Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS

Developer Mattias Geniar writes (condensed and edited for clarity): One of the next versions of Chrome is going to force all domains ending with .dev and .foo to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header. This very interesting commit just landed in Chromium:
Preload HSTS for the .dev gTLD:

This adds the following line to Chromium's preload lists:
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },
It forces any domain on the .dev gTLD to be HTTPs.

What should we [developers] do? With .dev being an official gTLD, we're most likely better of changing our preferred local development suffix from .dev to something else. There's an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.

Maybe...?

[cayenne8]

Maybe use browser other than Chrome??

Re:Maybe...?

[Z00L00K]

All the strive to force users to go https has gone over the top. It's better to be nice about it.

Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

Keep the https available for cases where users want to get the extra security. Assuming that users are stupid makes the users stupid.

Re:Maybe...?

Which browser would that be?

Chrome/Chromium is the only one that supports the major desktop and mobile platforms.

Safari doesn't run on Windows or Linux or the BSDs or Solaris or Android.

Edge doesn't run on macOS or Linux or the BSDs or Solaris or Android.

Modern versions of Opera, Vivaldi, Brave and various other browsers are basically just Chromium with varying degrees of tweaks.

Firefox and Pale Moon aren't options. Firefox is too damn slow for me. After the recent Ad Nauseum extension debacle, I will never consider Pale Moon.

So Chrome/Chromium ends up being the only usable and practical browser available today.

Re:Maybe...?

That's pretty narrow-sighted. http protects users from malicious intent by man-in-the-middle attacks such as injection by their ISP. HTTPS should be everywhere and the faster we get there the better

Re:Maybe...?

Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

It may be true that the content of the connection are not worth to be kept secret, but TLS also adds integrity protection. No-one is going to insert ads (hello, American ISPs!) or malicious scripts (hello, most TOR exits).

Re:Maybe...?

[93+Escort+Wagon]

If you're on multiple platforms, why do you necessarily need to be using the same browser everywhere? Unless you're willing to let Google track you (e.g. by logging in and using their "cloud" bookmarks), there's no particular advantage to it. Web browsers are pretty simple, so it's not exactly hard to adjust to how each one does things.

I use Safari on the Mac, keeping Chrome around specifically for when some site I need to access requires Flash. If I have to venture over to Windows, I generally use Firefox.

Re:Maybe...?

[ArhcAngel]

Might I suggest Waterfox? It's based on the current Firefox code but strips out the tracking and puts NPAPI plugins back. It runs on Windows, Mac, and Linux. No mobile version yet.

Re:Maybe...?

[grub]

What "Ad Nauseum extension debacle" is that? I'm familiar with the extension, and did run it for a while, but a cursory search doesn't help me.
Thanks!

Re:Maybe...?

Chrome doesn't work worth a damn on mobile and you would be hard-pressed to find anything less practical. And conversely, you'll find that Firefox is one of the only browsers for Android that is usable, because you can install ublock, privacybadger, etc. (Not sure what the situation on iOS is.)

Re:Maybe...?

Pale Moon made an exception to the policy of letting users run whatever they want, by disabling Ad Nauseum unless you dig into about:config.
It's always a problem when the software we want to use to fight against the scourge that is advertising gets made by people who depend on advertising.

Re:Maybe...?

[grub]

Ah, got it. A search with "Pale Moon" included is returning much. I neglected it the first time.
Thanks, AC!

Re:Maybe...?

Please refer to this discussion in the Pale Moon forums.

In short, the developer of Pale Moon ("Moonchild") decided to blacklist the AdNauseam extension for ideological reasons. This change was forced on Pale Moon's users, who were generally very much against this change happening. Users can still use the extension, but they have to jump through hoops that involve changing about:config values. Then the forum discussion about this debacle was abruptly closed, with Pale Moon's users effectively being told to fuck off.

I'm not a Pale Moon user, but after this debacle I will never be one. I think that this has totally ruined Pale Moon's reputation, at least for me. A browser vendor should never decide which extensions the browser users can or can't use. I don't care if it's possible to break the configuration so that the extension can be used. Users should never have to do that.

I think it's also very distasteful how Pale Moon's users were treated so poorly. Many of them switched to Pale Moon from Firefox because they were tired of Firefox's developers making unwanted changes like this and forcing these changes on Firefox's users. Now Pale Moon is treating them just as badly.

As far as I'm concerned, this one incident makes Pale Moon completely unusable, now and in the future. I just can't trust its development team after this.

Re:Maybe...?

[Captain+Splendid]

Works pretty good on my old, busted up iphone 5. Works pretty good on my 4 year old ipad. Finding it kinda weird it works well on iOS and not on Android.

Re: Maybe...?

Chome is fast and light on my Android phone. Firefox for Android is slow and bloated. I can get a lot more battery life when I use Chrome.

Re:Maybe...?

most TOR exits

You have proof of that most do? Proof that more 50% of exit nodes are injecting malicious scripts?

[citation needed]

Re: Maybe...?

This. Pale moon will sit and rot now. Deservedly so.

Re:Maybe...?

[WaffleMonster]

That's pretty narrow-sighted. http protects users from malicious intent by man-in-the-middle attacks such as injection by their ISP. HTTPS should be everywhere and the faster we get there the better

Encryption requires PERMISSION and thus serves as yet another point of leverage for those wishing to assert censorship over content and entities they don't like.

HTTPS as a destination is laughable... there are hundreds of entities .. some straight up state run by hostile governments with ability to generate keys seen as legitimate globally by the worlds population of web browsers. Better than nothing but hardly what I would deem to be anything approaching trustworthy or secure.

Ends don't justify means. A desire to reduce MITM opportunities does not justify forcing people to use https if they don't want to.

Re:Maybe...?

[cayenne8]

If you're on multiple platforms, why do you necessarily need to be using the same browser everywhere? Unless you're willing to let Google track you (e.g. by logging in and using their "cloud" bookmarks), there's no particular advantage to it.

I do similar to what you do....different browsers for different OSes...

I primarily use Safari on OS X and IOS.

I pretty much use Firefox on Linux and Windows...except some work applications that seem to only want to work with IE. so I use that only for a select few things.

I've tried Chrome a couple of times and just never really cared for it...I think it was almost too minimalist and I could get it set up they way I like things.

I actually don't know many people that use Chrome, but then again, maybe it's a younger crowd primarily for chrome?

Re:Maybe...?

[swillden]

Encryption requires PERMISSION

How so? Outside of North Korea, I mean.

Re:Maybe...?

Thanks!

Re: Maybe...?

I usually develop on "development.mydomain.net". Seems to work for me.

Re:Maybe...?

[swillden]

Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

You're making the common error of believing that the purpose of TLS is to protect the secrecy of the content stream, but that's only one half of it, and in most cases the less important half. The other goal is to ensure the integrity of the content stream, not because your cat pictures are important but because browsers are too big and too complex to secure effectively. TLS ensures that no one can inject anything malicious (or even anything annoying) into your stream of cat pictures. Of course, the site you're getting the pictures from could be malicious (and/or annoying), but with TLS you only have to worry about the origin site, not every network hop between it and you.

Oh, you also have to worry about entities capable of and willing to create bogus site certificates. That's an inherently self-limiting problem, though, because unless it's kept very rare, use of bogus certs will be noticed and the compromised root certs stripped from browsers. Entities who do those sorts of attacks have to limit their use to specific, important cases.

Re:Maybe...?

I am almost dead center of middle aged. And I prefer Chrome over the rest by quite a bit. Most of the developers I know use Chrome.

However Chrome's adherence to SSL standards has been causing me a lot of issues lately. And it looks like this will continue. They really should give us devs a switch that tells chrome to let any SSL issues slide when doing testing.

Re:Maybe...?

This is ignorant, sorry.

If your site is not encrypted, any third party can MITM it and use it to attack users. They can alter your whole webpage in obvious (straight up malware, page hi-jack) and non-obvious (e.g. links, scripts, etc) ways.

Global HTTPS is a requirement for a secure network. ANY non encrypted traffic, regardless of the origin, can be used to attack everyone else.

Re:Maybe...?

[fuzzyf]

Http means anyone can inject BeEF hooks in your browser sitting at the local Starbucks. No matter how unimportant yyour content might be.

http://beefproject.com/
It's so easy you can do it with a phone using an app like dSploit.

Http used to be ok, today every scriptkiddie has access to tools that will pwn any browser with a mitm attack.
Also, any http security header you might add from your site is useless without https.

Re: Maybe...?

It doesn't matter that there are untrustworthy CA's. Unless you are stupid enough to give them your private key, they can't decrypt your traffic.

And things like CAA and the various pinning techniques make it difficult or impossible to launch a MITM attack.

Modern versions of TLS are a lot more secure than you give it credit for.

Re: Maybe...?

CAA and certificate transparency is addressing the problem of compromised CA's

Re: Maybe...?

