Wondering Why Your Internal .dev Web App Has Stopped Working? (theregister.co.uk)
Kieren McCarthy, writing for The Register: Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished. Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection." How come? It's thanks to a recent commit to Chromium that has been included in the latest version of Google Chrome. As developers update their browsers, they may find themselves booted out their own systems. Under the commit, Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via a HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.
So I will just become a republican so I can fuck anyone anytime!
It's old news, it's been planned for some time. What I was wondering is that way back when Google first snatched the .dev TLD our developers started using another unregistered TLD and ran the risk of screwing up again. Can anyone explain that?
This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.
I think you mean "unwelcome" and "for greater tracking accuracy".
There is little reason for HTTPS to be used for much if not most of the content on the internet. There are reasons to use caching and defeat endpoint trackers, though.
We got hit by this, and promptly rolled back our browser versions. They're internal fucking development systems for fuck's sake, they're allowed to be insecure if **WE** want them to be.
I'm so sick and tired of dealing with this fucking nanny state of modern day technology where some dipshit developer thinks they know best, and they're just going to outright disable a feature that worked perfectly fine before.
So on behalf of all the developers at my company, fuck you Google. Keep it up, and we'll actually be inclined to go out of our way to strip out your shit and replace it with something else (which I'm told we're probably doing, given the lack of options to override this behaviour).
Don't use spyware posing as a web browser.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
If I want to set up a development system on an air-gapped network, I don't really want to deal with the bullshit and the fragility of having certificates up to date. Especially if said air-gapped network is used for controlling machinery or other specialized equipment. Repeat after me: the computer shall do what it's told by its owner, not what some desk jockey in California thinks it should do.
Because you didn't use a reserved TLD you numpty. The same people probably use non-private subnets for their internal networks and then wonder why some websites that had the audacity to use that IP don't work...
As a web developer, this really isn't an issue, always use HTTPS even internally. The only way you'd really be locked out is if you didn't follow smart practices.
I prefer to use .local for my internal network. Problem solved.
we just live in it.
Can't wait for these dicks to fall. Of course then another dick will take their place, but a period of a few years respite between monopolists is nice.
I've always used a reserved TLD; I probably should have put more thought into the why, but way back when that's what I was told starting my first job and it became habit so I hadn't thought about it again until now...
Okay... I understand using
Is using .test a drop in replacement? Basically I'd like something that can't accidentally leak requests on the Internet. And I *DO NOT* want to use HTTPS/certs internally for development because it's a pain in situations where I'd currently resort to Wireshark to diagnose a problem. Plus, really, I don't need it.
I could go with using my own domain name, but I'd prefer not to because, frankly, I really like having a shorter domain name for testing with! (zaiffurgulbungerenterprisesinternational.com is a bit too long!!)
Don't call it a web app, call it what it is - a web server.
A better headline/summary would be that chrome is going to require any web server domain name that ends in .dev to use https, which means it won't work unless there is a valid certificate on the web server that is trusted by the browser.
We have a product that embeds MapQuest. But MapQuest doesn't allow HTTPS so when the customer connects to our product using HTTPS the stupid fucking browser goes fucking nuts. For a while the user could override this stupidity, recognizing that the map data doesn't need to be secure, and go about his business. Now the stupid fucking browsers won't even allow you to override this.
This is why we can't have nice things, stupid fucking people and the companies that have gotten rich off of them.
Because you didn't use a reserved TLD you numpty. The same people probably use non-private subnets for their internal networks and then wonder why some websites that had the audacity to use that IP don't work...
While there are times where I would tend to agree this is not one of them. Responsibility is bidirectional.
Opening the TLD floodgates was a predictable, preventable disaster done entirely for selfish reasons at the expense of the network and all its users.
Allowing TLDs like ".dev" to be handed out in the first place was much worse. They knew or should have known how this was being widely used at the time and what the global implications would be yet like TLD floodgates $$$ wins the day.
Then Google was like...hey we own this TLD and we own a web browser so we'll just leverage our verticals to enforce arbitrary rules over what we own anyway that suits our specific needs.
This is a shining example of what happens when $$$ is allowed to trump reason and why allowing monopolies to get too powerful and start exerting ownership over more and more of the stack is a bad idea. They can and will do whatever they want simply because they can. They can't help themselves nor can they even understand that their needs and goals are not representative of the rest of the world.
Today it is HSTS tomorrow it is waking up to find browsers doing UDP with user land congestion algorithms configured to be twice as aggressive as TCP...oh wait.. that already happened...
It was bad, but it was a known bad and there are still deployments out there. Windows XP still has 5% market share because people don't want breaking updates. With Chrome stuck at 49 and Firefox 52 on XP we can write web apps and not worry about having to update them. It is the 2010s COBOL. Chrome is for Drones, XP IE 6 is for developers with long term job security.
Yeah, right.
Fuck Google, Fuck Chrome, Fuck Walled Garden nonsense.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Because you're doing it wrong. .dev is a gTLD, it's idiotic to use it for an internal service.
Use a domain you own.
OK, I'll bite. What in the name of Gordon H. Bennett is a sodding code wrangler?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I love that people now have so little control over their software that they are referring to themselves as wranglers and not programmers. Cut, paste and pray.
This is ridiculous and a huge overstep to actually force non-existent tlds to use https. It makes debugging more difficult because all the traffic is now encrypted. I haven't used Chrome in years and I'm gonna keep it that way.
Fuck off, Google. Fuck off.
Okay folkx, so let's get to the grit and get this issue fixed shall we?
Now I don't know about apache servers because I live in the age of cars not buggy whips so I'll just skip past the jurassic period of web development and concentrate on modern day nodejs servers.
First off, get your SSL certificate
1) Open your console (linux, if you're doing web anything on microsoft or mac well I can't fix stupid)
2) sudo add-apt-repository ppa:certbot/certbot;sudo apt-get update;sudo apt-get install certbot
3) certbot certonly --standalone -d example.com (note this will not work for localhost addresses, but we will get to that)
Next set up your server /* I tried to just paste the code but Slashdot's comment system said it was junk, apparently this was because of ascii penii art being pasted too often */
Create your index.js file under /var/www/node
index.js contents -> https://codeshare.io/5NZEyV
Now start up your server
cd /var/www/node;sudo forever start -o log.txt -e err.txt index.js
Next set up your browser
1) If you visit the site normally you will find that it will respond perfectly from example.com, so nothing need be done for this
2) When visiting on localhost or local_ip you will find that the cert doesn't cover these addresses so you must set your browser to 'REMEMBER HISTORY'
goto your site, accept the certificate even though it doesn't quite fit, after this you can reset your browser to properly never remember history but it will remember this entry so long as you do not clear your history
DONE!
P.S. For a site devoted to nerds you guys bitch a lot but don't code a lot, wtf people?
Let me state my understanding of Z__K's answer: Don't directly address the switch. Instead of directly addressing the switch, indirectly address the switch. Set up a server that addresses the switch's management interface and identifies itself correctly via https when the server is directly addressed, and address that server instead of the switch.
that tld was registered in 2014 https://icannwiki.org/.dev my guess is well over 95% of developers posting gripes in here have infrastructure dating back far further than 2014.... I personally have been using a .dev localhost environment on my dev box for a long ass time.
This is a shining example of why, if we disagree, we should participate in the RFC process rather than go off on our own. And if we don't get our wishes in the RFC process, we shouldn't stage a rebellion. We need a functioning network. Four TLDs are reserved for this. .test, .example, .invalid, and .localhost. If .dev should have been a reserved TLD, there were 15 years to get it added from the time RFC2606 was published until .dev became a TLD.
And you were warned in 1999 not to use .dev, but to use one of the TLDs reserved for this purpose.
There are four of them, FWIW:
.example, .invalid, .localhost, and .test
Only one isn't a mouthful...
What has HTTP/HTTPS to do with HTML?
The Secure Contexts spec, currently a W3C Candidate Recommendation, deprecates use of some web platform features over cleartext HTTP. Attempting to use certain methods in a document served over cleartext HTTP will instead produce a SecurityException.
With http all I need is an IP address or at least a TCP port on a shared address. With HTTPs I need a DNS name and a certificate.
If you have administrative access on all machines on a private network, you can mint your own DNS names and your own certificates because you are the root zone and you are the root certificate authority. What you say is true of bring your own device (BYOD) scenarios however.
for fuck's sake let me trust a certificate I myself made.
Which version of Google Chrome doesn't allow certificates that chain to a user-defined root certificate that has been installed into the repository of TLS CA certificates on each client machine?
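What the reply above describes (acting as your own root certificate authority on machines you administer), as an added example that is not part of the thread: a private root CA signs a server certificate for an internal name, and the result is checked against both the chain and the hostname. The CA name and `app.internal.test` are constructed values; the commands assume a stock OpenSSL install with its default configuration file.

```shell
#!/bin/sh
# Added example: private root CA plus a server certificate for an internal name.
# "Example Internal Root CA" and app.internal.test are constructed values.
set -eu

make_internal_cert() {
    # $1 = working directory, $2 = DNS name the server certificate must cover
    dir=$1; name=$2
    # 1. Root CA key and self-signed certificate. Only ca.crt is distributed
    #    to client trust stores; ca.key stays on the signing machine.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Browsers match the hostname against subjectAltName, not the CN,
    #    so the SAN has to be added when the CA signs the request.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$name" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

verify_internal_cert() {
    # $1 = working directory, $2 = hostname the client is connecting to.
    # Succeeds only if server.crt chains to our root AND covers that hostname.
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Demonstration run in a throwaway directory.
workdir=$(mktemp -d)
make_internal_cert "$workdir" app.internal.test
verify_internal_cert "$workdir" app.internal.test && echo "chain and hostname OK"
rm -rf "$workdir"
```

Clients accept `server.crt` only after `ca.crt` has been installed as a trusted root on each of them, which is the administrative-access condition the reply states.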
If you think for one moment that HTTPS protects you from government spying, you might just be an imbecile. When your operating systems, servers and browsers are tailored by government agencies and businesses catering to those agencies [like Firefox, Chrome, Edge, Microsoft, Amazon, Google, App.. et al], you have only the reasonable expectation of the fallacy of privacy. In such a case, keep your DAMN hands off what I choose to do on my development networks.
This is a shining example of why, if we disagree, we should participate in the RFC process rather than go off on our own. And if we don't get our wishes in the RFC process, we shouldn't stage a rebellion.
I've participated in IETF lists and made it to a few meetings when in country. ICANN is not the IETF. ICANN is driven by money not consensus. A rebellion is exactly what I advocate and very much hope to see happen.
Either "throw the bums out" or raise pain felt by entry of new TLDs by having more operators not blindly delegating everything to root servers.
We need a functioning network.
Which is why it is not ok for bags of slime to intentionally break shit in order to enrich themselves.
Four TLDs are reserved for this. .test, .example, .invalid, and .localhost. If .dev should have been a reserved TLD, there were 15 years to get it added from the time RFC2606 was published until .dev became a TLD.
Half the RFCs worth implementing don't even work in the real world out the gate. There is a bunch of tribal knowledge one must have to account for the difference between RFC and what is actually implemented in real world. It isn't ok to simply cite chapter and verse of text and blindly ignore reality. What is or is not written down in some document isn't an excuse. As I said before responsibility is bidirectional. The lack of ".dev" appearing in an RFCs that results in IANA reservations in the GTLD space does not excuse irresponsibility demonstrated in the act of assigning it.
Nor does Google have an excuse for mistaking the ".dev" Internet namespace they own with all namespaces everywhere.
Both instances of irresponsibility exist independent of judgments against individuals for using .dev.
Which TLD was reserved for that purpose?
localhost? no.
example? nope.
invalid? hell no.
test? maybe... but no... not really, if you actually read the RFC.
And "dev" isn't "test" anyway... hell many of us have BOTH.
Obviously we can't trust Google. This is Google interfering with OUR networks, and so, our data. We should never, ever use their browser. Don't let them dictate how you run your own internal network! This is just another instance of a company trying to interfere with our lives. They are getting away with it because the weak-minded and foolish think it is ok for big corporations to dictate to the people in general. It isn't. Even when they get away with it, as here.
If I want to use HTTPS on a website, I'll bloody well do it. If I don't, I won't. The web does not belong to Google. The web belongs to everyone. HTTP is a perfectly good protocol for many purposes.
Today I removed Chrome from my computer. I already have a mother. I don't need another one.
How's life in the hypocrite lane?
You can have .dev.test and .test.test! Or you can use a TLD that you own!
Just more proof that we are "monkeys with a machine gun" idiots!
Technology is being allowed to be given to entities that do not the proper use.
And, this is further proof that this internet thing needs to be regulated as a PUBLIC UTILITY which, ultimately, means that NET NEUTRALITY is a MUST.
Self-importance and self-indulgence is the root of ALL evil.
Witness BitZtream getting pwned!... twice.....three times!