Ok, ordered. Crappy ordering process though, you have to pick a password without any particular reason to (don't ask your customers to make an account if you don't actually need one...), the certificate they use is invalid and they drop you on a page in Spanish after an English language ordering process that does not even bother to confirm you just made a purchase.
Haven't tried the one you mention, but this is a huge problem with many sites these days. Some don't even bother to have a logical sequence of page transitions (like the examples you give) - and many other issues, which are easily avoidable. I think it's partly due to the mad rush for startups to be first to market and cash out as soon as possible.
I hate to be that guy, but I believe I need to share this. I was amongst the "lucky" ones who managed to get one of the phones of the first batch they sold (my Serial Number is lower than 1500). After using the phone for 20 minutes, I realized that the OS is _very_ far from being usable. I was able to spot more than 10 bugs that would prevent any regular smartphone user from using Ubuntu Phone as a replacement for a rudimentary smartphone.
I guess we will have to wait/help/contribute a lot to get it closer to an acceptable quality level.
In the meantime, I wonder if there is any way to install Android on the Ubuntu Edition E4.5.
> I was able to spot more than 10 bugs that would prevent any regular smartphone user from using Ubuntu Phone as a replacement for a rudimentary smartphone.
Please can you share the bugs so that others can actually judge usability for themselves? Have you filed the bugs?
No, you really don't. Because if that was the case, instead of commenting here, why don't you go to the Ubuntu phone bug tracker or whatever and give your feedback there, where it would actually be useful? Just a thought.
Hey, it's useful to me. I am looking for a new phone in around that price range. This is the first I have heard of an Ubuntu phone being available, and it's useful to get an opinion from others even if it does seem negative.
I've had this phone since around the 20th of March and really like it very much. The Terminal app is hilarious. I was pleased to find much more stuff in the Ubuntu store than expected. Telephony is perfect.
The one thing I do not like is the runtime of the battery. 44 hours was the absolute maximum I had this phone running before it went black (just turning it on, entering the SIM-PIN, having Bluetooth, GPS and WiFi turned off and doing nothing else). In my typical usage pattern, a runtime of 24 hours is the more realistic value. Have to load it every day :-(
I literally don't know anyone who doesn't charge daily (wake up, take it off charger, put it on the charger around 11:30 PM same day), except my dad and me as we use our phones on stand-by and just for calls, and a little bit of messaging. I work from home so I do all my smartphone stuff on my computer, and when I go out I'm with friends, not on my phone. And even then, we tend to charge every 2-3 days.
I think it's typical for a good smartphone to have to load it every day. I recharge my S4 at night and then still have to boost it up at work. Mobile data is a power hog.
I've noticed the Moto G can typically go 36-48 hours (or more?) without a charge (depending on how light your use is).
Sometimes I come in and crash without putting it on the charger and realize what I've done the next morning. When that happens, I don't have to worry about immediately charging it even then; usually it still can make it to the end of that day (business hours) without being on a charger. This happens around once a week or so, maybe more sometimes.
I'm on my second Moto G, and this has been true for both, so it's not a one-off thing.
I use a Blackberry Q5 which gives 16 hours of battery. My Android counterpart gives 20. Battery life is overrated and it all depends on the usage. This one only just started.
I got burned once with a Windows Phone Omnia 7 as an early adopter and it was beyond useless (lack of apps/configurability) so I will definitely not rush again on unproven phones despite my interest in Ubuntu. Also the price/specs on this phone are horrible compared to the Xiaomi Note 4G (190 euro) which I own and can recommend to anyone. I hope Ubuntu phone catches on though. Competition is good.
The specs on that Xiaomi are really nice value. I'd been looking at the 2nd gen Moto E or G for my parents, but the Xiaomi beats it, although at a higher cost.
It just amazes me how cheap tech has become. The other day I was looking through the Microsoft Store, saw a $90 ish tablet that had various discounts at times bringing it down to an absolutely ridiculous $60-70 range. I checked out some reviews and they were glowing (in terms of value), it actually runs windows 8 and comes with a year of Office 365 and an hour of Skype minutes every month. I can hardly imagine anyone buying Office 365 for a year at $70, instead of just buying this tablet instead haha. Of course it's no Mac Pro, but it surprised me.
HP stream 7 was the name. I just sat there grinning while watching the reviews on this device, computing is truly becoming completely and totally ubiquitous this decade, even consumer computing is becoming a cheap commodity.
Second-gen Moto E came out just as my wife's Nexus 4 was giving up the ghost, and so far it is the perfect replacement. She was a little upset that it cost so much ($150), at which point I thought it unwise to remind her how much our iPods have cost over the years.
Just looked it up. Currently $79, with a $25 Windows Store voucher and $69-worth of Office 365. Extremely tempted but I really need to stop buying random tablet-y devices I'll never use.
Hehe, that really is a temptation. I wish there was one all-purpose device (maybe modular, like the earlier Modu phone [1] and now Google's Project Ara (still to come)).
[1] Read about Modu in TechCrunch some years ago. An Israeli startup backed by Yossi Vardi, IIRC. Not sure what happened to it. But the idea seemed promising.
So I got one of those Stream 7 tablets. I like it when I use it as a device, but Windows 8 isn't quite ready as a tablet OS, I feel. I was wanting a keyboard & trackpad pretty quickly. By adding a keyboard case, I might as well use a netbook anyway at this weight profile. Also tapping on some things can be awkward.
Also the battery dies on you quickly on idle, and it doesn't charge that easily through usb, you need a really high power charger for the charging indicator to turn on.
Are netbooks still being produced in mass scale? I was considering buying a netbook recently, as a 2nd lighter machine than my laptop, so that I can take it when I go out to nearby places like for shops / malls, and use short spells of free time outside to do some work (at least work that's light on CPU/RAM resources, like Python programming, or even email or technical topic browsing). But a few computer shops I went to, told me that Asus / Acer (for example) are not making new ones these days. This is in India, BTW. Don't know if this issue (if real) is specific to this region or not.
By netbook I meant more those really cheap 11" laptops that cost about $200 and quickly get performance issues in a year. The HP Stream 11 is one example. Or a Chromebook.
I was in the same position: Moto G or something similar.. but lots of reviewers complained about battery life.. And then I saw the price and specs of xiaomi note: 2Gb RAM, 3100mAh and 5.5"+good resolution. If nothing else more interesting appears in the next weeks, I'm gonna buy a second one for my wife.
Sort of, but also not really. Two decades ago, say around 1995, a computer was still pretty damn expensive. A decent system (not high-end systems like we use for gaming today, but very basic office stuff) would easily set you back $1k to $2k, which is a bit more in today's dollars. That wasn't accessible to everyone, especially because these things weren't good enough to replace your office, your phone, your TV, your gaming console, your newspaper, your camera etc. So it was an additional cost to all of that.
And while it was already large two decades ago, it's not ubiquitous in the sense of finding $70 star trek like tablets in remote villages in central Africa, like happens today. Ubiquitous in the sense that outside of the 10-20% upper-middle class of the US/Europe, who've indeed had personal computing for decades, we're seeing computing arrive en masse to an additional 1-2 billion people, and probably billions more not long after, now that you get full desktop software, with complete hardware including input and a screen and battery, at $70 retail, and sub $50 second hand. That's insane.
You guys remember the $20 smartphone media talk last year? Should have arrived by now. In any case, this decade is something special. Chips are using so little energy nowadays, low res screens, too. Things are sturdy, cheap. The electricity costs per year are a tiny fraction of the device's costs (which is on its way to 5 to 10c a day per device). Computing is actually going to become accessible to 4-5 billion people by the end of the decade, that's something really new. And we're seeing a lot of initiatives in terms of free, global-coverage connectivity in the form of internet, too, for low-data applications like messaging, banking, wikipedia etc. e.g. FB & Google's initiatives.
I had the Omnia 7 and had the same frustration. Nothing wrong with the phone itself, but the OS was clunky and the Windows Phone app store was basically empty...
Any recommendations on where to buy the Note 4G? I got mine at pandawill, but I'm curious about other places. It was my first time buying from a Chinese e-retailer.
That's how I convinced myself to buy the Windows phone. "Oh, it's Windows! I can program for it with C# & WPF. It will be fun.. for a week..". I hack enough things on my laptops (Ubuntu). I needed a cheap phone to make calls, send SMS easily, set alarms, listen to music, browse the web, occasionally snap pictures and read some PDFs when I'm bored. Xiaomi is perfect for my needs until now.
Interesting price strategy. They're obviously not aiming at what you'd think of as the professional developer / early adopter market, otherwise they would have reduced the bezel, switched to a higher resolution screen, increased the specifications, and at least doubled the price. Are they hoping for this to be stocked in retail stores, and directly compete with Android at the Moto G sort of level?
That does sound fairly crazy, but it may well be that's more sensible than it sounds in parts of Europe, for instance Spain, where the early adopters won't have the same money as they do in the US, and the iPhone is expensive enough as to be almost nowhere to be seen.
Seems quite different from FirefoxOS, who have a much more pointed strategy of radically undercutting price, and targeting markets in the developing world.
bq is already a very popular brand here in Spain, so I suppose they will be targeting their current market (and if they get devs in the process, better).
They also make an e-reader [1] with open source software. I'm somewhat obsessed with the idea of using it for ssh/mosh as a portable terminal. It would be very cool to hear if someone has tried this, before ordering one. I mailed some random guy at BQ and he said he never tried it, but also found it interesting. If you find it interesting too, maybe you could run down and ask around! :)
How is it open source? Where can I find the source? How can I build software for it, and how can I load the software onto the device?
I found this[0] but it is in Spanish, and many of the links to source don't go anywhere. It seems like they use Debian and Qt, which would be very neat.
Note that I don't have the device so I don't know if this works, but if there are problems with the instructions I assume BQ would help (since the open sourceness is a selling point).
(I don't know but...) I like the idea of an e-ink terminal, however I fear the slow refresh rate would make editing difficult. I guess someone somewhere has tried it though...
The specs of that particular one show no bluetooth (and no OTG usb), so can't connect a keyboard.
It also has no wireless apart from wifi; and only 512MB (though that's plenty for ssh!)
Yeah, it has to be "OTG" (on the go), aka "usb host". Seems relatively uncommon.
Beats a line printer! Can relate - I'm ecstatic that (70s era) unix utilities are blazing instant on a phone. I'm sure vim would also work on an e-reader, if you don't need to find the cursor.
I should research this. Working on e-ink/e-paper would be so much better on the eyes - and incredible battery life (they claim 2 months for the Kindle).
That's pretty cool! But being able to connect a physical keyboard is important to me; I want to be able to actually code/admin/email/whatever, preferably replacing a laptop for extended periods of time. :)
Yes. Just install the Terminal app. If you have a screen lock configured you're asked again to get to a shell prompt. You get a regular prompt as the "phablet" user but have unrestricted sudo access. It's easier to use ssh though: http://askubuntu.com/q/348714/7808
What's nice is that it's just a regular Ubuntu shell prompt, not a hacked up one like you get on Android. All the usual stuff you expect to have is there. The Terminal app integrates nicely too - for example if you use less, then swiping up and down scrolls up and down.
Note though that by default the root filesystem is read-only. You can make it read-write, but then the image-based OTA updates aren't expected to work and of course if you break things you get to keep all the pieces. For this reason I've avoided doing this for now, but it's nice to know that I can do it. I expect I'll probably end up rolling my own customized images instead in order to keep my phone more reliable.
The technical specs look very, very similar to the Zopo ZP910 I own and which I bought about two years ago, for about 200€. The CPU unfortunately isn't the same (MTK 6589 versus MTK 6582), otherwise it would be easy to port Ubuntu to it based on bq's builds. I don't really have much dependency on Android apps (just give me a browser, a media player and a way to make phone calls/texting), so Ubuntu Phone fits my bill. I would not buy a new phone just to run it, but I'd happily "upgrade" my current phone to it, because the new versions of Google's apps are quite heavy (material design and all that) and the hardware is starting not to cut it.
Nice touch that the clock on the screen shows "14:10", which is of course similar to the latest released Ubuntu version (14.10, from October last year). Coincidence? :)
Yeah the demo/description was pretty inspiring. Phone->dock+monitor+storage->computer (for everyday stuff). The linked tablet video seems close enough but I'd love a phone version to theoretically have one device for everything.
This is still my "tech wish for the year" :D
Even if it's possible with this device (which I don't know) that's still an ARM processor you have. It's a Cortex A7 a bit faster from what you get in a Raspberry Pi 2 but not much.
Anyway, those phones or tablets that turn into supposed regular computers are cool, but at the end of the day when I have access to a screen and keyboard there is usually a computer not far. Since my data is in the cloud anyway, I'd rather use that separate computer than my phone.
There are plenty of situations where I don't want to trust the available computer with my data.
And I very frequently find myself in situations where the network connection is so poor that streaming my data over the network is an exercise in frustration.
When I then walk around with more and more powerful computers in my pocket, it's great to be able to make use of it.
Even if you don't have a fast Internet pipe, you can just boot the PC from your Android phone instead, using DriveDroid. I'm not sure if you can also access the files on the sdcard, though.
I'm holding off until the Meizu MX4 Ubuntu goes on sale -- but perhaps I shouldn't - does anyone know if it is exactly the same as the one being sold now running Android?
If so, I might get that one and install Ubuntu myself.
Being burned by two FirefoxOS phones (mostly burned by not being able to upgrade to anything latest and stuck to some version). So I'll be careful this time... But I so much wanted to try it out...
I can't thank you enough! I haven't looked deeply into other sources, and used the phone as a normal user (I've lent it to a friend of ours, when they went to Italy for vacation (we are US based)), and then I used them again when travelling to Bulgaria.
Why FirefoxOS phones there? Because they don't draw much attention, they are cheap, and reliable for basic phone needs - calling, texting, even some browsing. Also the battery life is pretty good.
They are a bit sluggish, but still much faster than other cheap phones.
You're welcome! They are quite hard to find. I accidentally stumbled over the mozfr community builds while figuring out how to compile a current version myself :)
Love it. Only one missing feature prevents me from buying it: Ubuntu Phone doesn't seem to have easy, painless, over-the-air syncing of calendars and contacts with third-party applications/services like Google Apps and Microsoft Exchange, for snappy access to that data whether I'm online or offline.
I've had the complete opposite experience with Android phones which is why I probably plan to stick with an iPhone when I upgrade my 4S within the next few weeks. I know people who have Android phones who are waiting to upgrade to Lollipop.
I guess he meant that once an OS update is downloaded, it cannot be swept right and forgotten, but it stays in notifications forever. I have one Moto G I use as a bike navigation, don't plan to ever update it to Lollipop as I run only OsmAnd on it and it always insists on getting upgraded to 5.0.x.
On a moderately specced phone they can be. Plus maps just got less and less usable in my opinion. The map gained more screen space but got unusably slow, and no idea how to access features that I previously used (buttons for zoom in and out for example. Pinch zoom when driving is dangerous).
Yes, the original version of Google maps was good, then they kept upgrading it until it became unusable (it was incredibly slow on my phone). I managed to downgrade it, but now the local bus app that uses maps doesn't work.
Yes and no. The phone image is read-only by default, with RW areas for user data / tmp / logs etc. You can easily make the RO portion RW, and then apt-get or dpkg install random packages. However the caveat is we never test that scenario, so if you break it, you get to keep the pieces. You can then re-flash it to get out of this of course.
This phone made me think a lot about the future of mobile in emerging markets. I was reading a lot of great feedback about Mozilla with Firefox OS in Africa and some South American countries; they are very happy about the price/value of the devices, and the fact that these countries have a very basic (or even no) infrastructure makes them very interesting for these systems, because you can actually build from scratch using pretty recent technologies.
All this introduction is to try to understand the Ubuntu Phone world. I don't think it can emerge against Android or iPhone, so it should definitely compete against Mozilla in emerging markets, but it looks like it is coming a little bit late. I am also curious about how developers will react to the platform; with a native or HTML5 approach, it looks similar to the Microsoft strategy. Firefox was able to get devs easily because HTML5/JavaScript is an easy combo and is widely known; native development requires more effort and has a steeper learning curve. A smartphone is 20% platform and 80% ecosystem; no apps means no users.
I am honestly interested in trying it, I did it for Firefox, writing a simple weather app for it, so I would like to do the same. At the moment, I am not sure the system will be able to compete, but happy to be proven wrong!
I had mine delivered by the end of March and there were no delivery costs to Germany at all (I had ordered two phones, though, - maybe there is a threshold for free delivery).
The battery being a LiPo (lithium polymer) could be a concern (they are quite unstable and explode on contact with water) and IIRC are not allowed to be brought on planes. They can also be permanently damaged if you allow the voltage per cell to get too low and do not have a huge amount of recharge cycles.
Macbook Pro laptops have been using LiPo batteries for at least the last few years[1], so this isn't anything new. I don't know of anyone being prevented from flying because of a MBP, so I doubt this will be a problem.
There are two types of "Lithium Polymer" batteries:
> Originally, "lithium polymer" stood for a developing technology using a polymer electrolyte instead of the more common liquid electrolyte.
> The second meaning appeared when some manufacturers started applying the "polymer" denomination to lithium-ion cells in pouch format.
The first one (polymer bag around a lithium ion battery) is currently used in many devices, but the second (polymer electrolyte) is not commonly used and seems to be an active area of research.
I'm uber curious about the technical aspect of it. Software side, how it compares to other OSes in terms of cpu and ram usage, battery life etc. How different is the distribution from the desktop/server images (libc, compile flags, ...).
Honest question here: what does anyone need 4g for?
On HSPA+ (H+) my connection is fast enough for any purpose besides downloading movies, and it's not like I've got unlimited data. Even 3g's theoretical speed is great if they could get that to work for a change.
I have 4g on a company laptop and the speed is better than many places' WiFi, but I have yet to find an excuse to use it (someone has to pay that data bill). It's not like I don't know how fast it really is, I just don't see the point of it right now. In 5 years 3g really will be too slow for many applications, but as it stands...
It's not about you. It's about having multiple users within the same band. In crowded places you might have full 3G signal and the internet will still be shit because of how many people are using it. With 4G it should be better, it's not all about top speeds.
> In 5 years 3g really will be too slow for many applications
You answered your own question. It's progress, and the sooner people around the world adopt 4G, the sooner it becomes the standard, just like 3G before it.
You're right, and my Nexus 4 and Lumia 521 are getting along just fine without LTE as well, and will continue to for the next 1-2 years I hope to get out of them. It will be at least another 10-15 years before 3G is turned off in favor of whatever the baseline is then (hell, we still have 2G which by all accounts should be dead by now).
4G has much better latency than HSPA+ for me. Video streaming is much smoother and breaks up less. FaceTime is much better than on HSPA+. If I see 4G in my status bar, I know my connection is going to be at least as good as coffee shop WiFi.
It contends better too, which affects everyone.
I have unlimited LTE for £15/mo (Three UK) so I don't need to worry about paying for the data.
Coverage is a problem in some areas. In many parts of Australia the 3G coverage has been left pretty damn miserable while they have invested in 4G.
Additionally, contention levels are just horrible on the 3G services. What's that, 20 Kb/s and 40% packet loss just because you were silly enough to use it near a train station.
I'm looking forward to getting a new phone. I am however undecided between Firefox OS and Ubuntu OS. Leaning towards Ubuntu, but this device looks like a first-gen smartphone... once you see the bezel you cannot unsee it!
I just set up an Ubuntu 14.04 server on Digital Ocean. One "apt-get install mail-stack-delivery", and one edited line in /etc/postfix/master.cf later (just to get 587 submission working) and I have my own mail server including STARTTLS on smtp and imap. Made me wonder, will we see sync options on Ubuntu Phone to sync mail/calendar/own-cloud with one (SSH) account? Seems to me the possibilities are endless and very exciting. Please stay true to FOSS principles, resist the temptations, give the (mobile) web back to the people!
Certainly you can encrypt the email part, but I'm not sure how NSA-proof it will be when the whole server is in the RAM of one that you don't control, though.
Does it run Whatsapp? No? What is this, a cellphone? Oh, cool, but we stopped using cellphones a while back, we now use portable computers the size of a cellphone which run widely adopted social apps. It's for a niche market you say? Oh, cool.
Sarcasm aside: I am still waiting for an official FFOS Whatsapp version, meanwhile I am using my ZTE Open as a PC+camera+GCM dongle to run some fun hacks, kinda like a Tessel Machine.
True, although there are a couple of unofficial APIs that have managed to stay up. Now, the big question, how will FB make its money back? It has to open Whatsapp to advertisers and/or integrate it into its platform of services. Or did it buy it to take it down while pushing FB chat as a standalone web/native app?
Is the support for all (or nearly all) 3G/4G networks limited to higher-end chips? I believe at least e.g. the iPhone has identical hardware worldwide?
Oh, how I would love this device to be a class leading spec. It's nearly time for a new phone, and I'd love an Ubuntu handset, but don't think I'd be up for the technical downgrade by purchasing this mid-(to-low-)range device.
When they first announced Ubuntu for phones they tried to kickstart a phone with class-leading specs but there wasn't enough interest for it to be feasible.
OT: If anyone from bq.com is reading this: Why can't I select Germany, France, or Austria as a country to ship to? Why do I have to provide my nationality (personal information, not part of the shipping address)?
Would you mind explaining what you are talking about? I thought Telegram is more secure than WhatsApp etc. I would gladly hear what you think about these apps in general.
The protocol is published, and the client is open source, but the protocol has a whole bunch of design issues, and that's the real problem with Telegram.
If the protocol was properly designed, the proprietary nature of the server wouldn't be an issue as we could write a server implementing the protocol too. For instance, I don't have to worry about all of tarsnap being open source, because I know from the way the client is implemented that the server can't do a damned thing to sniff my data.
However, due to how much of an awful botch job the protocol is, even if the server was FLOSS, it would still be untrustable.
WhatsApp's security improved an awful lot back in November when it got end-to-end encryption.
MTProto has... issues. It uses IGE (infinite garble extension, a variation on the accumulated block chaining - ABC - mode of operation) as its mode of operation, which isn't exactly widely used or battle proven and is considered broken. Something like GCM would've been a saner choice. Another issue is that it uses SHA1 for message authentication. Now, the issue isn't so much that they're using SHA1, but that they aren't using a MAC for message authentication.
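The distinction this comment draws between hashing a message and authenticating it with a MAC can be shown in a few lines. The following is an added Python example, not Telegram's or MTProto's code: the message format, the shared secret `KEY` and the on-path tampering model are constructed for illustration, and HMAC-SHA-256 stands in for whichever keyed MAC (or an AEAD mode such as the GCM the comment mentions) a protocol would actually use.

```python
"""Why a hash is not a MAC (added example; not Telegram's or MTProto's code).
The message format, KEY and the tampering model below are constructed."""
import hashlib
import hmac
import os

# Constructed shared secret, known to the sender and the receiver only.
KEY = os.urandom(32)


def bare_digest(message: bytes) -> bytes:
    """SHA-1 over the message alone. Nothing secret goes in, so this only
    detects accidental corruption; it says nothing about who sent it."""
    return hashlib.sha1(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256: a keyed MAC. A matching tag cannot be produced
    without the key, which is what makes it an authenticator."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_bare(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(bare_digest(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids the timing leak of a plain == on the tag.
    return hmac.compare_digest(mac_tag(key, message), tag)


def altered_message_accepted(scheme: str) -> bool:
    """Model an on-path party that sees a message and its tag, changes one
    field and submits the result. It never learns KEY. Returns whether the
    receiver accepts the altered message under the given scheme."""
    original = b"from=alice&to=bob&amount=10"
    altered = original.replace(b"amount=10", b"amount=99")
    if scheme == "bare":
        # The 'authenticator' is a public function of the message, so the
        # receiver's check passes for any message whose digest is recomputed.
        return verify_bare(altered, bare_digest(altered))
    if scheme == "mac":
        sent_tag = mac_tag(KEY, original)            # the tag that was on the wire
        other_key_tag = mac_tag(os.urandom(32), altered)  # a tag under some other key
        return (verify_mac(KEY, altered, sent_tag)
                or verify_mac(KEY, altered, other_key_tag))
    raise ValueError(f"unknown scheme {scheme!r}")


def genuine_message_accepted() -> bool:
    """Sanity check: the legitimate sender, who holds KEY, is accepted."""
    msg = b"from=alice&to=bob&amount=10"
    return verify_mac(KEY, msg, mac_tag(KEY, msg))


if __name__ == "__main__":
    print("bare SHA-1 accepts altered message:", altered_message_accepted("bare"))
    print("HMAC accepts altered message:      ", altered_message_accepted("mac"))
    print("HMAC accepts genuine message:      ", genuine_message_accepted())
```

The choice of hash is secondary to the point: the receiver can only reject what it could not have computed itself, so a tag has to depend on a secret the sender holds. An AEAD mode folds this keyed check into the encryption step, which is why the comment's GCM suggestion covers both complaints at once.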
If you’ve created HTML5 apps or mobile websites for other platforms — there’s good news: the path to Ubuntu couldn’t be quicker. We support both the Webkit/Blink and Cordova development standards — and with a separate API that enables websites to be quickly converted to run independently of a browser, with full access to phone notifications and settings, the same goes for your web applications.
The more the better. As a consumer, I like choice. As a developer, multiple options means we move towards open industry standards rather than vendor lock-in and single points of control.
I'd buy any Android phone with a hardware keyboard, but those days are long gone now - with the bigger screens, the manufacturers have given up on them.
Google has 88 apps in the Android app store. Which ones are you looking to replace?
Edit: Here's a list of the "core apps". https://wiki.ubuntu.com/Touch/CoreApps Notably missing are email and SMS apps, so I'm not sure what they're using for those.
The "Core Apps" have a bad name. They are community-developed apps, that may be included in the stock image. What you're really looking for are the "System Apps": https://launchpad.net/ubuntu-system-apps
I haven't seen a maps app, but I know they're using Here/Nokia for location services (https://insights.ubuntu.com/2014/07/30/nokia-here-maps-comin...). I think the BQ phone comes with a location "scope". The Here HTML5 app is pretty good on FxOS, so they could be using that.
I wonder why you'd need a specific chipset to have an RTC alarm. Couldn't it be added on the board independently? After having so many Nokias, I'm still amazed how so many phones miss what should be a basic feature.
Why? They're not the highest end, but then again the price and other specs make it clear that this is not intended as a high end phone. For a mid range phone MediaTek CPUs are easily powerful enough. Unless you have other objections?
MediaTek have not been historically known for engaging with the open-source community, documenting their chipsets, and complying with the GPL, to put it mildly.
Unless anyone knows that's changed in recent years?
That may be so, but there's hardly any CPU around you can even boot without binary blobs of some form these days. E.g. consider the massive pain the Coreboot people are going through to get anything reasonably open out of Intel.
I would prefer more open hardware and will vote with my wallet if there's something open of reasonable price/performance, but I choose to be pragmatic about it. In this space, even getting something I can run a non-locked down Linux on is an improvement.
I too was looking for what was available for IM and hadn't heard about Telegram until I saw it works on Ubuntu phone. Terrific system and now I kind of feel bad for not using it all along!
That it's compatible is nice, but Telegram cannot be recommended as a secure messenger. Knowledgeable people have reviewed its cryptography and found it wanting, even "bizarre and nonsensical". You may want to look into other alternatives?
"Although applications like Whatsapp, Google+ or Candy Crush aren't there yet you get many others such as Telegram, HERE maps and Cut the rope, and web apps like Facebook and Twitter"
Now, trying not to comment on Candy Crush being considered a "must have" app for a smartphone, it will still be a tough sell, especially in the EU, where Whatsapp is a necessity for a lot of users.
No https:// by default. Again, if you market this as towards the nerdy audience: Put _everything_ behind HTTPS. I simply do not want to let others know, what phone I might buy.
spacefight is right. Offering HTTP along with HTTPS is an antipattern. As an example, I give you Reddit, where HTTP and HTTPS services are identical. That means you can log in on the HTTPS site, and I can have your session cookie or even your password.
The only sane solution is to set up HTTP to redirect to HTTPS, and add an HSTS cookie.
Allowing access on both http and https is indeed a bad practice, but not in regards to the scenario you described.
The scenario you described has been covered since long by the 'secure' attribute, available when creating cookies. Assuming the authentication was performed from within the https channel, the cookie won't be disclosed when requests are triggered on the http channel. This covers the 'Reddit' case from an application layer perspective.
The vulnerability is rather in browsers (such as Firefox). They allow the rewriting of an existing cookie value through the http channel, although it was originally set through the https channel. This is a huge problem and I still don't understand why this isn't reported by any researcher as a critical security flaw...
In either case it leaks information. Even if I can't get your session key, I can see every URL you visit, and every field you put in. Also, if your login form can be served over HTTP (or any included script is, which thankfully Chrome now disallows when the page loads over HTTPS), I can just get your password. Guess how Reddit serves their login form? Yup, it's right on http://www.reddit.com/.
You are right, all your Reddit traffic should be encrypted, but the reason is not because it's a vulnerability, it's because you have a personal expectation of privacy, which is different from an unexpected or undesired incident in their information system.
Let's not forget that from Reddit's point of view, the browsing of the public content is not confidential, hence no need to hide it. Only your credentials are confidential, hence their transmission is configured to happen through a secure channel by default (if you're lucky). As long as it matches their security policy, it is not a vulnerability, per se. The vulnerability here is that Reddit 1) accepts authentication events sent through HTTP and that 2) Reddit keeps considering accounts as reliable after a successful HTTP authentication. We could also argue on the quite insignificant consequences of your Reddit account being hacked (for most users) in opposition to the disclosure of a password that you have not used anywhere else (isn't it?).
As a user, you believe that the Reddit pages you browse should be private, which led you to conclude Reddit is flawed. I agree that Reddit users' traffic should be kept private. But, we are still in an era where information security is defined by the expectations of corporations, not those of customers/users. The total cost induced by the fact that anyone on the same network as you can see your Reddit traffic remains lower than improving the security of the platform.
If you want Reddit to consider this as a "vulnerability", you need to either convince lots of users to stop using Reddit until they fix this (traffic volume pressure) or convince loud people to start shaming their owners on large audience news sites (shame pressure). These two strategies are the only ones that work, to my knowledge. As long as their business keeps running and there is no shaming, they don't have any real incentive to pull the source code and fix this: it's not a major security vulnerability. (the fact that browsers overwrite https cookies from http responses is a major one, though...)
I consider them vulnerable. As a test I successfully hijacked a Reddit identity using nothing but tcpdump on my router. Leaking credential information is a form of vulnerability. Just because lots of people do this does not make it less vulnerable.
Even if Reddit allowed you to log in via HTTPS only and kept your session cookie secure, but let you browse anonymously over HTTP, they'd still be leaking info about what you are browsing, as you said. I agree, this is a problem for the user. Say, the user is looking at topics about maternity leave while her boss doesn't know she is pregnant. What can the boss do with this info? Or say the user is looking into methadone clinic experiences at work?
Browsing over HTTP also lets an attacker inject content. Ads are the obvious and somewhat innocuous case, but think about the phishing opportunities here. "Please log in to proceed" with a form that submits the password to the attacker.
You are right they won't change until either their users start complaining, or something really bad happens as a result of this negligence, but I am simply using them as an example of a pretty widespread issue. Lots of sites do this and it's very unfortunate.
How about ad fill rates? I'm not directly involved in ad ops myself, but I've heard that now, even in 2015, major web properties still see a roughly 60% drop in ad revenue on HTTPS. That's a big deal for an advertising supported website. (Though obviously not so much a big deal for a website like this selling an Ubuntu cell phone).
It took 3 minutes to write this comment. Getting a new cert up and running will take you $5 and 15 minutes if you follow these instructions. Free if you use startssl.com. Cheapest wildcard I found was https://www.ssls.com/ when they ran a sale: $42. Current cheapest Google turned up was https://cheapsslsecurity.com/sslproducts/wildcardssl.html for $60. Personally, I prefer wildcard certs whenever possible, free certs from startssl.com.
Setting up passwords is additional effort. Just leave them blank. To me that doesn't seem like an excuse to subject your users to what HTTP entails, and to subject yourself to the liability it implies.
It's because they are. How many times will this be brought up? The browser has no way of knowing whether gmail.com should be serving a self-signed cert (pinning notwithstanding), so it must treat a self-signed cert as a MITM attack at all times. Try to think through how else it could possibly work, and you'll see why the browsers do this.
The browser should treat any HTTP connection as a MITM attack at all times, too. Actually, it should also treat it as multiple MITM because everyone in your network or in the path can see your traffic.
We could argue whether it even makes sense to differentiate between SSL with self-signed certs and plain HTTP connections when warning users, I'll give you that. But in no way is SSL with self-signed certs worse than HTTP.
> Try to think through how else it could possibly work, and you'll see why the browsers do this.
VPNs aren't secure end-to-end. You can still have your connection spied upon and/or hijacked in the link between the VPN gateway and the website servers (including by the VPN operators themselves!).
Sure the client has encryption (most VPN clients do), but that's just up to their servers. From the PIA servers to the final web server, there's no extra protection, so if you're accessing an HTTP service, it's unencrypted.
OP here. Sorry for the URL, but I caught it in my twitter feed on my mobile phone and posted it.
Maybe HN's mods can fix that. I tried editing it, but while you can edit the title and/or add text, you can't edit the URL (which makes sense, actually).
I think the reason is that they want separate pages by countries, not by languages. For instance, they have three different pages in Spanish (Spain, Mexico, Uruguay).
What if I live in Spain and only speak English? What if I live in a Catalan region and want Catalan? What if I live in GB and want to read it in Spanish as it's my first language?
With the world being as global as it is and people readily moving around, geographic location does not equal language preference.
Ideally the site would have geographic specific sections but allow all languages it has translations for in each section. Bonus points if you default language based on my HTTP headers and allow session based overrides.
Some of those regions are known for being proud of their language and culture, so in case of similar specs and cost many people will choose a vendor that covers their native (or L2 but local) language instead of one that doesn't. Something to take into account is that e.g. Catalan (or Valencian or Balearic, you name it) represents between ~9M and ~11M native and L2 speakers (depending on sources).
What else... Oh yes, the regions where Catalan is official in Spain are among the wealthiest when considering the average income for its residents. That sounds like a good pond to fish for early adopters. Basques with even less population (and fewer L1 and L2 speakers, even in % than Catalans) are also among the wealthiest. The use case doesn't seem that narrow anymore, does it?
Every single big company in Spain is able to communicate in any official language. Dude, it means business!
Finally, and I'm leaving a lot of stuff behind, people are usually not very thick skinned and calling the support of these languages "very limited use case" could be considered, well... inconsiderate at least.
Obviously it depends on the use case and audience, but language and location should not be conflated by default. Location allows customization of currency, measurement units, legal policies, shipping information, tariffs, dates/times, etc independently of the copy language. There are plenty of countries with more than one major language (there are almost 40 million Spanish-speaking citizens of the US and India has 23 official languages), so websites that guess language based on country alienate a lot of users.
Your browser already tells every website what language(s) you speak in the Accept-Language header, so it's not like that information isn't available.
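How a site could act on that header, as an added example (not code from the thread) for the scheme proposed a few comments up: choose the page language from Accept-Language, independently of the country section being browsed, with an explicit session override taking precedence. The supported-language list and sample headers are constructed; region tags fall back to their base language when only that is available.

```python
"""Pick the page language from the Accept-Language request header,
independent of the country section, with a session override winning.
Added example, not from the thread; supported lists and headers are
constructed. Tags are compared case-insensitively (RFC 7231 q-values)."""

def parse_accept_language(header):
    """Return [(tag, q), ...] sorted by descending q; header order is kept
    among equal q values. Entries with q=0 are dropped (explicitly refused)."""
    prefs = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        tag, _, params = item.partition(";")
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
        if q > 0:
            prefs.append((tag.strip().lower(), q))
    return sorted(prefs, key=lambda t: -t[1])

def choose_language(accept_language, supported, default, override=None):
    """supported holds tags like 'en', 'es-es', 'ca'. A requested region
    tag falls back to its base language (es-mx -> es) or to any regional
    variant of that base (es -> es-es); '*' selects the site default."""
    supported_lower = [s.lower() for s in supported]
    if override and override.lower() in supported_lower:
        return override.lower()  # user's explicit choice for this session
    for tag, _q in parse_accept_language(accept_language or ""):
        if tag == "*":
            return default
        if tag in supported_lower:
            return tag
        base = tag.split("-")[0]
        if base in supported_lower:
            return base
        for s in supported_lower:
            if s.split("-")[0] == base:
                return s
    return default
```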
My (very subjective) guess is that many of those 40 million Spanish speakers in the US speak English as well, and the percentage of those who don't and would use an e-commerce site is low.
Still, I would imagine major e-commerce websites to add support for a language in the website, if the potential userbase is big enough (for example, the Apple Store does).
My knowledge of India is very limited, but it always seemed to me that the unifying language really is English (again, from a very cursory glance, Amazon, Apple and HP have Indian e-commerce stores in English).
My point is that decoupling language and location as a general feature does not make much economic sense in the vast majority of cases.
This is especially true for major e-commerce sites: think about Amazon, and the number of items being sold (millions ?). Many of those are sold only in a particular store, or have variations between a store and another: how much would it cost to translate all the articles for all the stores in x languages ?
I've been doing eCommerce for a long time now and the number of sites that realize this is shockingly limited.
With a few exceptions, the translations you are using for a country website's language are possible to use for any country where a visitor wants to use the language. Exceptions include things like country specific product features and such. Those kinds of things would need a little thought.
The data is all there and the tech is all there. It's just a desire or realization that is missing.
Don't misunderstand me, I can see your point, and it would be a feature I might want to use in some cases.
But apart from the data and tech you need people implementing it, and I can understand most companies not seeing covering your/our case as worthy of the added development/maintenance cost that it would entail.
What gets me is Amazon. I'd love to be able to see the Germany (country) site in English. Right now trying to return a tablet that went bad, and google trans is of limited help.
Yeah, but at least they let you do cross-country purchases. I live in the US and send my son in Europe gifts from the DE and FR Amazon sites. Lucky for me I know enough of the languages to muddle through the process. :)
Other companies are MUCH worse. Apple and Google being good examples. Try either being in the US or having a US credit card and purchasing in the EU. Nightmare!
Let's hope the phone shows up :)