1) Buy a domain name for a few dollars

2) Ask Letsencrypt to give you free certificates

3) Set up an Nginx reverse proxy on your internal network

4) Profit (aka, don't ever worry about Chrome complaining that your development site is deployed differently from a production site)

Re:Maybe...?

[spire3661]

Thats why you use VPN when accessing the internet over a 'hostile' connection...If you are using random wifi without VPN, you kind of deserve what you get.

Re: Maybe...?

[tepples]

So what should a developer who doesn't already own a counterpart to mydomain.net do for his internal test servers, such as someone whose web presence is through a github.io subdomain? Or why is it fair to impose a $15/year recurring fee on every household with a home LAN?

Re: Maybe...?

[KingMotley]

Make your own cert then. Nothing is stopping you from self-signing a cert and then telling your browsers to trust it -- for free.

Re: Maybe...?

[tepples]

Nothing is stopping you from self-signing a cert and then telling your browsers to trust it

Not even a change to how Android handles certificates?

Re:Maybe...?

[cfalcon]

I find your summary to be correct, but I don't personally agree with your conclusion. Moonchild's early post made it sound like it was malware and he was confused, and later he clarified that he was leading a crusade against other crusaders he disagreed with, but was careful to point out that the workaround was setting a value in about:config that disallows actual malware but allows stuff like this (of which ad nauseam is the only entry). It's a bad position for him to take, and he's wrong to do so, but it's certainly not enough to make me stop using Pale Moon. If I were an ad nauseam user, I'd *probably* be making that setting change to unset the "block my addon" byte.

It really seems like Moonchild just doesn't want to be seen in any universe as giving his stamp of approval for anti-advertising activism.

Re:Maybe...?

Why did I think it was only for Mac... https://www.waterfoxproject.org/downloads

Re:Maybe...?

[Luthair]

I think you missed a key point - Google bought the .dev TLD and their intended usage is only their own projects. So what they're doing here is asserting that all their dev domains will be encrypted.

The issue here is iCANN shouldn't have been dumb enough to grant a TLD that has been widely used internally, but unfortunately they have a financial incentive to hawk as many TLDs as possible.

Re:Maybe...?

[GuB-42]

Maybe use browser other than Chrome??

Firefox follows the same path (forcing https). If fact it tends to follow Chrome's every move...
AFAIK Safari does it too.
I'm not sure about IE/Edge and all the small players (Opera, ...).

Re: Maybe...?

[KingMotley]

Must suck to be an android user.

Re:Maybe...?

[Ignorant+Aardvark]

FYI, the HSTS preload list is used by all major browsers (Chrome, Firefox, IE, Edge, Safari, Opera, etc.). This is a good thing, of course; online security shouldn't be enforced conditionally depending on which browser you're using.

The linked article got it wrong. This isn't about Chrome adding TLDs to the HSTS list, it's about the TLDs' owner (which also happens to be Google) adding them to the global HSTS list.

Re:Maybe...?

https is an illusion, the easiest way to realize it is to look at the trusted root certificate list that all browsers and OSs are holding.

If totalitarian regimes have a trusted root certificate, then secure it is not.

Re:Maybe...?

[Altrag]

Most houses don't get robbed much so there's no point in buying locks, correct?

Assuming that users are stupid makes the users stupid.

It only appears that way if you don't pay attention. Its not because it makes a previously not-stupid user magically become stupid, but because widening the audience to allow for stupider users brings down the average. If you want to appeal to a larger market, its the way to go. If you want to stick to communities that shun non-technical people out of hand well.. there's plenty of those around the internet also.

Or to put in terms of a quippy rebuttal: Assuming there are no stupid users makes you stupid.

Re:Maybe...?

[thegarbz]

Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

What someone finds offensive about someone else's browsing habits is not for the content producer to decide.

Re:Maybe...?

[LightningBolt!]

"Grandma, don't forget to set up a VPN before you use the WiFi at the coffee shop. Otherwise you deserve to get malware on your machine."

"What's WiFi?"

Re:Maybe...?

Most houses don't get robbed much so there's no point in buying locks, correct?

Not correct.
Always buy lock, stock and barrel. And keep your powder dry.
Shooting robbers is community service.

Re:Maybe...?

[Mashiki]

If my 86 year old grandmother who had terminal stage 4 cancer could remember it, yours should be able to, too. It works if you use a mouse in a pantry analogy for example Something that a lot of nursing homes have found out that if you relate something to someone who's older, that fits the stuff they grew up with their brain seems to "get it" even if they don't understand it.

Re: Maybe...?

[Entrope]

Now that's what I call ignorance.

Man-in-the-middle attacks require an attacker to be in the middle. Only third parties with access to the network links (or routing tables), not "any" third party.

And IPsec is still a thing.

Re: Maybe...?

Of course all the browsers do. This is no longer the Dark Ages (aka as IE6).

Browsers actually comply with standards. Not surprisingly that means their technical features are all very similar. Differences are only in performance, security, extensibility, OS integration, and user interface details

Re: Maybe...?

Get a free DNS service such as freedns.afraid.org? You don't need to own a domain for Let's encrypt; controlling a subdomain is enough.

Re:Maybe...?

[spire3661]

We call this 'all the power, none of the responsibility'. If she cant handle setting up a private connection then perhaps computing is too much for her. You cant magically hand-wave away proper security procedures. If fricking salesmen can figure out how to VPN, grandma can. (When i worked in I.T. I had many heated arguments with salesmen who didnt want to learn how to do things right either.)

Re: Maybe...?

[sound+vision]

I don't care if they mitm my porn, music stream, or cat video. And if the ISP is acting maliciously you are fucked anyway. The right place to address that is in a courtroom or legislative body.

Re:Maybe...?

Next up: Chrome automaticly detects all other browsers and updates Software execution restrictions to block their execution. For the user's safety of course..... They might be tricked by a sysadmin into running an "insecure" web browser to make the site they want to go to accessible!!!!! /sarcasm

Seriously, why does Chrome get to get away with this? And don't give me the "browser monopoly" dodge. This breaks real world expectations. Would we allow this on the .com / .net / .gov gTLDs? Never mind that HSTS forbids user override, which can render entire sites useless. Now we're taking away the choice of the webmaster? At this point, HSTS is no longer about "trust" or "safety". It's about control. If a third party gets in between you and the server that's the real issue. Now rather than it be some hacker attempting to downgrade the connection, it's some company dictating to you what is and isn't "trustworthy".

Worse, there are some network appliances that require renewed certificates to be uploaded via their web interface. If the cert isn't valid, Chrome won't connect via HTTPS, you have to use HTTP. This just makes it worse now. (Thinking about internal intranets on a domain.) Sure it's limited to .dev and .foo, but if you can't recognize the testing attempt that the chromium devs are doing with those particular names, let me spell it out for you: They want to extend this to other TLDs. They are using .dev and .foo as a beta test. A test that won't pick up internal servers on private networks, but will definitely impact them in the long term.

Also, Chrome changes it's definition of "secure" almost daily. Requiring HSTS on everything, would just mean that a lot of sites would just stay broken & inaccessible due to the constantly changing requirements. (I can also see this being abused by CAs promoting "Guaranteed Chrome Ready" certificates at a premium.)

This system needs to be scrapped. It had good intentions, but we can't allow this to become a method for abuse.

Re: Maybe...?

[JohnFen]

What in Nougat is stopping you from using a cert signed by your own CA? I'm not seeing that in the page you linked to. On the contrary, I see specific instructions on how to allow exactly that.

Re: Maybe...?

[tepples]

In addition to the user allowing that, the app developer also has to allow that.

Re: Maybe...?

[JohnFen]

Hmmm...

I haven't put any effort at all into learning the details of the Nougat way yet (I don't target apps that far up the version ladder), so I am likely to be wrong in my first impressions -- but on the surface it doesn't look like this change is that big of a deal for most apps. There are probably edge cases where it is, though.

Re:Maybe...?

[farble1670]

Assuming that users are stupid makes the users stupid.

So true. That's why I advocate not wearing your seat belt. What's better than the threat of death / dismemberment to improve your driving skills?

Re: Maybe...?

(original Anon here)
You are correct. You should also be aware that most networks are easy to MITM. Go to any local starbucks, supermarket, to your neighbour's house, to your job, to most college campuses, etc. I always take for granted that there's a third party in the way without much difficulty. Assuming otherwise is being a pedantic arrogant prick.
 
MITM happens all the time. It's your fucking ignorant choice to ignore it. Cunt.

Re:Maybe...?

[ArhcAngel]

Chrome on iOS is just a wrapper on top of webkit. Apple still doesn't allow native rendering engines so Google can't use Blink on iOS.

Re:Maybe...?

[Captain+Splendid]

How the fuck is it faster and less crash prone than safari on iOS then? Christ, Apple, get your shit together.

