With Chrome 70, hundreds of popular websites are about to break

On 10/10/2018 14.55, Mayayana wrote:


Last night I visited a site I found in a Michael
Pollan book: csp.org. Council on Spiritual Practices.
They're some kind of clearing house for ideas about
psychedelic drugs and religious experience. Sounded
interesting. It's people who want to experience life
more fully, deeply and joyfully. And they think there
might be a correlation between what chemicals like
psilocybin do and what advanced meditation
techniques do. A bit of a 60s, consumer-goes-
shopping-for-spirituality-on-sale rehash. But I was
curious what they're up to. Ironically, their webpage
was entirely broken. Entirely unnecessarily. And they
don't care about your privacy.

They pull in a 4.4 MB js file just to do basic things
like load pages from an anchor tag. The internal
links don't work without script! The script is coming
from Cloudfront. They also have Google-Analytics code.
So both Google and Amazon would be tracking me if
I allowed script.

Is it not possible that those scripts are placed there by some web
designer tool kit out there? You just place the visual things and you
get all the crap besides?

--
Cheers, Carlos.

"Carlos E.R." wrote

| And who doesn't know to avoid Symantec?
|
| I don't.
|
| They've got a shady history going all the way back
| to the 90s.
|
| News to me. O:-)
|
Their system tools were increasingly bloated and
the "doctor" was of no real value.
They also have a trdition of buying up top-ed
software gutting it.

Quarterdeck Clean Sweep -- Started out as a program
that could back up virtually any installed program into
a portable, installable package. Symantec bought it
and put it into their system works as a useless tool.

AtGuard -- The first really good Windows firewall. Arguably
still the best. Symantec licensed it, repackaged it as
their own firewall, set 700+ programs to be allowed
through by default, doubled the price, and marketed
the hell out of it.

Powerquest disk utilities -- Symantec bought them
and gutted them, turning Drive Image (a floppy-
based disk imaging tool) into a useless, .Net-based,
bloated backup tool. (Not only my opinion. It was
widely panned in the tech media.)

It's a pattern. Buy the best. Gut it so that people
won't need tech support. Raise the price. Market
like crazy. They succeed on name recognition.
I wouldn't ever buy anything from Symantec and
haven't for many years. But I did buy each of the
original products above and loved them.


| I used PCtools back then and it was a wonderful tool. I think I also
| used an antivirus from them at some point.
|

I think they weren't so bad in the early days.
I don't know any details about the company. I just know
their products went downhill. Maybe the company
was sold or restructured? I don't know.

"Carlos E.R." wrote

| They pull in a 4.4 MB js file just to do basic things
| like load pages from an anchor tag. The internal
| links don't work without script! The script is coming
| from Cloudfront. They also have Google-Analytics code.
| So both Google and Amazon would be tracking me if
| I allowed script.
|
| Is it not possible that those scripts are placed there by some web
| designer tool kit out there? You just place the visual things and you
| get all the crap besides?
|

Might be. But it's deeply integrated. Either way:
A webmaster with a WYSIWYG toolkit or a webmaster
collecting js libraries and code snippets because it's
trendy. So many sites now are broken with script
and load several MBs worth of that stuff. I think a
lot of it is "widgets" that only require simple coding
but must have the "library" loaded to use that code.
In other words, webmasters who don't actually know
how to code what they want.

But stuff like Google Analytics and Google tag manager
are separate snippets, deliberately added to the page.
The site I detailed had Google Analytics, probably
because they don't know how to process their own
server logs to track visitors. So they let Google
spy in exchange for a traffic report.

On 10/10/2018 06:55 AM, Mayayana wrote:
Anyone who knows enough to paste in Google tracking code has a basic
idea of what's going on.

I disagree.

I've seen WAY TOO MANY ""recreational webmasters (some that get paid for
pretending to be professionals) that have zero clue what the code that
they are copying and pasting actually does. They just think they know
that if they but this blob of text somewhere on their page that it will
do something they think they want.

