It will still work on localhost, which is nice. It would be nice if it also worked on local IPs, like 192.168... Those do not work on Chrome, I think, which make mobile testing a bit more cumbersome.
But the bugzilla entry they linked to with that has been unassigned for two years, so maybe they changed their minds or figure the localhost exception is sufficient.
It's fantastic that it works with localhost (and I assume 127.0.0.1?), and it's fantastic that it doesn't work with anything else. This is the best middleground.
I wrote a script a while ago that automatically creates a subdomain on a domain I own and registers a Let’s Encrypt certificate for this exact purpose. I’ve found it very useful as it will work even for local addresses and dynamic addresses. (It will update the dns record and renew the cert on futher invocations.)
I do wish there was a public solution offering this type of easy dynamic DNS with https. (Sharing the script I wrote could cost a lot on dns hosting and increased server expenses.)
To any browser developers out there, I beg you, please, please, please whitelist lvh.me. I am so tired of security restrictions making everything painful for lvh.me.
In general, I'm NOT happy with how camera/microphone, GPS and sensors like Gyro/accel/magnetometers and beacons (radio/wifi/bluetooth/nfc), screen size/resolution, battery level, hardware port identifiers etc are accessed by any website or app on my laptop/phone.
This developed over the years without any input or choice from the end-user. The device manufacturers, platform owners (Apple, Google, Microsoft, Mozilla) and app developers joined together and forced this surveillance aparatus on all end-users.
Dear Apple: for Christmas I'd like physical, no-bullshit power shutoff switches for your camera and microphone on the Macbook Pro. Other devices too—if you can manage it, that'd be great. Sincerely, the people who put tape over their cameras, the people who don't because it's ugly and messes with closing the lid but wish they could, and the people who would be in one of those two camps if they understood the risk (so, altogether, 100% of your users).
From my understanding, Apple has done sort of what you're asking for, they've hooked up the physical wiring of the camera LED to the camera itself, so it is physically impossible to power the camera without the LED being turned on (as opposed to the "turn on LED" being part of firmware logic that could be hacked).
I think I understand the risk, and I definitely would not bother with such a switch even were it available. So maybe I actually don't understand it.
What exactly is the risk? Have there been any actual cases of someone being spied on with their laptop webcam that would have been prevented by a switch? I'm only aware of cases where the webcam switch would not have helped (e.g. roommate sets up notebook to record owner naked). Even that is incredibly rare, or if not rare, almost never reported.
If anyone is looking for a nice webcam cover for laptops, I've found the super-thin ones (marketed as "0.7mm thin" by EYSOFT and others on Amazon, etc) are fantastic. Very cheap, very thin, visually unobtrusive, and dead-simple to use. Doesn't interfere with closing my Macbook at all, it protrudes less than the rubber bumper around the screen border.
Still miss the physical mic mute button on my old Thinkpad X230... and it didn't have a webcam button for that, but we've _almost_ had all of the right features in the past...
macOS already ask the user for permission the first time an app tries to use a camera/microphone.
If you want to be asked each time, install OverSight.
If an attacker can access your webcam/microphone at will this means they can run arbitrary code to capture your screen, display anything you want and capture your keystrokes.
In this case the camera or microphone is the least of your worries.
This sucks, my community[1] has a local offline-first video/audio call app that we run on a physical mesh network.
This will make it impossible for people to talk to each other, without first needing to be connected online to some certificate authority, or without some extraordinarily difficult pre-installation process, which is often not even possible on a phone.
HTTPS was important, but now its being used to shoe horn dependency on centralized online-only authority. Perfectly ripe to censor anyone.
A browser doesn't need to connect to the certificate authority to validate a cert; only the server hosting the app 'needs' to be online (at least long enough to obtain a signed certificate every so often).
The bigger problem is that there has to be a single server hosting the app in the first place, which IMO is a severe flaw in the Web's architecture. But this change doesn't really make the situation worse.
Yes and it basically showed how it doesn't work. Applications were designed around the assumption that the user would click through the warnings. It looks like Firefox and Chromium are doing far better by restricting features to SSL, though I would be happier if they were also trying to push something more resistant to nation-state abuse...