Yeah

And yet another reason not to use communist-Chrome.

Re:Yeah

We use .dev and .test domains in our intranet all the freakin time.

Re: Yeah

That's pretty stupid of you.

Re:Yeah

[scdeimos]

You should be using .test domains - that's recommended practice by W3C https://tools.ietf.org/id/draf....

The .dev domains, on the other hand, are valid gTLD and are owned by Google. It's not surprising that Google wants to force HTTPS on a gTLD that they own.

Re:Yeah

[driblio]

Thank you, for the only bit of info about WHY they are doing this!

Host: request header

I propose that *.localhost resolve to 127.0.0.1, AND that the Host: header exclude the .localhost portion so I can have identically configured test/production systems, without having to dick around with toggling /etc/hosts, or dick around with ServerName configuration changes when pushing from dev to prod.

Will Firefox do this too?

Will Firefox be doing this too? Do web designers and devs even use Firefox these days?

Re:Will Firefox do this too?

it will be one very easy way to see if firefox copies EVERYTHING google does or if they're just selective in the bullshit stuff they do swipe.

Switch to .test

.test is an IETF standard for this purpose. .dev never was. Google own .dev, and they own Chrome, so they are perfectly welcome to do this. We could argue as to whether a browser that enforces per-domain protocols is truly adhering to browser standards (and the larger ramifications if every browser coder started doing the same), but accept that you have zero right to use .dev as your personal fiefdom and move on to something that will remain easier for you to maintain.

Re:Switch to .test

dev != test != prod

Re: Switch to .test

You should just use .autist instead. It suits your personality much better than .dev or .test do.

Re:Switch to .test

[grub]

NEEDS MOAR AGILE!!!11````

Re:Switch to .test

[Zero__Kelvin]

devel != dev

Problem solved.

Re:Switch to .test

[cfalcon]

> devel != dev

Until Google buys "devel" and changes that too...

Re:Switch to .test

[LightningBolt!]

FFS. Do you seriously deploy to the .prod TLD, which is also owned by google? You should write a book called "DNS Worst Practices". This stuff is spelled out quite clearly in RFCs.

Use dev.test, test.test, etc for your 2LDs. So myservice.dev.test, etc.

Better yet, just allocate domains for internal use on top of the one you certainly already own (e.g. dev.mydumbbusiness.com) so you can have myhost.dev.mydumbbusiness.com, etc. Or register a tld specifically for internal domains. In any case, you just manage the zone file in your internal DNS. You're already doing that if you're overriding the .dev and .prod TLDs internally.

Re:Switch to .test

[Zero__Kelvin]

I agree. It will never be a problem, as you say.

Please see RFC6761

[mysidia]

.invalid and .localhost are already reserved for private usage.

Re:Please see RFC6761

[Gavagai80]

Until .invalid gets auctioned to a bidder who wants to sell disability-related domains on it, and .localhost gets auctioned for use by local tour guide sites.

Re: Please see RFC6761

IANA and ICANN have agreed that these are reserved top level domains. They will never be allocated to anybody. That's the whole point of RFC 6761

Re:Please see RFC6761

[mysidia]

Until .invalid gets auctioned to a bidder

They cannot be; RFC6761 is a compulsory standard to the DNS and specifies these names as permanently reserved.

Re:Please see RFC6761

[Luthair]

The article points it out .localhost only maps to 127.0.0.1 on Chrome & Safari, so if its an internal test server that doesn't help.

Re:Please see RFC6761

[LightningBolt!]

No.

.localhost TLD?

[TheRealMindChild]

And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds

Cmon, we aren't talking some crazy complicated configuration here. DNSMasq: add "address=/localhost/127.0.0.1" to your config file. Boom. Done.

Re:.localhost TLD?

[grub]

I showed my 11 year old daughter your sig. She smiled and said "That's awesome! I'm going to get my engineers to make a combustible lemon that burns your house down!"

Re:.localhost TLD?

She might enjoy the game Portal 2.

Re:.localhost TLD?

[grub]

She played it, that's where the quote is from. Or am I whooshed?

Re:.localhost TLD?

dnsmasq is an overly-complicated and over-engineered piece of software. It also violates the UNIX principle. unbound FTW!

Re:.localhost TLD?

She played it, that's where the quote is from. Or am I whooshed?

That was the sound of a combustible lemon whizzing past your ear.

Curious about .local on local network...

[cdreimer]

I use the .local domain on my home network. Those IP addresses are definitely not 127.0.0.1. I have no interest in changing to .localhost and/or setting up certificates for my intranet websites.

Re:Curious about .local on local network...

I use the .local domain on my home network. Those IP addresses are definitely not 127.0.0.1. I have no interest in changing to .localhost and/or setting up certificates for my intranet websites.

I hope they do change it, and prevent you from accessing the internet. Nothing of value would be lost.

Re:Curious about .local on local network...

Since 2013, .local is a reserved TLD for the mDNS system (Avahi, Bonjour, ...). This clashes with previous recommendations by Microsoft and of course wide informal use of the .local domain (me too). The label localhost must not be used as a TLD in the root zone, so you could use that for a LAN, but of course that clashes with its usual "127.0.0.1" resolution.

Re:Curious about .local on local network...

I hope they do change it, and prevent you from accessing the internet. Nothing of value would be lost.

And for shitposting ACs who add nothing to the discussion with their creimer fixation.

Re:Curious about .local on local network...

I do that too for both home and work. I have no issues with it, other than being mistreated by Chrome already by labelling all my .local as searches instead of URLs. (requires adding a / suffix)

Re:Curious about .local on local network...

*.localhost, *.test, and *.invalid are much safer than using an invented TLD such as *.local. The former are explicitly set aside and won't ever be allocated to any one entity. They do have special properties though, and it is conceivable that browsers could handle them differently at some point. So, by using these domains you are explicitly taking the risk that your network could at some point stop working as intended. But the risk is still smaller than when using *.local which was never supposed to work.

The better solution would be for you to buy yourself a cheap domain, even if you only ever use it internally. Make it your default domain, and you'll never have to explicitly enter it anywhere. The computer automatically appends it where needed. This is something you can most likely set up on your DHCP server.

If you can figure out how to make the domain resolve on the internet though, you could then authenticate to Letsencrypt and get free SSL certificates. For hostnames on internal networks, the best option is DNS instead of HTTP authentication when using Letsencrypt. That way, you can use private non-routable IP addresses, but still authenticate with Letsencrypt. This is easier, if you have at least one static IP address for your public DNS server (could be a Amazon Lightsail instance); but with some extra scripting, this can also be done with dynamic IP addresses.

The reason why you want SSL certificates for internal servers is that browsers only give access to modern Javascript features, if your site is served over HTTPS. For a basic home network, that doesn't matter one way or another. But if you want to experiment with advanced features or develop software, this could very well matter to you.

Re:Curious about .local on local network...

[TheRealMindChild]

But the risk is still smaller than when using *.local which was never supposed to work.

The better solution would be for you to buy yourself a cheap domain, even if you only ever use it internally. Make it your default domain, and you'll never have to explicitly enter it anywhere. The computer automatically appends it where needed. This is something you can most likely set up on your DHCP server.

What exactly is the risk? This is how DNS should work. Not every network is globally accessible, and neither should their namesake

Re:Curious about .local on local network...

That isn't mistreatment by Chrome, that's standard and default DNS resolver behavior.

Since .local is a valid top level domain which is signed, any hosts you add that break the DNSSEC chain are supposed to return NX-Domain results.

Chrome is simply taking the completely valid "This is not a registered host and it seems someone is trying to hijack it" response and correctly not sending you there.

Re: Curious about .local on local network...

If Creimer stopped shit posting, then so would the ACs. Now do you see the problem that HE created. This is entirely his doing. He brung this wrath upon himself. Now deal with it Creimer fanboy.

Why so bitter, sweet tits? You must be a 47 year old virgin like Creimer. Go figure.

Re:Curious about .local on local network...

Nah; just hijack .dev completely and make the owner regret buying it.

Re: Curious about .local on local network...

[cdreimer]

If Creimer stopped shit posting, then so would the ACs.

Funny how that didn't pan out over the last few weeks. I guess you don't speak for all the ACs then?

Re: Curious about .local on local network...

Funny how you didn't stop shit posting in the last few weeks either.
Hint: Next time, try using a WILDLY different user name and don't link to that digital cancer you call your blog.

Re:Curious about .local on local network...

[The+MAZZTer]

.localhost not .local. IIRC .local is reserved for local network usage so you are using it properly.

Re: Curious about .local on local network...

You post constantly, and it's all either internet drama or incredibly stupid.

If you're sincere, choose a username like "lovescashews," stop spamming Amazon, and stop telling the same irrelevant personal stories over and over.

Re:Curious about .local on local network...

[tepples]

.localhost is for 127.0.0.1 only. What would you use to test, say, the client side of a web application on an Android phone, iPhone, Android tablet, or iPad?

