| 03:17 | <cabanier> | TabAtkins: with bikeshed, if the IDL syntax contains an unknown class it throws an error. Is there a way to import classes or define them? |
| 03:20 | <cabanier> | TabAtkins: never mind. figured it out :-) |
| 03:35 | <terinjokes> | :( IE9's console makes me sad |
| 03:37 | <caitp-> | :( |
| 07:58 | <annevk_> | So https://readable-email.org/ looks pretty cool, but what's the expected lifetime of the URLs? |
| 08:03 | <annevk> | Hixie_: so the way we make TLS work is that you forward hostmaster⊙wo email to me. Then when I'm class 2 verified I'll add whatwg.org to domains I'm responsible for and issue a certificate that we can use |
| 09:52 | <smaug____> | specs need blame/annotations |
| 09:52 | <smaug____> | and commit messages would then hopefully have links to the relevant spec bugs or email threads |
| 09:53 | <TabAtkins> | smaug____: ANything on w3c has blame. |
| 09:54 | <darobin> | or rather, EVERYTHING on the w3c has blame! |
| 09:54 | smaug____ | would require blame for XHR spec |
| 09:55 | <smaug____> | I guess it was in w3c at that time |
| 09:56 | <Ms2ger> | The W3C is to blame for everything? |
| 09:56 | <Ms2ger> | But all whatwg specs have blame, yes |
| 09:56 | <tripu> | W3C eat babies for breakfast |
| 09:57 | <annevk> | smaug____: what change are you thinking about? |
| 10:01 | <smaug____> | 50ms |
| 10:01 | <smaug____> | I can't recall where that number came from |
| 10:02 | <smaug____> | was it something in dnd? |
| 10:05 | <TabAtkins> | What's the context? |
| 10:07 | <smaug____> | Ah, Takeshi found the links, https://www.w3.org/Bugs/Public/show_bug.cgi?id=26759 |
| 10:09 | <smaug____> | and if was <video>, which then didn't quite work out, so lower number was used |
| 10:17 | <smaug____> | s/if/it/ |
| 10:41 | <annevk> | hsivonen: so you read https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ |
| 10:42 | <annevk> | hsivonen: I guess I could give it a go; I read https://www.crypto101.io/ on the subject |
| 10:43 | <annevk> | hsivonen: but that was not quite finished and covered a lot of things I was not super interested in |
| 11:27 | <hsivonen> | annevk: I read Bulletproof SSL and TLS, yes |
| 11:28 | <hsivonen> | annevk: it's a must-read for anyone who has a Web server |
| 11:28 | <hsivonen> | annevk: since anyone who has a Web server should be deploying https |
| 11:28 | <annevk> | I don't have a server, but I'm renting some space on one |
| 11:28 | <annevk> | I will be deploying TLS soonish, waiting for a letter from StartSSL |
| 11:29 | <hsivonen> | annevk: the first half of the book is basically a historical retrospective of browser vendors not fixing stuff until there's a proof of concept of an attack. Theoretical attacks always lose to "Don't break the Web" |
| 11:29 | <hsivonen> | (which is entirely unsurprising, but still something to think about) |
| 11:29 | <annevk> | That's interesting, browsers are mostly blaming CAs these days |
| 11:31 | <hsivonen> | another theme: If you work with Apache, if you want stuff to work, compile the httpd yourself with this or that patch |
| 11:31 | <hsivonen> | in other words: just use nginx if you want https |
| 11:33 | <annevk> | Hmm, DreamHost is Apache, but hopefully they are doing the right thing... |
| 11:33 | <hsivonen> | haha |
| 11:33 | <annevk> | I don't really want to start running and maintaining my own server |
| 11:33 | <annevk> | Yeah I know |
| 11:34 | <annevk> | hsivonen: ignoring the mixed content for now, is there anything badly wrong with https://www.whatwg.org/ from a TLS perspective? |
| 11:34 | <annevk> | hsivonen: the mixed content is an easy fix down the road, the TLS configuration is what DreamHost offers and would be hard to change |
| 11:50 | <hsivonen> | annevk: https://www.ssllabs.com/ssltest/analyze.html?d=whatwg.org |
| 11:51 | <hsivonen> | annevk: many problems |
| 11:51 | <hsivonen> | annevk: root cert sent by the server |
| 11:51 | <hsivonen> | annevk: no TLS 1.2 |
| 11:51 | <hsivonen> | annevk: RC4 all over the place |
| 11:51 | <hsivonen> | annevk: no Forward Secrecy |
