Undersea Cables by Rishi Sunak [PDF]
Years before becoming Prime Minister of the UK, Rishi Sunak wrote this report, Undersea Cables: Indispensable, insecure.
Link tags: security
169
Learn Privacy
Stuart has written this fantastic concise practical guide to privacy for developers and designers. A must-read!
Web fingerprinting is worse than I thought - Bitestring’s Blog
How browser fingerprinting works and what you can do about it (if you use Firefox).
Dumb Password Rules
A hall of shame for ludicrously convoluted password rules that actually reduce security.
W3C TAG Ethical Web Principles (slides)
The slides from Tess’s presentation on the W3C’s ethical web principles—there’s a transcript too.
Why your website should work without Javascript. | endtimes.dev
The obvious answer to why you should build a website that doesn’t need
jsis… because some people don’t usejs. But how many?!
Let websites framebust out of native apps | Holovaty.com
Adrian brings an excellent historical perspective to the horrifying behaviour of Facebook’s in-app browsers:
Somewhere along the way, despite a reasonably strong anti-framing culture, framing moved from being a huge no-no to a huge shrug. In a web context, it’s maligned; in a native app context, it’s totally ignored.
Yup, frames are back—but this time they’re in native apps—with all their shocking security implications:
The more I think about it, the more I cannot believe webviews with unfettered JavaScript access to third-party websites ever became a legitimate, accepted technology. It’s bad for users, and it’s bad for websites.
By the way, this also explains that when you try browsing the web in an actual web browser on your mobile device, every second website shoves a banner in your face saying “download our app.” Browsers offer users some protection. In-app webviews offer users nothing but exploitation.
Letter in Support of Responsible Fintech Policy
A well-written evisceration of cryptobollocks signed by Bruce Scheier, Tim Bray, Molly White, Cory Doctorow, and more.
If you’re a concerned US computer scientist, technologist or developer, you’ve got till June 10th to add your signature before this is submitted to congress.
Using Google Fonts Breaches GDPR – Interdependent Thoughts
Remember when I said you should avoid third-party dependencies?
Ban embed codes
Prompted by my article on third-party code, here’s a recommendation to ditch any embeds on your website.
Remove Trackers - CSS-Tricks
Laura and I are on the same page here.
Ain’t No Party Like a Third Party - CSS-Tricks
Chris is doing another end-of-year roundup. This time the prompt is “What is one thing people can do to make their website bettter?”
This is my response.
I’d like to tell you something not to do to make your website better. Don’t add any third-party scripts to your site.
Spear phishing with Slackbot for fun and profit – Eric Bailey
Sneaky social engineering in Slack.
Stay alert - DEV Community 👩💻👨💻
It’s not just a story about unloved APIs, it’s a story about power, standards design, and who owns the platform — and it makes me afraid for the future of the web.
A thoughtful, considered post by Rich Harris on the whole ballyhoo with alert and its ilk:
For all its flaws, the web is generally agreed to be a stable platform, where investments made today will stand the test of time. A world in which websites are treated as inherently transient objects, where APIs we commonly rely on today could be cast aside as unwanted baggage by tomorrow’s spec wranglers, is a world in which the web has already lost.
Choice Words about the Upcoming Deprecation of JavaScript Dialogs | CSS-Tricks
Believe it or not, I generally am a fan of Google and think they do a good job of pushing the web forward. I also think it’s appropriate to waggle fingers when I see problems and request they do better. “Better” here means way more developer and user outreach to spell out the situation, way more conversation about the potential implications and transition ideas, and way more openness to bending the course ahead.
Google vs. the web | Go Make Things
With any changes to the platform, but especially breaking ones, communication and feedback on how this will impact people who actually build things with the web is super important, and that was not done here.
Chris has written a thoughtful reflection on last week’s brouhaha around confirm, prompt, and alert being deprecated in Chrome. The way that the “developer relations” folks at Google handled feedback was less than ideal.
I reached out to one of the Google Chrome developer advocates I know to see if I could learn more. It did not go well.
Chromium Blog: Increasing HTTPS adoption
At some point, you won’t be able to visit the first web page ever published without first clicking through a full-page warning injected by your web browser:
Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don’t support it. Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future.
National Security Agency (NSA) security/motivational posters from the 1950s and 1960s [PDF]
This responds to your Freedom of Information Act (FOIA) request, which was received by this office on 5 February 2016 for “A digital/electronic copy of the NSA old security posters from the 1950s and 1960s.”
The graphic design is …um, mixed.
Chromium Blog: A safer default for navigation: HTTPS
Just over a year ago, I pondered some default browser behaviours and how they might be updated.
The first one is happening: Chrome is going to assume https before checking for http.
Now what about the other default behaviour that’s almost 15 years old now? When might a viewport width value of device-width become the default?
Introducing State Partitioning - Mozilla Hacks - the Web developer blog
This is a terrific approach to tackling cross-site surveillance. I’d love it to be implemented in all browsers. I can imagine Safari implementing this. Chrome …we’ll see.