With Chrome 70, hundreds of popular websites are about to break

On 10/10/2018 20.12, J.O. Aho wrote:
On 10/10/18 7:26 PM, Carlos E.R. wrote:
On 10/10/2018 18.02, J.O. Aho wrote:
On 10/10/18 2:46 PM, Carlos E.R. wrote:
On 10/10/2018 06.45, J.O. Aho wrote:
On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.

And you assume that they read those? Why?
Me, I found out this week.

I do, as it's important for my employer that our customer can access our
websites. I do spend at least 30 mins a day at work just browsing
through article subjects to see if there is something happening that
affects us. If you can't spend that time to keep yourself up to date
with information, then do you really care about your customers?

No, again, that does not follow. I'd pay someone with the knowledge to
put up the web. Or use a service out there to create my own web. Hey,
computers are just appliances, just like washing machines, they tell us.
I do not need to read how they work inside.

So you hire who ever, don't care if they are "experts" or some stranger
from the streets of Calcutta? You know you get what you pay for,
spending a buck or two and you get ****.

No, I assume they are competent in their field. Who says I hire a
nobody, you? They come with college or university degrees and years of
experience.

You are different, they pay you to do it.

Sure I get paid, in the same way as the one you hire to setup your web site.



--
Cheers, Carlos.

On 10/10/2018 22.22, Andreas Kohlbach wrote:
On Wed, 10 Oct 2018 06:45:40 +0200, J.O. Aho wrote:

On 10/10/18 12:18 AM, Grant Taylor wrote:

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.
If you manage to miss this for a such long time, you don't really care
about anything, you just have a certificate as everyone else has it or
there is a regulation that mandates you to have one without really
knowing why. IMHO it's the same as not caring.

Many don't care and that is okay in my opinion. You also DON'T check
with your car dealer if there is a recall or something as customer. You
will get informed if that happens.

If you are a big corporation then you have a webmaster who likely will
learn about this.

But if you are a small business you might be you own webmaster and not
look up what's going on with certs and other webmaster stuff. You expect
you will get informed.

What IMO should had happened is that cert issuers inform their customers
what is about to hit them. They take care of it or inform their customers
what is about to come. Going down the chain until the last authority who
deals with certificates updates them.

Exactly...

It is like telling someone that owns a car that he should know that this
particular brand of oil is bad for the car.

--
Cheers, Carlos.

On 10/10/2018 16.31, Mayayana wrote:
"Carlos E.R." wrote

| They pull in a 4.4 MB js file just to do basic things
| like load pages from an anchor tag. The internal
| links don't work without script! The script is coming
| from Cloudfront. They also have Google-Analytics code.
| So both Google and Amazon would be tracking me if
| I allowed script.
|
| Is it not possible that those scripts are placed there by some web
| designer tool kit out there? You just place the visual things and you
| get all the crap besides?
|

Might be. But it's deeply integrated. Either way:
A webmaster with a WYSIWYG toolkit or a webmaster
collecting js libraries and code snippets because it's
trendy. So many sites now are broken with script
and load several MBs worth of that stuff. I think a
lot of it is "widgets" that only require simple coding
but must have the "library" loaded to use that code.
In other words, webmasters who don't actually know
how to code what they want.

But stuff like Google Analytics and Google tag manager
are separate snippets, deliberately added to the page.
The site I detailed had Google Analytics, probably
because they don't know how to process their own
server logs to track visitors. So they let Google
spy in exchange for a traffic report.

I know of small sites that simply hire the space somewhere, and it is
the hosters who puts the commercials, not the person that wrote the
site, the real content. And nowdays having commercials to make some
revenue and pay the hosting means all the google things.


--
Cheers, Carlos.

On 2018-10-10, Andreas Kohlbach wrote:
On Wed, 10 Oct 2018 06:45:40 +0200, J.O. Aho wrote:

On 10/10/18 12:18 AM, Grant Taylor wrote:

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.
If you manage to miss this for a such long time, you don't really care
about anything, you just have a certificate as everyone else has it or
there is a regulation that mandates you to have one without really
knowing why. IMHO it's the same as not caring.

Many don't care and that is okay in my opinion. You also DON'T check
with your car dealer if there is a recall or something as customer. You
will get informed if that happens.

