
Chrome 56 Beta: “Not Secure” Warning, Web Bluetooth, and CSS Position: Sticky - iddan
https://blog.chromium.org/2016/12/chrome-56-beta-not-secure-warning-web.html
======
benjaminjackman
So their example use case for `position: sticky` is putting a distracting
header onto a space constrained mobile device __where the browser's own address
bar has the good sense to disappear__ when scrolling down. Not rise from the
page like some pixel craving zombie element.

And let's keep in mind in the real world, it's going to be at least 3 times
bigger than that because it's not a sticky bar for ants after all. And it'll
be rocking its best friend Mr Hamburger Menu, some social-tracking-sharing-
buttons, and a banner ad for whatever was mis-classified from the background
of the weighted average of the last 10 Facebook pictures you appeared in.

Just the text please! Viva le reader mode!

~~~
lucaspiller
> distracting header onto a space constrained mobile device

This is my pet hate with Google's AMP mode which most sites seem to be
switching to.

On my iPhone 5S it breaks hiding the browser's address bar when you scroll,
then you have the AMP 'address bar' of the same size, then you finally get to
the site's sticky header and footer. On Huffington Post the content is around
50% the size of my screen. Oh and it breaks Safari's Reader mode, which I
assume also means accessibility features.

[http://i.imgur.com/PNOQ4Hk.jpg](http://i.imgur.com/PNOQ4Hk.jpg)

If anyone from Google is here, please do something about this as it is
ridiculous.

~~~
tdkl
Google fix = buy a bigger phone, so you'll see the same amount of content as 4
years ago.

And in case someone from Google is listening, give the option to opt out of
this AMP crap, I'll gladly pay for extra bandwidth.

~~~
m45t3r
Well, I do not, because I am on a limited connection (~1.5GB per month). I
gladly appreciate that sites load faster when I am using a mobile connection
too.

While I understand the pain of (sometimes) having broken sites when AMP is on,
this really helps when someone is in a country where mobile internet is
expensive.

~~~
therealidiot
Which is why an option was suggested

------
darinf
One of the coolest features in this release:

""" When content changes above the viewport, Chrome now automatically adjusts
the scroll position to keep content in the viewport fixed unless the CSS
overflow-anchor property is set. """

~~~
modeless
Not only that, but "Showing and hiding the URL bar on mobile no longer resizes
the initial containing block or elements sized with viewport units such as
vh." Thank God! I thought they were never going to reverse this horrible
decision. These two changes should substantially reduce scroll jumping on
Android which is one of my biggest annoyances on the web these days.

------
no_protocol
So if I just redirect all http requests to https, what unexpected consequences
might I run into?

Not-for-profit hobby site/community with a couple hundred regular users. Have
been running https with Let's Encrypt certs for a year but not advertising or
defaulting to it. No legacy systems or other entanglements.

There is a forum that allows users to post inline images and media from other
domains.

~~~
regecks
If you have absolute URLs ([http://..../foo.jpg](http://..../foo.jpg)) saved
in documents or a database or something like that, you would need to rewrite
them to be protocol-relative or just [https://](https://).

~~~
ReverseCold
Hmm, but they said SSL is already enabled if you visit the site with https.
Shouldn't redirecting http > https be completely risk free then or am I
missing something?

~~~
chipperyman573
If you visit a secure site (https), embedding insecure items (http) will fail
because they could do just as much damage as loading the entire page over
http.

~~~
Buge
It depends on what the insecure item is. If it's just an image, it won't fail,
it will just grey out the https and not display a lock icon.

[https://mixed.badssl.com/](https://mixed.badssl.com/)

~~~
nailer
That's current behavior, but I wouldn't guarantee it will remain that way; an
http image compromises the integrity of the site: it could be manipulated to
change the meaning. Imagine reading a news site using an unencrypted CDN and
whoever runs the WiFi (or the country you're in) is replacing the images with
similar yet different ones, giving a different impression than what the
creator intended.

You could do this quite subtly as a way to influence people by making certain
figures appear more sinister.

These warnings tend to get tougher over time, so what's grey now may be red
next year.

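The distinction chipperyman573, Buge and nailer are drawing (an http image in an https page is "passive" mixed content that Chrome 56 still loads at the cost of the lock icon, while scripts, frames and stylesheets are "active" and get blocked), together with regecks's advice further up about rewriting absolute http:// URLs stored in posts, can be turned into a single pass over stored content. The following is an added example written for this thread, not code from the post or from Chromium; `forum.example` and the other host names are constructed, and the passive/active table reflects the browser behaviour the thread describes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# How browsers treat an http:// load inside an https:// page.  Passive loads
# (images, audio, video) are still fetched by Chrome 56 and only cost the lock
# icon; active loads (scripts, frames, stylesheets, plugins) run with the page's
# privileges and are blocked outright.  <a href> is navigation, not a load.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}


class MixedContentRewriter(HTMLParser):
    """Upgrade http:// references to our own hosts; report the ones we cannot."""

    def __init__(self, own_hosts):
        # convert_charrefs=False so entities in text are echoed back unchanged
        super().__init__(convert_charrefs=False)
        self.own_hosts = {h.lower() for h in own_hosts}
        self.out = []
        self.findings = []  # (kind, tag, url) for http:// loads left in place

    def _check_url(self, tag, attr, url):
        parts = urlsplit(url.strip())
        if parts.scheme.lower() != "http":
            return url  # https://, protocol-relative, relative and data: are fine
        if parts.hostname and parts.hostname.lower() in self.own_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        kind = "active" if (tag, attr) in ACTIVE else "passive"
        self.findings.append((kind, tag, url))
        return url

    def _emit_tag(self, tag, attrs, self_closing):
        pieces = [tag]
        for name, value in attrs:
            if value is None:
                pieces.append(name)  # boolean attribute such as "async"
                continue
            if (tag, name) in PASSIVE or (tag, name) in ACTIVE:
                value = self._check_url(tag, name, value)
            # the parser unescaped the value; re-escape it on the way out
            pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_post(html_text, own_hosts):
    """Return (rewritten_html, findings) for one stored post or page."""
    parser = MixedContentRewriter(own_hosts)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample post, as a forum database might store it.
SAMPLE_POST = (
    "<p>Look at this &amp; tell me:</p>"
    '<img src="http://forum.example/uploads/a.jpg">'
    '<img src="http://cdn.other.example/b.png?x=1&amp;y=2">'
    '<script src="http://tracker.example/t.js"></script>'
    '<a href="http://elsewhere.example/">link</a>'
)

if __name__ == "__main__":
    fixed, findings = rewrite_post(SAMPLE_POST, ["forum.example"])
    print(fixed)
    for kind, tag, url in findings:
        print(f"{kind:7} <{tag}> {url}")
```

Run over the sample, the forum's own image is upgraded to https://, the third-party image is reported as passive and the tracker script as active; only the active finding would be blocked by the browser, but the passive one is exactly the image-swapping case nailer describes, so both lists are worth reviewing before flipping the redirect on.
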
------
outsidetheparty
>the Web Bluetooth API [...] enables web developers to connect to bluetooth
devices such as printers

Feeling nostalgic for FAX spam? Let's update it for the modern era!

(Kidding. A little bit. The Web Bluetooth spec addresses these concerns at
length -- [https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy](https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy)
-- but mostly as a "here are the many, many ways this could be used
maliciously", with not nearly enough "and here's how we plan to prevent that"
for my taste.

I gotta say this is an attack surface I'd prefer we'd left buried deep
underground; I can't think of any device I'd feel safe allowing a website to
pair with. Keyboard? Keylogger. Printer? Physical spam. Headphones? Audio
spam. Who wants this?)

~~~
pageld
I can think of a couple of things at least in the prehospital medical field.
Bluetooth EKG machines are used to do documentation and need to have their
data sent to the hospital as fast as possible. Also Bluetooth scanners are
used to scan driver's licenses and triage tags.

The less manual input a provider has to do, the better. Then they can spend
their time making sure the patient is being taken care of.

Most EMS documentation is done on web applications instead of desktop apps so
it can work on anything from an iPad to a Surface to a Toughbook.

You don't want to know how these things are hooked up today.

~~~
outsidetheparty
Those are... pretty darn good examples, actually. Thanks!

------
r721
FLAC support seems to be merged to M-56 too:

[https://bugs.chromium.org/p/chromium/issues/detail?id=93887](https://bugs.chromium.org/p/chromium/issues/detail?id=93887)

~~~
cpeterso
Mozilla is shipping FLAC support in Firefox 51, which is currently the Firefox
Beta channel and will be released to everyone on January 24.

[https://bugzilla.mozilla.org/show_bug.cgi?id=1195723](https://bugzilla.mozilla.org/show_bug.cgi?id=1195723)

------
Sephr
This is too soon if Google goes forward with the red exclamation point
"insecure" flag before there is a free solution for wildcard certificates.

What are free sites that give every user a subdomain for their
profile/site/etc supposed to do? There are many open source multi-user site
platforms that follow this pattern, and all of these platforms now effectively
have a huge monetary subscription fee associated with them due to the fact
that you now need to purchase a wildcard certificate in order to not scare
away users.

There is no free wildcard SSL certificate service, so Google is essentially
forcing you to pay money to not scare users away from your site.

I am all for this change eventually happening, but not until _all_ DV SSL use
cases are covered by free services. Until then, this change is inappropriate.

If Google wants to punish sites that can't afford or won't pay for expensive
wildcard certificates, then they should offer a solution of their own (like
their own ACME CA that supports provisioning wildcard certs).

~~~
rogerdpack
The only problem is if those subdomains have a password input field
"somewhere" on their sites, AFAICT. Or are you referring to google's "later"
plans to add a red exclamation point "insecure" flag to the url bar for all
HTTP pages?

I'll admit when I first heard of them flagging HTTP password fields, my
instinct was to write a little javascript to "mimic" password input field
behavior (and store the real password away somewhere else, then at submit
time, it sends in the correct data). But if it's just a tiny warning on the
url bar, meh, not sure if I care...

Also note that [https://letsencrypt.org](https://letsencrypt.org) appears to
offer free CA certs.

~~~
byuu
I doubt most will even go that far. You can pretty much expect those that
won't go HTTPS (for whatever reason, and there are many) to change their input
type="password" fields to input type="text" fields.

That is probably what I am going to do for the internal site I maintain at
work, since I can't get an SSL certificate for such a thing.

All this change is going to do is make password eavesdropping in person
easier.

~~~
niij
If it's hosted in local IP space and therefore you can't get a certificate,
you can set up a CA and push that CA certificate through Group Policy. I had to
do it myself and it took 3-4 hours (mostly because I'm bad at Group Policy).

~~~
byuu
The problem is that I'm a developer on a team of six. And my site is used by
another five or six teams. It's a little tools site that does various SQL
queries and such against databases other teams don't have access to. They're
not going to allow me to push my signing certificate onto everyone's
computers. I'm very low on the org chart.

~~~
niij
Well, I assume in a company with that many teams they would have already come
across a need to manage their own simple, internal CA. Maybe you can be the
person to set it up; trust me, it's scarier than it looks.

------
kuschku
So, how do I manage a website where I allow users to embed arbitrary URLs as
image, so I don’t even know which protocol they’ll use, but where I want HTTPS
for the page itself?

Will I just have to deal with the yellow "mixed content! insecure!" warning?
Will I have to proxy requests?

There are many forums like that on the web.

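kuschku's second question, whether the site has to proxy the requests, is the camo-style answer for a forum that lets users embed arbitrary image URLs: the page only ever references an HTTPS URL on a proxy you run, and the proxy fetches the user's original image. The added example below is my own Python, not code from the thread or from any proxy project; `img.forum.example` and the secret are constructed values. It signs every proxied URL with an HMAC so the proxy cannot be turned into an open fetcher, and refuses addresses that would point the proxy at the forum's own network.

```python
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Hypothetical layout for the proxy host and the shared secret (constructed
# values; the secret must be known only to the forum server and the proxy).
PROXY_BASE = "https://img.forum.example"
SECRET = b"constructed-demo-secret-replace-me"


def _is_internal(host):
    """Reject obvious internal targets so the proxy is not a door into the LAN.

    Only literal addresses can be judged here; for names, the proxy must apply
    the same check to the resolved address right before it fetches.
    """
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def sign_proxy_url(url, secret=SECRET):
    """Turn a user-supplied image URL into an HTTPS proxy URL, or None if refused."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None  # data:, javascript:, file:, protocol-relative and relative URLs
    if _is_internal(parts.hostname):
        return None
    digest = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    encoded = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{PROXY_BASE}/{digest}/{encoded}"


def verify_proxy_path(path, secret=SECRET):
    """Proxy side: recover the origin URL only if the HMAC checks out, else None."""
    try:
        _, digest, encoded = path.split("/", 2)
    except ValueError:
        return None
    try:
        url = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None  # forged or tampered: do not fetch
    # belt and braces: re-apply the target check even on a valid signature
    host = urlsplit(url).hostname
    if not host or _is_internal(host):
        return None
    return url


if __name__ == "__main__":
    proxied = sign_proxy_url("http://cdn.other.example/b.png?x=1&y=2")
    print(proxied)
    print(verify_proxy_path(proxied[len(PROXY_BASE):]))
```

The forum calls `sign_proxy_url` when it renders a post, so the browser sees only https:// loads and the mixed-content warning never appears, whatever protocol the user pasted. The no-proxy alternative is the `upgrade-insecure-requests` Content-Security-Policy directive, but that only helps when the remote host also serves the image over HTTPS, which the site has no way to guarantee for arbitrary user links.
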
~~~
tantalor
Who cares about warnings? Do your users browse with devtools open?

At worst the users see the grey "i" in circle icon:
[https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/passive-mixed-content.html](https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/passive-mixed-content.html)

~~~
bjacobel
A single HTTP request in an otherwise HTTPS page can compromise the privacy
and integrity of a user's connection. SSL/TLS isn't just about checking all
the boxes so Chrome will give you the prettier icon, there are real stakes for
users.

~~~
andrewmunsell
To expand on this--

Imagine you have a website with a payment form on an HTTPS page, but you embed
some external analytics script over HTTP. If your visitor's request is MITMed
(e.g. they're in a coffee shop or some other insecure WiFi access point, etc),
then an attacker can modify the script (that's over HTTP) to send these credit
card details to the attacker's server. Once there's a single HTTP resource on
the page, HTTPS means a whole lot less, hence the scary warnings.

~~~
baybal2
>Once there's a single HTTP resource on the page, HTTPS means a whole lot
less, hence the scary warnings.

More like if there is a single line of 3rd party code.

------
rawnlq
Hmm, I don't understand the bluetooth protocol well. What are some security
issues I should be aware of if a rando site asks for bluetooth permissions
(assuming this feature is gated) and I accidentally click yes?

Will it be able to take over bluetooth speakers or robot toys? They must be in
discovery mode for it to connect so I am safe right? Then it will just be
privacy issues which I can live with.

Otherwise it looks pretty cool. E.g, controlling a drone from a webpage:
[https://www.youtube.com/watch?v=gXu3G3cg52k&feature=youtu.be](https://www.youtube.com/watch?v=gXu3G3cg52k&feature=youtu.be)

~~~
woodruffw
At a glance, here are some issues:

Every bluetooth device has a unique MAC-like address, which could be used to
track you (or your device, at least).

There are also obvious privacy/security issues with the fact that device-
stored information (full name, location, biostatistics, etc) can be accessed
by any JS loaded onto the same page (read: analytics companies).

The whole Web Bluetooth spec is online[0], if you'd like to read it for
yourself.

[0]: [https://webbluetoothcg.github.io/web-bluetooth/](https://webbluetoothcg.github.io/web-bluetooth/)

------
otto_ortega
Web Bluetooth?! Am I the only one who just learned this was a thing?

Recently I have grown an interest in progressive web apps. I wonder if there is
a list of the sensors/interfaces that can now be accessed from a web browser;
it would certainly be helpful.

~~~
askvictor
WebUSB and WebSerial are things too (not necessarily implemented yet).

~~~
Ajedi32
Not to mention WebVR, Web Payments, the Presentation API, the Gamepad API, and
the Web Speech API.

------
sengork
I wish they implemented text reflow on mobile devices, it'd make the web so
much more readable for end-users and websites which are not mobile optimised.

~~~
anc84
And usually having control over the zoom level and getting reflowed text makes
for a vastly superior reading experience compared to TEN LINES IN HUGE LETTERS
PER SCREEN like many mobile-optimised sites sadly do.

------
baybal2
>Chrome no longer allows opening of pop-ups during inputs which represent a
touch scroll, such as touchstart and touchmove.

Wow. I remember people were complaining that Google was the only major ad
network company that did not forbid ontouch* code in ads, and one that had
picked a principled stance on allowing them.

------
makecheck
There’s too much potential for abuse in web technologies; it’s past time for
web browsers to clearly divide their capabilities into higher-level buckets
that have restrictions.

Two buckets that come to mind: maybe you should have to specify that either
you are developing an “app” or you are developing a “page”. And no _page_
should be able to do things like create sticky-elements (not to mention a
zillion other capabilities) because we all know some Obnoxious Clueless Ad
Company will take about 13 seconds to start ruining your browsing with it.
Anything identified as an “app” should be impossible to load in a normal
browser, accessible only under a dedicated home-screen icon with a special
sandbox, etc.

~~~
Kadin
I agree, and it seemed like Chrome was aiming for something like that model
for a while. But then Google seems to have backed away from it. Except on
ChromeOS, Chrome apps are supposed to be phased out by 2018.

Personally, I am really unhappy with the direction of the web right now. Ads
have gotten more and more intrusive (particularly on mobile), and it seems
like every site is doing some sort of shitty "sign up for our newsletter!" or
"but wait there's more!" overlay. Blocking and display-control mechanisms have
seemingly fallen behind (again, especially on mobile, where for the typical
user there's basically no viable ad blocking solution).

I've heard web developers defend all of this from a business perspective (we
need the ad revenue), but it seems really shortsighted. All it's going to do
is drive users to walled-garden apps, probably dominated by one or two big
players in each market category, and the friction to get your content or
product in front of customers will increase tremendously.

~~~
HappyTypist
On iOS, you can just download a content blocker from the App Store and it'll
just work in Safari.

------
mtgx
"Web Bluetooth", as well as the "Physical Web" sound very scary.

Who's going to ensure all of these devices that are accessed this way don't
get hacked? Google?

------
notadoc
While this is obviously useful for anything with a login, there are many
content and consumption sites that simply don't need HTTPS.

~~~
tdkl
Yeah, can't wait till my CV and project descriptions (not hosted there) static
Jekyll site is somehow insecure and dangerous.

[edit] I guess I'll have to find a new host then, since GitHub Pages
doesn't support HTTPS on custom domains. Perhaps Netlify; it seems to support
GitHub hooks.

~~~
Buge
Well, China intercepts HTTP traffic and inserts JavaScript malware joining
users into a botnet that DDoSes GitHub pages of human rights organizations. It
depends on what you mean by insecure and dangerous.

~~~
niij
Link?

~~~
Buge
[https://citizenlab.org/2015/04/chinas-great-cannon/](https://citizenlab.org/2015/04/chinas-great-cannon/)

[https://en.wikipedia.org/wiki/Great_Cannon](https://en.wikipedia.org/wiki/Great_Cannon)

------
k4321
Opening up a secure HTTPS iframe (for example from another domain) on a non-
secure HTTP website labels the entire site as "Not Secure". This will generate
an unnecessary warning to the user when the login form or the payment form is
really secured by HTTPS.

If the Chrome development team implements this new security feature they need
to check that the window where the form exists is secure by HTTPS or not, and
not only check if the top window is secured with HTTPS or not.

~~~
detaro
A warning which is completely applicable if someone modifies the HTTP
transmitted site and replaces the secure iframe with a phishing version of it.
And since the browser can't tell when that happens, it displays the warning
always.

~~~
k4321
You are correct about that.

I think that the main problem with iframes (and frames in general) is that
it's impossible for the user to check in an easy way where they originate
from. If the URL bar automatically changed to the iframe's URL when the user
hovers over the iframe, it would at least give the user a possibility to check
where the iframe originates from and there would be no need to label the
entire site as "Not Secure".

~~~
askmike
> I think that the main problem with iframes (and frames in general) is that
> it's impossible for the user to check in an easy way where they originate
> from.

Exactly, just like all other resources (assets, media).

> If the URL bar automatically changed to the iframe's URL when the user
> hovers over the iframe

Not only is this extremely confusing for anyone who isn't an expert, it also
breaks when you don't use a mouse. It can also be circumvented really easily by
simply hiding an iframe.

-----

Why exactly don't you like the current behaviour? If you load a page over
HTTPS that loads a bunch on insecure pages inside iframes, the page _is_
insecure.

~~~
k4321
In my example it was the other way around. You load an insecure page over
HTTP without triggering any visible warning. And then you load a secure iframe
over HTTPS with a login form and this triggers the "Not Secure" warning. The
only reason to do this that I can think of is because of MITM attacks like
detaro wrote about.

------
ramenmeal
Curious, will position:sticky work for a thead tag? Or a tr? All the
workarounds for this have their faults.

~~~
iso-8859-1
Probably, since position:fixed works:
[http://jsfiddle.net/brettadamsga/yeAhU/](http://jsfiddle.net/brettadamsga/yeAhU/)

------
taf2
I'm excited for the Web Bluetooth feature. Also position:sticky is very
welcome...

~~~
freshyill
position:sticky first appeared in Chrome Canary in 2012, somewhere around
Chrome 30, but then they pulled it because of the issues.

A coworker was looking for a JavaScript sticky solution for an internal tool,
and since that team could dictate what browsers the users should use, she
started building it around position:sticky. Soon enough the property
disappeared and she had to go with JS anyway.

The company got bought by their largest competitor a few months ago. I never
would have guessed that the company would be gone before this finally got
released.

------
twism
It’s a shame Apple keeps castrating iOS Safari by not adopting open web
standards to keep the App Store relevant.

------
Sir_Cmpwn
>"Not Secure" Warning

Nice!

>Web Bluetooth

What the fuck?

>Position: Sticky

Nice!

------
johndoe4589
EDIT4:

Bah, it's not free on HostGator even with a free certificate:

_Do you authorize the $2 / month or $24 / year dedicated IP charge? (Dedicated
IP required for SSL) *_

_Do you authorize the $10.00 SSL Installation fee?_

EDIT3:

Re: having to buy a SSL on a hobby site / forum ...

OK, I see HostGator allows third-party SSL. It's not super straightforward, but
at least it seems possible to use a free SSL from Let's Encrypt and then get
it installed...

I have shell access too, but it's not "administrative" access so afaik, the
Let's Encrypt "Certbot" would not work?

Would [https://gethttpsforfree.com/](https://gethttpsforfree.com/) work on
HostGator with shared shell access (not administrative)? Does anybody know?

