Gopher talk 

@RussSharek @tomasino

The most recent article on my blog ajroach42.guthub.io should be enough to get you started. If not, the tedium article I link to is wonderful.

@ajroach42 @tomasino

Okay, I get it now. I can see where a client that supported markdown would be amazing, and fail gracefully where it wasn't available.

@remotenemesis :-D That's my hope.

I'm still a few days/weeks away from being able to contribute, but yeah. That's what I want.

I want to see some folks building new libre gopher clients.

Gopher talk (tldr) 

@Sci most of the bad choices have been recent.

The web was a good platform until it wasn’t anymore.

Recent bad decisions: EME (rendering browsers essentially permanently insecure to make Netflix happy), allowing css to be, essentially, a complete programming language, stuffing JavaScript into the browser.

There have been other questionable or shortsighted choices (the use of the anchor tag for links, the competing image tags in early html—the worst one won)

@Sci I fully expect EME to be the worst of these choices, though. It’s going to be bad.

Beyond that, a lot of the bad web decisions were made by browser vendors and web developers, but many of those were pretty horrible too. Cross-site tracking cookies, flash, JavaScript.

The web shouldn’t have ever become an application layer. It should have remained a content delivery platform. Apps should be native, and hook in to the net via apis.

@ajroach42 It's been a long time since I was into the deep technicalities, so I'm playing catch-up a bit.

If I understand correctly, EME renders browsers insecure because it allows a remote vendor to install a decryption module into your browser, which could contain anything including malicious code or security vulnerabilities, yes?

And both CSS and Java because they push browsers beyond just displaying static documents, but allow code execution within them?

@Sci EME is a form of DRM that is/will be/is bundled in to web browsers.

Technically it's sandboxed and tested and should be "safe", but because it is a form of DRM it is protected by the DMCA, making the disclosure of security vulnerabilities in the web browser that *might* be related to EME a felony.

The w3c was given the opportunity to stop this, and make members provide an exception for security research and/or accessibility. They refused.

@Sci So now every major web browser has a thing in it that it's illegal for anyone to look at, and we don't have even the most basic assurances that someone who discovers a flaw in EME (and there will be flaws) won't go to jail for disclosing it.

CSS and Javascript I'll address separately.

CSS is supposed to define how a browser displays elements on a page. It's now a programming language. Current CSS takes lots of computing power (which is bad) and can be used to hide/do malicious things.

@Sci

Some things are easier and more secure because of CSS3. A lot of things are harder, and more complex (and less secure because they are more complex, if not because they are directly less secure.) This means that you've got to update your hardware more often. Modern CSS techniques also frequently wreak havoc with accessibility, because everyone is trying to reinvent the wheel.

@Sci Javascript.

Javascript is complicated. I am of the opinion that netscape made a mistake including it in browsers to begin with, but that's just me.

All the stuff I said about accessibility and hardware/performance issues goes double for JS.

Except that JS is a full programming language from the ground up. You can run modern applications in it. You can use it to emulate old computers.

It's neat!

It's also a huge performance and security hole. Malicious JS can cause many problems.

@Sci That is not to say that I think Javascript in general is bad!

I think it's great. Having this almost universal platform for application delivery is really neat!

I don't think it should be required to view a news article, or to log in to mastodon, or send an email.

I think js should be downloaded from your web browser and then rendered in a separate application.

Browsers shouldn't assume Javascript is available. Browsers shouldn't know about JS.

@Sci You want AJAX features in your web page? Great! What you want is no longer a web page, it's now an application. We'll run it in a separate environment.

You want to mandate AJAX features so that I can read your news article or watch your video? That's probably actually sketchy!

And then you've got shit like: eff.org/deeplinks/2009/09/onli which illustrates the tracking problem back in 2009. (it's worse now.)

@ajroach42 From my understanding the way firefox implements it, with a heavily sandboxed blob is safe.
Even though it sucks that it promotes drm.

@ayy

Everyone is trying to implement it as safely as possible, but we'll *never* know if it's actually safe, because disclosing vulnerabilities in the EME is a felony.

I'm not trying to fearmonger here. Firefox is probably reasonably safe for most users.

But, so long as EME is in the browser, I will trust my browser even less.

@ajroach42 Well as long as the sandbox is safe everything should be safe? Same as running untrusted javascript in a trusted browser?

@ayy Right.

But untrusted javascript crashes browsers or does malicious stuff all the time.

And then we fix it, because we can do security research on sandboxed javascript.

@ayy Like, you're not going to convince me that any sandbox is safe.

Malicious code can already break out of sandboxes in browsers to OSs in virtual machines, and then break out of those virtual machine OSs into the host machine OS.

en.wikipedia.org/wiki/Virtual_

Have a recent example: vmware.com/security/advisories

But we only know about these things, so that we can patch them, because it's not illegal to do security research on these platforms.

EME is unsafe. Full stop.

@a_breakin_glass we'll have that or something like it quick.

Alternately browsers still have an analog hole.