Re: Curious about .local on local network...

Nothing of value would be lost if I couldn't give you shit for shitposting, it's true. But you could accomplish that easily by:

- fucking right off
- posting useful, relevant information that doesn't include all the irrelevant dross you sprinkle in

Either one would suit me just fine and eliminate any posts from me here except my very highly rated non-anonymous posts that I regularly make here.

Re: Curious about .local on local network...

[ILoveFatCashews]

You post constantly, and it's all either internet drama or incredibly stupid.

If you're sincere, choose a username like "lovescashews," stop spamming Amazon, and stop telling the same irrelevant personal stories over and over.

Do you want some spam-flavored macadamia nuts with your whine?

Re: Curious about .local on local network...

Dear Chritopher Dale Reimer,

I am the chief representative AC and I would like to explain something to you:
It is like pesticide usage; one shot might not be enough and you have to keep fighting even when things seem calm to avoid production of siblings like shown here:
https://www.youtube.com/watch?...

So, no, your 2 day slow down at shit posting did not quite cut it. Go figure:
https://school.discoveryeducat...

Re:Curious about .local on local network...

I hear your siblings use the .egg domain for their home network and that they have to by law so are you sure you are legit in doing so?
https://www.youtube.com/watch?...

You must admit there are striking similarities with your head contents:
https://school.discoveryeducat...

Re:Curious about .local on local network...

[LightningBolt!]

Based on recommendations that claimed .local can conflict with various UDP multicast LAN protocols, I recently changed my home DNS to be a subdomain of a domain I pay $10 a month for. I was skeptical doing this initially, but now that it's implemented, I like it better. With search domains set up, you don't even have to care that you now have a longish domain name for internal hosts.

Alternatively, .test is meant for local use even if it doesn't seem like the best name for the job.

Re:Curious about .local on local network...

Not anymore. Apple decided to use .local for their mDNS stuff, so if you have any Apple devices on your LAN (or anything that has features to communicate with Apple devices), you may run into conflicts.

better of dead

" we're most likely better OF changing our preferred local development suffix..."

I just don't understand the hatred for devs...

that Google has. They already broke the "-ignore-certificate-errors" flag which was driven by their hate. I often have to change my clock for testing, and Google made the decision that I should not be allowed to use the web. We use Let's Encrypt certs that area also pretty hatefully limited to 90 days so they waste so much of our time having to maintain them, so you can't move your clock that far forward or backward before Google decides you shouldn't be able to work.

Re:I just don't understand the hatred for devs...

They also decided to break --disable-web-security which they had previously supported for years. They even broke it in Content Shell which is used only for headless testing, which makes no sense unless they just don't want us to use Chrome for development.

Re:I just don't understand the hatred for devs...

We use Let's Encrypt certs that area also pretty hatefully limited to 90 days so they waste so much of our time having to maintain them

you realize you can just have a cron job auto renew your certs right...

Re:I just don't understand the hatred for devs...

It's arrogance. THEY are not personally affected, so they don't care; and they have it set up to work with THEIR network.

(See the Google devs only care about TWO networks - people accessing www.google.com publically and their own internal network. They simply don't care about the variety of other network configurations out there.)

Re:I just don't understand the hatred for devs...

[OverlordQ]

> also pretty hatefully limited to 90 days so they waste so much of our time having to maintain them

It's a one line cron entry, if that takes too much time, maybe you should hire somebody to do your job.

Re:I just don't understand the hatred for devs...

If they do DNS authentication, then it is a bit harder than just one line. I have our updates automated, but it took some work to write scripts to update Route 53 (Amazon's DNS), run nonstandard scripts from https://github.com/lukas2511/letsencrypt.sh.git then massage the files saved by that so Nginx can read it, then copy them to our load balancer. Still working on automating our certs that are used on F5 load balancers.

Re:I just don't understand the hatred for devs...

[tepples]

you realize you can just have a cron job auto renew your certs right...

How so? Let's Encrypt rejects hostnames in reserved domains, such as .local, .internal, and .test. It works only with actual registered domains. This means you'd need to make another cron job renew the domain, and another cron job pay the credit card bill for the domain renewal, etc. I must be missing something; what is it?

Re:I just don't understand the hatred for devs...

Oh looks, it's another hopeless waste of carbon who thinks it's oh-so-clever to begin their comment with a sentence fragment in the subject line and a sentence fragment in the comment box.

Why don't you go suck on a tailpipe?

Re:I just don't understand the hatred for devs...

[thogard]

CNAMEs are your friend if your using DNS authentication for lets encrypt.

What scares me is that millions of people fully trust what the default scripts are doing to their computers. Every 90 days certs and the scripts get updated which means someone in the chain of trust has the ability to completely p0wn a machine. How many black-hats are going through those scripts hunting for a way to exploit any bugs? The certbot-auto does enough scary things and it only needs to be run once.

Re:I just don't understand the hatred for devs...

It works only with actual registered domains.

Sure, for now..... as long as they allow you their certificates then it works for registered domains. This whole forced https thing looks more like a noose to hang people with that don't play along.
I don't trust them.

Re:I just don't understand the hatred for devs...

If Let's Encrypt is "wasting your time" then you are definitely doing it wrong.

Re:I just don't understand the hatred for devs...

It's a one line cron entry

Only if you download random software from untrustworthy[1] websites. But then you have to include the time you spend updating your antivirus software, and reinstalling whenever your antivirus software fails to prevent you from running random software from untrustworthy websites.

[1] Trust is built over time, and the default is untrustworthy. Recommending installing random software from untrustworthy websites is an automatic negative score while attempting to build up trust.

What should we [developers] do? - Uhh... use TLS?

Seriously, how is this even an issue? You can get free certs and there's so countless walkthroughs on how to setup TLS for almost any server (with Mozilla's being the best imo). With ISP's consistently showing they have no respect for your content or anyone else's it's hard to justify NOT running TLS on a web server.

Both the "problem" and the solution have been know

Both the problem and the solution have been known for a long time, now. Google hasn't exactly been shy about telling people to stop using *.dev

If you are big enough that this matters to you, then you can afford the minimal cost to register a proper domain. A quick search suggests that you can get a *.top domain for less than $6/year. And it's not as if *.com costs all that much more. If you already have a domain, then you could even continue using "dev", by making it a subdomain for your primary domain name. If your business depends on it, then it would be foolish to not spend this tiny amount of money and to instead rely on a hack. Incidentally, having a proper domain means you can also get free SSL certificates from Letsencrypt. That's important, as a lot of advanced Javascript features are only available for HTTPS protected sites.

On the other hand, if you are 1) a hobbyist, 2) don't need modern browser features and, 3) can afford occasional downtime, then yes, by all means, "invent" some domain name and hope for the best. Usually, the recommendation would be to use something in the *.test TLD which has explicitly been set aside for testing purposes. But there is no guarantee this will continue working. So, you could try experimenting with *.localhost instead and hope for the best.

What should you do?

[viperidaenz]

How about: Don't use a gTLD for your local DNS?

Also, why are you doing web development without HTTPS unless you're planning on never using it? It's not like certificates cost anything. There's also nothing stopping you loading your own CA cert and signing your own certificates too.
Browsers behave differently based on the protocol. Building against one set of rules and deploying against another is just asking for problems.

Re:What should you do?

[Zero__Kelvin]

This is exactly right. IOW, don't do it wrong and everything will be alright. :-)

Re:What should you do?

"I just can't understand programming even after trying. Am I doing something wrong?" Author Unknown

Re:What should you do?

[ElizabethGreene]

>> How about: Don't use a gTLD for your local DNS?

Lest someone take that advice the wrong way, let's be very clear.

You DO NOT want to use fake/bogus TLDs in the internal network of an enterprise. It creates serious pain points, not the least of which is that you can't get public SSL certificates against your internal names. That means you have to push your private CA cert into a bunch of applications and it's a huge PITA.

Examples: On Windows you can distribute your Enterprise CA cert via Group Policy. That doesn't help you with apps that don't use the OS certificate trust lists. I.e. Java cacerts (yes, the password really is "changeit"), Firefox, Safari, non-windows clients, and other random one-offs. When you do an M&A or partnership you have to ask your peers to go through the same song and dance and hit show-stopping issues if the partners user PCs can't hit your CRL DP or OSCP endpoints.

Re:What should you do?

[viperidaenz]

big companies love having their own CA though, it lets them decrypt and snoop on HTTPS traffic and resign it without browser security warnings

Re:What should you do?

Also, why are you doing web development without HTTPS unless you're planning on never using it?

In my experience, the most effective last resort debugging tool is Wireshark.

Do you have a guide to getting Wireshark to work with HTTPS?

Re:What should you do?

[houghi]

How about: Don't use a gTLD for your local DNS?

