Goodbye, EdgeHTML

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

( )

Microsoft is officially giving up on an independent shared platform for the internet. By adopting Chromium, Microsoft hands over control of even more of online life to Google.

This may sound melodramatic, but it’s not. The “browser engines” — Chromium from Google and Gecko Quantum from Mozilla — are “inside baseball” pieces of software that actually determine a great deal of what each of us can do online. They determine core capabilities such as which content we as consumers can see, how secure we are when we watch content, and how much control we have over what websites and services can do to us. Microsoft’s decision gives Google more ability to single-handedly decide what possibilities are available to each one of us.

From a business point of view Microsoft’s decision may well make sense. Google is so close to almost complete control of the infrastructure of our online lives that it may not be profitable to continue to fight this. The interests of Microsoft’s shareholders may well be served by giving up on the freedom and choice that the internet once offered us. Google is a fierce competitor with highly talented employees and a monopolistic hold on unique assets. Google’s dominance across search, advertising, smartphones, and data capture creates a vastly tilted playing field that works against the rest of us.

From a social, civic and individual empowerment perspective ceding control of fundamental online infrastructure to a single company is terrible. This is why Mozilla exists. We compete with Google not because it’s a good business opportunity. We compete with Google because the health of the internet and online life depend on competition and choice. They depend on consumers being able to decide we want something better and to take action.

Will Microsoft’s decision make it harder for Firefox to prosper? It could. Making Google more powerful is risky on many fronts. And a big part of the answer depends on what the web developers and businesses who create services and websites do. If one product like Chromium has enough market share, then it becomes easier for web developers and businesses to decide not to worry if their services and sites work with anything other than Chromium. That’s what happened when Microsoft had a monopoly on browsers in the early 2000s before Firefox was released. And it could happen again.

If you care about what’s happening with online life today, take another look at Firefox. It’s radically better than it was 18 months ago — Firefox once again holds its own when it comes to speed and performance. Try Firefox as your default browser for a week and then decide. Making Firefox stronger won’t solve all the problems of online life — browsers are only one part of the equation. But if you find Firefox is a good product for you, then your use makes Firefox stronger. Your use helps web developers and businesses think beyond Chrome. And this helps Firefox and Mozilla make overall life on the internet better — more choice, more security options, more competition.

Scathing but well-deserved dig at Microsoft by Mozilla, following on from the Edge-switch-to-Chromium I’ve been going on about. Chris is right: more people should try Firefox (it’s been my general-purpose browser on desktop and mobile ever since Opera threw in the towel and joined the Chromium hivemind in 2013, and on-and-off plenty before then) – not just because it’s a great browser (and it is!) but also now because it’s important for the diversity and health of the Web.

(Reprinted in full under a creative commons license.)

While we Blink, we loose [sic] the Web

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

( )

We used to have much more diversity in terms of browser engines years ago than we do today. This is easy to understand as the Web in 2018 is far more complex than it was in the early noughties. It is very costly to develop and maintain a Web engine and few companies have the necessary talent and cash to do it. Microsoft is one of those companies but the fact that it might be throwing in the towel on its engine signals a bad development for all of us.

Further evaluation of the dangers of the disappearing diversity on the Web, following in the theme of my thoughts the other day about Microsoft’s adoption of Chromium instead of EdgeHTML in its browser.

Andre raises a real point: how will we fight for a private and decentralised Web when it becomes “the Google Web”?

Risking a Homogeneous Web

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

( )

I don’t think Microsoft using Chromium is the end of the world, but it is another step down a slippery slope. It’s one more way of bolstering the influence Google currently has on the web.

We need Google to keep pushing the web forward. But it’s critical that we have other voices, with different viewpoints, to maintain some sense of balance. Monocultures don’t benefit anyone.

This essay follows-up nicely on my concerns about Microsoft’s move from EdgeHTML to Chromium in Edge, but goes further to discuss some of the bigger problems of a homogeneous web, especially one under Google’s influence.

Edge may be becoming Chromium-powered, and that’s terrible

Microsoft engineers have been spotted committing code to Chromium, the backend of Google Chrome and many other web browsers. This, among other things, has lead to speculation that Microsoft’s browser, Edge, might be planned to switch from its current rendering engine (EdgeHTML) to Blink (Chromium’s). This is bad news.

This page in Microsoft Edge
This post, as it would appear if you were looking at it in Edge. Which you might be, I suppose.

