| 00:00 | <MikeSmith> | hmm, word selection of Japanese text also works as expected in Firefox and Safari on macOS, so maybe macOS has this built in from ICU too (as Windows does) |
| 00:01 | <devsnek> | it is a reasonable thing to have |
| 00:01 | <devsnek> | i wish polm23 didn't mention v8BreakIterator |
| 07:10 | <annevk> | What's h2c? |
| 09:11 | <MikeSmith> | annevk: abbreviation for cleartext HTTP/2 |
| 09:11 | <MikeSmith> | right? |
| 09:12 | <annevk> | I see, I guess there's nothing prohibiting that at the moment |
| 09:14 | <MikeSmith> | given that browsers support it, I guess it’s sort of moot anyway |
| 09:14 | <MikeSmith> | as far as fetch goes |
| 09:14 | <MikeSmith> | or anything else in frontend JavaScript code in browsers |
| 09:15 | <MikeSmith> | though I guess it could maybe be used in Node, with fetch |
| 09:16 | <MikeSmith> | if Node has support |
| 09:16 | <MikeSmith> | I think for server-server communication or backend stuff in general, cleartext HTTP2 has some use cases |
| 09:17 | <MikeSmith> | I enabled it in the (Jetty) backend for the HTML checker web service |
| 09:19 | <MikeSmith> | in the W3C deployment of the HTML checker, the TLS termination happens at another level anyway, so there’s no point in TLS-enabling the checker itself anyway |
| 11:06 | <annevk> | MikeSmith: pretty sure server-server also needs TLS to be secure |
| 11:07 | <MikeSmith> | really |
| 11:07 | <MikeSmith> | seems like in some situations that could just be overkill |
| 11:08 | <MikeSmith> | I mean in the case of the HTML checker, it is getting the requests from a load balancer, inside the W3C intranet |
| 11:10 | <MikeSmith> | to MITM that traffic, the attacker would need to already have breached the firewall and have access to internal network |
| 11:13 | <MikeSmith> | well and then there’s the fact that the cert name is for validator.w3.org, and the host name for both the load balancer and the individual checker instance is the same, so I don’t even know how I could have a separate cert for the checker |
| 11:14 | <MikeSmith> | I guess the load balancer just calls the checker instances by IP address |
| 11:16 | <MikeSmith> | anyway I suppose there’s still some way to deploy TLS on the checker instances too, in that network architecture. But if so I don’t know how |
| 11:20 | <annevk> | I’m pretty sure you should not rely on the network being secure, but you could prolly get by with self-signed certificates |
| 11:50 | <MikeSmith> | I can imagine that being the ideal thing to do in theory, but I wonder whether in practice most network admins ever seriously estimate that to be worth the added overhead enough to justify really doing it |
| 11:56 | <MikeSmith> | at that level to me it seems similar to trying to secure IPC communication between applications on your laptop, so that in case somebody ever steals your laptop, at least they won’t be able to eavesdrop on how any applications on your laptop are communicating with each other |
| 12:16 | <annevk> | MikeSmith: it might depend a bit on the scale of your network, but there were some high profile incidents around this |
| 12:18 | <MikeSmith> | OK |
| 12:19 | <MikeSmith> | well I basically have zero domain knowledge about this area anyway, so I’m just talking out of my hat |
| 17:59 | <Domenic> | I'm pretty sure a major part of the government hacks that Snowden leaked were using the fact that server-server was not secure. |
| 17:59 | <Domenic> | "SSL added and removed here" pointing to an intranet |
| 18:00 | <Domenic> | https://cdn57.androidauthority.net/wp-content/uploads/2014/06/SSL-Added-and-Removed-Here.jpg |
| 18:01 | <Domenic> | https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-here-nsa-smiley/ |
| 19:43 | <annevk> | Thanks for digging that up, that’s what I meant |