I hate gratuitous encryption

ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

I hate gratuitous encryption

Postby ManaUser » Tue Sep 05, 2017 8:15 pm UTC

Back story: I'm using an old version of Firefox, because the new versions suck and I haven't got around to moving everything over to Pale Moon or whatever.

Well more and more lately, I've been getting locked out of websites with "ssl_error_no_cypher_overlap" messages. But the funny thing is I never have this problem with Amazon, my web host, my bank, shady Russian bitcoin exchanges or anything else where security would be important. No, it's always on sites that are encrypted for no good reason.

Most recently, xkcd.

Zohar
COMMANDER PORN
Posts: 7497
Joined: Fri Apr 27, 2007 8:45 pm UTC
Location: Denver

Re: I hate gratuitous encryption

Postby Zohar » Tue Sep 05, 2017 8:18 pm UTC

So you're concerned about security... but you're using an old browser?
Mighty Jalapeno: "See, Zohar agrees, and he's nice to people."
SecondTalon: "Still better looking than Jesus."

Not how I say my name

ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: I hate gratuitous encryption

Postby ManaUser » Tue Sep 05, 2017 9:13 pm UTC

Zohar wrote: So you're concerned about security... but you're using an old browser?

No. That's my point. I am completely unconcerned about the possibility of my xkcd viewing habits being spied on. Mainly because they wouldn't be.

Perhaps this will illustrate better: This forum, the only part of xkcd.com aside from the store which has any use for encryption at all, is not encrypted. I mean, I wouldn't really care if someone stole my account here, but maybe some people would. So at least there would be a vague justification. But Randall apparently decided the main page, where there is absolutely no personal information, is too sensitive to risk letting someone view it without encryption, or even with outdated encryption. Because obviously the NSA is going to work really hard to find out what I've been downloading from xkcd every couple days. Only the best will do.

Zohar
COMMANDER PORN
Posts: 7497
Joined: Fri Apr 27, 2007 8:45 pm UTC
Location: Denver

Re: I hate gratuitous encryption

Postby Zohar » Tue Sep 05, 2017 9:41 pm UTC

I'm not a website admin, but I find it much more likely that it's best practice to use modern encryption, and since the main website is regularly updated, someone bothered to do so, as opposed to the forums, which get a lot less traffic and are somewhat-forgotten and don't get updated often at all.

Still, you should consider updating your browser. Using outdated software is how people get their data hijacked.

Thesh
Made to Fuck Dinosaurs
Posts: 5497
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: I hate gratuitous encryption

Postby Thesh » Tue Sep 05, 2017 9:46 pm UTC

Major sites tend to be the most lax on security, generally because the number of visitors leads to a noticeable tech support cost. You should upgrade your browser (or at the very least disable insecure cipher suites) for that reason alone.
Honesty replaced by greed, they gave us the reason to fight and bleed
They try to torch our faith and hope, spit at our presence and detest our goals

Flumble
Yes Man
Posts: 1943
Joined: Sun Aug 05, 2012 9:35 pm UTC

Re: I hate gratuitous encryption

Postby Flumble » Tue Sep 05, 2017 9:51 pm UTC

Randall hates botnets so he doesn't allow people with insecure systems to enjoy his comics. :wink:

Just how old is your version of Firefox that it doesn't accept TLS 1.2 with the allowed cipher suites? Even bloody FF31 is able to visit xkcd and that's browsing with a live grenade (see all the red stuff since FF31, including multiple code execution bugs)

Also what Thesh says.