The younger generation of web developers are likely to hail this as good news: one fewer engine to develop for and test in, they’re all already using Chrome or something similar (and certainly not Edge) for development and debugging anyway, etc. The problem comes perhaps because they’re too young to remember the First Browser War and its aftermath. Let me summarise:

  1. Once upon a time – let’s call it the mid-1990s – there were several web browsers: Netscape Navigator, Internet Explorer, Opera, etc. They all used different rendering engines and so development was sometimes a bit of a pain, but only if you wanted to use the latest most cutting-edge features: if you were happy with the standard, established features of the Web then your site would work anywhere, as has always been the case.
    Best viewed with... any damn browser
  2. Then, everybody starting using just one browser: following some shady dealings and monopoly abuse, 90%+ of Web users started using just one web browser, Internet Explorer. By the time anybody took notice, their rivals had been economically crippled beyond any reasonable chance of recovery, but the worst had yet to come…
    Best viewed with Internet Explorer
  3. Developers started targeting only that one browser: instead of making websites, developers started making “Internet Explorer sites” which were only tested in that one browser or, worse yet, only worked at all in that browser, actively undermining the Web’s position as an open platform. As the grip of the monopoly grew tighter, technological innovation was centred around this single platform, leading to decade-long knock-on effects.
  4. The Web ceased to grow new features: from the release of Internet Explorer 6 there were no significant developments in the technology of the Web for many years. The lack of competition pushed us into a period of stagnation. A decade and a half later, we’re only just (finally) finishing shaking off this unpleasant bit of our history.
    "Netscape sux"

History looks set to repeat itself. Substitute Chrome in place of Internet Explorer and update the references to other web browsers and the steps above could be our future history, too. Right now, we’re somewhere in or around step #2 – Chrome is the dominant browser – and we’re starting to see the beginnings of step #3: more and more “Chrome only” sites. More-alarmingly this time around, Google’s position in providing many major Web services allows them to “push” even harder for this kind of change, even just subtly: if you make the switch from Chrome to e.g. Firefox (and you absolutely should) you might find that YouTube runs slower for you because YouTube’s (Google) engineers favour Google’s web browser.

Chrome is becoming the new Internet Explorer 6, and that’s a huge problem. Rachel Nabors wrote in her excellent article The Ecological Impact of Browser Diversity:

So these are the three browser engines we have: WebKit/Blink, Gecko, and EdgeHTML. We are unlikely to get any brand new bloodlines in the foreseeable future. This is it.

If we lose one of those browser engines, we lose its lineage, every permutation of that engine that would follow, and the unique takes on the Web it could allow for.

And it’s not likely to be replaced.

The Circle of Browsers, by Rachel Nabors

Imagine a planet populated only by hummingbirds, dolphins, and horses. Say all the dolphins died out. In the far, far future, hummingbirds or horses could evolve into something that could swim in the ocean like a dolphin. Indeed, ichthyosaurs in the era of dinosaurs looked much like dolphins. But that creature would be very different from a true dolphin: even ichthyosaurs never developed echolocation. We would wait a very long time (possibly forever) for a bloodline to evolve the traits we already have present in other bloodlines today. So, why is it ok to stand by or even encourage the extinction of one of these valuable, unique lineages?

We have already lost one.

We used to have four major rendering engines, but Opera halted development of its own rendering engine Presto before adopting Blink.

Three left. Spend them wisely.

As much as I don’t like having to work-around the quirks in all of the different browsers I test in, daily, it’s way preferable to a return to the dark days of the Web circa most of the first decade of this century. Please help keep browsers diverse: nobody wants to start seeing this shit –

Best viewed with Google Chrome

Update: this is now confirmed. A sad day for the Web.

How Edge Follows In IE’s Security Failings

I’ve generally been pretty defensive of Microsoft Edge, the default web browser in Windows 10. Unlike its much-mocked predecessor Internet Explorer, Edge is fast, clean, modern, and boasts good standards-compliance: all of the things that Internet Explorer infamously failed at! I was genuinely surprised to see Edge fail to gain a significant market share in its first few years: it seemed to me that everyday Windows users installed other browsers (mostly Chrome, which is causing its own problems) specifically because Internet Explorer was so terrible, and that once their default browser was replaced with something moderately-good this would no longer be the case. But that’s not what’s happened. Maybe it’s because Edge’s branding is too-remiscient of its terrible predecessor or maybe just because Windows users have grown culturally-used to the idea that the first thing they should do on a new PC is download a different browser, but whatever the reason, Edge is neglected. And for the most part, I’ve argued, that’s a shame.

Edge's minimalistic Certificate View.
I ranted at an Edge developer I met at a conference, once, about Edge’s weak TLS debugging tools that couldn’t identify an OCSP stapling issue that only affected Edge, but I thought that was the worse of its bugs… until now…

But I’ve changed my tune this week after doing some research that demonstrates that a long-standing security issue of Internet Explorer is alive and well in Edge. This particular issue, billed as a “feature” by Microsoft, is deliberately absent from virtually every other web browser.

