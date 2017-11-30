Wondering Why Your Internal
.dev Web App Has Stopped Working? (theregister.co.uk)
Kieren McCarthy, writing for The Register: Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished. Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection." How come? It's thanks to a recent commit to Chromium that has been included in the latest version of Google Chrome. As developers update their browsers, they may find themselves booted out their own systems. Under the commit, Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via a HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.
This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.
I think you mean "unwelcome" and "for greater tracking accuracy".
There is little reason for HTTPS to be used for much if not most of the content on the internet. There are reasons to use caching and defeat endpoint trackers, though.
Truth is most compromises start as a phishing email. Will HTTPS stop the email? No. Will HTTPS stop a network email scanner from detecting malicious links in the email? Yes. Will HTTPS stop a malware scanner from analyzing a mali
I am not rightly able to apprehend what kind of confusion of ideas could provoke such a statement.
HTTP is plain-text, and easy to read in-flight. There are fewer browser restrictions around cross-domain access to HTTP. Tracking HTTP is easy.
HTTPS is encrypted, and has a lot of browser restrictions to prevent cross-domain access. It's harder to make embedded IFrame tracking bugs work with HTTPS.
HTTP is plain-text, and easy to read in-flight. There are fewer browser restrictions around cross-domain access to HTTP. Tracking HTTP is easy.
HTTPS hides what is sent from middle men.
HTTP allows hiding who accesses the endpoint from the endpoint itself.
These days, the endpoints being monitored and users tracked, quite often by Google (and thus by extension TLAs with access to Google), is a hell of a lot bigger problem than man-in-the-middle.
It's harder to make embedded IFrame tracking bugs work with HTTPS.
Sorry, that is not really plausible.
What has HTTP/HTTPS to do with HTML?
The #1 reason to use HTTPS everywhere is that it adds a lot of noise, which is non-trivial in relation to thwarting a potential eavesdropper.
The problem is that these days, the eavesdropper sits on the server, and HTTPS does nothing to prevent that. It only provides the eavesdropper on the server with unique session information so they can log who accessed content.
It also largely[*] defeats proxy caching so they can easier enforce that it is accessed individually by each user -- all in order to better monitor users.
That is a much bigger problem than eavesdropping. You can (to some degree) choose your ISP, or use VPNs, but you cannot excise gr
Fuck off with this security bullshit. (Score:5, Interesting)
We got hit by this, and promptly rolled back our browser versions. They're internal fucking development systems for fuck's sake, they're allowed to be insecure if **WE** want them to be.
I'm so sick and tired of dealing with this fucking nanny state of modern day technology where some dipshit developer thinks they know best, and they're just going to outright disable a feature that worked perfectly fine before.
So on behalf of all the developers at my company, fuck you Google. Keep it up, and we'll actually be inclined to go out of our way to strip out your shit and replace it with something else (which I'm told we're probably doing, given the lack of options to override this behaviour).
what kind of idiot would invent their own false tld to make this a problem?!
You don't own the
.dev tld!
You don't own the
.dev tld!
On a private network, yes, you do.
You don't own it on the Internet, but on your own network, you own every domain and TLD.
That, and its really fucking easy and free to configure SSL everywhere these days. Stop whining.
So, how do you configure HP switches to accept a wildcard certificate? I haven't been able to figure it out. Wireless routers - yes. HP switches no.
No, it's not. For one, the ludicrously short expiration times on free certs is just silly, especially for a damned INTERNAL only system. Two, the verification process doesn't actually work when the INTRERNAL ONLY server cannot be accessed externally.
Why not let the user decide? At least let the user decide that self-signed certs are OK without some crazy procedure akin to reciting the pledge of allegiance backwards while hopping on one foot, rubbing your belly and patting your head at the same time.
I'm not
Sorry but my sympathy is thin on this topic -- this is DNS 101. This isn't Google forcing you to be secure. Don't use a domain name you don't own.
I think most of us know about the IP block 10.x and 192.168.x.x --- and I know not to use somebody else's IP range (e.g. don't use 3.x.x.x) And I knew enough about DNS not to make domains up - we had the same need years ago, private domain for testing, and I was stumped until somebody showed me that
.local was reserved for this purpose so we built out a QA l
So on behalf of all the developers at my company, fuck you Google. Keep it up
On behalf of all the developers outside your company, great work Google. Keep it up.
Nanny states develop in an attempt to shield idiots from themselves. If you were affected by this there's a good chance you're part of the problem.
Don't use spyware posing as a web browser.
Because you didn't use a reserved TLD you numpty. The same people probably use non-private subnets for their internal networks and then wonder why some websites that had the audacity to use that IP don't work...
Okay... I understand using
Is using
Is using .test a drop in replacement? Basically I'd like something that can't accidentally leak requests on the Internet. And I *DO NOT* want to use HTTPS/certs internally for development because it's a pain in situations where I'd currently resort to Wireshark to