| 11:52 | <hsivonen> | annevk: unpatched OpenSSL |
| 11:53 | <hsivonen> | annevk: also, SSL3 enabled despite requiring SNI |
| 11:53 | <hsivonen> | all in all, pretty embarrassing |
| 11:54 | <hsivonen> | annevk: oh, and the server doesn't even support non-RC4 suites |
| 11:54 | <hsivonen> | annevk: being one of the servers that's holding the Web back from browsers being able to remove RC4 support is not cool |
| 11:55 | <hsivonen> | annevk: is this what you get automatically from Dreamhost's shared hosting, or is this Hixie's VM? |
| 11:55 | <annevk> | hsivonen: I suspect this is what you get by default |
| 11:55 | <hsivonen> | annevk: :-( |
| 11:55 | <annevk> | but I'm not sure |
| 11:56 | <hsivonen> | annevk: note that IE11 on Windows 8.1 will fail to connect on the first handshake |
| 11:57 | <hsivonen> | annevk: I'm not sure, but I *think* it takes multiple downgrades before IE11 on Windows 8.1 tries something broken enough to connect to www.whatwg.org. |
| 11:57 | <hsivonen> | or maybe it's just one downgrade here |
| 11:57 | <hsivonen> | anyway, not cool |
| 11:58 | <zcorpan> | hsivonen: annevk: it would be good to nag on dreamhost on fixing their defaults (or whoever has the wrong defaults) |
| 11:58 | <annevk> | hsivonen: https://www.ssllabs.com/ssltest/analyze.html?d=panel.dreamhost.com |
| 11:58 | <annevk> | :-( |
| 11:59 | <annevk> | Yes, I will file a support ticket. Leaving DreamHost would be a ton of effort. |
| 11:59 | <hsivonen> | annevk: on a more positive note, if a provider as big as dreamhost is guilty of perpetuating RC4-only hosting, maybe the RC4-only numbers for the Web drop noticeably once someone manages to evangelize dreamhost to fix their ciphersuite spec |
| 12:00 | <annevk> | hsivonen: I guess I need to read that book. I don't even know what RC4 means, only that it's bad |
| 12:01 | <hsivonen> | annevk: it's an old stream cipher that's been considered "broken" by the experts for a long time |
| 12:01 | <hsivonen> | annevk: from time to time, someone shows results of it being even worse than previously thought |
| 12:01 | <hsivonen> | annevk: Microsoft thinks it's so bad that IE11 on Windows 8.1 does not offer RC4 on the first connection attempt |
| 12:02 | <hsivonen> | but in order not to break the Web, IE11 on Windows 8.1 will try reconnect with RC4 enabled |
| 12:03 | <hsivonen> | annevk: sadly, RC4 saw a resurcence when people used it to mitigate BEAST, which is an attack that RC4 is not vulnerable to |
| 12:05 | <hsivonen> | annevk: if you don't care about IE on XP (which you implicitly don't if you require SNI), ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA goes a long way |
| 12:06 | <hsivonen> | ECDHE-RSA-AES128-SHA256 is slower than ECDHE-RSA-AES128-SHA and the book says ECDHE-RSA-AES128-SHA256 doesn't have a security benefit over ECDHE-RSA-AES128-SHA, but it doesn't explain why, so I haven't taken ECDHE-RSA-AES128-SHA256 out of my config yet |
| 12:08 | <hsivonen> | annevk: also, if you don't care about IE*6* on XP, you can turn off SSL3. |
| 12:09 | <hsivonen> | oh. Dreamhost runs its own intermediate CA |
| 12:10 | <annevk> | hsivonen: I think all DreamHost allows is configuring the certificate |
| 12:10 | <annevk> | hsivonen: which you can either get through DreamHost for USD 15 per domain (plus USD 60 if you want an IPv4 address), or somewhere else |
| 12:11 | <annevk> | hsivonen: perhaps Hixie_ can configure more though since he has root |
| 12:11 | <annevk> | hsivonen: at least I think he does |
| 12:11 | <jgraham> | It seems surprising if you can configure all this stuff in a shared host, but maybe I'm wrong |
| 12:12 | <jgraham> | (it also seems surprising that whatwg.org is sunning on a shared host) |
| 12:12 | <jgraham> | *running |
| 12:12 | <hsivonen> | if you assume a shared host that cares about IE on XP, ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA would be a lot better than the single RC4 suite that Dreamhost has |
| 12:13 | <hsivonen> | scoring A+ on slllabs.com is not really rocket science. My site was there before I even read the book. :-) |
