preconnect in HTML

The "Preconnect" page describes the Preconnect feature, currently supported by Mozilla Firefox, Google Chrome, and Opera. Usage is simple:

<link rel="preconnect" href="//example.com">
<link rel="preconnect" href="//cdn.example.com" crossorigin>

It seems that to make use of it you could send out the head section first and flush it, so the browser receives it before the rest of the page is sent? For an MVC architecture that seems to complicate things, though; I'm not sure what a good design would be...
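The early-flush idea above, as an added example that is not from the original post: a small WSGI app (hypothetical, assuming a server that does not buffer chunks) yields the `<head>` with the two preconnect hints as its own chunk before the slow body is rendered.

```python
import time

# Constructed sample: the two origins from the post, with crossorigin set where the
# connection will be reused for CORS fetches (fonts, XHR), matching the second link.
PRECONNECT_ORIGINS = [
    ("//example.com", False),
    ("//cdn.example.com", True),
]

def render_head(origins):
    """Build the <head> chunk carrying the preconnect hints."""
    links = []
    for href, crossorigin in origins:
        attr = " crossorigin" if crossorigin else ""
        links.append(f'<link rel="preconnect" href="{href}"{attr}>')
    return "<!doctype html><html><head>\n" + "\n".join(links) + "\n</head>\n"

def render_body():
    """Stand-in for the slow controller/model work done before the view renders."""
    time.sleep(0.05)
    return "<body><p>Hello</p></body></html>\n"

def app(environ, start_response):
    """WSGI app that yields the head as its own chunk before computing the body."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    # Yielding here hands the head to the server immediately; whether the bytes
    # actually leave early depends on the server and any buffering proxy or gzip layer.
    yield render_head(PRECONNECT_ORIGINS).encode("utf-8")
    yield render_body().encode("utf-8")

def response_chunks():
    """Drive the app without a server; return the chunks in the order produced."""
    def start_response(status, headers):
        return None
    return [chunk.decode("utf-8") for chunk in app({}, start_response)]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The point is that the hints reach the browser while the server is still busy; a gzip middleware or reverse proxy that buffers the whole response defeats this, so check the first bytes on the wire.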

The other one is Prerender, currently supported by IE11+, Google Chrome, and Opera. It also looks quite interesting...

Symantec's SSL certificate scandal keeps getting worse...

tl;dr: The external audit is not yet complete, and things may turn out even worse. If you are about to buy an SSL certificate, stay away from Symantec's brands, including Verisign, Thawte, GeoTrust, Equifax (under GeoTrust), and RapidSSL.

In "Follow-up on Symantec's Thawte issuing a Google SSL certificate" I mentioned that Google had caught Symantec issuing certificates for Google; the subsequent audit turned up more problems...

In "Sustaining Digital Certificate Security", Google covers several points. First, based on Symantec's first audit report, 23 SSL certificates were found to have been issued without the domain owners being notified, covering five organizations including Google and Opera:

Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera.

But using only Certificate Transparency, Google concluded that the problem went beyond that (and therefore that Symantec's audit had not been thorough), and reported its findings to the other major root store operators:

However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.

Symantec audited again, and this time it blew up: just from what they found themselves, 164 SSL certificates across 76 domains had been issued, plus 2,458 certificates for domains that did not exist:

Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.

The report Symantec provided this time contains more complete data; the affected brands cover every Symantec product: Verisign, Thawte, GeoTrust, Equifax (under GeoTrust), and RapidSSL.

If Symantec's market share weren't so enormous, Google would probably have just pulled it, as it did with CNNIC. (See "CNNIC's root certificates (including EV) removed from all Google products"; for market share, see the data in "Usage of SSL certificate authorities for websites", which currently shows Symantec second highest at 29.9%, behind only Comodo's 39.1%.)

Since it cannot be removed, Google issued several ultimatums. The first: starting June 2016, every SSL certificate Symantec issues must be logged to Certificate Transparency (the current rules require this only for EV SSL certificates); otherwise certificates issued after that date are not guaranteed to work:

It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.

After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products.
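Two of the checks above (spotting certificates no domain owner asked for using only certificate records, and enforcing the June 1st, 2016 CT-logging requirement) as an added example; this is not Google's method or tooling, the record format and all sample data are constructed, and a zero/non-zero SCT count is a simplification of the real Chromium CT policy.

```python
from dataclasses import dataclass
from datetime import date

# Date quoted in Google's post: from here on, Symantec-issued certificates must be CT-logged.
CT_REQUIRED_FROM = date(2016, 6, 1)

@dataclass
class CertRecord:
    """Constructed, simplified view of one issued certificate (hypothetical format)."""
    issuer: str
    domains: list
    not_before: date
    sct_count: int = 0  # SCTs embedded in the certificate; 0 means it was never logged

# Constructed sample data: which organisation owns each registered domain, and
# which (organisation, domain) certificate requests that owner actually made.
REGISTERED_OWNERS = {
    "example.com": "Example Org",
    "www.example.com": "Example Org",
}
APPROVED_REQUESTS = {("Example Org", "www.example.com")}

def audit(records, owners, approved, ct_from=CT_REQUIRED_FROM, ca_prefix="Symantec"):
    """Flag the three conditions the post describes, for each issuance record."""
    unregistered, unauthorized, unlogged = [], [], []
    for rec in records:
        for name in rec.domains:
            owner = owners.get(name)
            if owner is None:
                unregistered.append((name, rec.issuer))        # domain never registered
            elif (owner, name) not in approved:
                unauthorized.append((name, owner, rec.issuer))  # owner never asked
        if rec.issuer.startswith(ca_prefix) and rec.not_before >= ct_from and rec.sct_count == 0:
            unlogged.append(rec)                               # violates the CT requirement
    return unregistered, unauthorized, unlogged

SAMPLE_LOG = [  # constructed records; "Symantec Test CA" is a placeholder issuer name
    CertRecord("Symantec Test CA", ["www.example.com"], date(2015, 9, 14)),
    CertRecord("Symantec Test CA", ["example.com"], date(2015, 9, 14)),
    CertRecord("Symantec Test CA", ["never-registered.test"], date(2015, 9, 14)),
    CertRecord("Symantec Test CA", ["www.example.com"], date(2016, 7, 1), sct_count=0),
    CertRecord("Symantec Test CA", ["www.example.com"], date(2016, 7, 1), sct_count=2),
]

def audit_sample():
    return audit(SAMPLE_LOG, REGISTERED_OWNERS, APPROVED_REQUESTS)

if __name__ == "__main__":
    for label, hits in zip(("unregistered", "unauthorized", "unlogged"), audit_sample()):
        print(label, hits)
```

Run against a real CT log dump the same loop is what lets a domain owner notice certificates it never requested, which is the detection the post credits CT with.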

Next, Google asks that the report be updated to explain why the audit mechanism failed to detect the issue, and to give details for each and every failure to comply with the Baseline Requirements (the rules for ordinary SSL certificates) and the EV Guidelines (the rules for EV SSL certificates):

More immediately, we are requesting of Symantec that they further update their public incident report with:

  • A post-mortem analysis that details why they did not detect the additional certificates that we found.
  • Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.

It also demands that a third party audit the incident, rather than Symantec auditing itself:

Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.

And it explicitly requires the third-party audit to confirm that the private keys for the signed public keys were at no time obtainable by Symantec employees, that Symantec employees could not use the test tool in question to obtain SSL certificates for which they held the private key, and that Symantec's audit logs cannot be modified or deleted.

The third-party security audit must assess:

  • The veracity of Symantec’s claims that at no time private keys were exposed to Symantec employees by the tool.
  • That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
  • That Symantec’s audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.

Finally, it makes a point of saying that further action may be taken as new information comes in:

We may take further action as additional information becomes available to us.

The tone is clearly very hard. If Symantec's market share weren't this high, Google probably wouldn't have gone to all this trouble...

Symantec's reports are available as "Test Certificates Incident Final Report", "Incident Report 1", and "Incident Report 2".

Porting Google Chrome extensions to Firefox

"Porting Chrome Extensions to Firefox with WebExtensions" describes the WebExtensions project:

The technology is designed for cross-browser compatibility: to a large extent the API is compatible with the extension API supported by Google Chrome and Opera. Extensions written for these browsers will in most cases run in Firefox with just a few changes. The API is also fully compatible with multiprocess Firefox.

It offers an alternative way to develop extensions that attracts existing Google Chrome extension developers, leveraging the existing ecosystem to Firefox's benefit and reducing work that would otherwise require a complete rewrite...

Opera switches to WebKit...

Opera has decided to stop maintaining its own rendering engine and switch to WebKit: "Opera gears up at 300 million users".

I'm not sure what the reasoning was; my guess is that it's a cost-saving decision. Looking at the data on gs.statcounter.com, Opera's global share keeps declining, so that seems quite plausible?

Most companies will probably keep ignoring it anyway, though:

YUI Target Environments

And:

YouTube adds WebM support for videos covering 99% of page views

YouTube has posted an announcement that about 30% of the videos on the site will be additionally encoded in WebM, and that 30% accounts for 99% of the site's page views: "Mmm mmm good - YouTube videos now served in WebM".

WebM is currently supported in Firefox 4+, Opera 10.6+, and Google Chrome; on mobile, Android 2.3 (Gingerbread) supports it.

Hopefully it can fully replace H.264 one day...