Reminds me at when I used to work at a provide and a person had hard coded 193.168.x.y in all the companies hosts file. As they now where not seeing the local server, but some website somewhere.
He asked us if we could change the standard from 192.168.x.y to 193.168.x.y. I am happy I knew where the mute button was.

Re:What should you do?

[viperidaenz]

I've always thought the 192.168.0.0/16 and 172.16.0.0/12 blocks were a bad idea.
They account for a little over 6% of the entire private address space. I don't see why it can't just be 10.0.0.0/8 for private.

Re:What should you do?

[houghi]

At the time they decided they thought it was a good idea to have a set of A, B, C and D addresses as private.
They had no idea that every button on a toaster needed its own IP.
Hindsight is 20/20.

When you think about it, there would be a better way to do DNS as well. Instead of going protocol://www.domain.tld it would have been better to go protocol://tld.domain.www That way we could have had something like:

www://us/slashdot/it/....
www://uk/co/bbc/index.php
file://home/user/....
7331://us/domain/SomeServerOnPort7331

But we have learn to love with what was decided then and make the best of it.

Re:What should you do?

[viperidaenz]

There is no private class D address space.

Reversing a domain name makes no sense. The most significant part of a domain name is the name itself, not the TLD or what registrar happens to have been used.

Sounds good to me

[JohnFen]

I've been using ".local" for years. I'd have no problem with ".localhost".

Re:Sounds good to me

[Freultwah]

According to RFC 6762, this has been a bad idea for years, because .local is an official special-use multicast DNS domain name and should not be used like that or it'll break your Zeroconf (should that find its way into your network, and it will) six ways from Sunday.

Re:Sounds good to me

[JohnFen]

Yeah, I know -- but old habits die hard, and I don't use anything zeroconf. This has been on my "to fix" list for a while now, though.

RFCs

RFCs exist for a reason. .dev and .foo are not intended for use as private TLDs. Consult http://www.faqs.org/rfcs/rfc2606.html

.dev and .foo are private gTLDs owned by Google

Google has the exclusive rights to two gTLDs, .dev and .foo. Why?! The names are quite generic and have nothing to do with Google explicitly, and they abused their status to claim that they should be able to keep this stake for their own. And now they're tired of other people using these gTLDs internally and are forcing everyone to change with this Chrome update.

They can have .goog and .google and .googleplay and .shitfuck and whatever else, just let us register domains under .dev and .foo.

If Chrome causes problems .... ditch it.

The .dev tld is widely used for development and should never have been assigned to Google.
If Chrome causes problems .... ditch it.

Re:If Chrome causes problems .... ditch it.

[KiloByte]

The .dev tld is widely used for development and should never have been assigned to Google.

Talk to ICANN. It's them who destroyed the well-working system of TLDs for a quick buck.

If Chrome causes problems .... ditch it.

For 99% of usage, yeah, that's a good idea -- no one wants spyware (ok, other than 99% users, but I don't care about normies). But broken sites which work only on Chrome are too frequent to not have it installed.

Re:If Chrome causes problems .... ditch it.

The .dev tld is widely used for development and should never have been assigned to Google.
If Chrome causes problems .... ditch it.

Is it? I've never seen that practice anywhere, so news to me.

between this and their imagined authority on TLS

google's getting a bit too controlling for my tastes

Re: What should we [developers] do? - Uhh... use T

How the fuck are you supposed to use Let's Encrypt for internal/fake domains you haven't registered and don't control, and that aren't running a publicly accessible web server?

What you should do...

[neurovish]

Start creating sites that don't break as soon as you start using TLS 1.2.

Hopefully the other browser makers will follow

[edtice1559]

Seriously are people really using .dev URLs to point to local resources where there could be a name collision with a real TLD? So you have a bunch of links to [].dev that people have stored. And then they switch networks where .dev resolves correctly and they start erroneously sending data to third parties. And we don't all see why that is an awful problem? /. is starting to sound like its the new hangout for Equifax CSO candidates.

Re:Hopefully the other browser makers will follow

[WaffleMonster]

Seriously are people really using .dev URLs to point to local resources where there could be a name collision with a real TLD? So you have a bunch of links to [].dev that people have stored. And then they switch networks where .dev resolves correctly and they start erroneously sending data to third parties. And we don't all see why that is an awful problem?

Myself and others saw why it was a bad idea many years ago. Unfortunately all ICANN saw was dollar signs when they opened the floodgates at expense of the network.

Re:Hopefully the other browser makers will follow

[edtice1559]

That's a very fair point. The expansion of TLDs was a huge problem. But we also have *reserved* TLDs that can safely be used for testing. Any other TLD may get sold in the future. So, as has been pointed out other places, if you just use either the reserved TLD or a domain that you own for your servers, you are future proof against future TLD expansion. The fact that people are pretending that the new TLDs don't exist and haven't reconfigured their servers is quite shocking given how long ago this happened.

Re:Hopefully the other browser makers will follow

[Ash-Fox]

Seriously are people really using .dev URLs to point to local resources where there could be a name collision with a real TLD?

Yes.

And we don't all see why that is an awful problem?

I don't, because it complies fine with RFCs. We even have RFCs to declare which TLDs to use, which are .test,.example, invalid and .localhost.

Additionally, they could have registered an actual domain to reserve for such purposes too. The issue lies in the IT professionals not following standards.

Re:Hopefully the other browser makers will follow

[edtice1559]

Using .example, .invalid, and .localhost complies with the RFCs. Using .dev (when it's an in-use TLD) most certainly does *not* comply with the RFC. But, even if it did, it would be foolish. If I have a bunch of URLs like myserver.dev that work on my corporate network and then I leave the office, I could accidentally load those URLs and leak data to a third-party. So even if the RFCs allowed this it would be foolish. The issue here is that people aren't using the TLDs in the RFCs. They are using the wrong ones. Google is making a change to Chrome to push them in the right direction. I have no idea why this wouldn't be universally celebrated.

Re:Hopefully the other browser makers will follow

[Ash-Fox]

If I have a bunch of URLs like myserver.dev that work on my corporate network and then I leave the office, I could accidentally load those URLs and leak data to a third-party.

If your setup is that insecure, you could do MITM-capture anyway for any 3rd party network.

So even if the RFCs allowed this it would be foolish.

Honestly, it depends on whether you do your setup right.

The issue here is that people aren't using the TLDs in the RFCs.

That is the issue, because if they had done so, then there wouldn't be an issue right now.

Google is making a change to Chrome to push them in the right direction. I have no idea why this wouldn't be universally celebrated.

Because changing anything is effort and people don't want to put effort into something that was "fine" before.

Re:Hopefully the other browser makers will follow

[edtice1559]

If your setup is that insecure, you could do MITM-capture anyway for any 3rd party network.

This makes no sense. Most of your comments seem pretty reasonable but then parts of the comments always seem to misunderstand the problem. As an example, let's say that I configure a server on my network to respond to requests to http://www.slashdot.org./ If I'm not going to visit the real slashdot, I wouldn't see any problem with this as long as I'm on the local network. But lets say the network configuration changes (either because I physically relocate, somebody fat fingers a local DNS entry, et cetera). Now I go to load those URLs. I'm suddenly sending data to the real slashdot.org. Data that I probably don't wan to be sending to a third-party because it may be confidential. And data that the third-party doesn't want to receive since it's junk traffic to them. This doesn't expose me to MiTM at all other than the general MiTM problem when sending http over untrusted networks. But this neither increases nor decreases my exposure to MiTM. It just means that I'm sending data where it shouldn't go. Not that MITM isn't something to worry about;it's just not the problem that occurs when misusing TLDs.

Re:Hopefully the other browser makers will follow

[Ash-Fox]

As an example, let's say that I configure a server on my network to respond to requests to http://www.slashdot.org./

There is your problem. You didn't use TLS and pin the certificate. And you have broken my understanding of doing "your setup right".

But lets say the network configuration changes (either because I physically relocate, somebody fat fingers a local DNS entry, et cetera). Now I go to load those URLs. I'm suddenly sending data to the real slashdot.org. Data that I probably don't wan to be sending to a third-party because it may be confidential.

But if you used TLS and pinned the certificate that wouldn't have happened.

This doesn't expose me to MiTM at all other than the general MiTM problem when sending http over untrusted networks.

Well, again, if it was setup correctly, there wouldn't be a problem. No, MitM issues, no insecure network issues etc.

Re:Hopefully the other browser makers will follow

[edtice1559]

What you describe still isn't "right." You shouldn't use .dev for anything since you don't own the TLD. Google can't actually *stop* you from doing this on their local network. But the browser will refuse to do http with anything that ends in .dev and require https. So now if you have an incorrect setup, you can either (a) stop using the .dev TLD incorrectly or (b) generate a bunch of bogus self-signed certificates and updated your browsers to accept the CA. Since both of these require effort, the hope is that people will do the right thing and stop using .dev at all since they don't own any subdomains within .dev (Google doesn't sell them) Maybe you are missing the point that there is no correct way to use .dev.