It's the difference between wrote memory and actual knowledge.



--
Grant. . . .
unix || die

On 10/10/18 7:05 AM, Carlos E.R. wrote:
On 10/10/2018 15.28, Mayayana wrote:
"Carlos E.R." wrote

| If you manage to miss this for a such long time, you don't really care
| about anything, you just have a certificate as everyone else has it or
| there is a regulation that mandates you to have one without really
| knowing why. IMHO it's the same as not caring.
|
| No, I do not agree.
|

If you bought the certificate directly then why
wouldn't you have looked into that? Personally I
care about privacy but only regard https as a
nice extra. My webhost handles that and I don't
know where they're getting the certificate. But
if you buy it yourself you should know what you're
buying. And who doesn't know to avoid Symantec?

I don't.

They've got a shady history going all the way back
to the 90s.

News to me. O:-)

I used PCtools back then and it was a wonderful tool. I think I also
used an antivirus from them at some point.

Later on I switched to Linux, so most Windows software companies are
irrelevant to me.


A similar example would be Wordpress denizens.
They use Wordpress for hosting because they don't
know what they're doing. Then they use script
gadgets that WP provides. Then they don't update
them because they don't know it matters, so WP
ends up being a slum of risky websites.
Should they know what they're doing? Of course.
Though WP is partially to blame. If they're going to
enable people with no knowledge to create websites
then they should also be handling things like updating
gadget code when fixes are written.

Why should they know? If I'm a garage owner and they talk me into paying
for a web site to announce my garage, it is very possible that I know
nothing about computers beyond reading my email.

I know people that own Windows computers with updates disabled for two
or more years. Possibly the person that installed Windows disabled the
updates because otherwise they would get phone calls everyday, LOL.

So yes, what google or firefox do blocking those web sites with those
certificates is the correct thing to do.

But I think in a lot of cases websites are being
created mainly by graphic artists who are not
tech-educated. They've just come up with tools
to "get around that problem". With all the WYSIWYG
tools available, people just don't need to know what
they're doing. They're like microwave chefs.

Exactly.

I dunno what you mean by a microwave chef?
Maybe people who buy prepared food and warm it up
in a microwave?

You can do a lot more than that with a microwave
to produce delicious and edible food. Just as some artists
with a little knowledge can produce perfectly functional
web sites but don't blame them for not being administrators
of the ISP which should keep the certification up-to-date.

There are different areas of knowledge and a person
who knows art may not know much about computers and person
who know computers may not know much about art or design.
That is clearly evident from many otherwise interesting
and informative sites which are painful to view.

bliss

--
bliss dash SF 4 ever at dslextreme dot com

On 10/10/18 2:46 PM, Carlos E.R. wrote:
On 10/10/2018 06.45, J.O. Aho wrote:
On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.

And you assume that they read those? Why?
Me, I found out this week.

I do, as it's important for my employer that our customer can access our
websites. I do spend at least 30 mins a day at work just browsing
through article subjects to see if there is something happening that
affects us. If you can't spend that time to keep yourself up to date
with information, then do you really care about your customers?


--

//Aho

On 10/10/2018 17.32, Bobbie Sellers wrote:
On 10/10/18 7:05 AM, Carlos E.R. wrote:
On 10/10/2018 15.28, Mayayana wrote:
"Carlos E.R." wrote

| If you manage to miss this for a such long time, you don't really
care
| about anything, you just have a certificate as everyone else has
it or
| there is a regulation that mandates you to have one without really
| knowing why. IMHO it's the same as not caring.
|
| No, I do not agree.
|

Â*Â* If you bought the certificate directly then why
wouldn't you have looked into that? Personally I
care about privacy but only regard https as a
nice extra. My webhost handles that and I don't
know where they're getting the certificate. But
if you buy it yourself you should know what you're
buying. And who doesn't know to avoid Symantec?

I don't.

They've got a shady history going all the way back
to the 90s.

News to me. O:-)

I used PCtools back then and it was a wonderful tool. I think I also
used an antivirus from them at some point.