As far as I know there's currently no real reason to stop TLS 1.1 support on a server, so the admin of the xkcd domain could enable it for compatibility. But there's less reason not to support TLS 1.2 in a browser these days.

commodorejohn
Posts: 957
Joined: Thu Dec 10, 2009 6:21 pm UTC
Location: Placerville, CA
Contact:

Re: I hate gratuitous encryption

Postby commodorejohn » Tue Sep 05, 2017 10:50 pm UTC

Encryption is basically just a way for browser vendors to strong-arm people into upgrading, when you get right down to it.
"'Legacy code' often differs from its suggested alternative by actually working and scaling."
- Bjarne Stroustrup
www.commodorejohn.com - in case you were wondering, which you probably weren't.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 2467
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: I hate gratuitous encryption

Postby Soupspoon » Wed Sep 06, 2017 1:43 am UTC

(I remember when Netscape was actually a paid-for thing. But a lot of datagrams have passed across OSI layer 3 since those days, and a supplier of an entirely non-inventorial good, gratis, sort of precludes being a 'vendor'. But I digress. I've lost track of the business model used by browsers, these days, but can only imagine it lies somewhere between Big Data and For The Geeky Love Of It, depending upon the brand.)

There are some times when a server should enforce best practice, and there are times when the right to have an overly lax client (for any one of a number of reasons, with varying degrees of actual necessity and legitimacy) should not be infringed.

My instinct is that it was a back-end upgrade that even Randall (or his back-end team) didn't realise was going to exclude any old stuff, but came along with everything else the actual back-back-end maintainer never considered testing against minority browsers. And look at some of the monstrous User-Agent strings, used to maintain full backwards/sideways compatibilities. I wouldn't be surprised if someone didn't want to burn it all down to the ground and 'nudge' the technoluddites.

As a technoluddite myself, in many ways, I feel the pain. As an occasional security professional, it would be nice for the lowest common denominator to be at least recently elevated...

ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: I hate gratuitous encryption

Postby ManaUser » Wed Sep 06, 2017 4:36 am UTC

Yes I know I should upgrade. I will sooner or later. And as much as it irks me it's probably going to be this (not xkcd, but this problem in general) that forces my hand. And yes I'm using a really old version... Firefox has sucked for a long time.

I can understand dropping support for obsolete encryption. But all of that is really kind of secondary. It's only a specific example of how gratuitous encryption became a problem for me. What I don't understand is why it became popular to make encryption mandatory on non-sensitive websites. Clear text is not obsolete. I mean if you want to make https available for people who just think it's cool, want to add to the encrypted background noise for political reasons or whatever, that's fine. But why not leave http available too?

Maybe this is only my personal ideal, but I always kind of figured the goal would be to make your site accessible to as many people as practical.

commodorejohn
Posts: 957
Joined: Thu Dec 10, 2009 6:21 pm UTC
Location: Placerville, CA
Contact:

Re: I hate gratuitous encryption

Postby commodorejohn » Wed Sep 06, 2017 5:57 am UTC

ManaUser wrote: Maybe this is only my personal ideal, but I always kind of figured the goal would be to make your site accessible to as many people as practical.

Hahaha, if web designers did that, who would they look down their noses at while sipping their gluten-free mocha chai soy milk lattes over their Macbooks/Chromebooks?

Flumble
Yes Man
Posts: 1943
Joined: Sun Aug 05, 2012 9:35 pm UTC

Re: I hate gratuitous encryption

Postby Flumble » Wed Sep 06, 2017 12:09 pm UTC

commodorejohn wrote:
ManaUser wrote: Maybe this is only my personal ideal, but I always kind of figured the goal would be to make your site accessible to as many people as practical.

Hahaha, if web designers did that, who would they look down their noses at while sipping their gluten-free mocha chai soy milk lattes over their Macbooks/Chromebooks?

What have you been smoking? :shock: Most 'web designers' use tons of frameworks to make a site look the same in a large variety of browsers and versions, including shitty, broken, insecure browsers like Internet Explorer 8. If everyone would just use an up-to-date browser, website developers would only have to use standardized features and could use all of the currently standardized features, which makes sites so much cleaner, smaller, more readable, more efficient and everything would be sunshine and lollipops (until ads come into play).

commodorejohn wrote: Encryption is basically just a way for browser vendors to strong-arm people into upgrading, when you get right down to it.