| 12:14 | <jgraham> | hsivonen: You are not a typical end user |
| 12:15 | <jgraham> | Or even a typical server admin |
| 12:15 | <hsivonen> | I'm really bad at server admining |
| 12:15 | <jgraham> | (critic.hoppipolla.co.uk gets an A- now I installed the latest security updates) |
| 12:15 | <jgraham> | hsivonen: SSL Labs disagrees with your self assessment there |
| 12:16 | <hsivonen> | jgraham: there's more to sysadmining than configuring TLS |
| 12:16 | <hsivonen> | for a single nginx instance |
| 12:16 | <hsivonen> | jgraham: anyway, a shared host should have more reasonable defaults than dreamhost has |
| 12:17 | <annevk> | hsivonen: you didn't want to get 100 x4? |
| 12:17 | <hsivonen> | jgraham: with SNI, there's no reason arising from TLS why this stuff couldn't be configured per-tenant, but Apache .htaccess probably doesn't support it |
| 12:18 | <hsivonen> | annevk: I don't understand the question |
| 12:18 | <hsivonen> | annevk: I don't understand what 100 x4 means here |
| 12:18 | <annevk> | hsivonen: https://www.ssllabs.com/ssltest/analyze.html?d=hsivonen.fi you don't score a 100 points for the four categories |
| 12:18 | <jgraham> | hsivonen: "not a typical" doesn't necessarily mean "better along all axes". I just meant that you are more interested in this stuff, and willing to invest time in understanding it and getting it right. Not that you would necessarily also be better at rolling out upgrades to 10,000 users, or whatever. |
| 12:18 | <hsivonen> | annevk: oh, I don't see a point burning CPU over AES-256 |
| 12:19 | <hsivonen> | jgraham: sure |
| 12:19 | <hsivonen> | annevk: I'm not sure why I don't get 100 on key exchange |
| 12:20 | <jgraham> | hsivonen: I agree that Dreamhost's defaults suck and that it makes sense to push them to fix the defaults. But I wouldn't expect it to be possible to fix whatwg.org independent of that, necessarily. |
| 12:22 | <annevk> | I have asked DreamHost about this |
| 12:22 | <hsivonen> | annevk: my non-expert reasoning is: 1) there's an academic paper showing that AES-256 isn't as strong as it's supposed to be (but the attack doesn't apply to AES-128), 2) running more rounds give more opportunity for timing differences and 3) the cert is 2048-bit RSA, so if you assume all the primitives are as strong as they are supposed to be, RSA 2048 should fall before any flavor of AES |
| 12:22 | <annevk> | I also asked them about encrypted connections to the MySQL backend |
| 12:25 | <hsivonen> | oh, and it seems ssllabs takes away points for disabling SSL3, which is backwards |
| 12:36 | <hsivonen> | jgraham: did critic.hoppipolla config come from linode defaults? |
| 12:40 | <annevk> | There's no wiki page documenting confusion caused by TR/? |
| 12:40 | <annevk> | I thought we had one |
| 12:40 | <jgraham> | hsivonen: Well it's a VPS not shared hosting. But I don't remember changing too much compared to the stock packages |
| 12:41 | <jgraham> | annevk: Me too. Checked the history for sabotage? ;) |
| 12:41 | <hsivonen> | jgraham: maybe the stock packages have sad defaults |
| 12:41 | <hsivonen> | jgraham: I'm guessing you are running Red Hat / CentOS / Fedora and not the latest |
| 12:44 | <annevk> | jgraham: can't find anything |
| 12:45 | <hsivonen> | jgraham: oh, the server signature says Ubuntu |
| 12:46 | <hsivonen> | jgraham: weird |
| 12:46 | <hsivonen> | I thought it was something Red Hat-flavored because of the lack of ECDHE |
| 12:46 | <jgraham> | hsivonen: what's weird? It sounds like there's something you expect to be working that isn't |
| 12:48 | <hsivonen> | jgraham: your server config seems to be of the sort "enable everything that's not obviously weak or export crypto and don't make the server enforce an order of preference" |
| 12:49 | <hsivonen> | jgraham: yet, there are no ECDHE suites, which exist on Ubuntu but not on old Red Hat-lawyered distros |
| 12:51 | <jgraham> | hsivonen: I see. |
| 12:55 | <ondras> | so, my customelements-related issue persists |
| 12:55 | <ondras> | noone on #polymer seems to interact |
| 12:55 | <ondras> | let me re-paste here. |