Later on I switched to Linux, so most Windows software companies are
irrelevant to me.


Â*Â* A similar example would be Wordpress denizens.
They use Wordpress for hosting because they don't
know what they're doing. Then they use script
gadgets that WP provides. Then they don't update
them because they don't know it matters, so WP
ends up being a slum of risky websites.
Â*Â*Â* Should they know what they're doing? Of course.
Though WP is partially to blame. If they're going to
enable people with no knowledge to create websites
then they should also be handling things like updating
gadget code when fixes are written.

Why should they know? If I'm a garage owner and they talk me into paying
for a web site to announce my garage, it is very possible that I know
nothing about computers beyond reading my email.

I know people that own Windows computers with updates disabled for two
or more years. Possibly the person that installed Windows disabled the
updates because otherwise they would get phone calls everyday, LOL.

So yes, what google or firefox do blocking those web sites with those
certificates is the correct thing to do.

Â*Â*Â*Â* But I think in a lot of cases websites are being
created mainly by graphic artists who are not
tech-educated. They've just come up with tools
to "get around that problem". With all the WYSIWYG
tools available, people just don't need to know what
they're doing. They're like microwave chefs.

Exactly.

Â*Â*Â*Â*I dunno what you mean by a microwave chef?
Â*Â*Â*Â*Maybe people who buy prepared food and warm it up
in a microwave?

Â*Â*Â*Â*You can do a lot more than that with a microwave
to produce delicious and edible food.Â* Just as some artists
with a little knowledge can produce perfectly functional
web sites but don't blame them for not being administrators
of the ISP which should keep the certification up-to-date.

Â*Â*Â*Â*There are different areas of knowledge and a person
who knows art may not know much about computers and person
who know computers may not know much about art or design.
Â*Â*Â*Â*That is clearly evident from many otherwise interesting
and informative sites which are painful to view.

Yes, entirely possible.


--
Cheers, Carlos.

On 10/10/2018 16.26, Mayayana wrote:
"Carlos E.R." wrote

| And who doesn't know to avoid Symantec?
|
| I don't.
|
| They've got a shady history going all the way back
| to the 90s.
|
| News to me. O:-)
|
Their system tools were increasingly bloated and
the "doctor" was of no real value.
They also have a trdition of buying up top-ed
software gutting it.

Quarterdeck Clean Sweep -- Started out as a program
that could back up virtually any installed program into
a portable, installable package. Symantec bought it
and put it into their system works as a useless tool.

AtGuard -- The first really good Windows firewall. Arguably
still the best. Symantec licensed it, repackaged it as
their own firewall, set 700+ programs to be allowed
through by default, doubled the price, and marketed
the hell out of it.

Powerquest disk utilities -- Symantec bought them
and gutted them, turning Drive Image (a floppy-
based disk imaging tool) into a useless, .Net-based,
bloated backup tool. (Not only my opinion. It was
widely panned in the tech media.)

It's a pattern. Buy the best. Gut it so that people
won't need tech support. Raise the price. Market
like crazy. They succeed on name recognition.
I wouldn't ever buy anything from Symantec and
haven't for many years. But I did buy each of the
original products above and loved them.


I used them on MsDOS, on Windows they were not that useful and I went
soon to Linux, so I lost contact.

For instance, the PCtools Backup software at that time was wonderful. On
a machine with two floppies it went so fast that I barely had time to
have the next floppy ready and label the used ones. No need to press a
key to say ready, it detected the floppies itself faster, using A: or B:
alternatively.

IIRC, Microsoft bought that tool in a reduced version for MsDOS 6, I
think. Or was it Norton Backup?


As I said, I lost contact, and I had no idea that they declined.


Not the first certificate issuer that goes bad, either.


| I used PCtools back then and it was a wonderful tool. I think I also
| used an antivirus from them at some point.
|

I think they weren't so bad in the early days.
I don't know any details about the company. I just know
their products went downhill. Maybe the company
was sold or restructured? I don't know.