If you are a big corporation then you have a webmaster who likely will
learn about this.

But if you are a small business you might be you own webmaster and not
look up what's going on with certs and other webmaster stuff. You expect
you will get informed.

What IMO should had happened is that cert issuers inform their customers
what is about to hit them. They take care of it or inform their customers
what is about to come. Going down the chain until the last authority who
deals with certificates updates them.

The cert issuer is incompetent. That is why they are being shut out.
You expect them to notify customers that they are incompetent?

On 10/10/18 13:55, Mayayana wrote:
Anyone who knows enough
to paste in Google tracking code has a basic idea
of what's going on.

No, they dont.

In genereal websites are generated by computer illiterate 'creatives'
who just use 'frameworks' of other peoples code and bugger with it till
it looks good enough to get paid for.

They have zero clue about code efficiency, privacy or whatever. They
just use a template to include google **** because the customer asked
them to because *she* gets money and stats for so doing, and SHE doesnt
have a clue either.


--
"First, find out who are the people you can not criticise. They are your
oppressors."
- George Orwell

On 10/10/18 15:10, Carlos E.R. wrote:
On 10/10/2018 14.55, Mayayana wrote:


Last night I visited a site I found in a Michael
Pollan book: csp.org. Council on Spiritual Practices.
They're some kind of clearing house for ideas about
psychedelic drugs and religious experience. Sounded
interesting. It's people who want to experience life
more fully, deeply and joyfully. And they think there
might be a correlation between what chemicals like
psilocybin do and what advanced meditation
techniques do. A bit of a 60s, consumer-goes-
shopping-for-spirituality-on-sale rehash. But I was
curious what they're up to. Ironically, their webpage
was entirely broken. Entirely unnecessarily. And they
don't care about your privacy.

They pull in a 4.4 MB js file just to do basic things
like load pages from an anchor tag. The internal
links don't work without script! The script is coming
from Cloudfront. They also have Google-Analytics code.
So both Google and Amazon would be tracking me if
I allowed script.

Is it not possible that those scripts are placed there by some web
designer tool kit out there? You just place the visual things and you
get all the crap besides?

Exactly.

Wordpress, Joomla, et al. You import their **** and you build using high
level tools that rely on low level libraries that are often not even
hosted on your server.




--
"Nature does not give up the winter because people dislike the cold."

― Confucius

On 11/10/2018 15.24, Mayayana wrote:
"The Natural Philosopher" wrote

| Anyone who knows enough
| to paste in Google tracking code has a basic idea
| of what's going on.
|
| No, they dont.
|
| In genereal websites are generated by computer illiterate 'creatives'
| who just use 'frameworks' of other peoples code

I think we all agree on that. As you clearly put it
above, they're pulling in vast piles of external code.
Its changing the definition of a webpage. But adding
Google Analytics is a couple of lines that one specifically
pastes in to get Google visitor reports. Pasting in
Google Tag Manager is specifically done as part of
advertising strategies. Those are not the same as
the gobs of so-called libraries used to add pizzazz
by WYSIWYG webmasters.

In the example I gave, the page writer is using
overproduced crap from Amazon, probably for the
reason you detailed: They can make it look professional
with a WYSIWYG editor tool. But they also, separately,
added Google Analytics for tracking. That doesn't just
show up by accident because people don't know what
they're doing. It shows up because they want visitor
tracking and don't care about your privacy.

Not necessarily. Maybe they think different about privacy and don't
consider it important.

Like not thinking that doing this:


"By choosing "I agree" below, you agree that NPR's sites use cookies,
similar tracking and storage technologies, and information about the device
you use to access our sites to enhance your viewing, listening and user
experience, personalize content, personalize messages from NPR's sponsors,
provide social media features, and analyze NPR's traffic. This information
is shared with social media services, sponsorship, analytics and other
third-party service providers."

.... harms your privacy. After all, they are not asking for a nude photo
of you.

--
Cheers, Carlos.

"Carlos E.R." wrote

| It shows up because they want visitor
| tracking and don't care about your privacy.
|
| Not necessarily. Maybe they think different about privacy and don't
| consider it important.
|

Well, I guess I can't disagree with someone
who argues with me by asserting my own point.
I think you missed your calling in the field of law.