About 5 years ago, Steve Gibson observed a special feature of EV (Extended Validation) SSL certificates used on HTTPS websites: that their extra-special “green bar”/company name feature only appears if the root CA (certificate authority) is among the browser’s default trust store for EV certificate signing. That’s a pretty-cool feature! It means that if you’re on a website where you’d expect to see a “green bar”, like Three Rings, PayPal, or HSBC, then if you don’t see the green bar one day it most-likely means that your connection is being intercepted in the kind of way I described earlier this year, and everything you see or send including passwords and credit card numbers could be at risk. This could be malicious software (or nonmalicious software: some antivirus software breaks EV certificates!) or it could be your friendly local network admin’s middlebox (you trust your IT team, right?), but either way: at least you have a chance of noticing, right?

Firefox address bars showing EV certificates of Three Rings CIC (GB), PayPal, Inc. (US), and HSBC Holdings plc (GB)
Firefox, like most browsers, shows the company name in the address bar when valid EV certificates are presented, and hides it when the validity of that certificate is put into question by e.g. network sniffing tools set up by your IT department.

Browsers requiring that the EV certificate be signed by a one of a trusted list of CAs and not allowing that list to be manipulated (short of recompiling the browser from scratch) is a great feature that – were it properly publicised and supported by good user interface design, which it isn’t – would go a long way to protecting web users from unwanted surveillance by network administrators working for their employers, Internet service providers, and governments. Great! Except Internet Explorer went and fucked it up. As Gibson reported, not only does Internet Explorer ignore the rule of not allowing administrators to override the contents of the trusted list but Microsoft even provides a tool to help them do it!

Address bars from major browsers connecting to a spoofed site, with EV certificate "green bars" showing only in Internet Explorer and Edge.
From top to bottom: Internet Explorer 11, Edge 17, Firefox 61, Chrome 68. Only Internet Explorer and Edge show the (illegitimate) certificate for “Barclays PLC”. Sorry, Barclays; I had to spoof somebody.

I decided to replicate Gibson’s experiment to confirm his results with today’s browsers: I was also interested to see whether Edge had resolved this problem in Internet Explorer. My full code and configuration can be found here. As is doubtless clear from the title of this post and the screenshot above, Edge failed the test: it exhibits exactly the same troubling behaviour as Internet Explorer.

Thanks, Microsoft.

Safari doesn't fall for it, either.
I also tried Safari (both on MacOS, above, and iOS, below) and it behaved as the other non-Microsoft browsers do (i.e. arguably more-correctly than IE or Edge).

I shan’t for a moment pretend that our current certification model isn’t without it’s problems – it’s deeply flawed; more on that in a future post – but that doesn’t give anybody an excuse to get away with making it worse. When it became apparent that Internet Explorer was affected by the “feature” described above, we all collectively rolled our eyes because we didn’t expect better of everybody’s least-favourite web browser. But for Edge to inherit this deliberate-fault, despite every other browser (even those that share its certificate store) going in the opposite direction, is just insulting.

Things you probably didn’t know you could do with Chrome’s Developer Console

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

( )

Chrome comes with built-in developer tools. This comes with a wide variety of features, such as Elements, Network, and Security. Today, we’ll focus 100% on its JavaScript console.

When I started coding, I only used the JavaScript console for logging values like responses from the server, or the value of variables. But over time, and with the help of tutorials, I discovered that the console can do way more than I ever imagined…

Something like HTTPS Everywhere for new Opera?

This self-post was originally posted to /r/operabrowser. See more things from Dan's Reddit account.

( )

I’m looking for an extension that will automatically redirect-to-HTTPS for particular domains, e.g. to ensure that I’m using the secure version of Wikipedia, etc., whenever I go there. The HTTPS Everywhere plugin from the EFF does this for Firefox and Chrome; what can I do to make this work in Opera?

Firefox Finally Appeals

As you may all know, I’m a die-hard supporter of the Opera web browser, despite many of my friends now claiming that Firefox is superior. I’ve been following the Mozilla project for a long while (haven’t we all), and on the many occasions I’ve tried Firefox (and it’s grandparents) I’ve always been unimpressed. It’s always been the little things that Opera did that kept me coming back to it, time and time again.

With the full release of Firefox 1.0 (download Firefox here), there’s been an explosion in the number of Firefox extensions that have become available, so I decided to try to find a combination of extensions that would at long last give Firefox the capabilities that always kept me coming back to Opera. The theory is – if I can find enough extensions to give me the functionality I need in a web browser (which Opera very-nearly perfectly provides) in Firefox, it’ll make a convert out of me. Here goes –

    • Mouse Gestures 1.0 – One of the great things about Opera is that it really pioneered mouse gestures (waving your cursor in strange patterns in order to facilitate shortcuts), and led the way for years thereafter. Mouse gestures are infectious – once you’ve used them and you get the hang of “doing things faster” (particularly mouse-intensive activities like web browsing), you end up trying to do it elsewhere – I’ve frequently used friends computers (with Internet Exploder, or similar) and tried to do a gesture before remembering that I can’t.The Mouse Gestures extension for Firefox is fully-featured and highly-configurable. I found the original settings a little unresponsive, and had to increase the “diagonal tolerance” (slippage permitted in a non-cardinal direction) to bring it back in line with the speed at which I execute gestures, and of course I’ve customised some of my own gestures. Apart from that, it’s wonderful.