--
Cheers, Carlos.

On 10/10/2018 18.02, J.O. Aho wrote:
On 10/10/18 2:46 PM, Carlos E.R. wrote:
On 10/10/2018 06.45, J.O. Aho wrote:
On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.

And you assume that they read those? Why?
Me, I found out this week.

I do, as it's important for my employer that our customer can access our
websites. I do spend at least 30 mins a day at work just browsing
through article subjects to see if there is something happening that
affects us. If you can't spend that time to keep yourself up to date
with information, then do you really care about your customers?

No, again, that does not follow. I'd pay someone with the knowledge to
put up the web. Or use a service out there to create my own web. Hey,
computers are just appliances, just like washing machines, they tell us.
I do not need to read how they work inside.

You are different, they pay you to do it.

--
Cheers, Carlos.

"Bobbie Sellers" wrote

| I dunno what you mean by a microwave chef?
| Maybe people who buy prepared food and warm it up
| in a microwave?
|
Yes.

| You can do a lot more than that with a microwave
| to produce delicious and edible food.

A little more. If you want to cook something
from scratch you won't be using a microwave.
For instance, a soup that needs to simmer and
will be adjusted as you go along. A microwave just
heats.
My very elderly father used to like to cook a whole
meal in a microwave. But there was something about
that dehydrated, cruchy cauliflower that made me
think steaming in a saucepan might have been a
better idea.

| There are different areas of knowledge and a person
| who knows art may not know much about computers and person
| who know computers may not know much about art or design.
| That is clearly evident from many otherwise interesting
| and informative sites which are painful to view.
|
Yes. And the fact that it's so easy to do makes
for a lot of people making sites who don't know
what they're doing security-wise. But to me the
people who are semi-skilled and want to load up
on javascript gadgets are much worse. The idea
that a site should degrade gracefully has been thrown
out by people who want to run javascript software in
your browser with 3-20 MB of code. Worse, they don't
actually understand any of that code. They just found
snippets to make menus pop up or animations play.
It's WYSIWYG scripting. Those are exactly the
kind of sites where script shouldn't be enabled.

I'm finding more and more that I visit a page and
it's blank. Or it's a jumble. They're trying to force script.
So then I disable CSS and I can read the page. But
the page I linked earlier was even worse. Basic HTML
that doesn't work without script. That problem is
increasing fast.

When they used script for rollover effects it could
be ignored, but now we're getting very close to an
Internet composed of software rather than webpages,
that must use script because that's actually all that's
in the page.

When every page you visit is a software program,
running locally, and infested by the likes of Google,
as well as a dozen other trackers, https seems like a
quaint idea. Who's left to be private from, other than
a possible man-in-the-middle attack? Some malware
even loads through ad iframes, with people buying
ad space to get into your browser. None of that is
protected by https.

On 2018-10-10, Carlos E.R. wrote:
On 10/10/2018 18.02, J.O. Aho wrote:
On 10/10/18 2:46 PM, Carlos E.R. wrote:
On 10/10/2018 06.45, J.O. Aho wrote:
On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.

And you assume that they read those? Why?
Me, I found out this week.

I do, as it's important for my employer that our customer can access our
websites. I do spend at least 30 mins a day at work just browsing
through article subjects to see if there is something happening that
affects us. If you can't spend that time to keep yourself up to date
with information, then do you really care about your customers?

No, again, that does not follow. I'd pay someone with the knowledge to
put up the web. Or use a service out there to create my own web. Hey,
computers are just appliances, just like washing machines, they tell us.
I do not need to read how they work inside.

And as with all services there are competent people out there, and
incompetent ones. If you pay one of the incompetent ones, I can feel
sorry for you if your car/washing machine/roof/web page breaks due to
shoddy work, but am neither surpized nor am I terribly sympathetic with
your blaming the road/laundry soap/weather/browser for your problems.



You are different, they pay you to do it.

You pay others so it would seem you should be even more concerned with
the competence of those you pay.