On 10/11/2018 2:40 PM, Andreas Kohlbach wrote:
On Wed, 10 Oct 2018 21:14:17 -0000 (UTC), William Unruh wrote:

On 2018-10-10, Andreas Kohlbach wrote:
On Wed, 10 Oct 2018 06:45:40 +0200, J.O. Aho wrote:

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.
If you manage to miss this for a such long time, you don't really care
about anything, you just have a certificate as everyone else has it or
there is a regulation that mandates you to have one without really
knowing why. IMHO it's the same as not caring.

Many don't care and that is okay in my opinion. You also DON'T check
with your car dealer if there is a recall or something as customer. You
will get informed if that happens.

If you are a big corporation then you have a webmaster who likely will
learn about this.

But if you are a small business you might be you own webmaster and not
look up what's going on with certs and other webmaster stuff. You expect
you will get informed.

What IMO should had happened is that cert issuers inform their customers
what is about to hit them. They take care of it or inform their customers
what is about to come. Going down the chain until the last authority who
deals with certificates updates them.

The cert issuer is incompetent. That is why they are being shut out.
You expect them to notify customers that they are incompetent?

I understood that you, me and 70 year old grandma Gladys must know that
the ISP of their private web site hasn't updated the certificate and take
action like moving it elsewhere.

As much as I agree with Chrome's need to do this I feel that way too
many of the older crowd are going to see it as a failure of Chrome.

Who knows how many people are going to switch to what ever browser lets
them still access the sites they are used to...

On 2018-10-11, Andreas Kohlbach wrote:
On Wed, 10 Oct 2018 21:14:17 -0000 (UTC), William Unruh wrote:

On 2018-10-10, Andreas Kohlbach wrote:
On Wed, 10 Oct 2018 06:45:40 +0200, J.O. Aho wrote:

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.
If you manage to miss this for a such long time, you don't really care
about anything, you just have a certificate as everyone else has it or
there is a regulation that mandates you to have one without really
knowing why. IMHO it's the same as not caring.

Many don't care and that is okay in my opinion. You also DON'T check
with your car dealer if there is a recall or something as customer. You
will get informed if that happens.

If you are a big corporation then you have a webmaster who likely will
learn about this.

But if you are a small business you might be you own webmaster and not
look up what's going on with certs and other webmaster stuff. You expect
you will get informed.

What IMO should had happened is that cert issuers inform their customers
what is about to hit them. They take care of it or inform their customers
what is about to come. Going down the chain until the last authority who
deals with certificates updates them.

The cert issuer is incompetent. That is why they are being shut out.
You expect them to notify customers that they are incompetent?

I understood that you, me and 70 year old grandma Gladys must know that
the ISP of their private web site hasn't updated the certificate and take
action like moving it elsewhere.

All I am saying is that it is not to the cert issuer that one should
look for a solution, or even notification. Maybe your web host is.

On 11/10/2018 20.12, Mayayana wrote:
"Carlos E.R." wrote

| It shows up because they want visitor
| tracking and don't care about your privacy.
|
| Not necessarily. Maybe they think different about privacy and don't
| consider it important.
|

Well, I guess I can't disagree with someone
who argues with me by asserting my own point.
I think you missed your calling in the field of law.

Well, English is not my first language, maybe I misunderstood.

--
Cheers, Carlos.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 11 Oct 2018 09:24:30 -0400
"Mayayana" wrote:


I'm periodically getting a redirect from NPR.org to a
page that insists I choose to allow them to spy on me.


Have you tried:

o https://thin.npr.org

It's a no-graphics, no-script, text-only version of the NPR website
that was set up for use during the hurricane season when many viewers'
Internet bandwidth was likely to be severely restricted during bad
weather and recovery from it.

- --
.. Be Seeing You,
.. Chuck Rhode, Sheboygan, WI, USA
.. Weather: http://LacusVeris.com/WX
.. 38° — Wind WNW 8 mph — Sky overcast.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlvBSskACgkQYNv8YqSjllLRsQCeMle2dm/DRs8e3vkjGjYDu7sg
1q4An3+qc+i+B4tGvY3ilpEQJf2AAJD9
=djBx
-----END PGP SIGNATURE-----

"Chuck Rhode" wrote

|
| I'm periodically getting a redirect from NPR.org to a
| page that insists I choose to allow them to spy on me.
|
| Have you tried:
|
| o https://thin.npr.org
|
| It's a no-graphics, no-script, text-only version of the NPR website
| that was set up for use during the hurricane season when many viewers'
| Internet bandwidth was likely to be severely restricted during bad
| weather and recovery from it.
|

Actually a text-only version is the option for anyone
who doesn't want to accept the spying. Your link
redirects to it: text.npr.org. There are two buttons on
their "please accept our spying" page. One, requiring
script, is to agree to spying. The other, to reject
spying, sends one to the blank page with about 8 plain
links. Each link then goes to a text-only story page.