| 12:55 | <ondras> | I am having an issue with createdCallback not called when the custom element in question is created inside a shadow root of another element |
| 12:58 | <ondras> | ah, perhaps the issue lies elsewhere: the createdCallback is not called when the element in question is cloned from within a <template>.content |
| 13:07 | <annevk> | hsivonen: thanks for the information on TLS. I doubt we'll move away from DreamHost as it has a ton of implications. I guess we should just advocate them to better themselves over time and hopefully uplift a ton of other sites in the process |
| 15:17 | <anarchist> | can anybody here say why Web Notifications might work in all cases except when you're in Full Screen mode (including if you F11 the same browser tab but also netflix, VLC player, etc.)? |
| 15:18 | <anarchist> | i do have a javascript intensive application with a thick client but not sure how that might factor in (meteor.js, large-ish code base) |
| 15:18 | <hober> | anarchist: which browser? |
| 15:18 | <anarchist> | chrome and firefox both |
| 15:19 | <anarchist> | been digging in with chrome but i think it's all the same in firefo |
| 15:20 | <anarchist> | it must be my application somehow but i don't even have the window object |
| 15:20 | <anarchist> | so it must not be my application? |
| 15:21 | <anarchist> | one interesting behavior is that the notification is saved/queued up when i get back out of full screen and refocus on the tab |
| 15:21 | <anarchist> | so i'll get a double behavior |
| 15:22 | <anarchist> | i can minimize the browser, put windows over the browser, etc. but if i'm in full screen the moment the Notification fires, i'll have to wait, come back, refocus, repeat the action and i get two notifications |
| 15:30 | <anarchist> | it's not working at all in firefox now, but still working in chrome, don't see how that just happened |
| 15:57 | <annevk> | anarchist: what OS is this? |
| 15:57 | <annevk> | anarchist: the browser typically dispatches the notifications through the OS |
| 15:57 | <annevk> | anarchist: so it might depend on the implementation of the OS and whether or not it wants to show notifications when you're fullscreen |
| 15:57 | <annevk> | anarchist: we can't really define any of this in the standard as this is mostly up to implementations to decide what would be best UI-wise |
| 16:05 | <anarchist> | i see, okay well it's windows 8 |
| 16:05 | <anarchist> | i'll look around and see if that's my lead, thanks |
| 16:05 | <anarchist> | i'm thinking now it's gotta be OS specific because why should it matter if i've got the file system full screened? |
| 16:08 | <annevk> | Windows might have decided that you don't want to be distracted if you have something fullscreen |
| 16:09 | <annevk> | Does not seem entirely unreasonable to me |
| 16:13 | <annevk> | hsivonen: I got word from DreamHost. They are upgrading their OS from Debian to Ubuntu. They plan on hardening further. And noted panels from registrars.pir.org and idp.godaddy.com had similar issues and that it was hard to find many A-rated TLS. |
| 16:14 | <annevk> | hsivonen: Not very committal, but I guess it means we should check again once everything is on Ubuntu. I also just suggested to Ryan that Google could use push its partners (of which DreamHost is one) to improve on TLS |
| 16:16 | <annevk> | hsivonen: Also, connection to MySQL databases is without encryption. They claim such connections are all within the same controlled network though. |
| 16:16 | <annevk> | I should probably post about this |
| 16:18 | <jgraham> | annevk: Their response was "we suck, but so does everyone else, so please don't think about migrating"? |
| 16:20 | <annevk> | jgraham: well, he will tell the security team, but he believes they're looking into it already. They are making some general improvements. And yes, that he concluded with others not doing so well was not great. |
| 16:23 | <anarchist> | annevk: apparently there was something called Chrome Rich Notifications which could bypass Full Screen mode |