When you get right down to it, browser vendors can't (I guess for Google and Apple it's "won't") waste time to update ancient versions of their browser with new cryptography methods. Also what's the point when the people using those versions don't bother updating anyway?

commodorejohn
Posts: 957
Joined: Thu Dec 10, 2009 6:21 pm UTC
Location: Placerville, CA
Contact:

Re: I hate gratuitous encryption

Postby commodorejohn » Wed Sep 06, 2017 2:00 pm UTC

Flumble wrote: What have you been smoking? :shock: Most 'web designers' use tons of frameworks to make a site look the same in a large variety of browsers and versions, including shitty, broken, insecure browsers like Internet Explorer 8.

That used to be the case. Now the trend (as far as I'm observing) is towards redirecting every page on the site to a single "fuck you for not using our preferred browser" page if you're on anything less than the second-to-latest version of (pick any three) IE, Firefox, Safari, Opera, or Chrome (and actually it really only works properly on Chrome anyway.)

doogly
Dr. The Juggernaut of Touching Himself
Posts: 5212
Joined: Mon Oct 23, 2006 2:31 am UTC
Location: Somerville, MA
Contact:

Re: I hate gratuitous encryption

Postby doogly » Wed Sep 06, 2017 2:35 pm UTC

Why on earth should a web developer support a browser longer than people who publish the browser themselves?
LE4dGOLEM: What's a Doug?
Noc: A larval Doogly. They grow the tail and stinger upon reaching adulthood.

Keep waggling your butt brows Brothers.
Or; Is that your eye butthairs?

ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: I hate gratuitous encryption

Postby ManaUser » Wed Sep 06, 2017 4:33 pm UTC

doogly wrote: Why on earth should a web developer support a browser longer than people who publish the browser themselves?

Depends on what you mean by "support". If you mean extensive testing to verify every page renders correctly in a specific old browser, then no that's probably not worth it. If you mean taking a few basic steps to ensure minimal functionality for old browsers in general, then a better question is "why not?".

Leaving http available when there's no good reason why a page needs encryption would definitely come in the latter category.

doogly
Dr. The Juggernaut of Touching Himself
Posts: 5212
Joined: Mon Oct 23, 2006 2:31 am UTC
Location: Somerville, MA
Contact:

Re: I hate gratuitous encryption

Postby doogly » Wed Sep 06, 2017 5:24 pm UTC

ManaUser wrote:
doogly wrote: Why on earth should a web developer support a browser longer than people who publish the browser themselves?

Depends on what you mean by "support". If you mean extensive testing to verify every page renders correctly in a specific old browser, then no that's probably not worth it. If you mean taking a few basic steps to ensure minimal functionality for old browsers in general, then a better question is "why not?".

Everyone is going to die, and our time is our most precious resource. "Why not?" is the easiest question to answer - there is something else you'd rather do. An unsupported browser is not "still kind of minimally supported if I don't do anything fancy." It means you go into the wild world without support. Maybe it "just works," which is always great, but if things require any basic steps at all, those steps would constitute "support."

commodorejohn
Posts: 957
Joined: Thu Dec 10, 2009 6:21 pm UTC
Location: Placerville, CA
Contact:

Re: I hate gratuitous encryption

Postby commodorejohn » Wed Sep 06, 2017 6:19 pm UTC

Man, I don't even care if developers don't want to bother putting time and effort into supporting my choice of browser - I'd just appreciate it if they didn't go out of their way to screw me over for it.

Mike Rosoft
Posts: 63
Joined: Mon Jun 15, 2009 9:56 pm UTC
Location: Prague, Czech Republic

Re: I hate gratuitous encryption

Postby Mike Rosoft » Sat Sep 09, 2017 6:30 pm UTC

Well, I have asked Randall, and he told me that he has been investigating which browser you personally have been using and intentionally installed a certificate which your browser doesn't support.

Seriously: Sometimes old things stop working. Deal with it - time to upgrade. A new version of Firefox is free, and so is Pale Moon if you don't like the changes that Firefox has been making.

LaserGuy
Posts: 4382
Joined: Thu Jan 15, 2009 5:33 pm UTC

Re: I hate gratuitous encryption

Postby LaserGuy » Sun Sep 10, 2017 6:56 am UTC

Also mass encryption makes everyone safer. It creates a kind of herd immunity against phishing sites and malware.