That's not really so bad. Most of the pictures used on
news sites are of little or no value to the story. At best,
on a major news site, a story about Trump will probably
at least have a picture of Trump. So it *seems* sort of
visual. Often it's not relevant at all. An article at a tech
site about, say, Microsoft might just have a photo of
a keyboard -- something easy and royalty-free to make it
look like the article comes with pictures. But it really
doesn't.
And I often end up turning off CSS on sites because the
design of most has become horrendous. With 18-20px text
and triple spacing, many sites are all but unreadable without
CSS disabled.

But still, NPR's dual option feels like a bit of a tantrum
on their part:
"Oh, you don't like spying? OK, wiseguy. See how you like
this stripped down version!" Apparently they hope people
will relent and decide they'd rather allow spying than to
be cast into the dreary graphical world of Internet circa
1996.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 12 Oct 2018 22:05:55 -0400
"Mayayana" wrote:


the dreary graphical world of Internet circa 1996.


Hah! I was surprised how good Navigator looked compared to
green-screen terminals. I still am.

We ought to remember where we've been and offer a little tribute to
our forebearers from time to time. After all, *html* was the basis
for all that has come along since. Somebody needs to close the circle
and make plain gray backgrounds fashionable again.

- --
.. Be Seeing You,
.. Chuck Rhode, Sheboygan, WI, USA
.. Weather: http://LacusVeris.com/WX
.. 28° — Wind SSW 3 mph

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlvB5+QACgkQYNv8YqSjllIcygCdGY76MxF8iI 7wplU4+zEPwQOr
BVkAnirIJE56sgq6mgT4gztfnaZnCwEL
=1X7g
-----END PGP SIGNATURE-----

"Chuck Rhode" wrote
|
| the dreary graphical world of Internet circa 1996.
|
| Hah! I was surprised how good Navigator looked compared to
| green-screen terminals. I still am.
|
| We ought to remember where we've been and offer a little tribute to
| our forebearers from time to time. After all, *html* was the basis
| for all that has come along since. Somebody needs to close the circle
| and make plain gray backgrounds fashionable again.
|

Yes. I wouldn't mind a bit if no-nonsense design
became fashionable. But no-nonsense design doesn't
have to be bad design, or lack of it. Actually, I see
very little in terms of design these days. It's more
like a sales flyer meets Miracle Mile: Lots of white
space, imprudent font properties, pages that break
without script, and *lots* of flashing lights and
jumping around if script is enabled.

I've even had to block a lot of CSS just to stop
pointless movement while I'm trying to read. I've
got all this in my userContent.css file for Firefox
and Pale Moon:

/* stop CSS animation */

* {transform: none !important;
-moz-transform: none !important;
transition-property: none !important;
-moz-transition-property: none !important;
-moz-transition-duration: none !important;
animation: none !important;
-moz-animation: none !important;
-webkit-animation: none !important;}

:before {display: none !important;}
:after {display: none !important;}

The top section was mostly to stop forced
slideshows. The latter two lines are to stop
clever inventions like jiggling, chartreuse ooze
wrapping text characters.

But with their text-only page NPR have gone out
of their way to make it unattractive. There's no CSS
at all, link lines are jammed up next to each other
vertically, and unlike the normal page, there's no
blurb describing each link. None of that needs to be
left out for a text-only version. A 1 KB page can afford
to be 2 KB. If someone on a slow connection can load
a 100 KB article they can certainly handle 1 KB of
formatting and descriptions on the homepage. It's just
spiteful on the part of NPR. And probably deliberately
misleading -- hoping that people will be fooled into
believing that what they're presenting is the inevitable
result of eliminating "modern technologies" like script,
cookies and spying.