This page's content is in a div named "mobile-pusher" with a 400px padding-right, which then gets disabled when loading a JS script from a third-party domain (ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com). wtf?
What is the preferred way to include https in your development flow? Have an nginx or apache running? What about automated tests against a running application?
localhost is considered "secure" and doesn't need https - this can be used by most development and automated testing flows. For remote development, I tend to setup a caddy server which makes it very easy to get an SSL certificate.
petters|6 years ago
hannob|6 years ago
That would defeat the security purpose.
Anyone within your local network (which practically speaking very often means the next Wifi your device could find) could attack you.
varenc|6 years ago
wlesieutre|6 years ago
> Mozilla will provide developer tools to ease the transition to secure contexts and enable testing without an HTTPS server.
https://blog.mozilla.org/security/2018/01/15/secure-contexts...
But the bugzilla entry they linked to with that has been unassigned for two years, so maybe they changed their minds or figure the localhost exception is sufficient.
https://bugzilla.mozilla.org/show_bug.cgi?id=1410365
The last comment proposes a whitelist for development domains, but no response to it.
vortico|6 years ago
iwalton3|6 years ago
I do wish there was a public solution offering this type of easy dynamic DNS with https. (Sharing the script I wrote could cost a lot on dns hosting and increased server expenses.)
nhumrich|6 years ago
k_bx|6 years ago
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out certificate.csr
openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem
mercora|6 years ago
ip route add local 192.0.2.123/32 table local dev lo
which makes your system act like this is a local address without actually being one.
EDIT: nvm i just realized that wont solve your issues with mobile development...
unknown|6 years ago
[deleted]
peterlk|6 years ago
vinay_ys|6 years ago
This developed over the years without any input or choice from the end-user. The device manufacturers, platform owners (Apple, Google, Microsoft, Mozilla) and app developers joined together and forced this surveillance aparatus on all end-users.
This power balance has to change.
chii|6 years ago
asark|6 years ago
atonse|6 years ago
asdfasgasdgasdg|6 years ago
What exactly is the risk? Have there been any actual cases of someone being spied on with their laptop webcam that would have been prevented by a switch? I'm only aware of cases where the webcam switch would not have helped (e.g. roommate sets up notebook to record owner naked). Even that is incredibly rare, or if not rare, almost never reported.
sethhochberg|6 years ago
Still miss the physical mic mute button on my old Thinkpad X230... and it didn't have a webcam button for that, but we've _almost_ had all of the right features in the past...
hereme888|6 years ago
IloveHN84|6 years ago
unknown|6 years ago
[deleted]
octavn|6 years ago
unknown|6 years ago
[deleted]
galad87|6 years ago
mrtweetyhack|6 years ago
[deleted]
LeoPanthera|6 years ago
Nextgrid|6 years ago
In this case the camera or microphone is the least of your worries.
marknadal|6 years ago
This will make it impossible for people to talk to each other, without first needing to be connected online to some certificate authority, or without some extraordinarily difficult pre-installation process, which is often not even possible on a phone.
HTTPS was important, but now its being used to shoe horn dependency on centralized online-only authority. Perfectly ripe to censor anyone.
1. https://gitter.im/amark/gun
comex|6 years ago
The bigger problem is that there has to be a single server hosting the app in the first place, which IMO is a severe flaw in the Web's architecture. But this change doesn't really make the situation worse.
tenebrisalietum|6 years ago
anilakar|6 years ago
d33|6 years ago
progval|6 years ago
indalo|6 years ago
ry4nolson|6 years ago
spaceribs|6 years ago
Traubenfuchs|6 years ago
What is the preferred way to include https in your development flow? Have an nginx or apache running? What about automated tests against a running application?
roblabla|6 years ago
This is still mildly annoying.
jeffk_teh_haxor|6 years ago
lightedman|6 years ago
How about making that work, first?
0xNippon|6 years ago
[deleted]
joaobeno|6 years ago
[deleted]
user17843|6 years ago
OrgNet|6 years ago
[deleted]
idlewords|6 years ago
minitech|6 years ago
tuxracer|6 years ago