| 16:24 | <Hixie_> | hsivonen: validator.nu does even more poorly :-) |
| 16:33 | <anarchist> | okay so this is a known chrome bug, well that answers that |
| 16:34 | <anarchist> | and then there's a known firefox bug that closes notifications without the user doing anything. damnit |
| 16:41 | <smaug____> | (I believe that is a feature) |
| 17:18 | <annevk> | jwalden: everything okay with URLSearchParams now? |
| 17:21 | <jwalden> | annevk: yeah, think so |
| 17:21 | <jwalden> | annevk: well, modulo it being screwball :-) |
| 17:22 | <jwalden> | annevk: https://bugzilla.mozilla.org/show_bug.cgi?id=1064481 was the initial triggering thing, but it is in hand |
| 17:22 | <jgraham> | Oh look. HTML5 is going to ask to transition to PR at W3C. It seems that 0 implementors expressed any interest one way or another in this development. |
| 17:28 | <jwalden> | is PR a thing now, or just a CR typo? |
| 17:33 | <annevk> | jwalden: Proposed Recommendation |
| 17:33 | <annevk> | jwalden: has always been a thing |
| 17:33 | <jwalden> | huh |
| 17:33 | <jwalden> | guess I haven't paid enough attention |
| 17:33 | <jwalden> | or exactly enough :-) |
| 17:33 | <annevk> | CR -> PR -> REC |
| 17:34 | <jwalden> | huh, I thought it was CR -> REC |
| 17:34 | <annevk> | Well this happens on TR/ so it's of no use to implementers |
| 17:34 | <jwalden> | :-D |
| 17:35 | <annevk> | jwalden: but if you're curious, http://www.w3.org/Consortium/Process/ |
| 17:35 | <jwalden> | about process? haha, good joke |
| 17:36 | jwalden | should have known this from the days when ->CR(?) was when we unprefixed stuff |
| 17:36 | <jgraham> | Now *that* is a good joke |
| 17:37 | <annevk> | I have to admit I'm somewhat disappointed the new iPhone thingy only went up to 401ppi |
| 17:38 | <annevk> | Apparently there's some Chinese phone that has 538ppi on a 5.5'' screen |
| 17:39 | <annevk> | Given http://www.pcmag.com/article2/0,2817,2364871,00.asp we still need a bit more before we have actual retina quality |
| 20:17 | <Hixie_> | Domenic: so, i don't know what to do about this ImageBitmap constructor promise thing. IMHO returning a rejected promise for the case of bad arguments (type checking errors) is really bad language design. |
| 20:17 | <Hixie_> | ( https://www.w3.org/Bugs/Public/show_bug.cgi?id=25662 https://www.w3.org/Bugs/Public/show_bug.cgi?id=26517 ) |
| 21:15 | <jwalden> | annevk: nsEscape is this totally just-so thing that may or may not happen, in certain modes of calling, to match some sorts of URL escaping algorithms, but it's nothing that claims to implement any particular spec algorithm |
| 21:15 | <annevk> | jwalden: I understand that |
| 21:15 | jwalden | would not assume any particular code that uses nsEscape, actually matches the spec algorithms that are actually supposed to be used |
| 21:17 | <jwalden> | Swiss army knife utility methods that are used to implement spec methods are pretty much never trustworthy, faithful implementations, in my book |
| 21:25 | <annevk> | Yeah... Everything URL in any implementation is suspect, really. |
| 21:25 | <annevk> | Bit unfortunate that is still the case in 2014 |
| 21:27 | <caitp-> | well they are kind of ridiculously complicated for such a basic thing |
| 21:28 | <jwalden> | URL stuff is screwball, but nsEscape is merely one instance of a pattern that generalizes beyond URLs :-) |
| 21:41 | <TabAtkins> | Hixie_: At this point, doing anything else would be gratuitously different from every other promise-returning API, not to mention requiring dirty hacks in IDL to make it work. Don't do it. |
| 21:51 | <caitp-> | it doesn't make a lot of sense for a constructor to return a promise at all |
| 21:51 | <caitp-> | other than a Promise constructor |
| 21:56 | <Hixie_> | TabAtkins: i'm utterly baffled by this approach |
| 22:25 | <jmrenner> | Hey everyone, I have question about CrossOriginRequest stuff. Is there any work being done on a way to make requests without maintaining cookies (or with a private set of cookies) to allow safe communication without needing modification to the server? |