Google Meet, Allo, YouTube TV, Google Earth, and YouTube Studio Beta all block Windows 10's default browser, Microsoft Edge, from accessing them and they all point users to download Chrome instead.
I imagine this is an attempt to provide an easily understandable alternative for non-technical users should detection of necessary video codecs or JavaScript APIs fail. Though not as far behind standards as IE was during the IE 6-8 era, Edge is also perceived as lagging, as is Firefox ESR at times. What is a web application supposed to do when a necessary component of the web platform is missing? Is it recommended, for example, to implement an entire video codec in JavaScript as a polyfill?
Would the following changes have improved the perception of Google's result?
A. In addition to Google Chrome, also suggest latest stable Firefox if practical, as a means of avoiding the perception of a conflict of interest.
B. Offer a link to "Technical info" stating exactly which features the running browser is missing, and linking to each feature's spec on W3C or WHATWG and support page on caniuse.com.
C. Offer to download a copy of Google Chrome hardcoded to visit one website. Each web application would keep its own copy of Chrome updated. This is, for example, how Skype, Discord, and Slack build the desktop version of their client applications. You might know it as "Electron".
A sufficiently funded developer of a web application can rewrite it in Swift or Objective-C++ as a native iOS application and offer it through the App Store.
Chromecast doesn't have any apps on it (besides the wallpaper). You have to use some other device to cast to it. While that is a nearly useless difference to many people, it's huge to someone that doesn't have a smartphone nor iPad nor Android tablet (but does have a computer in another room, and a Fire tablet).
Then install Google Chrome on the computer and cast from that. Why else would it be called a Chromecast?
Did World Wildlife Fund sue Zynga over Words With Friends or something?
Why is it too complicated to fit a Linux LiveDVD on a 4.7 GB DVD instead of 2 GB?
Because the wire protocol used by Secure Digital (SD) flash memory cards changed between 2 GB cards and Secure Digital High Capacity (SDHC) cards, which are 4 GB or larger. I imagine that the implementation of BIOS or UEFI on some PCs can boot from a 2 GB card but not from an SDHC card.
No admin worth their salt repeatedly boots their systems for maintenance.
Like Windows, linux-image in many distributions has its own monthly security update schedule. And unless you subscribe to Oracle Ksplice, these updates require a reboot.
If you really understand [service dependencies], then handling them in startup scripts is trivial. If you can't handle them at that level, then you shouldn't have the root password.
Then who should have the root password for a home desktop PC? Or how does it benefit the public to require non-technical users to use locked-down, touch-controlled appliances?
Granted, not as many
There's the rub. If the particular titles that your friends desire to play with you are unsupported, then Linux has no important games. Unlike non-game applications, most* games don't implement a common protocol to interoperate with other games by other publishers.
* The exception is computer ports of pre-1923 tabletop games, such as GNU XBoard that interoperates with other Chess software that speaks CECP 2.
Edge, the best browser for downloading other browsers in Win 10
For now. In the long term, that depends on how long Microsoft continues to offer Windows 10 Home to OEMs. If Microsoft were to replace Windows 10 Home with Windows 10 S, that would put other browsers behind a $50 paywall to upgrade to Windows 10 Pro.
I'd try it, but Google Play Store won't let me. It lists Microsoft Edge as incompatible with my Samsung Galaxy Tab A 8" (SM-T350) running Android 7 "Nougat".
The problem here is that the application includes a kext (kernel module) for some purpose, and applications that include a kext cannot be distributed through Mac App Store.
Aside: When did links stop working?
Based on the curly quotes and en.m.wikipedia.org hostname I see on that link's href attribute value in View Source, links in your comments stopped working roughly when you enabled automatic curly quotes on your iPhone or iPad or upgraded your iPhone or iPad to a version of iOS that enabled automatic curly quotes by default. Quoted attribute values in HTML5 must use Basic Latin quotation marks, be they single or double.
The extreme WTF here isn't about the right to perform, but the right to listen to an already approved performance.
Under previous law, the performance was approved for receivers in private spaces, not for receivers in public spaces.
I was not attempting to imply that the public got a fair deal, only refuting a claim that "the public got nothing". Consideration, an analogous concept in contract law, doesn't require that the exchange of value be proportionate.
If the people valued the public domain, the people would choose to purchase products and services from organizations that promote the public domain. But because they instead have chosen to view works of authorship published by copyright maximalists, the people on the whole have voted with their dollars for copyright maximalism.
In general, the author of a musical work (that is, a songwriter, composer, or lyricist) has the exclusive right under copyright to perform it publicly. This includes the exclusive right to perform it publicly through transmission to a restaurant. After the Copyright Term Extension Act of 1998, the exclusive right no longer applied to restaurants below a specific size in square feet.
Anyone who knows anything about TLS also knows about digital signatures and checkhashes.
What browsers will accept a cipher suite containing only key exchange and HMAC (the "digital signatures and checkhashes") without bulk encryption?
There's even a year-old W3C spec called Subresource Integrity that addresses this problem.
Even if it works for images, style sheets, and scripts, it won't work for the HTML document itself because it's subresource integrity, not mainresource integrity. In addition, Mozilla's page about SRI doesn't mention the ability for an HTTPS document to use SRI to verify cleartext subresources in order to avoid restrictions imposed by browsers' Mixed Content and Secure Contexts policies. Nor does W3C's spec, though section 5.1 "Non-secure contexts remain non-secure" thereof (wisely) suggests not trusting SRI when the main document is cleartext.
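The check that Subresource Integrity performs on a fetched body, as an added example that is not part of the original comments: the integrity attribute is parsed, only the strongest listed algorithm counts, and a copy altered by an intermediary no longer matches. The sample bodies and function names are constructed for illustration.

```python
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # algorithms SRI defines, weakest first

# Constructed sample bodies: what the origin published and what a modified copy looks like.
ORIGINAL = b"console.log('article widgets loaded');\n"
TAMPERED = ORIGINAL + b"/* injected by an intermediary */\n"

def digest_b64(alg: str, body: bytes) -> str:
    return base64.b64encode(hashlib.new(alg, body).digest()).decode("ascii")

def integrity_value(body: bytes, alg: str = "sha384") -> str:
    """Value the publisher places in the integrity attribute for this exact body."""
    return f"{alg}-{digest_b64(alg, body)}"

def parse_integrity(attr: str) -> list:
    """Split the attribute into (algorithm, digest) pairs, skipping unknown tokens."""
    parsed = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in STRENGTH:
            parsed.append((alg, rest.split("?", 1)[0]))   # drop any ?options suffix
    return parsed

def matches_integrity(body: bytes, attr: str) -> bool:
    """True if the body satisfies the attribute under SRI's strongest-algorithm rule."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True   # no usable metadata: SRI performs no check at all
    strongest = max(parsed, key=lambda pair: STRENGTH[pair[0]])[0]
    expected = {digest for alg, digest in parsed if alg == strongest}
    return digest_b64(strongest, body) in expected

if __name__ == "__main__":
    attr = integrity_value(ORIGINAL)
    print("original copy accepted:", matches_integrity(ORIGINAL, attr))
    print("tampered copy accepted:", matches_integrity(TAMPERED, attr))
```

An attribute with no recognised algorithm passes every body, so a missing or mistyped integrity value gives no protection.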
If abortionhelp.example is the only host on that IP, then none of this matters
Yes it does. Every modern browser sends the hostname as part of the TLS ClientHello in order to support name-based virtual hosting. The last notable browsers that didn't support Server Name Indication (SNI) were Internet Explorer for Windows XP and Android Browser for Android 2.x, and security updates for IE/XP ended nearly four years ago.
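What an on-path observer can read from the ClientHello, as an added example that is not part of the original comments: a parser that pulls the Server Name Indication host name out of the unencrypted handshake record. The record is constructed here by a helper and the function names are illustrative; a ClientHello split across several records is not handled.

```python
import struct
from typing import Optional

SNI_EXT, HOST_NAME = 0x0000, 0x00

def build_sample_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record; hostname=None omits the SNI extension."""
    exts = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"   # supported_groups: x25519
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        names = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(names)) + names
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

class Reader:
    """Bounds-checked cursor over length-prefixed TLS fields."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated or malformed ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")
    def vec(self, len_bytes: int) -> "Reader":
        return Reader(self.take(self.uint(len_bytes)))
    def done(self) -> bool:
        return self.pos >= len(self.data)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext host_name from a single-record ClientHello, or None."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                   # legacy record version
    hs = rec.vec(2)
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    hello = hs.vec(3)
    hello.take(2 + 32)                            # client_version + random
    hello.vec(1); hello.vec(2); hello.vec(1)      # session id, cipher suites, compression
    if hello.done():
        return None                               # no extensions block at all
    exts = hello.vec(2)
    while not exts.done():
        ext_type, ext_data = exts.uint(2), exts.vec(2)
        if ext_type != SNI_EXT:
            continue
        names = ext_data.vec(2)
        while not names.done():
            name_type, name = names.uint(1), names.vec(2)
            if name_type == HOST_NAME:
                return name.data.decode("ascii")
    return None

if __name__ == "__main__":
    print(extract_sni(build_sample_client_hello("abortionhelp.example")))
```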
The original deal was reneged upon and the public got nothing in return on each extension.
Not exactly "nothing". The 1978 extension codified the fair use factors from case law into statute. The 1998 extension gave the owners of restaurants the right to play the radio or unmute the TV.
Null cypher means the man in the middle can decrypt, tweak the HTTP and then re-encrypt the web page.
This would cause the signature not to match the signature provided by the origin server.
company firewall systems
...are MITM proxies. Using one requires each client to install the root certificate of the firewall's private CA. Your own device that you bring will not have this root certificate and will thus detect the signature mismatch.
If they _want_ the printer or videos, they'll do it.
If not, too bad, they clearly didn't want it enough.
How is that different, from the perspective of a beginner in information security, from "if they _want_ the dancing pigs/bunnies/penguins, they'll install the malware"? (See "Dancing pigs" on Wikipedia.)
That's a softball. Digital signatures.
Which raises the question of how to transmit cacheably signed documents to a web browser in a way that the browser understands. If there were a way to deliver signed static cleartext to a browser, there wouldn't be quite as much need for a "corporate MITM" feature.
Have you _used_ the modern internet in the past five years? A _ton_ of content is dynamically generated.
And a lot is not, especially things like images, style sheets, and scripts, the kind of things for which sites use an Expires: date in the far future. Sometimes, the front page is dynamic, but the article pages need not be. But often, the only reason that a dynamically generated document can't be cached for days at a time is a desire to stalk viewers in order to deliver behaviorally targeted advertisements.
On-site caches are far less useful than they were at the turn of the century.
I agree with you with respect to urban areas of developed countries, but not so much in remote, rural areas and/or less-developed countries.
CDNs and big content providers are _more_ than happy to install content caches on site if your site is large enough.
A single school produces classroom quantities (20-30) of views for an article within an hour, but it's probably not large enough.
It was some "HSTS" (Hyper Sensitive Trust bullShit) thing
Did you send mail to the site's administrator?
Please explain to me how you would encode Korean or Japanese in an 8-bit encoding.
Codepage! Like in the old days. You use yours, I use mine.
All the characters of Chinese or Japanese do not fit in one codepage. (Shift-JIS is not 8-bit.) Nor do all Korean syllables; would you instead decompose each character into its jamo?
You use yours, I use mine.
If they mismatch, there is garbage. If instead you standardize a way to switch codepages within a document, you have reinvented Standard Compression Scheme for Unicode (SCSU). The web abandoned SCSU because cross-site scripting is easier in SCSU than in UTF-8.
But I have no idea what the benefit [of HTTPS with a null cipher] would be over just sending the content over HTTPS [with a nontrivial cipher].
In theory, a protocol guaranteeing integrity and authentication but not confidentiality would allow intermediate caching on the client's private network but allow devices to detect malicious intermediate modification. This at least would prevent having to send 25 copies of an article over a slow, metered link to a sub-Saharan classroom, one to each of 25 students.
So if you want security don't buy shitty devices that don't allow you to install certs from your own CA.
Good luck walking friends and family visiting your home through trusting your private CA in order to access your printer and videos on your NAS.
If affordability was the goal [of the misleadingly named US Affordable Care Act,] there would've been price caps.
The medical loss ratio (MLR) regulation in the ACA places a cap on costs related to administrative cost and shareholder profit at 20% of the premium. A hard price cap would imply a coverage cap.
The ACA also imposes a price cap of 8 percent of gross income. If no qualified plan for a particular person has a premium below that after applicable subsidy, he is exempt from the individual shared responsibility payment.
So what do you do when you hit one of those warnings? Do you trust the MITM CA, or do you ask for a raise so you can afford more cellular data (or any cellular data at all) every month?