Re:Hopefully the other browser makers will follow

[Ash-Fox]

You shouldn't use .dev for anything since you don't own the TLD.

I didn't say anyone should use .dev? In fact I pointed to the RFCs and what they declared to use in this thread?

Maybe you are missing the point that there is no correct way to use .dev.

I never argued for the use of .dev?

Re:Hopefully the other browser makers will follow

[edtice1559]

Then I really have no idea what you are trying to say!

Re:Hopefully the other browser makers will follow

[Ash-Fox]

Then I really have no idea what you are trying to say!

You were talking about data from internal networks being leaked on to untrusted networks. I was thinking of captive portal networks, where all webservice traffic gets intercepted and modified an example based on your particular proposed scenario.

Re:Hopefully the other browser makers will follow

[edtice1559]

I was talking about the same problem as the article. Google is changing the behavior of Chrome to discourage people from using .dev for their local-only resources that ought to be .example, .invalid, or .localhost and the tone of most of the comments seems to be outrage. I can't fathom why anybody would be upset about the change as I don't see how one could seriously advocate for misusing TLDs and I pointed out the danger of doing so.

Re: Both the "problem" and the solution have been

Advanced JavaScript features, lul.

Re: between this and their imagined authority on T

You are just realizing this? They've been this way.

Internal TLD best practice

We registered a domain name that we use for all internal URLs (i.e. [ou].local.[domain].[tld]). I was under the impression that doing this has been considered a best practice for several years, since it avoids the problem the summary describes.

Re: What should we [developers] do? - Uhh... use T

[guruevi]

You don't, you use self-signed certificates and put the CA into /etc/ssl/certs

Why are you *not* using https?

[ilsaloving]

We're at the point now where using https is so easy, that there's very little reason to not use it. The biggest stumbling blocks had always been obtaining the certificate and vhost/IP limitations on certificates. But those are now taken care of with Lets Encrypt and recent changes to how certificates are handled.

Given the current technical and political climate, HTTPS should be the default for *everything*, barring very special circumstances.

Re:Why are you *not* using https?

[watermark]

These are dev environments we're talking about. They are often only accessible on local networks, sometimes even only on a localhost. Deploying https in a dev environment isn't really necessary for most development.

People are getting upset because you wouldn't be able to obtain a cert signed by any reputable authority for a domain you didn't actually own. After this change, you have to deploy https on those gTLDs which would mean going through self signed cert shenanigans. As others have mentioned, people probably shouldn't have ever been using the dev gTld and should have used an IETF blessed gTLD for testing.

Re:Why are you *not* using https?

We're at the point now where using https is so easy, that there's very little reason to not use it. The biggest stumbling blocks had always been obtaining the certificate and vhost/IP limitations on certificates. But those are now taken care of with Lets Encrypt and recent changes to how certificates are handled.

Given the current technical and political climate, HTTPS should be the default for *everything*, barring very special circumstances.

Because you're now at the mercy of Lets Encrypt. This is an attack on freedom.

Re:Why are you *not* using https?

[ilsaloving]

It may not be necessary, but just because they're development system that doesn't mean security should be ignored.

For one thing, you may run into problems in production if it applied security that you didn't check for in dev.
For another thing, if your development efforts touch sensitive client data, then it *still* needs to be protected even if it's internal only. It's bad enough if your company is breached by an attack. It's even worse if your client data is threatened in the process.

Proper security needs to be baked into *everything*. Every layer of your infrastructure. Every component. There is no such thing as perfect security. *Everything* can be exploited. That's why you need a layered approach, because if you leave gaps, that's where the attacker will find and exploit.

Finally, maintaining a security mindset during development will make it significantly more likely that you will create a more secure product. So many people think that security is just some feature you can tick the checkbox on at some point during the development cycle, and those people are flat out wrong. That's why compromises are happening on a constant basis, and the problem is getting worse instead of better. And the easiest way to do that is to make sure you configure the dev environment for security right off the bat.

HTTPS everywhere is all well and good...

[brantondaveperson]

But it's a real pain for anything that you ship with a web interface, and expect to work unmodified for a long period of time.

Sure, that's a niche use-case, I get that, but not everything that's accessed by a web browser is something easily updated, and why should it be? If I build some device that's intended to be put on my local network, and give it a web interface, - like, say, a home router - will I be required to implement HTTPS on the device, and have it ship with a cert? A cert that expires after a relatively short period of time?

I happen to have an old computer lying around the house, and it can't run anything more modern than Chrome from about eight years ago. This browser is able to access anything on the web, other than newer HTTPS sites, because it doesn't understand their certificate. By building these mechanisms of trust, and then constantly changing them (for instance, change from Common Name to Subject Alternate Name - and whatever it is that old Chrome hates about modern certs), we are locking ourselves out of notions of backwards compatibility, and increasing the rate at which we have to throw away our devices, because we can't afford to release OS updates for old hardware, and can't afford to release browser updates for old OSs.

I get that we're talking about security here, and trust, but I personally see a high cost. Plain HTTP is great. HTTPS is a moving target, and seems like it will remain so.

Re:HTTPS everywhere is all well and good...

[swillden]

I get that we're talking about security here, and trust, but I personally see a high cost. Plain HTTP is great. HTTPS is a moving target, and seems like it will remain so.

Web security is a moving target, and will remain so, and that applies to plain HTTP as much as to HTTPS. Your computer with eight year-old chrome is a security breach waiting to happen. You could browse some site with malware that compromises your browser, compromises the machine, then attacks everything else in your home network that is accessible from that machine.

Using unpatched (and unpatchable!) software is just a bad idea. If HTTPS changes forces you to keep things closer to current, that's a feature, not a bug.

Re:HTTPS everywhere is all well and good...

Allowing continued use of broken security protocols in the world's most popular browser does a lot more damage than breaking compatibility with 8-year-old browser versions does; I don't have knowledge of every change to HTTPS and TLS and such, but several I do know of happened because the old standards were broken - the mechanism of trust was no longer trustworthy and therefore could not do its job anymore.

What's wrong with using a different browser in what you acknowledge are niche use-cases? Chrome isn't the be-all and end-all for HTTP and HTTPS technology, it's a general-purpose browser with such a massive non-expert user base that it would be extremely irresponsible to continue supporting insecure configurations and standards indefinitely.

Re:HTTPS everywhere is all well and good...

I get that we're talking about security here, and trust, but I personally see a high cost.

Compared to what, your current situation of being a spam relay, ddos source, and kiddie porn repository?
It's only because you haven't had the cost of your crimes put on your own shoulders that you think it has no cost.

Why do I accuse you of the above crimes?

I happen to have an old computer lying around the house, and it can't run anything more modern than Chrome from about eight years ago. This browser is able to access anything on the web,

So that one unpatched computer has been infected for roughly 7.5 years now, as you've admitted to using an insecure browser on insecure sites that have been shown to have their advertising streams hijacked with malware and trojans.

This computer, on your LAN behind your firewall, has direct access to all your other computers which all of those multiple infections have now spread to, at least two years ago but possibly longer.

Every system in your home is infected and has been for some time, pushing out spam, DDoS attacks, relaying and hosting god knows what content.

Your entire LAN has been attacking the Internet as a whole, potentially me included.
You only see this as having no cost simply because practically nobody is ever held responsible for their reckless endangerment of other peoples property.

Are you unable to put yourself in another persons shoes for a moment and realize the harm and costs you are putting on everyone around you?
I too could save a bunch of money by taking your resources without permission instead of buying those resources myself, and if I could redirect all the damaging events in my life to you and your property such that I could be oblivious to it even happening, I might be able to fool myself into thinking my life is great and I am a great person for it.

But that wouldn't make it so, and similarly doesn't make it so for you either.

Re:HTTPS everywhere is all well and good...

[brantondaveperson]

I know, and I totally understand all that. But on the other hand, my handy home router isn't likely to be patched anytime soon, and the web interface on the product I happen to be working on is likely to be used for ten years or more, without necessarily being updated. The system may not be internet connected, but it will need to be configured by a laptop, running a browser.

If Google take this HTTPS-only approach all the way, as some people suggest that they will, what shall I do? I can't put a 10-year cert on the device, I don't think you can even get ten-year certs, can you? I can't generate my own, and have people install my CA, because that's too much of a hoop to jump through, and Android (for instance) gets upset at you when you do.

HTTPS everywhere has the side effect of locking us all into an upgrade cycle that I thought slashdotters in general, were against.

Re:HTTPS everywhere is all well and good...

[swillden]

HTTPS everywhere has the side effect of locking us all into an upgrade cycle that I thought slashdotters in general, were against.

Not security-focused slashdotters.

Re:HTTPS everywhere is all well and good...