Firefox Downloads Window In Sidebar

    • Download Manager Tweak 0.6.3 – One thing I loved about my customised Opera configuration was that pretty much everything not directly related to browsing – my RSS-feed subscriptions (that let me keep an eye on all my friends’ weblogs in realtime), my downloads, etc. – were set up to all appear in the wonderful “sidebar”: a non-invasive way of keeping information “to hand”. Firefox’s download windows are chunky and ugly, only a little better than the hideous ones provided by Internet Exploder. This plugin allows you to move the download window to the sidebar – a far more sensible place for it – and manage all your transfers from there.
    • Web Developer 0.8 and Nuke Anything 0.2 – As a web developer, I love the web developer tools in Opera. The ability to switch stylesheets, emulate other browsers, change and test content on the fly, and manipulate cookies is invaluable when debugging large, complex web projects. Combining these two excellent extensions gives me all of this, and more. The Web Developer tools can do things like manipulate form data on the fly, edit offline HTML and CSS on-the-fly, simulate different screen resolutions, and validate source code – it’s fantastic. Nuke Anything allows content to be ‘removed’ from the page: a great way of digging through complicated source code to find how a particular trick is being achieved.

Sage Extension For Firefox

  • Sage 1.3 – Now here’s a stunning piece of software. Thanks to Jon for suggesting this one.A great feature of Opera is it’s use as an RSS reader. RSS is a wonderful way to “subscribe” to news sources, weblogs, and the like, and be notified when they’re updated or even have the new content delivered directly to your desktop. It’s so good, that I rarely use Abnib or my friends page any more. Opera makes it easy to set up and manage your subscriptions, and delivers them in the way that suits you best.

    Now Firefox does natively support syndication, but it doesn’t do a very good job of it. It’s system – “Active Bookmarks”, relies on use of it’s bookmarks list, lots of scrolling, etc. Plus – and here’s the big problem – it doesn’t pass your browser cookies when picking up the feeds – this means that you can’t have it, for example, pick up restricted “friends only” feeds from your friends’ weblogs. Without this feature, there was no way I’d be leaving Opera behind.

    But Sage pulls it off. It pulls in the feeds and presents them in a brilliant way. It’s default options are a little weird, and it doesn’t support automatic “timed” feed collection, but it still does a great job of this newsfeed lark. I think everybody with Firefox should install Sage.

  • Session Saver – Simply put, this allows Firefox to remember what tabs you had open when it was last closed (even if it crashed or there was a power cut), and re-open them when you run it again, in a very Opera-esque way.
  • MiniT 0.4 – A pet annoyance, but one that would have really annoyed me, is the inability to re-order the tabs while using Firefox’s tabbed browsing. I mean: why wasn’t this included with the program? Most other programs that use the dynamic “document” tab metaphor allow the user to click-drag-reorder them, including my beloved Opera. But no, you need a plug-in like MiniT to do this. It’s good: not as “fluid” as Opera, but quite satisfactory.
  • TabBrowser Preferences 1.1.1 – It didn’t take long of playing with Firefox, particularly on the EasyNews web site, to find another thing which, to me, is a big problem. When people (very rudely) make hyperlinks that request to be opened in “a new window”, Firefox does exactly that: opens them in a new window, rather than in a new tab in the current window (fitting with the tabbed browsing metaphor). I tried a couple of plug-ins to prevent this from happening, but none of them worked consistently (for example, catching JavaScript pop-up windows and tabbing them, for example), as Opera does, until I found this lovely little extension. TabBrowser Preferences has all kind of options I don’t use, but for this one, which I do, it’s wonderful.
  • LastTab 1.1 – By this point, I had very few quirks left unsatisfied on my “web browser wish list”. One was that, in Opera, pressing CTRL-TAB takes you first to your most-recently used other tab, and then (if you keep pressing tab) through the others you have open. This makes sense to me, because you can then use CTRL-TAB as a two-tab “flicker” (like the “last channel” button on a TV remote): perfect for use as a “boss key” (if you don’t know, you don’t need to know). Satisfied.

This only leave one “big” niggle that still pisses me off – I can’t find a plug-in that will allow me to hold down a particular key (e.g. shift) and click on a tab, to close it (really useful for closing multiple tabs at once, after running and completing a multi-tab information seek). If anybody can suggest an extension that does this, let me know!

So; I guess I’m a Firefox convert. I knew it would happen someday, but I’m just surprised it happened so soon.