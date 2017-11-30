Become a fan of Slashdot on Facebook

 


Kieren McCarthy, writing for The Register: Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished. Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection." How come? It's thanks to a recent commit to Chromium that has been included in the latest version of Google Chrome. As developers update their browsers, they may find themselves booted out their own systems. Under the commit, Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via a HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.

  • This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.

    I think you mean "unwelcome" and "for greater tracking accuracy".

    There is little reason for HTTPS to be used for much if not most of the content on the internet. There are reasons to use caching and defeat endpoint trackers, though.

    • Bullshit. There is plenty of reason to use HTTPS and eschew HTTP. For one thing it eliminates the need to explain to laypersons, which is most people, how to tell the difference. This reason alone justified it. Worries about snooping and government spying are just icing on the cake.

    • I am not rightly able to apprehend what kind of confusion of ideas could provoke such a statement.

      HTTP is plain-text, and easy to read in-flight. There are fewer browser restrictions around cross-domain access to HTTP. Tracking HTTP is easy.

      HTTPS is encrypted, and has a lot of browser restrictions to prevent cross-domain access. It's harder to make embedded IFrame tracking bugs work with HTTPS.

      • Re: (Score:2)

        by arth1 ( 260657 )

        HTTP is plain-text, and easy to read in-flight. There are fewer browser restrictions around cross-domain access to HTTP. Tracking HTTP is easy.

        HTTPS hides what is sent from middle men.
        HTTP allows hiding who accesses the endpoint from the endpoint itself.

        These days, the endpoints being monitored and users tracked, quite often by Google (and thus by extension TLAs with access to Google), is a hell of a lot bigger problem than man-in-the-middle.

      • It's harder to make embedded IFrame tracking bugs work with HTTPS.
        Sorry, that is not really plausible.

        What has HTTP/HTTPS to do with HTML?

    • The #1 reason to use HTTPS everywhere is that it adds a lot of noise, which is non-trivial in relation to thwarting a potential eavesdropper. If you know anything encrypted is worth snooping on (as it was years ago and still is to some degree) then you know where to focus your efforts. On the other hand, if EVERYTHING is encrypted at all times then you have to have some foreknowledge of what you are looking for in order to start looking. A fully encrypted web is inherently a much more secure web, if noth

      • Re: (Score:2)

        by arth1 ( 260657 )

        The #1 reason to use HTTPS everywhere is that it adds a lot of noise, which is non-trivial in relation to thwarting a potential eavesdropper.

        The problem is that these days, the eavesdropper sits on the server, and HTTPS does nothing to prevent that. It only provides the eavesdropper on the server with unique session information so they can log who accessed content.
        It also largely[*] defeats proxy caching so they can easier enforce that it is accessed individually by each user -- all in order to better monitor users.

        That is a much bigger problem than eavesdropping. You can (to some degree) choose your ISP, or use VPNs, but you cannot excise gr

  • Fuck off with this security bullshit. (Score:5, Interesting)

    by Anonymous Coward on Thursday November 30, 2017 @12:33PM (#55651363)

    We got hit by this, and promptly rolled back our browser versions. They're internal fucking development systems for fuck's sake, they're allowed to be insecure if **WE** want them to be.

    I'm so sick and tired of dealing with this fucking nanny state of modern day technology where some dipshit developer thinks they know best, and they're just going to outright disable a feature that worked perfectly fine before.

    So on behalf of all the developers at my company, fuck you Google. Keep it up, and we'll actually be inclined to go out of our way to strip out your shit and replace it with something else (which I'm told we're probably doing, given the lack of options to override this behaviour).

    • Re: (Score:1)

      by Anonymous Coward

      what kind of idiot would invent their own false tld to make this a problem?!

    • You don't own the .dev tld!

      • Re: (Score:2)

        by arth1 ( 260657 )

        You don't own the .dev tld!

        On a private network, yes, you do.
        You don't own it on the Internet, but on your own network, you own every domain and TLD.

    • That, and its really fucking easy and free to configure SSL everywhere these days. Stop whining.

      • So, how do you configure HP switches to accept a wildcard certificate? I haven't been able to figure it out. Wireless routers - yes. HP switches no.

      • Re: (Score:2)

        by sjames ( 1099 )

        No, it's not. For one, the ludicrously short expiration times on free certs is just silly, especially for a damned INTERNAL only system. Two, the verification process doesn't actually work when the INTRERNAL ONLY server cannot be accessed externally.

        Why not let the user decide? At least let the user decide that self-signed certs are OK without some crazy procedure akin to reciting the pledge of allegiance backwards while hopping on one foot, rubbing your belly and patting your head at the same time.

        I'm not

    • I keep all my internal dev servers on https, as our developers have tended to hard-code HTTP and then complain about cross-domain forwarding restrictions when I redirect to HTTPS in the production server.

    • Sorry but my sympathy is thin on this topic -- this is DNS 101. This isn't Google forcing you to be secure. Don't use a domain name you don't own.

      I think most of us know about the IP block 10.x and 192.168.x.x --- and I know not to use somebody else's IP range (e.g. don't use 3.x.x.x) And I knew enough about DNS not to make domains up - we had the same need years ago, private domain for testing, and I was stumped until somebody showed me that .local was reserved for this purpose so we built out a QA l

    • So on behalf of all the developers at my company, fuck you Google. Keep it up

      On behalf of all the developers outside your company, great work Google. Keep it up.

      Nanny states develop in an attempt to shield idiots from themselves. If you were affected by this there's a good chance you're part of the problem.

  • Don't use spyware posing as a web browser.

  • If I want to set up a development system on an air-gapped network, I don't really want to deal with the bullshit and the fragility of having certificates up to date. Especially if set air-gapped network is used for controlling machinery or other specialized equipment. Repeat after me: the computer shall do what it's told by its owner, not what some desk jockey in California thinks it should do.

  • Because you didn't use a reserved TLD you numpty. The same people probably use non-private subnets for their internal networks and then wonder why some websites that had the audacity to use that IP don't work...

  • As a web developer, this really isn't an issue, always use HTTPS even internally. The only way you'd really be locked out is if you didn't follow smart practices.
  • I prefer to use .local for my internal network. Problem solved.
  • So if I understand this correctly, I can't use .dev internally even if my local DNS resolves a domain because Chrome will want a cert?

    Okay... I understand using .dev maybe wasn't the best idea. So what's the alternative?
    • .test
    • use my own domain

    Is using .test a drop in replacement? Basically I'd like something that can't accidentally leak requests on the Internet. And I *DO NOT* want to use HTTPS/certs internally for development because it's a pain in situations where I'd currently resort to Wireshark to