HTTPS everywhere has the side effect of locking us all into an upgrade cycle that I thought slashdotters in general, were against.

Not job security-focused slashdotters.

FTFY

Re:HTTPS everywhere is all well and good...

[Altrag]

Get something like stunnel and wrap/unwrap the security in-stream. Problem solved. Or install an older version of the browser and then you don't even have the problem in the first place.

The world needs to be secure by default -- not just the web but email and cars and IoT pacemakers and basically everything else. Devices are too connected and hackers willing to abuse those devices too prevalent for us to continue leaving things insecure in order to avoid the odd edge case here and there.

In your case, sure they system "may" not be internet connected.. But what if it is? What if someone decides to connect it up 4 years from now having completely forgotten all about the security holes you've intentionally left in place in order to avoid updating your product? Is that really a worthwhile risk? Maybe to you personally but is it a worthwhile risk across the entire population of users?

Now of course a single browser enforcing security on two domains that typically aren't used for public-facing servers anyway is a far cry from "secure by default," but its at least a step in the right direction, even if its only slightly beyond symbolic.

Re:HTTPS everywhere is all well and good...

[DNS-and-BIND]

Google wants you to constantly update your pages. Static pages that are finished, that sit around unchanged for years, are not attractive to Google. They want churn, they want you doing the latest greatest, they want you spending money. Because that's good for them.

Re:HTTPS everywhere is all well and good...

[dyfet]

Related to this is ethernet connected "devices" and specialized embedded hardware which may not even have spare processing power for https, and have no need to it since they never are remotely reachable. A perfect example might be arduino web servers on a local lan. Pure http is a nice simple protocol that is easy to implement even on very low end devices, https is not. There are different ways to solve this, but banishing http to .localhost/127.0.0.1 is NOT one of them. I think even a new http header entry you can set stating no https support would be fine.

Re:HTTPS everywhere is all well and good...

Stop using a web interface?

We used to be able to program, create, change routers before they had web interfaces.

Once a week

[JohnFen]

It seems like once a week I'm given a new reason to be happy that I don't use Chrome.

The requirement to own and renew a domain

[tepples]

Web browsers require HTTPS server operators to obtain a fully-qualified domain name and a certificate from a certificate authority trusted by the browser publisher. Though Let's Encrypt makes certificates available without charge to domain owners, the domain itself still requires a recurring payment to a third party. The requirement to own a domain and keep it renewed imposes an extra $15 per year (source: Gandi.net) tax on running a server inside a home LAN.

Re:The requirement to own and renew a domain

[swillden]

Web browsers require HTTPS server operators to obtain a fully-qualified domain name and a certificate from a certificate authority trusted by the browser publisher. Though Let's Encrypt makes certificates available without charge to domain owners, the domain itself still requires a recurring payment to a third party. The requirement to own a domain and keep it renewed imposes an extra $15 per year (source: Gandi.net) tax on running a server inside a home LAN.

In a home LAN you can just use a self-signed certificate and add the cert to your browsers' trust stores. Or just use plain HTTP, since you don't have any concern about malware injection. If you want a domain name you can use for free locally, you can use the .invalid or .localhost TLDs, though that's orthogonal to the question of TLS.

But your issue is really unrelated to whatever WaffleMonster was talking about, because the discussion was about a context in which ISPs, et al, could do injection attacks, not a home LAN.

Re:The requirement to own and renew a domain

[JohnFen]

In a home LAN you can just use a self-signed certificate and add the cert to your browsers' trust stores.

Yes, this.

You can even, for complex home environments, run your own CA, install your own CA's cert and then use it to sign individual certs all day long without further hassle.

The only reason you'd ever have to have a cert signed by a third party CA is if you want strangers to use your services and don't want to require them to install a special cert to do so.

Re:The requirement to own and renew a domain

[tepples]

The only reason you'd ever have to have a cert signed by a third party CA is if you want strangers to use your services

By "strangers" did you intend to include non-technical friends and family visiting your home?

Re:The requirement to own and renew a domain

[Trax3001BBS]

The only reason you'd ever have to have a cert signed by a third party CA is if you want strangers to use your services and don't want to require them to install a special cert to do so.

Or you wish to install programs win10 disallows https://stackoverflow.com/ques...

Re: The requirement to own and renew a domain

Jesus god. Really? Wow l. I didn't realize you literally can't run your own 64-bit kernel code on windows without paying for it to be signed. Lol that's fucking ridiculous.

Re: The requirement to own and renew a domain

[ElizabethGreene]

Anti-FUD: Test signing mode will allow you to run code signed with a private cert, even a self-signed one made with MakeCert.exe. It puts a test mode watermark in the corner of the screen, but that's okay for Dev use.

https://docs.microsoft.com/en-...

Answering the obvious "WTF" question, driver signing has been a "should" since before XP. It's now a must because it's a malware/APT vector.

Re: The requirement to own and renew a domain

Recuring payments ? Let me guess: your server has infinite durability, does not require maintenance and powered by an infinitely durable solar panel ?

There such thing as being too cheap to matter.

Re: The requirement to own and renew a domain

[Entrope]

I run my development server on a Raspberry Pi, you insensitive clod!

Re:The requirement to own and renew a domain

[JohnFen]

They aren't strangers, and helping them install a cert is a trivial exercise. Or, if they use a less tightass browser, telling them that the security warning is OK and they should allow a permanent exception is even easier.

If they're unwilling or unable to do either of those things, then they don't have to access my servers. I also run an open WiFi hotspot just for this purpose, which gets them throttled, limited internet access that is more than sufficient for casual use.

Re: The requirement to own and renew a domain

[tepples]

Some specialized peripherals manufactured by hobbyists for hobbyists, such as tools to read and write cartridge storage media for retro 8- and 16-bit computers, are made in volumes is so low that the cost per year of obtaining and renewing an EV code signing certificate as well as the documents that the EV code signing CA requires would make up a substantial portion of the selling price. Is there a practical way to make low-volume peripherals compatible with 64-bit Windows? Would it be advisable for the manufacturer of such a low-volume peripheral to require users of the device in production to enable test mode? Or would it be more advisable to bundle a USB flash drive containing a GNU/Linux live distribution into which users are expected to reboot?

Re: The requirement to own and renew a domain

[tepples]

If your server appliance runs on hardware comparable to a Raspberry Pi or an Allwinner board, the power consumption isn't going to be that high, and a 10-year domain registration for $60 to $150 per unit makes up a substantial fraction of the purchase price.

Re:The requirement to own and renew a domain

[tepples]

helping [visitors] install a cert is a trivial exercise

I guess the truth or falsity of this statement in practice is our core disagreement.

Re:The requirement to own and renew a domain

[JohnFen]

It's never been any trouble for me.

But most of the people visiting my house just use the open wifi anyhow -- no configuration is needed for that at all. The only ones who need certs are the ones who need to interact with my servers, and that's a tiny number of people, all of whom are technically proficient.

Re:The requirement to own and renew a domain

[tepples]

The use case is "I've got some videos on my NAS that I don't want to share with the whole Internet. But if you watch them through cleartext HTTP, the browser will refuse to go full-screen because of Secure Contexts restrictions."

Re: The requirement to own and renew a domain

Would it be advisable for the manufacturer of such a low-volume peripheral to require users of the device in production to enable test mode?

Sure, I run my Win7 in test mode all the time to use older hardware that only works through modified drivers. If you're in the market for niche, low-volume, hobbyist grade hardware you're very likely to know your way around computers and making stuff work for you instead of against you.

To promote domain sales

[tepples]

1) Buy a domain name for a few dollars

And then do what after it has expired?

Re: To promote domain sales

Cheap domains (e.g. *.top) cost $6 per year. Buy a 10 year registration and forget about it.

In the big picture of things, $60 is too little money to get this worked up about. I spend more money buying a high capacity SD card, or taking my SO out for dinner.

And this way, you benefit for the next 10 years. That's a steal!

Chrome-for-iOS is Chrome in name only

[tepples]

Chrome doesn't run on iOS either. Instead of Chrome, Google publishes Chrome-for-iOS. The difference between Chrome and Chrome-for-iOS is that while Chrome uses the Blink engine, Chrome-for-iOS uses the same Apple WebKit engine as Safari, as required by the App Store Review Guidelines. This means that if Apple declines to support a particular web API in Safari, it'll be unsupported in Chrome-for-iOS as well.

What cert for .test?

[tepples]

Then how does one obtain a certificate for a domain in .test and use it on all devices on a home LAN? I thought Android 7 "Nougat" and later didn't trust user-installed root certificates unless a particular app opts into trusting user-installed root certificates through the network security config file in the application's package. Chrome for Android appears to opt in, but Firefox for Android is untested. Using cleartext HTTP is not an option because more sensitive APIs are unavailable outside secure contexts.

Re:What cert for .test?

