I'm talking about! My browser is not a playpen for 'web designers!'
If laughter is the best medicine, who are the best doctors?
(Score: 1, Interesting) by Anonymous Coward on Wednesday May 09 2018, @09:08AM (1 child)
That's how my personal web site is done.
Human readable HTML, with a layer of CSS turning into a modern, responsive, menu sliding in from the left, overlays to show images in full size when clicked, HTML5 video, etc.
Not a single line of Javascript so far. Not that I'm against using Javascript, I actually like the language, I just have this idea that something can be done with CSS, it will be faster and more reliable than doing it with Javascript. At some point I expect to use Javascript to do syntax-higlighting on code examples (with syntax-highlighting simply missing for those who have Javascript off). No jQuery, though, not touching that collection of line noise with a ten foot pole.
I've had fun showing deverloper colleagues the page, telling them to click around, and guessing (without using view source) how much Javascript the page contains. Nobody has gotten it right so far.
(Score: 2) by Appalbarry on Wednesday May 09 2018, @11:50PM
URL? Is it possible to email or message me via the site?
(Score: 2) by MichaelDavidCrawford on Wednesday May 09 2018, @03:59PM
You mean like http://soggywizards.com/ [soggywizards.com] ?
I use BBEdit on my Mac and notepad++ and vim on my Acer
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by theluggage on Wednesday May 09 2018, @10:25AM (1 child)
The web has turned into something quite unlike the original concept - a way for scientists to share data and images online using a simple markup language. A large part of the purpose of the modern web is as a replacement for the commercial printing press; the shop window; an alternative to the TV commercial and a "thin client" computing platform. The early 1990s concept of the WWW as a distributed hypertext system is now a small subset of what the web has become.
Semantic web people have been banging on about the semantic web for years. Sorry, inconvenient truth: People and organisations who use the web to publish their own work or promote their own products want fine control over the presentation of their message - they don't give a flying fuck about the semantic web.
Now, the idea of a semantic web coupled with a powerful layout engine driven by optional stylesheets might have legs but, unfortunately, what we have is CSS, a system apparently devised by someone who had never seen a styles-based word-processor, a DTP package, a GUI layout manager or, for that matter, a website. Semantic web proponents were quick to declare frames and the use of tables for layout as "considered harmful" but provided no viable alternative - CSS simply wasn't fit to replace those things, let alone go beyond their limitations - even if you mastered its bizarre quirks, side-effects and rafts of browser incompatibilities. So people turned to things like Flash and (...because Javascript missed the obvious trick of using CSS selectors and DOM/XPath APIs were cumbersome to use) jQuery. One of the early appeals of jQuery was that it contained unified work-arounds for a bunch of browser incompatibilities.
I say this as someone who has always tried to do the Right Thing and ensure that my sites remain navigable and legible with CSS and scripting turned off - but it is a labour of love with little pay-off between personal satisfaction (and minimal compliance with accessibility guidelines - nice warm feeling but, in reality, if it hasn't been tested by a bone-fide blind person using a screen-reader then it probably won't work like that).
With HTML5 and the latest incarnations of CSS - plus the whole security thing which provides the perfect pretext to stop worrying about supporting older browsers - we finally have something almost fit for purpose, but its been a long time coming, and now we just need to completely re-work any website > 3 years old... just as lovingly hand-crafted HTML is being rendered uneconomical by CMSs.
(Score: 2) by FatPhil on Wednesday May 09 2018, @11:12AM
I remember those who were the strongest anti-"tag soup" campaigners (complainers?), are now the largest spewers of "div/class"-soup, where none of the content has any type that describes what it is at all, and only classes tell the browser how and where to render it so that it looks like a what it is, which is a <table>, for instance. When used for simply laying things out in columns, that's *worse* than using a <table>, one of the much-maligned traps of early webpage design, because at least in the tables the cells had an explicit before/after/above/below relation to each other in the structure of the document - now they are totally at the mercy of whatever stylesheet is active - you could reverse the order of the columns by dicking around with a stylesheet, for example.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1, Insightful) by Anonymous Coward on Wednesday May 09 2018, @12:57AM
>Apparently, Symantec had subcontracted the creation of certificates without providing a whole lot of oversight.
>To be completely honest, I wasn't really paying attention to this until Michael Spellacy looped me in on Twitter. Two hundred of his employer's sites were instantly reduced to plain old semantic HTML. No CSS. No images. No JavaScript.
It's parallel, isn't it? Relying on CDN = subcontracting out "without providing a whole lot of oversight"?
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @08:51AM (1 child)
That would mean that all those shitty web designs are deliberate, and not just a combination of incompetence and not caring about anything but the web designers preferred browser (probably Safari).
Javascript errors, "responsive" design that puts sidebars over the content when the browser window is smaller than 1920x1080, long download times due to third party script libraries such as jQuery, ads overlaying the content, auto-playing video and audio - often in several of the 25 open background tabs, ads redirecting the user away from the site, ads that are really virus'es...
(Score: 2) by MichaelDavidCrawford on Wednesday May 09 2018, @03:56PM
Before Apple removed safari's activity window I would see urls like
http://code.google.com/jquery.js?nocache=123456789 [google.com]
That really sucks on my mom's dialup. She's happy with her iMac but very unhappy with many of the sites she visits
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Wednesday May 09 2018, @02:59PM
anyone who uses a cdn and external resources is an idiot and they deserve what they get.
(Score: 2) by MichaelDavidCrawford on Wednesday May 09 2018, @03:52PM
I don't want my gadgets to update automatically. I don't always know to opt out
This because I archive every installer I ever use. Sometimes I need to fall back to an older version, often to regress bugs
Yes I Have No Bananas. [gofundme.com]