1. 10

    We compete with Google not because it’s a good business opportunity.

    Bear in mind that a lot of Mozilla’s Firefox revenue comes from Google. Mozilla competes with Google because Google lets them. I would speculate that’s to keep the semblance of an open “The Web”, the same way Microsoft paid to prop up Apple in the 1990s.

    1. 3

      There can be other revenue sources, Mozilla has had other partners in the previous years. If Google or Mozilla decides that that agreement is no longer interesting, there are other partners to work with. For example, some years ago it was Yahoo! who was paying.

      Personally, I’d like to see Mozilla going towards a more pulverized way of funding by people voluntarily contributing money to keep it afloat but I don’t think that with the current mindset of the web users this is viable.

      1. 4

        Personally, I’d like to see Mozilla going towards a more pulverized way of funding by people voluntarily contributing money

        That’s more or less the 2019 plan. If you want to support us, there will be a way to “subscribe”. I hope more people realize how important this is, but I also understand your skepticism.

        1. 1

          I already support with yearly donations and I am also a Mozilla TechSpeaker and Rep. ;-) doing what I can for the web ecosystem.

          1. 1

            Could you go into that some more (if you’re able)?

            1. 2
              1. if you’re interested in purchasing a VPN, you can start buying it through Mozilla and send a few dollars in the right direction. See https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/
              2. follow our blogs or get a Firefox account and I’m sure you’ll get mail about this :)
        2. 1

          With all the criticism that I and others have with Mozilla, I found that their strategy around funding has been very clever in the recent years. They have played their position as a neutral player very well. Google funds them to keep others from funding them, not as a smoke screen.

        1. 81

          I beg all my fellow crustaceans to please, please use Firefox. Not because you think it’s better, but because it needs our support. Technology only gets better with investment, and if we don’t invest in Firefox, we will lose the web to chrome.

          1. 59

            Not because you think it’s better

            But that certainly helps too. It is a great browser.

            • privacy stuff — the cookie container API for things like Facebook Container, built-in tracker blocker, various anti-fingerprinting things they’re backporting from the Tor Browser
            • honestly just the UI and the visual design! I strongly dislike the latest Chrome redesign >_<
            • nice devtools things — e.g. the CSS Grid inspector
            • more WebExtension APIs (nice example: only on Firefox can Signed Pages actually prevent the page from even loading when the signature check fails)
            • the fastest (IIRC) WASM engine (+ now in Nightly behind a pref: even better codegen backend based on Cranelift)
            • ongoing but already usable Wayland implementation (directly in the official tree now, not as a fork)
            • WebRender!!!
            1. 7

              On the other hand, WebSocket debugging (mostly frame inspection) is impossible in Firefox without an extension. I try not to install any extensions that I don’t absolutely need and Chrome has been treating me just fine in this regard[1].

              Whether or not I agree with Google’s direction is now a moot point. I need Chrome to do what I do with extensions.

              As soon as Firefox supports WebSocket debugging natively, I will be perfectly happy to switch.

              [1] I mostly oppose extensions because of questionable maintenance cycles. I allow uBlock and aXe because they have large communities backing them.

              1. 3

                Axe (https://www.deque.com/axe/) seems amazing. I know it wasn’t the focus of your post – but I somehow missed this when debugging an accessibility issue just recently, I wish I had stumbled onto it. Thanks!

                1. 1

                  You’re welcome!

                  At $work, we used aXe and NVDA to make our webcomponents AA compliant with WCAG. aXe was invaluable for things like contrast and missing role attributes.

                2. 3

                  WebSocket debugging (mostly frame inspection) is impossible in Firefox without an extension

                  Is it possible with an extension? I can’t seem to find one.

                  1. 1

                    I have never needed to debug WebSockets and see no reason for that functionality to bloat the basic browser for everybody. Too many extensions might not be a good thing but if you need specific functionality, there’s no reason to hold back. If it really bothers you, run separate profiles for web development and browsing. I have somewhat more than two extensions and haven’t had any problems.

                    1. 1

                      I do understand your sentiment, but the only extension that I see these days is marked “Experimental”.

                      On the other hand, I don’t see how it would “bloat” a browser very much. (Disclaimer: I have never written a browser or contributed to any. I am open to being proved wrong.) I have written a WebSockets library myself, and it’s not a complex protocol. It can’t be too expensive to update a UI element on every (websocket) frame.

                  2. 5

                    Yes! I don’t know about you, but I love the fact that Firefox uses so much less ram than chrome.

                    1. 2

                      This was one of the major reasons I stuck with FF for a long time. It is still a pronounced difference.

                    2. 3

                      honestly just the UI and the visual design! I strongly dislike the latest Chrome redesign >_<

                      Yeah, what’s the deal with the latest version of Chrome? All those bubbly menus feel very mid-2000’s. Everything old is new again.

                      1. 3

                        I found a way to go back to the old ui from https://www.c0ffee.net/blog/openbsd-on-a-laptop/ (it was posted here a few weeks ago):

                        Also, set the following in chrome://flags:

                        • Smooth Scrolling: (personal preference)
                        • UI Layout for the browser’s top chrome: set to “Normal” to get the classic Chromium look back
                        • Identity consistency between browser and cookie jar: set to “Disabled” to keep Google from hijacking any Google login to sign you into Chrome
                        • SafeSearch URLs reporting: disabled

                        (emphasis mine)

                      2. 1

                        The Wayland implementation is not usable quite yet, though, but it is close. I tried it under Sway, but it was crashy.

                        1. -3

                          Not really. Not to mention Pocket integration and recent vpn advertisement. Ah, and they have removed RSS support.

                          It’s just another product made by a for-profit corporation.

                          I think web got over-complicated. There are no usable truly independent browsers and probably will never be. It’s a read-only “opensource”.

                          1. 16

                            It’s just another product made by a for-profit corporation.

                            They (Mozilla) are actually a non-profit.

                            1. 2

                              There is also Mozilla corporation.

                              1. 12

                                …which is 100% owned by the Mozilla Foundation, and:

                                The Mozilla Corporation reinvests all of its profits back into the Mozilla projects.

                                Forming for-profit corporations is not uncommon for NGOs, because NGOs in many countries are severely legally limited in the amount of commercial activities they’re able to do.

                                1. 3

                                  Adding to that, funding FOSS software development is not considered 501(c)3-eligible in the US.

                            2. 5

                              I had the same impression with that over-complication of JS into ES6. CSS is also looking more like a programming language. HTTP/2 is now a binary protocol. So to have a modern web platform, you need to support all of these, and none are trivial anymore. On the other hand, I find it amazing to be able to do networking, audio, video, 3d and highly customizable user interfaces with (relatively) few efforts at a pretty good speed. As a platform for creativity and experimentation, it is without equivalent.

                              1. 2

                                without equivalent.

                                Java applets - done right?

                                1. 3

                                  Or Flash/Shockwave done openly and right?

                                  1. 4

                                    Both Java applets and Flash were actually more like trojan horses. See how Flash (very good scenegraph at the time) became Air (i.e. a tentative to take over the Web like Java) and thankfully died because Apple killed it with the iPhone. The intention was to run programs within a walled garden, not to interoperate with the Web at large. At least that’s how I read it.

                                    1. 4

                                      Good point on long-term risk. Do note I said Flash/Shockwave the tech. That was made by Macromedia, not Adobe. Macromedia was a company whose pricey tech was kick-ass but no attempt to be open or interoperate past maybe Dreamweaver. Catchy name many lay people could spell, too.

                                      I think Adobe acquiring them made me drop some F-bombs, sigh a bit, eye rolls, and so on. I knew there would be short-term improvements before the large company FUBARed its value over time. Apple’s position sealed its fate.

                                      1. 2

                                        Indeed, Macromedia had a much better stewardship than Adobe in this respect. What I find really ironic is that before the acquisition, Adobe was pushing SVG and SVG animations as an alternative to Flash, embracing and pushing the web standards. After the acquisition, everything stalled and it’s only with Apple creating the Canvas API and standardizing it through the newly created WHATWG that we started to catch up and be able to do so fast interactive graphics on the Web. What we lost, though, is one of the best tool to create vector animations with programmatic behaviour. One step ahead, two steps back some might say.

                                    2. 3

                                      I think the difference is that applets and flash were supposed to extend the web experience, new technologies are replacing it. It’s convenient but dangerous as it promotes monoculture. I don’t know if there is a safe middle ground.

                                      1. 5

                                        There is a lot being lost with the death of Flash. It was amazingly lightweight when it started out. You can take that Homestar Runner e-mail and the original Flash, resize it to 4k, and it will still render correctly and sharply. You can’t do that when you export animation to YouTube at a set resolution. Not to mention all the games that were made in Flash that we’ll lose soon.

                                        Adobe really butchered all the Macromedia stuff when they acquired that company. It’s pretty sad.

                                2. 2

                                  What does “removes RSS support” mean? Was it possible to use it as a feed reader before?

                                  1. 3

                                    Yeah, it was called “Live Bookmarks” and basically made your RSS feed subs show up in your bookmarks bar (or accessible from a page). It actually looked really neat, but I only found about it when/because they removed it.

                                    1. 10

                                      “Live Bookmarks” still exist, in Firefox 63.0.3 released on Nov 15th, 2018. I use them. Go to any RSS feed in FF and they will pop up. I use them for multiple Discourse forums.

                                        1. 1

                                          Ah, sad times, thanks for the link!

                                    2. -1

                                      Sure, using live bookmarks and integrated reader. But RSS collided with their new commercial and closed product namely Pocket.

                                      1. 4

                                        That’s not completely fair. I’m not sure if anything has happened yet, but Mozilla does have plans to open-source Pocket:

                                        As a result of this strategic acquisition, Pocket will become a wholly owned subsidiary of Mozilla Corporation and will become part of the Mozilla open source project.

                                3. 16

                                  I switched to Firefox last year, and I have to say I don’t miss Chrome in the slightest.

                                  1. 13

                                    And those with a little financial liberty, consider donating to Mozilla. They do a lot of important work for a free and open web.

                                    1. 10

                                      I recently came back to Firefox from Vivaldi. That’s another Chromium/Webkit based browser and it’s closed source to boot.

                                      Firefox has improved greatly in speed as of late and I feel like we’re back in the era of the mid-2000s, asking people to choose Firefox over Chrome this time instead of IE.

                                      1. 2

                                        I’d love to switch from Vivaldi, but it’s simply not an option given the current (terrible) state of vertical tab support in Firefox.

                                        1. 2

                                          How is it terrible? The hiding of the regular tab bar is not an API yet and you have to use CSS for that, sure, but there are some very good tree style tab webextensions.

                                          1. 2

                                            The extensions are all terrible – but what’s more important is that I lost the belief that any kind of vertical tab functionality has any chance of long-term survival. Even if support was added now, it would be a constant battle to keep it and I’m frankly not interested in such fights anymore.

                                            Mozilla is chasing their idealized “average user” and is determined to push everyone into their one-size-fits-all idea of user interface design – anyone not happy with that can screw off, if it was for Mozilla.

                                            It’s 2018 – I don’t see why I even have to argue for vertical tabs and mouse gestures anymore. I just pick a browser vendor which hasn’t been asleep on the wheel for the last 5 years and ships with these features out of the box.

                                            And if the web in the future ends up as some proprietary API defined by whatever Google Chrome implements, because Firefox went down, Mozilla has only itself to blame.

                                            1. 2

                                              The extensions are all terrible – but what’s more important is that I lost the belief that any kind of vertical tab functionality has any chance of long-term survival. Even if support was added now, it would be a constant battle to keep it and I’m frankly not interested in such fights anymore.

                                              The whole point of moving to WebExtensions was long term support. They couldn’t make significant changes without breaking a lot of the old extensions. The whole point was to unhook extensions from the internals so they can refactor around them and keep supporting them.

                                              1. 0

                                                That’s like a car manufacturer removing all electronics from a car – sure it makes the car easier to support … but now the car doesn’t even turn on anymore!

                                                Considering that cars are usually used for transportation, not for having them sit in the garage, you shouldn’t be surprised that customers buy other cars in the future.

                                                (And no, blaming “car enthusiasts” for having unrealistic expectations, like it happens in the case of browser users, doesn’t cut it.)

                                                1. 3

                                                  So you’d rather they didn’t improve it at all? Or would you rather they broke most extensions every release?

                                                  1. 3

                                                    I’m not @soc, but I wish Firefox had delayed their disabling of old-style extensions in Firefox 57 until they had replicated more of the old functionality with the WebExtensions API – mainly functionality related to interface customization, tabs, and sessions.

                                                    Yes, during the time of that delay, old-style extensions would continue to break with each release, but the maintainers of Tree Style Tabs and other powerful extensions had already been keeping up with each release by releasing fixed versions. They probably could have continued updating their extensions until WebExtensions supported their required functionality. And some users might prefer to run slightly-buggy older extensions for a bit instead of switching to the feature-lacking new extensions straight away – they should have that choice.

                                                    1. 1

                                                      What’s the improvement? The new API was so bad that they literally had to pull the plug on the existing API to force extension authors to migrate. That just doesn’t happen in cases where the API is “good”, developers are usually eager to adopt them and migrate their code.

                                                      Let’s not accuse people you disagree with that they are “against improvements” – it’s just that the improvements have to actually exist, and in this case the API clearly wasn’t ready. This whole fiasco feels like another instance of CADT-driven development and the failure of management to rein it in.

                                                      1. 3

                                                        The old extension API provided direct access to the JavaScript context of both the chrome and the tab within a single thread, so installing an XUL extension was disabling multiprocess mode. Multiprocess mode seems like an improvement; in old Firefox, a misbehaving piece of JavaScript would lock up the browser for about a second before eventually popping up a dialog offering to kill it, whereas in a multiprocess browser, it should be possible to switch and close tabs no matter what the web page inside does. The fact that nobody notices when it works correctly seems to make it the opposite of Attention-Deficient-Driven-Design; it’s the “focus on quality of implementation, even at the expense of features” design that we should be encouraging.

                                                        The logical alternative to “WebExtension For The Future(tm)” would’ve been to just expose all of the relevant threads of execution directly to the XUL extensions. run-this-in-the-chome.xul and run-this-in-every-tab.xul and message pass between them. But at that point, we’re talking about having three different extension APIs in Firefox.

                                                        Which isn’t to say that I think you’re against improvement. I am saying that you’re thinking too much like a developer, and not enough like the poor sod who has to do QA and Support triage.

                                                        1. 2

                                                          Improving the actual core of Firefox. They’re basically ripping out and replacing large components every other release. This would break large amount of plugins constantly. Hell, plugins wouldn’t even work in Nightly. I do agree with @roryokane that they should have tried to improve it before cutting support. The new API is definitely missing many things but it was the right decision to make for the long term stability of Firefox.

                                                          1. 1

                                                            They could have made the decision to ax the old API after extension authors adopted it. That adoption failed so hard that they had to force developers to use the new API speaks for itself.

                                                            I’d rather have extensions that I have to fix from time to time, than no working extensions at all.

                                                  2. 1

                                                    Why should Mozilla care that much about your niche use case? They already have a ton of stuff to deal with and barely enough funding.

                                                    It’s open source, make your own VerticalTabFox fork :)

                                                    1. 3

                                                      Eh … WAT? Mozilla went the extra mile with their recent extension API changes to make things – that worked before – impossible to implement with a recent Firefox version. The current state of tab extensions is this terrible, because Mozilla explicitly made it this way.

                                                      I used Firefox for more than 15 years – the only thing I wanted was to be left alone.

                                                      It’s open source, make your own VerticalTabFox fork :)

                                                      Feel free to read my comment above to understand why that doesn’t cut it.

                                                      Also, Stuff that works >> open source. Sincerely, a happy Vivaldi user.

                                                      1. 2

                                                        It’s one of the laws of the internet at this point: Every thread about Firefox is always bound to attract someone complaining about WebExtensions not supporting their pet feature that was possible with the awful and insecure old extension system.

                                                        If you care about “non terrible” (whatever that means — Tree Style Tab looks perfect to me) vertical tabs more than anything — sure, use a browser that has them.

                                                        But you seem really convinced that Firefox could “go down” because of not supporting these relatively obscure power user features well?? The “average user” they’re “chasing” is not “idealized”. The actual vast majority of people do not choose browsers based on vertical tabs and mouse gestures. 50% of Firefox users do not have a single extension installed, according to telemetry. The majority of the other 50% probably only have an ad blocker.

                                                        1. 3

                                                          If you care about “non terrible” (whatever that means — Tree Style Tab looks perfect to me) vertical tabs more than anything — sure, use a browser that has them.

                                                          If you compare the current state of the art of vertical tabs extensions, even Mozilla thinks they suck – just compare them to their own Tab Center experiment: https://testpilot.firefox.com/static/images/experiments/tab-center/details/tab-center-1.1957e169.jpg

                                                          Picking just one example: Having the navigation bar at a higher level of the visual hierarchy is just wrong – the tab panel isn’t owned by the navigation bar, the navigation bar belongs to a specific tab! Needless to say, all of the vertical tab extensions are forced to be wrong, because they lack the API to implement the UI correctly.

                                                          This is how my browser currently looks like, for comparison: https://i.imgur.com/5dTX8Do.png

                                                          But you seem really convinced that Firefox could “go down” because of not supporting these relatively obscure power user features well?? The “average user” they’re “chasing” is not “idealized”. The actual vast majority of people do not choose browsers based on vertical tabs and mouse gestures. 50% of Firefox users do not have a single extension installed, according to telemetry. The majority of the other 50% probably only have an ad blocker.

                                                          You can only go so far alienating the most loyal users that use Firefox for specific purposes until they stop installing/recommending it to their less technically-inclined friends and relatives.

                                                          Mozilla is so busy chasing after Chrome that it doesn’t even realize that most Chrome users will never switch. They use Chrome because “the internet” (www.google.com) told them so. As long as Mozilla can’t make Google recommend Firefox on their frontpage, this will not change.

                                                          Discarding their most loyal users while trying to get people to adopt Firefox who simply aren’t interested – this is a recipe for disaster.

                                                      2. 1

                                                        and barely enough funding

                                                        Last I checked they pulled in half a billion in revenue (2016). Do you believe this is barely enough?

                                                        1. 2

                                                          For hundreds of millions of users?

                                                          Yeah.

                                                    2. 1

                                                      At least with multi-row tabs in CSS you can’t dragndrop tabs. That’s about as bad as it gets.

                                                    3. 2

                                                      Are vertical tabs so essential?

                                                      1. 3

                                                        Considering the change in screen ratios over the past ten years (displays get shorter and wider), yes, it absolutely is.

                                                        With vertical tabs I can get almost 30 full-width tabs on screen, with horizontal tabs I can start fishing for the right tab after about 15, as the tab width gets increasingly smaller.

                                                        Additionally, vertical tabs reduce the way of travel substantially when selecting a different tab.

                                                        1. 1

                                                          I still miss them, didn’t cripple me, but really hurt. The other thing about Tree (not just vertical) tabs that FF used to have was that the subtree was contextual to the parent tree. So, when you opened a link in a background tab, it was opened in a new tab that was a child of your current tab. For doing like documentation hunting / research it was amazing and I still haven’t found its peer.

                                                      2. 1

                                                        It’s at least partially open source. They provide tarballs.

                                                        1. 4

                                                          https://help.vivaldi.com/article/is-vivaldi-open-source/

                                                          The chromium part is legally required to be open, the rest of their code is like readable source, don’t get me wrong that’s way better than unreadable source but it’s also very wut.

                                                          1. 2

                                                            Very wut. It’s a weird uneasy mix.

                                                            1. 1

                                                              that’s way better than unreadable source but it’s also very wut.

                                                              I wouldn’t be sure of that. It makes it auditable, but has legal ramifications should you want to build something like vivaldi, but free.

                                                        2. 8

                                                          firefox does not get better with investment, it gets worse.

                                                          the real solution is to use netsurf or dillo or mothra, so that webmasters have to come to us and write websites that work with browsers that are simple enough to be independently maintained.

                                                          1. 9

                                                            Good luck getting more than 1‰ adoption 😉

                                                            1. 5

                                                              good luck achieving independence from Google by using a browser funded by Google

                                                              1. 1

                                                                I can achieve independence from Google without using netsurf, dillo, or mothra; to be quite honest, those will never catch on.

                                                                1. 2

                                                                  can you achieve independence from google in a way that will catch on?

                                                                  1. 1

                                                                    I don’t think we’ll ever get the majority of browser share back into the hands of a (relatively) sane organization like Mozilla—but we can at least get enough people to make supporting alternative browsers a priority. On the other hand, the chances that web devs will ever feel pressured to support the browsers you mentioned, is close to nil. (No pun intended.)

                                                                    1. 0

                                                                      what is the value of having an alternative, if that alternative is funded by google and sends data to google by default?

                                                                      1. 1

                                                                        what is the value of having an alternative

                                                                        What would you like me to say, that Firefox’s existence is worthless? This is an absurd thing to insinuate.

                                                                        funded by google

                                                                        No. I’m not sure whether you’re speaking in hyperbole, misunderstood what I was saying, and/or altogether skipped reading what I wrote. But this is just not correct. If Google really had Mozilla by the balls as you suggest, they would coerce them to stop adding privacy features to their browser that, e.g., block Google Analytics on all sites.

                                                                        sends data to google by default

                                                                        Yes, though it seems they’ve been as careful as one could be about this. Also to be fair, if you’re browsing with DNT off, you’re likely to get tracked by Google at some point anyway. But the fact that extensions can’t block this does have me worried.

                                                                        1. 1

                                                                          i’m sorry if i misread something you wrote. i’m just curious what benefit you expect to gain if more people start using firefox. if everyone switched to firefox, google could simply tighten their control over mozilla (continuing the trend of the past 10 years), and they would still have control over how people access the web.

                                                                          1. 1

                                                                            It seems you’re using “control” in a very abstract sense, and I’m having trouble following. Maybe I’m just missing some context, but what concrete actions have Google taken over the past decade to control the whole of Mozilla?

                                                                            1. 1

                                                                              Google has pushed through complex standards such as HTTP/2 and new rendering behaviors, which Mozilla implements in order to not “fall behind.” They are able to implement and maintain such complexity due to funding they receive from Google, including their deal to make Google the default search engine in Firefox (as I said earlier, I couldn’t find any breakdown of what % of Mozilla’s funding comes from Google).

                                                                              For evidence of the influence this funding has, compare the existence of Mozilla’s Facebook Container to the non-existence of a Google Container.

                                                                              1. 1

                                                                                what % of Mozilla’s funding comes from Google

                                                                                No word on the exact breakdown. Visit their 2017 report and scroll all the way to the bottom, and you’ll get a couple of helpful links. One of them is to a wiki page that describes exactly what each search engine gets in return for their investment.

                                                                                I would also like to know the exact breakdown, but I’d expect all those companies would get a little testy if the exact amount were disclosed. And anyway, we know what the lump sum is (around half a billion), and we can assume that most of it comes from Google.

                                                                                the non-existence of a Google Container

                                                                                They certainly haven’t made one themselves, but there’s nothing stopping others from forking one off! And anyway, I think it’s more so fear on Mozilla’s part than any concrete warning from Google against doing so.

                                                                                Perhaps this is naïveté on my part, but I really do think Google just want their search engine to be the default for Firefox. In any case, if they really wanted to exert their dominance over the browser field, they could always just… you know… stop funding Mozilla. Remember: Google is in the “web market” first & the “software market” second. Having browser dominance is just one of many means to the same end. I believe their continued funding of Mozilla attests to that.

                                                                                1. 2

                                                                                  It doesn’t have to be a direct threat from Google to make a difference. Direct threats are a very narrow way in which power operates and there’s no reason that should be the only type of control we care about.

                                                                                  Yes Google’s goal of dominating the browser market is secondary to their goal of dominating the web. Then we agree that Google’s funding of Firefox is in keeping with their long-term goal of web dominance.

                                                                                  if they really wanted to exert their dominance over the browser field, they could always just… you know… stop funding Mozilla.

                                                                                  Likewise, if Firefox was a threat to their primary goal of web dominance, they could stop funding Mozilla. So doesn’t it stand to reason that using Firefox is not an effective way to resist Google’s web dominance? At least Google doesn’t think so.

                                                                                  1. 1

                                                                                    Likewise, if Firefox was a threat to their primary goal of web dominance, they could stop funding Mozilla. So doesn’t it stand to reason that using Firefox is not an effective way to resist Google’s web dominance?

                                                                                    You make some good points, but you’re ultimately using the language of a “black or white” argument here. In my view, if Google were to stop funding Mozilla they would still have other sponsors. And that’s not to mention the huge wave this would make in the press—even if most people don’t use Firefox, they’re at least aware of it. In a strange sense, Google cannot afford to stop funding Mozilla. If they do, they lose their influence over the Firefox project and get huge backlash.

                                                                                    I think this is something the Mozilla organization were well aware of when they made the decision to accept search engines as a funding source. They made themselves the center of attention, something to be competed over. And in so doing, they ensured their longevity, even as Google’s influence continued to grow.

                                                                                    Of course this has negative side effects, such as companies like Google having influence over them. But in this day & age, the game is no longer to be free of influence from Google; that’s Round 2. Round 1 is to achieve enough usage to exert influence on what technologies are actually adopted. In that sense, Mozilla is at the discussion table, while netsurf, dillo, and mothra (as much as I’d love to love them) are not and likely never will be.

                                                              2. 3

                                                                Just switch to Gopher.

                                                                1. 5

                                                                  Just switch to Gopher

                                                                  I know you were joking, but I do feel like there is something to be said for the simplicity of systems like gopher. The web is so complicated nowadays that building a fully functional web browser requires software engineering on a grand scale.

                                                                  1. 3

                                                                    yeah. i miss when the web was simpler.

                                                                    1. 1

                                                                      I was partially joking. I know there are new ActivityPub tools like Pleroma that support Gopher and I’ve thought about adding support to generate/serve gopher content for my own blog. I realize it’s still kinda a joke within the community, but you’re right about there being something simple about just having content without all the noise.

                                                                2. 1

                                                                  Unless more than (rounded) 0% of people use it for Facebook, it won’t make a large enough blip for people to care. Also this is how IE was dominant, because so much only worked for them.

                                                                  1. 1

                                                                    yes, it would require masses of people. and yes it won’t happen, which is why the web is lost.

                                                                3. 2

                                                                  I’ve relatively recently switched to FF, but still use Chrome for web dev. The dev tools still seem quite more advanced and the browser is much less likely to lock up completely if I have a JS issue that’s chewing CPU.

                                                                  1. 2

                                                                    I tried to use Firefox on my desktop. It was okay, not any better or worse than Chrome for casual browsing apart from private browsing Not Working The Way It Should relative to Chrome (certain cookies didn’t work across tabs in the same Firefox private window). I’d actually want to use Firefox if this was my entire Firefox experience.

                                                                    I tried to use Firefox on my laptop. Site icons from bookmarks don’t sync for whatever reason (I looked up the ticket and it seems to be a policy problem where the perfect is the enemy of the kinda good enough), but it’s just a minor annoyance. The laptop is also pretty old and for that or whatever reason has hardware accelerated video decoding blacklisted in Firefox with no way to turn it back on (it used to work a few years ago with Firefox until it didn’t), so I can’t even play 720p YouTube videos at an acceptable framerate and noise level.

                                                                    I tried to use Firefox on my Android phone. Bookmarks were completely useless with no way to organize them. I couldn’t even organize on a desktop Firefox and sync them over to the phone since they just came out in some random order with no way to sort them alphabetically. There was also something buggy with the history where clearing history didn’t quite clear history (pages didn’t show up in history, but links remained colored as visited if I opened the page again) unless I also exited the app, but I don’t remember the details exactly. At least I could use UBO.

                                                                    This was all within the last month. I used to use Firefox before I used Chrome, but Chrome just works right now.

                                                                    1. 6

                                                                      I definitely understand that Chrome works better for many users and you gave some good examples of where firefox fails. My point was that people need to use and support firefox despite it being worse than chrome in many ways. I’m asking people to make sacrifices by taking a principled position. I also recognize most users might not do that, but certainly, tech people might!? But maybe I’m wrong here, maybe the new kids don’t care about an open internet.

                                                                  1. 1

                                                                    Never miss a story from Ferdy Christant, when you sign up for Medium. Learn more

                                                                    can we block medium already

                                                                    1. 1

                                                                      This is off-topic. Are you complaining that medium has a banner in the footer?

                                                                      1. 1

                                                                        the thing i quoted was the most prominent text on the page that was linked to. i think the most prominent text on a page should be fair game for comments.

                                                                        1. 1

                                                                          No, it’s the annoying sign up messages on what is essentially a glorified pastebin.

                                                                      1. 5

                                                                        Please - the word you wanted is “lose” and not “loose”. “loose” is the opposite of “tight”, not of “gain”. (I realise you’re probably not a native English speaker and I wouldn’t complain, but it’s right there in the title and it reads wrong - because the words are pronounced differently).

                                                                        I too am concerned about the web browser monoculture. I personally continue to use Firefox, although some of the practices of Mozilla occasionally irk me, I still find it preferable (and far easier to build) than Chrome. The question is, though, what can we actually do about it? Chrome is very successful and has a lot of resources behind it. But web renderers are far from trivial; it’s not like it’s easy to produce a quality feature-complete competitor. That’s why webkit is doing so well - it’s packaged as a component, not a full browser. (Just as Firefox has Gecko, or whatever its current incarnation is called, in theory).

                                                                        So: what do we do? How do we avoid blinking?

                                                                        1. 12

                                                                          I think we lost when we allowed web standards to get so complex that they can’t be independently implemented without a billion dollar company funding a large team. I don’t think that this is solvable. The existing players are so far ahead that there’s really no catching up.

                                                                          1. 3

                                                                            Servo is not a billion dollar project.

                                                                            1. 6

                                                                              Mozilla’s annual revenue is half a billion dollars. Since it’s a non-profit, there’s no real valuation that I’m aware of, but just going off of typical P/E ratios, that would make them a multi-billion dollar company.

                                                                              1. 1

                                                                                Mozilla Corporation is a for-profit corporation owned by Mozilla Foundation, a nonprofit. That means the private part does have a value. They usually do profit times 10 in straight-forward sales of businesses. Using their 2016 financial, here’s the numbers to look at:

                                                                                Revenue: $520 mil

                                                                                Development cost: $225 mil

                                                                                Marketing: $47 mil

                                                                                Administrative: $59.9 mil

                                                                                Net gains: $102 mil (if I’m reading it right cuz it’s different than ones I did in college)

                                                                                They’re worth somewhere between $1-5 billion if looking at operating profit or revenues with no consideration for up/down swings in the future. Also, there’s two numbers there that look inflated: development cost; administrative. For the former, they use a lot of developers in high-wage areas. They could move a good chunk of development to places where good talent, esp their real estate, is cheaper to free up money for more developers and/or acquisitions. For administrative, that’s a big number that’s above their marketing spending. I think that should be the other way around. More money into marketing might equal larger share of users.

                                                                          2. 6

                                                                            So: what do we do? How do we avoid blinking?

                                                                            It seems that Mozilla’s answer to that question is the Servo project. I guess we could start contributing.

                                                                            1. 6

                                                                              While I like rust and servo as a research project - mozilla does not hold a good track record when it comes to providing a browser as a reusable component. It has been a long time since Gecko could be easily embedded in other browsers, and this does not seem to be a priority for servo either.

                                                                              FWIW I think the main competitor to Blink is actually Webkit in the sense that it is the easiest open source browser for someone to modify. I would prefer to see people put their effort there.

                                                                              1. 13

                                                                                GeckoView is an upcoming embedding API. It’s supposed to fix that and already used in some Firefox products, most notably Focus.

                                                                                1. 2

                                                                                  This needs to be on desktop platforms, too, though, not just Android. But I’m happy to see the progress.

                                                                                  1. 2

                                                                                    I haven’t seen any code using GeckoView on the Desktop, is it Android only or can it be used to build Desktop browsers?

                                                                                    1. 6

                                                                                      It runs where Gecko runs. Which is Linux/Windows/OSX on Intel, ARM, ARM64 etc.

                                                                                      First iterations happened to be in mobile because we need to cash in on the Quantum improvements on mobile. That’s not due to technical constraints.

                                                                                      1. 3

                                                                                        oh that is awesome news. I was looking at the repo but could only find examples for Android and it being mentioned as an Android component. I wish there was a sample for the Desktop, something like QtGeckoView would make it quite popular.

                                                                                        1. 1

                                                                                          Is it Java, though? Because, if so - ick. It would be much better to have a C, C++ or Rust API - something that doesn’t automatically add a large runtime overhead. I don’t foresee many desktop browsers being built on top of a Java API no matter how powerful/easy-to-use it is.

                                                                                          (Not that I think Java doesn’t have its place, I just don’t think it fits this niche particularly well, except for the obvious case of Android).

                                                                                          1. 1

                                                                                            No. On Android, we embed GeckoView within Java projects (obviously). This is mostly based on our Android Components.

                                                                                      2. 1

                                                                                        That also looks incredibly easy to use. That’s cool.

                                                                                  2. 1

                                                                                    Thanks for the feedback. I’ve realized the mistake about that typo too late and unfortunately the URL is tied to it. Fixing it makes a new URL and I can’t edit the URL here. :-(

                                                                                    I agree with you, building an engine as a component that is easy to embed and build upon is the reason why WebKit became the dominant force here. I wish Mozilla paid more attention to the embeddability of Gecko (which I’ve heard is a mess to build your product on top of). There is no easy way out of the current mess we’re in, people who are concerned about that can basically throw some effort and action towards Mozilla strengthening the remaining engine before it is too late.

                                                                                    1. 1

                                                                                      Fixing it makes a new URL and I can’t edit the URL here.

                                                                                      Can you add a redirect?

                                                                                      1. 1

                                                                                        I will look into crafting a redirect tomorrow as I don’t want to disrupt the little server today. This is not a jekyll blog. I think that adding a redirect using .htaccess should work but as the server is being accessed a lot right now, I am a bit afraid of breaking the post and potential readers reaching a broken URL.

                                                                                  1. 4

                                                                                    would be amazing if ms open sourced the engine now. could be interesting to see an engine written from scratch for the current technologies.

                                                                                    but i guess this will never happen, just like opera didn’t release the presto engine :/

                                                                                    1. 4

                                                                                      EdgeHTML wasn’t rewritten from scratch, AFAIU that’s a myth they want people to believe. It’s still pretty close to Trident (IE rendering engine), from which they removed lots of Microsoft-legacy/proprietary and then added some features.

                                                                                      1. 2

                                                                                        AFAIU that’s a myth they want people to believe

                                                                                        I don’t think MS has ever promulgated this, actually; the Edge page definitely doesn’t claim it’s brand-new, and they initially launched Edge as literally just a document mode for IE—definitely not as some sort of total rewrite. I think the idea that EdgeHTML is an outright new browser got started by fans who either conflated the fact that the Edge chrome is brand-new (which it was) for the rendering engine being new (which it emphatically isn’t); who conflated EdgeHTML in general with the Chakra JavaScript engine (which was indeed new and has now been open-sourced); or who just straight-up exaggerated what Microsoft had done to Trident to make the Edge rendering engine.

                                                                                        Microsoft itself though has been quite clear in everything I’ve read that Edge is a direct descendent of IE’s rendering engine, because it’s honestly their marketing for why it’s okay to use Edge in corporations currently stuck on IE: it’s the same stuff you know and love, but now it can also scale cleanly into Chrome/Firefox territory. That messaging makes no sense if it’s a brand-new engine.

                                                                                        1. 1

                                                                                          ah, thanks (also gecko for the background information) for the clarification, i must have got that mixed up :)

                                                                                      1. 7

                                                                                        I really have no idea what problem this would fix.

                                                                                        1. 15

                                                                                          First, it’d unify what Edge even means: “Edge” on Android and iOS is Blink and WebKit, respectively, while it’s Trident on Windows. It’d now be WebKit-based everywhere. (And mean that they could do Edge for macOS or Linux with a straight face, too.)

                                                                                          Second, as freddyb points out, it drastically cuts resource use. I disagree that Chrome is more secure, and definitely that it’s less resource-heavy, but it almost certainly takes fewer engineers to improve Chrome than build an entirely separate browser.

                                                                                          Third, Microsoft is already using Chromium, via their Electron apps, especially dev tooling (Visual Studio Code and various Azure components). This would allow more devs to focus on just one engine, and perhaps pave the way for better Windows integration there.

                                                                                          Fourth, it ironically gets Microsoft out of compatibility hell. Many sites are incompatible with Edge because they’re so tightly bound to Chrome. This sidesteps that.

                                                                                          And finally, having Edge just isn’t a competitive advantage anymore. Even if, for sake of argument, Edge is lighter and more secure than Chrome, no one is buying Windows over it. That makes it a lousy thing to emphasize as much as they are, dev-resource-wise.

                                                                                          1. 1

                                                                                            “Edge” on Android and iOS is Blink and WebKit, respectively, while it’s Trident on Windows.

                                                                                            All browsers on iOS are WebKit, even Firefox. Nobody has a choice there. But I don’t see Edge on Android switching away from Blink either, where they could if they wanted to. The three codebases for all three platforms have essentially nothing to do with each other either.

                                                                                          2. 6

                                                                                            Market share. Revenue. Resource allocation. Security. Lots, really.

                                                                                            1. 2
                                                                                              1. 2

                                                                                                That certainly seems plausible. Thanks.

                                                                                            1. 19

                                                                                              I followed this tutorial to get started on my falling sand game project*. It’s a concise introduction to some really useful tools - using this ecosystem has been a total joy and has enabled me to build things in the browser with incredible performance, without sacrificing the web niceties I’m used to like quick feedback cycles and performance tracing via devtools. The browser support is also really strong, my game (mostly, WIP!) works on mobile and most browsers (I think). Highly recommend this book!

                                                                                              * https://maxbittker.github.io/sandtable/

                                                                                              https://github.com/MaxBittker/sandtable

                                                                                              1. 7

                                                                                                This is so so so awesome <3

                                                                                                1. 4

                                                                                                  Holy crap. That game is awesome. The way the different elements interact so intuitively is just incredible. I was playing around with destroying things with acid, but then I realized half my screen was acid and it was fun trying to get rid of it. I love how gas and lava interact, and also how ice will cause surrounding water to freeze. And also, putting a bit of lava under some wood and then using wind on the wood actually scatters the embers of the wood. Wow.

                                                                                                  That’s a really incredible project!

                                                                                                  1. 3

                                                                                                    thank you so much! falling sand games were a part of my childhood, I love their mode of play through experiment-building.

                                                                                                    My eventual goal is to allow the user to program, fork, and share new elements of their own design, and mix them. Defining an element right now has an intentionally simple cellular automata api surface, and I hope to eventually figure out how to compile and link wasm modules in the browser to allow hundreds of elements, so you can try out usernameFoo’s “Alien Plant v4” against usernameBar’s “pink super acid”

                                                                                                    I’ll need to understand the wasm toolchain a lot better to make that happen though

                                                                                                  2. 3

                                                                                                    This game is amazing. Thank you. Also, I want the last two hours of my life back 😅

                                                                                                    1. 8

                                                                                                      Thank you! This is a bit silly considering that I posted this on a public forum, but my one request is to please not share the game more broadly yet, I have a lot of things I still want to implement before I show it to people outside the context of it being a tech demo. Posted it here because I appreciate this learning resource so much!

                                                                                                    2. 2

                                                                                                      I love the smoke effect!

                                                                                                      As I sit here posting my girlfriend is whispering in my ear, “what is clone?”

                                                                                                      1. 2

                                                                                                        Thanks! I adapted most of the fluid simulation code from here, learned a lot about webgl doing so! https://github.com/PavelDoGreat/WebGL-Fluid-Simulation

                                                                                                      2. 1

                                                                                                        holy shit the plant actually catches on fire when it touches lava this is awesome

                                                                                                        1. 1

                                                                                                          the dust can explode…..

                                                                                                      1. 2

                                                                                                        I’m @freddyb@mstdn.io

                                                                                                        Though I almost never toot :(

                                                                                                        1. 3

                                                                                                          Using Fira Mono (developed for Firefox OS back in the day) for terminal & coding. Fira Sans for my website.

                                                                                                          1. 2

                                                                                                            Have you tried Fira Code?

                                                                                                            1. 4

                                                                                                              I find the concept entertaining, but personally don’t like ligatures as they appear untrue to me. I’m feeling that this obscures the actual code I am writing - even if it’s just a local display aspect.

                                                                                                              I admit, that’s not a very meaningful or objective reply. But, after all, this is a matter of taste :)

                                                                                                              1. 3

                                                                                                                Nothing obscured as long as the mapping is bijective. shrugs

                                                                                                          1. 1

                                                                                                            This is interesting research, but being half-way through I’ve already found a few misconceptions.

                                                                                                            • if you listen to an interface, instead of a specific IP, it looks at a sysctl setting net.ipv6.conf.all.use_tempaddr, which most distributions set to 2, that is, prefer private addresses
                                                                                                            • dropping ICMP traffic has always been frowned upon. Implications of ICMP6 are not really new, here.
                                                                                                            1. 29

                                                                                                              Mozilla? First I hear we’re supportive. Last time I checked (a week ago), we weren’t.

                                                                                                              But Sunday is bad timing. I’ll follow up later!

                                                                                                              1. 15

                                                                                                                OK, I looked at the threads linked from the article and the specification repo, to see if anything changed. Nobody from Mozilla involved yet. Furthermore, Mozilla hasn’t even written up the official standards position, which our standards people usually do at https://mozilla.github.io/standards-positions/

                                                                                                                My assumption is that we’ll watch it closely, but it seems very early stage.

                                                                                                                1. 2

                                                                                                                  More discussion about Mozilla perspective at https://github.com/mozilla/standards-positions/issues/110

                                                                                                              1. 2

                                                                                                                This is funny, despite its “someone is wrong in the internet” smell.

                                                                                                                1. 0

                                                                                                                  curl remains the world’s most widely used HTTP client

                                                                                                                  I don’t know, I would expect this to be rather Chrome or Blink/WebKit, due to the massive scale of Android deployment.

                                                                                                                    1. 0

                                                                                                                      I still think Android users are more likely to use their browser to do HTTP than curl.

                                                                                                                      1. 4

                                                                                                                        Android is using curl in the background regularly, without the user doing anything. Same is true for all connected devices lately. Game consoles, cars, etc. I don’t think his statement is false.

                                                                                                                  1. 19

                                                                                                                    This is kind of interesting, but it’s neither informative nor actionable–and yet, it’s gotten a bunch of upvotes in solidarity.

                                                                                                                    Let’s not normalize this.

                                                                                                                    1. 28

                                                                                                                      Why does it have to be actionable? Why do you think the votes are out of solidarity? I find this kind of stuff very interesting.

                                                                                                                      1. 16
                                                                                                                        • It’s slacktivism.

                                                                                                                        • It’s a pretty well-supported theory that exposing people to a bunch of news, when they can’t do anything about it, contributes to depression and anxiety.

                                                                                                                        • And, of course, lobste.rs is supposed to complement the other sites, not replace them.

                                                                                                                        1. 18

                                                                                                                          I think I’m missing something here. How could upvoting this story possibly constitute slacktivism? Are you assuming that Stenberg quit Mozilla for some principled reason and that we’re “supporting” him by promoting this blog post? I read the story and didn’t come away with that understanding at all. (And his mention that he can’t get a US visa was a very tangential bit at the end.)

                                                                                                                          1. 12

                                                                                                                            This is such an odd reply. Do you believe that most news on lobste.rs is actionable?

                                                                                                                            1. 8

                                                                                                                              The problem is that lobste.rs wasn’t supposed to be for news.

                                                                                                                              1. 4

                                                                                                                                What’s it supposed to be for then?

                                                                                                                                1. 10

                                                                                                                                  Personally I come here to learn new things and not to catch up on news and drama. I could get that from reddit.

                                                                                                                                  1. 4

                                                                                                                                    Or HN, for that matter. I fully agree; I’d prefer if Lobste.rs would be limited to technical posts. The odd informative post about a person can be interesting, but only if it’s “important news” like a death. Even if someone loudly resigns from a software project I’m not sure I’d want to read about it (it’s just drama).

                                                                                                                                    I can’t actually downvote yet, so bear in mind that the upvotes are skewed; out of all the people who can only upvote, if 50% wants to downvote, they can’t. Worse: if 25% upvotes, it looks like the majority is in favor of the post.

                                                                                                                                2. 4

                                                                                                                                  That’s news to me. I am pretty sure that’s not true.

                                                                                                                              2. 6

                                                                                                                                To adhere to bullet two it would be best just to shut lobsters down.

                                                                                                                                1. 6

                                                                                                                                  There’s good, actionable, technical content here. If you need to see new posts every 15 minutes regardless of quality or relevance, the internet has plenty of that already.

                                                                                                                                  1. 5

                                                                                                                                    Can you tell me which pieces on the frontpage right now you consider actionable, and which action you would take?

                                                                                                                                    1. 13

                                                                                                                                      State of Haskell: I’m not into Haskell, so I haven’t read it, but if I were, then I’d focus on making Haskell better for what people are currently using it for.

                                                                                                                                      Some notes about HTTP/3: I’d remember this information for use when actually implementing services that use it.

                                                                                                                                      Flying for Thanksgiving: I’d take the plane on thanksgiving day, instead of the day before or after.

                                                                                                                                      How to install Yggdrasil in Debian(stretch) and find peers: install Yggdrasil in Debian and find peers.

                                                                                                                                      Scrolling the main document is better for performance, accessibility, and usability: scroll the main document.

                                                                                                                                      Bleeding edge django template focused on code quality and security: scaffold a Django project using it.

                                                                                                                                      Python memoization across program runs: memoize data.

                                                                                                                                      Running x86_64 binaries on the Talos II: run x86_64 binaries on the Talos II.

                                                                                                                                      6 core falsehoods about the digital sphere: not repeat them.

                                                                                                                                      Safer bash scripts with ‘set -euxo pipefail’: put this on the top of my bash scripts.

                                                                                                                                      The History of GNOME: … okay … I’ve got nothing.

                                                                                                                                      Kobzol/hardware-effects: write software that isn’t slow.

                                                                                                                                      MEMs oscillator sensitivity to helium (helium kills iPhones): keep helium away from iPhones, and keep this in mind if I ever end up in charge of hardware design.

                                                                                                                                      Formal Verification of Distributed Checkpointing Using Event-B (2015): build better distributed systems.

                                                                                                                                      NN based self-driving car with Lego Mindstorms and a Raspberry Pi 3: build a demo self-driving car.

                                                                                                                                      Open-Source, Bitstream Generation (2013): generate bitstreams.

                                                                                                                                      Computing History at Bell Labs: again, historical documents might not have immediate worth, but in the long term, copying an old forgotten design can make you seem smarter than you actually are.

                                                                                                                                      A verified email address will be required to publish to crates.io starting on 2019-02-28: avoid getting in trouble with the DMCA if I ever end up in charge of something like crates.io.

                                                                                                                                      elm-ui: Forget CSS and enjoy creating UIs in pure Elm: enjoy creating UIs in pure Elm.

                                                                                                                                      Yet another memory leak in ImageMagick or how to exploit CVE-2018-16323: stop writing C (“perform a DoS attack” would also be a valid, but less accepted, answer).

                                                                                                                                      If I were to invent a programming language for the 21st century: this one should probably be tagged “satire”, but in any case, it’s a call to stop repeating history, so while it might not be immediately actionable, keep it in mind before you ever start writing a programming language.

                                                                                                                                      Time is Partial, or: why do distributed consistency models and weak memory models look so similar, anyway?: build better distributed systems using these consistency models.

                                                                                                                                      boar - Tool for archiving your digital life: archive my digital life.

                                                                                                                                      Developer to Manager - Experiences going from development to management: avoid repeating their mistakes.

                                                                                                                            2. 24

                                                                                                                              I knew this would be a controversial post generating a few downvotes. I almost felt like not submitting at all, but I decided to submit for these reasons:

                                                                                                                              • the author of curl is a somewhat noteworthy person, his blog is oftentimes featured here.
                                                                                                                              • there is a person tag on lobsters
                                                                                                                              • the upvote/downvote system will tell me if I was right.

                                                                                                                              Regarding my last point: I value friendlysock’s comment here. I think he’s right. 4 downvotes (“off topic”) is a strong supporting signal. I’ve gotten fewer downvotes for stuff that was truly controversial :-)

                                                                                                                              1. 4

                                                                                                                                Thank you for participating in the site, and even more for explaining your reasoning!

                                                                                                                              2. 17

                                                                                                                                Please stop policing content.

                                                                                                                                1. 10

                                                                                                                                  Fwiw, it didn’t come across to me as policing. Imho, it’s good we have healthy discussions on content from time to time.

                                                                                                                                  1. 11

                                                                                                                                    Consider it opening a discussion about content, rather than policing it. It is surely agreeable that not all content (even high-quality content) is desirable on lobste.rs; so we need to reach a rough consensus on where the line should be drawn. Doing that exclusively by “letting the votes decide” has been demonstrated over and over again to lead to low-effort content; so there needs to be discussion. And here we are, discussing. =)

                                                                                                                                    So: why do you think this article should stay? What does it bring to lobste.rs that’s valuable to the community? I’m not generally in agreement with @friendlysock that news and current events should be outright banned, but in my opinion this particular article doesn’t really bring much to the table. It’s basically saying that Daniel is leaving Mozilla, he’s not telling us why, and we shouldn’t worry about it. Okay? Is this useful or important for significant numbers of people to know? I don’t feel I benefited much from reading the article.

                                                                                                                                    1. 6

                                                                                                                                      An appropriate response to a post you don’t want to see on the website is to downvote it, flag it, or hide it. An inappropriate response is to comment and complain that the post doesn’t meet your perceived standards for content. The latter, especially when coming from a member and not a moderator, is pure moralizing noise, actually and substantially worse than the “offending” content being submitted in the first place.

                                                                                                                                      1. 16

                                                                                                                                        I have to agree with @whbboyd and @danielrheath. It’s obvious that voting mechanisms are not effective for maintaining quality (for examples, see Hacker News, Reddit and a plethora of other sites). Maintaining norms through interaction seems like a better approach worth experimenting with, and moreover, it seems to be working for Lobste.rs.

                                                                                                                                        1. 13

                                                                                                                                          This is a community, and communities find (and maintain) their cultural norms by interacting with one another.

                                                                                                                                          Perhaps this norm has changed as the site has grown, and perhaps not.

                                                                                                                                          especially when coming from a member and not a moderator

                                                                                                                                          Having a database bit set (or not) has nothing to do with your credibility or standing in the community. He’s one of the oldest and most active site members, and (as evidenced by karma/post ratio) is well regarded.

                                                                                                                                      2. 9

                                                                                                                                        I, for one, appreciate that someone is doing it.

                                                                                                                                        The internet has no shortage of sites with a poor SNR; lobsters has remained high-quality primarily because the cultural norms lean towards ‘keep the noise low’.

                                                                                                                                        1. 1

                                                                                                                                          Having less discussion on why content may not be a great fit for lobsters isn’t a great long-term strategy. FWIW, it’s exactly the difference between low-quality communities like /r/programming and higher-quality communities like /r/netsec on reddit. I would really prefer that we don’t end up like /r/programming or HN, and a little introspection can’t hurt.

                                                                                                                                        2. 5

                                                                                                                                          It’s actionable in the sense that there could be someone here that 1. likes his work on curl and Mozilla and 2. has a company that might want to hire him.

                                                                                                                                          1. 1

                                                                                                                                            That would be the case if the post indicated he was looking for work - but it explicitly says he has other plans.

                                                                                                                                            1. 4

                                                                                                                                              Well, it didn’t quite say that. It just stated that he was unsure where he was going and was in talks. Perhaps someone else wants to get in on those talks.

                                                                                                                                              I don’t yet know what to do next.

                                                                                                                                              I have some ideas and communications with friends and companies, but nothing is firmly decided yet. I will certainly entertain you with a totally separate post on this blog once I have that figured out! Don’t worry.

                                                                                                                                              1. 2

                                                                                                                                                Fair enough.

                                                                                                                                        1. 1

                                                                                                                                          I’m curious as to how hard it would be for other browsers to support Firefox Sync via plugins. I only really use Firefox on my Android phone, and use Safari on my Mac and iPad. It would be great if I could use Firefox Sync between all of them.

                                                                                                                                          1. 2

                                                                                                                                            Gnome’s browser implements it, according to https://blogs.gnome.org/mcatanzaro/2017/08/09/on-firefox-sync/

                                                                                                                                            In fact, Mozilla has multiple implementations of the protocol themselves. The iOS browser has to use a webkit webview (due to Apple appstore policies), so there is a Sync implementation on top of that.

                                                                                                                                            1. 1

                                                                                                                                              Safari uses iCloud storage, which uses the two-password method (that Mozilla dismissed as “too complicated”), so you might as well use Safari’s built-in sync; it’s just as secure.

                                                                                                                                              (Let’s ignore paranoia surrounding the fact that it’s closed-source, since using a Firefox Sync Add-On wouldn’t do anything if the browser was going to lie and give Apple an unencrypted copy of your passwords anyway.)

                                                                                                                                              https://support.apple.com/en-us/HT202303

                                                                                                                                              These features and their data are transmitted and stored in iCloud using end-to-end encryption:

                                                                                                                                              • Home data
                                                                                                                                              • Health data
                                                                                                                                              • iCloud Keychain (includes all of your saved accounts and passwords)
                                                                                                                                              • Payment information
                                                                                                                                              • Siri information
                                                                                                                                              • Wi-Fi network information

                                                                                                                                              To use end-to-end encryption, you must have two-factor authentication turned on for your Apple ID. To access your data on a new device, you might have to enter the passcode for an existing or former device.

                                                                                                                                              Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple.

                                                                                                                                              Note that they announced this stuff back in 2016, and have been gradually rolling it out to everything. They also tie it to 2FA: you have to turn that on before they’ll turn on E2E encryption, I assume because of trying to avoid forgotten password lockouts. In particular, I notice that this is only passwords, not bookmarks.

                                                                                                                                            1. 15

                                                                                                                                              Q: is the HTTP protocol really the problem that needs fixing?

                                                                                                                                              I’m under the belief that if the HTTP overhead is causing you issues then there are many alternative ways to fix this that don’t require more complexity. A site doesn’t load slowly because of HTTP, it loads slowly because it’s poorly designed in other ways.

                                                                                                                                              I’m also suspicious of Google’s involvement. TCP HTTP 1.1 is very simple to debug and do by hand. Google seems to like closing or controlling open things (Google chat support for XMPP, Google AMP, etc). Extra complexity is something that should be avoided, especially for the open web.

                                                                                                                                              1. 10

                                                                                                                                                They have to do the fix on HTTP because massive ecosystems already depend on HTTP and browsers with no intent to switch. There’s billions of dollars riding on staying on that gravy train, too. It’s also worth noting lots of firewalls in big companies let HTTP traffic through but not better-designed protocols. The low-friction improvements get more uptake by IT departments.

                                                                                                                                                1. 7

                                                                                                                                                  WAFs and the like barely support HTTP/2 tho; a friend gave a whole talk on bypasses and scanning for it, for example

                                                                                                                                                  1. 6

                                                                                                                                                    Thanks for feedback. I’m skimming the talk’s slides right now. So far, it looks like HTTP/2 got big adoption but WAFs lagged behind. Probably just riding their cash cows minimizing further investment. I’m also sensing business opportunity if anyone wants to build an HTTP/2 and /3 WAF that works with independent testing showing nothing else or others didn’t. Might help bootstrap the company.

                                                                                                                                                    1. 3

                                                                                                                                                      ja, that’s exactly correct: lots of the big-name WAFs/NGFWs/&c. are missing support for HTTP/2 but many of the mainline servers support it, so we’ve definitely seen HTTP/2 as a technique to bypass things like SQLi detection, since they don’t bother parsing the protocol.

                                                                                                                                                      I’ve also definitely considered doing something like CoreRuleSet atop HTTP/2; could be really interesting to release…
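An added illustration of the gap described in the comment above (not code from the thread or from any WAF product): an inspector that only understands HTTP/1.1 text passes HTTP/2 untouched, while a protocol-aware one recognises the client preface, walks the binary frames, reassembles DATA per stream and fails closed on anything it cannot parse. The rule, the sample requests, the host name and the fail-open behaviour of the first inspector are constructed assumptions; the bytes are treated as cleartext, as a device sees them after TLS termination.

```python
import re
import struct
from collections import defaultdict

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface, 24 octets
DATA, HEADERS, SETTINGS = 0x0, 0x1, 0x4
FLAG_END_STREAM, FLAG_PADDED = 0x1, 0x8
H1_REQUEST = re.compile(rb"\A[A-Z]+ \S+ HTTP/1\.[01]\r\n")
# Deliberately simplistic stand-in for a real rule set (assumption).
RULE = re.compile(rb"union\s+select", re.I)


def classify(conn: bytes) -> str:
    """Identify the protocol from the first bytes a client sends."""
    if conn.startswith(H2_PREFACE):
        return "h2"
    if H1_REQUEST.match(conn):
        return "h1"
    return "unknown"


def iter_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each HTTP/2 frame in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 9 > len(buf):
            raise ValueError("truncated frame header")
        # 9-octet header: 24-bit length, type, flags, reserved bit + 31-bit stream id
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(buf):
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid & 0x7FFFFFFF, buf[pos + 9:end]
        pos = end


def stream_bodies(conn: bytes) -> dict:
    """Reassemble DATA payloads per stream, stripping optional padding."""
    bodies = defaultdict(bytes)
    for ftype, flags, sid, payload in iter_frames(conn[len(H2_PREFACE):]):
        if ftype != DATA:
            continue  # HEADERS carry HPACK-encoded fields, not decoded in this example
        if sid == 0:
            raise ValueError("DATA on stream 0")
        if flags & FLAG_PADDED:
            if not payload or payload[0] >= len(payload):
                raise ValueError("bad padding")
            payload = payload[1:len(payload) - payload[0]]
        bodies[sid] += payload
    return dict(bodies)


def inspect_h1_only(conn: bytes) -> str:
    """Model of an HTTP/1.1-only inspector that passes what it cannot parse."""
    if not H1_REQUEST.match(conn):
        return "allow"  # fail-open: unparsed traffic is never inspected
    _, _, body = conn.partition(b"\r\n\r\n")
    return "block" if RULE.search(body) else "allow"


def inspect(conn: bytes) -> str:
    """Protocol-aware inspection that fails closed on anything unparsed."""
    kind = classify(conn)
    if kind == "h1":
        return inspect_h1_only(conn)
    if kind != "h2":
        return "block"
    try:
        bodies = stream_bodies(conn)
    except ValueError:
        return "block"
    return "block" if any(RULE.search(b) for b in bodies.values()) else "allow"


def frame(ftype, flags, sid, payload=b""):
    """Build one frame for the constructed samples below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload


# Constructed samples: the same form body sent over HTTP/1.1 and over HTTP/2.
BODY = b"id=1 UNION SELECT name FROM users"
H1_SAMPLE = (b"POST /item HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
H2_SAMPLE = (H2_PREFACE
             + frame(SETTINGS, 0, 0)
             + frame(HEADERS, 0x4, 1, b"\x83\x84\x87")  # HPACK block, left opaque
             + frame(DATA, 0, 1, BODY[:10])
             + frame(DATA, FLAG_PADDED | FLAG_END_STREAM, 1,
                     b"\x03" + BODY[10:] + b"\x00" * 3))

if __name__ == "__main__":
    for name, sample in (("HTTP/1.1", H1_SAMPLE), ("HTTP/2", H2_SAMPLE)):
        print(name, classify(sample), inspect_h1_only(sample), inspect(sample))
```

Request headers (path, query string, cookies) travel HPACK-compressed in HEADERS frames, so covering them with the same rules additionally needs an HPACK decoder, which this example leaves out.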

                                                                                                                                                      1. 4

                                                                                                                                                        so we’ve definitely seen HTTP/2 as a technique to bypass things like SQLi detection, since they don’t bother parsing the protocol.

                                                                                                                                                        Unbelievable… That shit is why I’m not in the security industry. People mostly building and buying bullshit. There’s exceptions but usually set up to sell out later. Products based on dual-licensed code are about the only thing immune to vendor risk. Seemingly. Still exploring hybrid models to root out this kind of BS or force it to change faster.

                                                                                                                                                        “I’ve also definitely considered doing something like CoreRuleSet atop HTTP/2; could be really interesting to release…”

                                                                                                                                                        Experiment however you like. I can’t imagine what you release being less effective than web firewalls that can’t even parse the web protocols. Haha.

                                                                                                                                                        1. 5

                                                                                                                                                          Products based on dual-licensed code

                                                                                                                                                          We do this where I work, and it’s pretty nice, tho of course we have certain things that are completely closed source. We have a few competitors that use our products, so it’s been an interesting ecosystem to dive into for me…

                                                                                                                                                          Experiment however you like. I can’t imagine what you release being less effective than web firewalls that can’t even parse the web protocols. Haha.

                                                                                                                                                          pfff… there’s a “NGFW” vendor I know that…

                                                                                                                                                          • when it sees a connection it doesn’t know, analyzes the first 5k bytes
                                                                                                                                                          • this allows the connection to continue until the 5k+1 byte is met
                                                                                                                                                          • subsequently, if your exfiltration process transfers data in packages of <= 5kB, you’re ok!

                                                                                                                                                          we found this during an adversary simulation assessment (“red team”), and I think it’s one of the most asinine things I’ve seen in a while. The vendor closed it as “works as expected”.

                                                                                                                                                          edit: fixed the work link as that’s a known issue.

                                                                                                                                                          1. 3

                                                                                                                                                            BTW, Firefox complains when I go to https://trailofbits.com/ that the cert isn’t configured properly…

                                                                                                                                                            1. 2

                                                                                                                                                              hahaha Nick and I were just talking about that; its been reported before, I’ll kick it up the chain again. Thanks for that! I probably should edit my post for that…

                                                                                                                                                              1. 2

                                                                                                                                                                Adding another data point: latest iOS also complains about the cert

                                                                                                                                                  2. 3

                                                                                                                                                    They have to do the fix on HTTP

                                                                                                                                                    What ‘fix’? Will this benefit anyone other than Google?

                                                                                                                                                    I’m concerned that if this standard is not actually a worthwhile improvement for everyone else, then it won’t be adopted and IETF will lose respect. I’m running on the guess that it’s going to have even less adoption than HTTP2.

                                                                                                                                                  3. 13

                                                                                                                                                    I understand and sympathize with your criticism of Google, but it seems misplaced here. This isn’t happening behind closed doors. The IETF is an open forum.

                                                                                                                                                    1. 6

                                                                                                                                                      just because they do some subset of the decision making in the open shouldn’t exempt them from blame

                                                                                                                                                      1. 3

                                                                                                                                                        Feels like Google’s turned a lot of public standards bodies into rubber stamps for pointless-at-best, dangerous-at-worst standards like WebUSB.

                                                                                                                                                        1. 5

                                                                                                                                                          Any browser vendor can ship what they want if they think that makes them more attractive to users or what not. Doesn’t mean it’s a standard. WebUSB has shipped in Chrome (and only in Chrome) more than a year ago. The WebUSB spec is still an Editor’s Draft and it seems unlikely to advance significantly along the standards track.

                                                                                                                                                          The problem is not with the standards bodies, but with user choice, market incentive, blah blah.

                                                                                                                                                          1. 3

                                                                                                                                                            Feels like Google’s turned a lot of public standards bodies into rubber stamps for pointless-at-best, dangerous-at-worst standards like WebUSB.

                                                                                                                                                            “WebUSB”? It’s like kuru crossed with ebola. Where do I get off this train.

                                                                                                                                                          2. 2

                                                                                                                                                            Google is incapable of doing bad things in an open forum? Open forums cannot be influenced in bad ways?

                                                                                                                                                            This does not displace my concerns :/ What do you mean exactly?

                                                                                                                                                            1. 4

                                                                                                                                                              If the majority of the IETF HTTP WG agrees, I find it rather unlikely that this is going according to a great plan towards “closed things”.

                                                                                                                                                              Your “things becoming closed-access” argument doesn’t hold, imho: While I have done lots of plain text debugging for HTTP, SMTP, POP and IRC, I can’t agree with it as a strong argument: Whenever debugging gets serious, I go back to writing a script anyway. Also, I really want the web to become encrypted by default (HTTPS). We need “plain text for easy debugging” to go away. The web needs to be great (secure, private, etc.) for users first - engineers second.

                                                                                                                                                              1. 2

                                                                                                                                                                That “users first-engineers second” mantra leads to things like Apple and Microsoft clamping down on the “general purpose computer”-think of the children the users! They can’t protect themselves. We’re facing this at work (“the network and computers need to be secure, private, etc.”) and it’s expected we won’t be able to do any development because of course, upper management doesn’t trust us mere engineers with “general purpose computers”. Why can’t it be for “everybody?” Engineers included?

                                                                                                                                                                1. 1

                                                                                                                                                                  No, no, you misunderstand.

                                                                                                                                                                  The users first / engineers second is not about the engineers as end users like in your desktop computer example.

                                                                                                                                                                  what I mean derives from the W3C design principles. That is to say, we shouldn’t avoid significant positive change (e.g., HTTPS over HTTP) just because it’s a bit harder on the engineering end.

                                                                                                                                                                  1. 6

                                                                                                                                                                    Define “positive change.” Google shoved HTTP/2 down our throats because it serves their interests not ours. Google is shoving QUIC down our throats because again, it serves their interests not ours. That it coincides with your biases is good for you; others might feel differently. What “positive change” does running TCP over TCP give us (HTTP/2)? What “positive change” does a reimplementation of SCTP give us (QUIC)? I mean, other than NIH syndrome?

                                                                                                                                                                    1. 3

                                                                                                                                                                      Are you asking what how QUIC and H2 work or are you saying performance isn’t worth improving? If it’s the latter, I think we’ve figured out why we disagree here. If it’s the former, I kindly ask you to find out yourself before you enter this dispute.

                                                                                                                                                                      1. 3

                                                                                                                                                                        I know how they work. I’m asking, why are they reimplementing already implemented concepts? I’m sorry, but TCP over TCP (aka HTTP/2) is plain stupid—one lost packet and every stream on that connection hits a brick wall.

                                                                                                                                                                        1. 1

                                                                                                                                                                          SPDY and its descendants are designed to allow web pages with lots of resources (namely, images, stylesheets, and scripts) to load quickly. A sizable number of people think that web pages should just not have lots of resources.

                                                                                                                                                          1. 10

                                                                                                                                                            Someone should try to squeeze in support for the use of srv records for http/3 too.

                                                                                                                                                            1. 3

                                                                                                                                                              Browsers have pretty soundly rejected using srv records, so that seems DOA.

                                                                                                                                                              1. 4

                                                                                                                                                                Kinda sad because SRV would probably let users host websites at home even if ISPs block port 80.

                                                                                                                                                                1. 1

                                                                                                                                                                  The ISPs specifically want to prevent users from hosting websites. If they can’t do that by blocking port 80, they’ll do it some other way.

                                                                                                                                                              2. 2

                                                                                                                                                                One can use the Alt-Svc header instead.

                                                                                                                                                              1. 5

                                                                                                                                                                The solution to this problem is Keybase.io - full stop. I use it often and find it easier than falling off a log.

                                                                                                                                                                Easy to set up, easy to use, great facilities for using encryption in other contexts besides E-mail. Great stuff. Can’t recommend it highly enough.

                                                                                                                                                                1. 15

                                                                                                                                                                  Keybase is a walled garden with some proprietary components. No thanks.

                                                                                                                                                                  1. 6

                                                                                                                                                                    Yup. That’s very true. It’s also utterly falling off a log easy workmanlike crypto for anyone whose standards are not quite as stringent as yours.

                                                                                                                                                                    Put another way - no crypto at all or reliance on a walled garden with some proprietary components?

                                                                                                                                                                    1. 0

                                                                                                                                                                      There are quite a few ‘easy’ crypto implementations (e.g. Microsoft Outlook’s mail encryption crap), the problem is they are all competing and not compatible with each other. I would rather support a company that is working to improve an existing implementation (e.g. gnupg) than go off and create yet another implementation.

                                                                                                                                                                      1. 4

                                                                                                                                                                        I manage my GnuPG keys just fine using Keybase. Are you sure you’re aware of what they’re actually offering or is this just a knee jerk response?

                                                                                                                                                                        1. 0

                                                                                                                                                                          Yes I’m aware that one feature of keybase is to be a flashy gnupg key server interface. But, from what I understand, they also roll their own crypto, and encourage users to use it.

                                                                                                                                                                          https://keybase.io/docs/server_security

                                                                                                                                                                          https://keybase.io/docs/crypto/local-key-security

                                                                                                                                                                          is this just a knee jerk response

                                                                                                                                                                          I figured lobste.rs users would give the benefit of the doubt before making stupid remarks like this, but I guess I was wrong.

                                                                                                                                                                          1. 4

                                                                                                                                                                            I’m perfectly capable of stupid remarks, but I’m unsure whether I’d classify that particular remark in that way.

                                                                                                                                                                            Let’s get back to discussing nuts and bolts shall we?

                                                                                                                                                                            I don’t use any “roll your own crypto” - I use Keybase to manage and utilize my GPG keys.

                                                                                                                                                                            Anyway, you don’t like Keybase. That’s fine. It’s not meant for you. Clearly you’re an educated user who knows something about cryptography.

                                                                                                                                                                            Keybase is meant for the millions of people who aren’t educated, but want some measure of protection with a usable interface on top. To my mind, it succeeds admirably at that. If you disagree, that’s fine, and I’d even maybe give your disagreement more weight than my belief because, at least if I put stock in the ferocity of your attacks, you know what you’re talking about.

                                                                                                                                                                            So maybe Keybase is terrible. It does what I want it to do very well. I’ll leave it there.

                                                                                                                                                                            1. 4

                                                                                                                                                                              I don’t use any “roll your own crypto” - I use Keybase to manage and utilize my GPG keys.

                                                                                                                                                                              Maybe the parent meant that Keybase uses their own PGP library instead of an audited open-source one?

                                                                                                                                                                              From my point of view Keybase does two things well: social authentication and append-only log of key changes. Both have been tried for OpenPGP but never really caught on (see Linked Identities and CONIKS). There is also a nice set of tools that Keybase has (encrypted git etc.) but I’ve never tried that so I don’t want to comment on that.

                                                                                                                                                                              1. 2

                                                                                                                                                                                I haven’t used their encrypted git but I’ve used their encrypted portable filesystem and chat/group chat capabilities and they work great!

                                                                                                                                                                                1. 2

                                                                                                                                                                                  Thanks for info! I’ll check it out with my testing account, I’ve heard it previously that the chat is really nice.

                                                                                                                                                                              2. 1

                                                                                                                                                                                Keybase is meant for the millions of people who aren’t educated, but want some measure of protection with a usable interface on top.

                                                                                                                                                                                I completely understand that point, I would love for there to be something providing a measure of protection with a usable interface on top, but implemented with purely FLOSS components and not controlled by exactly 1 company (which may not be around tomorrow, for instance). That’s all I was getting at. I don’t have anything against keybase personally, I just don’t like companies creating more walled gardens than there already are.

                                                                                                                                                                                1. 5

                                                                                                                                                                                  As would we all. But take a step back - look at the breadth of what Keybase provides, and take a ballpark guess at how many person hours that would take to implement.

                                                                                                                                                                                  Now think about volunteers putting in those thousands of hours unpaid with no recompense beyond the knowledge that they will be stuck maintaining the code until they burn out from the continual stream of thankless demands for MOAR EVERYTHING NOW!!! (This may sound like hyperbole but all the high profile maintainer burnout we saw a few years back says otherwise.)

                                                                                                                                                                                  This is the fundamental reality gap I see among many hard core FLOSS advocates. Until we manage to eliminate the entire concept of money, expecting such a heavy lift to come from a purely open source initiative seems highly unlikely to me.

                                                                                                                                                                                  Let’s celebrate open source for what it is, encourage it wherever we can, and be SUPER kind to those who gift the result of their blood sweat and tears to us in that way, but let’s also be realistic about what’s reasonable and what may require some kind of financial backing in order to come to fruition.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    but let’s also be realistic about what’s reasonable and what may require some kind of financial backing in order to come to fruition.

                                                                                                                                                                                    There are many examples of for-profit companies contributing employee time to FLOSS projects. Hell, I am currently working for such a company, doing such a thing. Keybase could be one of those.. but they chose to do their own thing.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      Can you give me a sense of precisely which components you take issue with? Someone has already posted about a library that Keybase uses that they’ve open sourced, and if you look at their Github profile I see a ton of open source?

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        The fact that it’s just under 100MB when I see it in software updates and that it thought it needed my private key for my use-case of just authenticating a public key. When I used it, my work-around for keys was to have Keybase-specific keys to sign real keys. The 70-100MB whatever it was, though? I mean, how trustworthy and attack-proof can a central point of trust handling secrets be if it and/or its dependencies are that large?

                                                                                                                                                                                        I just couldn’t trust it. To this day, it’s usually the largest download or update I get after a browser (basically an OS) or office suite (standard for bloat). Maybe something else in there, too, but it’s a small list. And a large program to do its one thing I wanted: social discovery.

                                                                                                                                                                                        EDIT: Long day, I fired that off too quick. Forgot to add that I agree its usability and features are excellent. They’re one of the apps that sets the bar for how usability should be done by anything people in my camp would prefer.

                                                                                                                                                                                        1. 2

                                                                                                                                                                                          Yup. Again, it’s not for you :) You’re a security expert with highly specific needs :) That 100MB includes as others have said a filesystem, chat/group chat and encrypted SCM features. Not what you want.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            I’m a security expert with a mental disability that makes me forget stuff constantly. I use GUI-based, highly-usable apps by default wherever I can. I rarely use stuff like GPG. Even when I do, it’s an ultra-minimal workflow that ignores the vast majority of its features. I might be closer to the intended demographic than you might think. :)

                                                                                                                                                                                            Let’s look at Keybase’s target instead of me. If you’re right, then they want to bring in the masses. So, we look at adoption patterns to find out what the masses want. Here’s what they want:

                                                                                                                                                                                            1. Useful stuff a lot of people are already using that lets them leverage any contacts, data, etc they already have. Building on or integrating with existing platforms, centralized or decentralized, lets them do this.

                                                                                                                                                                                            2. Something that prioritizes integrity and availability over confidentiality. They expect stuff to get hacked. They just want it to happen rarely with the company keeping their data as long as possible. Most people trust Google, Apple, Facebook, and Microsoft for this. Dropbox got a lot of them, too.

                                                                                                                                                                                            3. Something that provides what they need or want in exchange for extra effort it introduces. Examples of need are apps for doing important stuff (esp work-related), AV on Windows, backup/sync software or using Facebook cuz family members prefer it for important stuff. Examples of want are Apple’s luxury products, anything adding personalization, anything increasing convenience after initial trouble (eg Dragon Naturally Speaking), and apps for doing fun stuff.

                                                                                                                                                                                            Now, let’s assess Keybase against that list of massively-successful, mass-market goods. For 1, it’s not built into the platforms they don’t want to leave. For 2, the services I mentioned are much more likely to last and have better security teams than Keybase. For 3, existing players already provide a solution with wide adoption that’s usually better than what Keybase offers. It is getting a niche in the want/fun category for certain computer geeks and privacy lovers. They’re a tiny, tiny, tiny, tiny drop in the bucket of the identity/chat/storage market, though.

                                                                                                                                                                                            Conclusion: Keybase has nothing to offer, no need, and no want for most people you say it targets. It’s a niche product for computer, privacy, and novelty users in consumer or business space who can accept small community of fellow users. A solution working with Gmail or Facebook, which have existed, will have a better shot of wide adoption. Outlook if selling to enterprise. So, there’s still room to do stuff like a highly-usable, front end and/or 3rd-party integrations with GPG since they’re used within some of the same niche markets.

                                                                                                                                                                          2. 2

                                                                                                                                                                            For the record Gpg4Win also ships with GpgOL - a plugin for Outlook. I didn’t use it (Thunderbird+Enigmail work well for me) although it looks okay.

                                                                                                                                                                        2. 0

                                                                                                                                                                          Also, didn’t keybase pivot to being a chat app or something?

                                                                                                                                                                          1. 1

                                                                                                                                                                            Nope. Chat and group chat functionality are included but none of the other features went away, and in fact are being actively maintained.

                                                                                                                                                                            1. 1

                                                                                                                                                                              Ah. Thanks for the info.

                                                                                                                                                                        3. 5

                                                                                                                                                                          I’m not entirely sure keybase will solve things at scale, but it’s filling a gap:

                                                                                                                                                                          Keybase has many features that I’m not using (git, filesystem, chats, teams), but I use it to follow the heck out of people that I know or work with. This gives me fine access to properly managed keys from all the peers. Given your other comments down this thread, I believe this seems to be exactly your use case too.

                                                                                                                                                                          1. 7

                                                                                                                                                                            Exactly. It provides a really nice interface around the aspects of public key crypto that frankly we’ve done a crappy job of socializing (making it easy for you to manage your key, making it easy for you to expose your key to me and vice versa, and then making it easy for us to use our keys to communicate).

                                                                                                                                                                            It’s not perfect, and as has been said it’s got proprietary bits, but it’s a heck of a lot better than what 98% of people do without it, which is decide they should be using GPG, create keys, upload them to a keyserver, make a mistake, realize they are utterly hosed forever, and throw up their hands in dismay and go back to not using crypto (Which is EXACTLY what the author of this article did.)

                                                                                                                                                                            Perfect is the enemy of the good (enough).

                                                                                                                                                                        1. 2

                                                                                                                                                                          I must be out of the loop. Ted, what happened to your self-signed certificate?

                                                                                                                                                                          1. 3

                                                                                                                                                                            I believe he’s switched to using https.www.google.com.tedunangst.com instead now

                                                                                                                                                                            1. 2

                                                                                                                                                                              yeah what’s up with this?

                                                                                                                                                                            1. 3

                                                                                                                                                                              Note, this is for local attackers that are beyond reading files. You need to run code as the user.

                                                                                                                                                                              1. 2

                                                                                                                                                                                Yeah, if someone has that level of access, losing saved chrome cookies is probably the last thing to worry about.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  I don’t mean to be facetious but what could be worse than losing your cookies for most people?

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    Having some hidden script running behind the scene and monitoring everything realtime and transmitting back.

                                                                                                                                                                                    Someone making a copy of confidential files (documents, photos, etc.).

                                                                                                                                                                                    Access your browser and take note of any saved passwords (the last time I checked, a user could see their passwords in clear text in Chrome and maybe Firefox).

                                                                                                                                                                                    Delete your precious save games of Skyrim.