On 10/10/18 7:26 PM, Carlos E.R. wrote:
On 10/10/2018 18.02, J.O. Aho wrote:
On 10/10/18 2:46 PM, Carlos E.R. wrote:
On 10/10/2018 06.45, J.O. Aho wrote:
On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.

And you assume that they read those? Why?
Me, I found out this week.

I do, as it's important for my employer that our customer can access our
websites. I do spend at least 30 mins a day at work just browsing
through article subjects to see if there is something happening that
affects us. If you can't spend that time to keep yourself up to date
with information, then do you really care about your customers?

No, again, that does not follow. I'd pay someone with the knowledge to
put up the web. Or use a service out there to create my own web. Hey,
computers are just appliances, just like washing machines, they tell us.
I do not need to read how they work inside.

So you hire who ever, don't care if they are "experts" or some stranger
from the streets of Calcutta? You know you get what you pay for,
spending a buck or two and you get ****.


You are different, they pay you to do it.

Sure I get paid, in the same way as the one you hire to setup your web site.

--

//Aho

On 2018-10-10, Mayayana wrote:
"Bobbie Sellers" wrote

| I dunno what you mean by a microwave chef?
| Maybe people who buy prepared food and warm it up
| in a microwave?
|
Yes.

| You can do a lot more than that with a microwave
| to produce delicious and edible food.

A little more. If you want to cook something
from scratch you won't be using a microwave.
For instance, a soup that needs to simmer and
will be adjusted as you go along. A microwave just
heats.

So does a stove just heat.
The key thing a microwave cannot do is to dry out the surface and
initiate the browning reaction just in the surface.

My very elderly father used to like to cook a whole
meal in a microwave. But there was something about
that dehydrated, cruchy cauliflower that made me
think steaming in a saucepan might have been a
better idea.

You can steam in a microwave as well.

"William Unruh" wrote

| For instance, a soup that needs to simmer and
| will be adjusted as you go along. A microwave just
| heats.
|
| So does a stove just heat.

A microwave makes food hot by shaking molecules.
A stove is used to apply heat in measured ways.
It's not the same thing. That's obvious in the different
smells and textures of food cooked each way.

I seem to have accidentally maligned the "Healthy
Choice" crowd here. The Front Page fans of the kitchen?

If you think a microwave only lacks browning then
I'm afraid you don't know how to cook... or eat... or
both. But you can eat as you like. Don't bother to invite
me over for your 120 second lamb stew, or your
spaghetti sauce that somehow magically steeps fresh
herbs in only 27 seconds. I'm not in that much of a
hurry.

Interesting tangent that you may know about:
Microsoft's Nathan Myhrvold got very wrapped up
in cooking as a discipline of chemistry, coming up
with very detailed techniques for preparing various
foods with effects on the molecular level just so.
He gets deeply into how and why specific chemcial
changes make food delicious.
I read that he came up with some very good recipes,
apparently taking the approach that cooking can be
as much a science as an art. But I haven't actually
seen the book.

On 2018-10-10, Mayayana wrote:
"William Unruh" wrote

| For instance, a soup that needs to simmer and
| will be adjusted as you go along. A microwave just
| heats.
|
| So does a stove just heat.

A microwave makes food hot by shaking molecules.
A stove is used to apply heat in measured ways.
It's not the same thing. That's obvious in the different
smells and textures of food cooked each way.

So does a stove make things hot by shaking molecules.
As i said, a microwave does not dry out and begin to burn the surface of
the food (which gives smells and textures you mention).

I seem to have accidentally maligned the "Healthy
Choice" crowd here. The Front Page fans of the kitchen?

If you think a microwave only lacks browning then
I'm afraid you don't know how to cook... or eat... or
both. But you can eat as you like. Don't bother to invite
me over for your 120 second lamb stew, or your
spaghetti sauce that somehow magically steeps fresh
herbs in only 27 seconds. I'm not in that much of a
hurry.

No worries. I was not planning to invite you.