[scdeimos]

I thought Android 7 "Nougat" and later didn't trust user-installed root certificates unless a particular app opts into trusting user-installed root certificates through the network security config file in the application's package.

You are completely correct. So your two options are:

1. As per your own link, add the CA to your app's config. If you're talking about your own apps then you already control those configuration files. If you're talking about other people's apps...
2. Stop supporting Android Nougat and later devices.

Android apps distrust user-installed certs

[tepples]

As of Android 7 "Nougat", Android apps distrust Android's counterpart to /etc/ssl/certs by default. In addition, I haven't tested all major models of media player appliance that stream from a web server running on one's home NAS, but I imagine some have no user-editable counterpart to /etc/ssl/certs.

Re:Android apps distrust user-installed certs

So they are intentionally breaking the ENTIRE purpose of TLS. If the local admin cannot force the app to trust a given cert, then how does the admin say what to trust and what not to. There's no consistency.

Google's solution is the app gets to decide what's trusted at build time. That's not good enough. The developer may be happy with their settings, but the user of the app (or in the case of Enterprise devices, the admin of the device the app is running on), may not be.

This is just more erosion of control over what our devices actually do and who they actually trust by Google. These people are in no position to be the grand dictator of trust, and should be shown the damn door. It's MY trust that's important not Google's.

Island of Testing Toys

[Tablizer]

Whoever the hell "foobar@example.com" is, they have received a shitload of shit from our team over the years.

Re:Island of Testing Toys

[Ash-Fox]

Whoever the hell "foobar@example.com" is, they have received a shitload of shit from our team over the years.

That would be IANA.

Re:Both the "problem" and the solution have been k

[tepples]

So what should a hobbyist who needs modern browser features do? Or especially a non-technical PC owner who has installed web server software on his home PC and set it up for internal access only, so that visiting friends and family can view videos stored on the home PC that the PC owner has chosen to share?

HTTPS + Zeroconf

[tepples]

Also, why are you doing web development without HTTPS

I am developing software that runs on a PC on a home LAN, and I've never seen anyone get HTTPS working with multicast DNS and DNS-SD.

Re:HTTPS + Zeroconf

[viperidaenz]

You know your comment is moot if you quote the entire sentence, right?

why are you doing web development without HTTPS unless you're planning on never using it?

If you're using multicast dns, why are you using .dev instead of .local, as is part of the mDNS RFC?
https://tools.ietf.org/html/rf...

If you're not using the Google sponsored .dev gTLD, this doesn't impact you at all.
They bought the rights to control who's allowed a .dev domain. Just like you need to abide by certain rules if you want to use .aero or lawyer, etc. Perhaps a condition of using .dev is to only host HTTPS web servers? I haven't looked in to it.

Re:HTTPS + Zeroconf

[viperidaenz]

.... your other option is to install your own CA on the LAN PC's so you can issue your own trusted certificates for .local domains.
Then you've got no problem with HTTPS using mDNS

Public CA's don't issue certificates for local domains for good reason.

That gives me an idea

[watermark]

This gives me an idea. gTLD wide HSTS should be done for some other gTLD as well. I'm thinking like *.bank and the like. It just forces any user of that gTLD to be at least somewhat security conscience and adds some good public reputation to those select gTLD. A private company that owns a gTLD could use this to increase the value of their gTLD because it will have a reputation of being more secure.

NOPE

[cfalcon]

Modded +5, Informative, but both of its statements are inaccurate. .localhost is reserved for 127.0.0.1 and no other thing. .invalid is reserved for NO use, it should never resolve.

https://tools.ietf.org/html/rf...

Localhost:
Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s).

Invalid:
Name resolution APIs and libraries SHOULD recognize "invalid" names as special and SHOULD always return immediate negative responses. Name resolution APIs SHOULD NOT send queries for "invalid" names to their configured caching DNS server(s).

Neither of these are meant for use on a local internet. .localhost is meant to resolve to loopback, and .invalid is meant to never resolve but instead give NXDOMAIN.

Maybe there are domains reserved for private usage, but it ain't these two.

Re:NOPE

[mysidia]

but both of its statements are inaccurate. .localhost is reserved for 127.0.0.1 and no other thing. .invalid is reserved for NO use, it should never resolve.

No... these BOTH can be used on your Local host for private development testing, they are perfectly fine for private usage;
that doesn't imply you can or should try to create a DNS server and add these zones to it.

RFC6761 is binding on the registries and DNS' communication protocol only, and only the registry aspects
of this RFC are actually called upon in the DNS standards and implemented.

      ".localhost" goes to 127.0.0.1, which is the whole point, you don't need to map "site.dev to 127.0.0.1" you can map blah.localhost to 127.0.0.1,
and use that, instead.

      For known resolver implementations, you can map .localhost and .invalid however you want in your HOSTS file, and it will just work.

So even 'site.invalid' can be mapped to 127.0.0.1 with a simple HOSTS file entry.

      If you want to use a domain name on multiple hosts and add it to your intranet or public DNS servers for usage
off of a single server, then you should register a domain for that purpose.

Do what you should have done to begin with.

What everyone should have done is register a real domain and use subdomains of it for all of their local needs. This guarantees no collisions or issues ever. Until the end of time. Google isn't to blame for you being shortsighted and lazy.

But all of you were cheap bastards so embrace your karma.

Re: Do what you should have done to begin with.

Yes, comrad Stalin.

Re:Both the "problem" and the solution have been k

[Ash-Fox]

So what should a hobbyist who needs modern browser features do?

If they demand the use of a TLD - They could use RFC compliant TLDs that cannot be reserved, such as .test. .example, .invalid, .localhost or alternatively, register a domain or TLD for themselves.

Re: What should we [developers] do? - Uhh... use T

How about not using fake domains in the first place?

LE rate-limits afraid.org because not in PSL

[tepples]

You don't need to own a domain for Let's encrypt; controlling a subdomain is enough.

Only if the subdomain is a subdomain of a domain in the Public Suffix List. Let's Encrypt limits how many certificates may be issued per domain per 7 days:

The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

Because afraid.org is not in the Public Suffix List, no more than 20 certificates for subdomains of afraid.org will be issued in one week.

Re:Both the "problem" and the solution have been k

[tepples]

They could use RFC compliant TLDs that cannot be reserved

I agree that the operator of a home NAS should drop Google's TLD in favor of something like .test. But I imagine that visitors to the hobbyist's home are unlikely to successfully complete the process of adding the NAS's private CA's root certificate to their devices.

or alternatively, register a domain or TLD for themselves.

Which inflates the price of a home server appliance by that of a domain registration.

Re:Both the "problem" and the solution have been k

[Ash-Fox]

Which inflates the price of a home server appliance by that of a domain registration.

There are really cheap domains, but if that isn't good enough. There are quite a few free subdomain providers out there too, usually offering dyndns options and the like.

Let's Encrypt rate limit

[tepples]

There are quite a few free subdomain providers out there too, usually offering dyndns options and the like.

The problem is that a lot of these free subdomain providers aren't listed on the Public Suffix List. For example, afraid.org is not. And if a domain isn't on the Public Suffix List, Let's Encrypt issues no more than 20 certificates per week for that domain. This means 20 other users of that same domain will probably have already obtained their certificates before you, causing Let's Encrypt to reject your attempt to obtain a certificate with an error message to the effect:

Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: no-ip.biz

So it appears to be either A. use Let's Encrypt for the certificate and pay for the domain or B. use a free subdomain provider for the domain and pay Namecheap for the certificate.

Re:Let's Encrypt rate limit

[Ash-Fox]

Or C. Create your own CA certificate and install the CA into your system certificate store since this is meant for internal usage anyway?

Re:Let's Encrypt rate limit

[tepples]

C. Good luck getting your private CA's root certificate installed on the devices of non-technical friends and family visiting your home who just want to view the videos on your NAS in full screen. I'm not even sure it's possible on Android 7 "Nougat" and later, as each app has to opt into trusting user-installed certificates through the network security configuration in its package. If the user's web browser hasn't, too bad.

Re:Let's Encrypt rate limit

[Ash-Fox]

If it's that terrible of an issue for them, they'll have to pony up the $2/year for a domain. Can't say I'm really distressed about it.

Re:Let's Encrypt rate limit

[tepples]

Which registrar on which TLD offers domains at $2 per year?

Re:Let's Encrypt rate limit

[Ash-Fox]

Which registrar on which TLD offers domains at $2 per year?

I'm usually able to find cheap domain offers on registrars like GoDaddy, for example, I just did a look up:

afmiefaffiae.us: $1.99
afmiefaffiae.online:$0.99
afmiefaffiae.club: $0.99
afmiefaffiae.xyz: $0.99
afmiefaffiae.today: $1.99

I usually pay careful attention to renewal rates. Which, in GoDaddy can be lowered by simply visiting the website around the time of renewal, go through the process and then stop before paying. A day later you'll get a code for lower rates etc.