Hacker News | joshmoz's comments

I recommend updating the title to make it clear that only the Let's Encrypt client software has changed its name (and moved to EFF). The Let's Encrypt CA has not changed anything.

More information about this move can be found here:

https://letsencrypt.org/2016/03/09/le-client-new-home.html


You don't have to change anything.


We would love to have Apple and Microsoft on board. If anyone works for them and wants to help get them to sponsor we'd appreciate it!

Email sponsor@letsencrypt.org to coordinate.


It's also worth pointing out that you can have up to 100 SANs in a certificate, so you can technically issue for up to 20x100 (2000) subdomains per week.


When I hit a rate limit on sub1.example.com, it let me create a certificate with a SAN for sub1.example.com and sub2.example.com.

So I think it's actually essentially unlimited, you just can't request the exact same certificate more than 20 times per week.


There are separate rate limits for FQDNs and domain names. The former is 5, the latter is 20.


Windows XP support was rolled out March 25 2016.

You can find more information about upcoming and completed features here:

https://letsencrypt.org/upcoming-features/


It also, ironically, broke a bunch of IIS and Azure Web App hosted sites due to an incorrect intermediate being sent by the servers, with no recourse for new and renewing users at the moment... See https://github.com/sjkp/letsencrypt-siteextension/issues/42


But that doesn't really help you if you are using SNI to host multiple sites on a single IP address, does it?


Internet Explorer doesn't support SNI on Windows XP, correct.

Let's Encrypt doesn't force you to use SNI, though. SNI is not something you "stick" on a certificate - it's a TLS extension which you don't have to use at all.


I implemented the native OS X notifications in Firefox/Gecko some years ago. The native OS X API limitations were pretty frustrating (at least at the time, iirc), just didn't line up with the Web APIs all that well. Not blaming Apple, they weren't designing with our use cases in mind, just saying I can understand Google's temptation to avoid integration in order to retain control.

In the end it's a tough call about what you value more.


I just wrote in a thread over on reddit how I use Chrome specifically for its implementation of desktop notifications. Native notifications on OSX are lacking to say the least. They show very little information when compared to Chrome. I hope this is an option that can be switched off when rolled out to stable at a later date.


Last year Chrome announced it's discontinuing support for its notification center (http://www.theverge.com/2015/10/14/9531133/google-removing-c...) on Mac and PC, so I imagine they are replacing it with native versions of each OS. To note, Stable is always several weeks behind Canary, so you can see the latest build of the notifications which shows more info than the stable version.


But surely Google want to keep notifications more interactive. Native notifications on OSX only allow for minimal interaction and are truncated to a small number of characters. I really hope they allow for other options.


How about NOT having notifications at all?

When did this become something that browsers needed to have? Seems more like a solution in search of a problem.


You never have to allow notifications. AFAICT any site that wants to use notifications needs your consent first.


How about the site NOT bothering me in the first place? Not even for my consent?


> How about the site NOT bothering me in the first place? Not even for my consent?

So you'd rather no one have the ability to receive real time notifications from a web application just so you can't be bothered for a second from a permission request that you can actually ignore in its entirety?

I don't really understand your viewpoint. Web applications can provide very rich functionality so why would you want to limit that to non-real-time?


Notification flag prompts interrupt my browsing flow.

A browser popping up a permission request to ask me whether I want to receive notification is very likely an annoying interruption, and is not relevant to my current task. It would be much better to indicate that the site is notifications-capable with an icon, heck the sites can have an opt-in button, just don't pop up that prompt and force me to acknowledge it.


Go to content settings in both Firefox and Chrome and you can block all notifications by default.


Well that battle was fought and lost a while ago with the W3C Web Notifications API Standard...


>Web applications can provide very rich functionality so why would you want to limit that to non-real-time?

Because applications also provide very shallow functionality -- and especially most of the ones I see asking for notifications (makes sense too: marketers and spammers are the first to jump on such features).

Also because a user can always go to the settings of the application and explicitly enable it. That's why there are settings.

If they don't like settings pages, and think users would not find them, they could also have an "enable notifications" link/button somewhere prominent in the header/footer etc for the user to click, instead of directly asking users.

As for non-tech savvy people, notifications and popups just confuse most of them, and they blindly tend to click to dismiss them, either yes or no, often without even reading the message carefully (or at all). That's something that has been hammered on by UX experts since the dawn of time.


As already mentioned, there's already a setting for turning off notifications globally: https://news.ycombinator.com/item?id=11433799

Having a web feature off by default is essentially damning it to not exist, so that's a non-starter. If you don't like the features that are enabled by web standards most of them can be globally disabled by turning JavaScript off.


>As already mentioned, there's already a setting for turning off notifications globally

That's good, but might be too blunt a hammer. What should be is a standard way to turn them on/off per individual site, WITHOUT unsolicited popups.

>Having a web feature off by default is essentially damning it to not exist, so that's a non-starter.

As an IT teacher in a past life I've seen 10 year old kids go through 10 layers of obscure program settings to enable a particular behavior / proxy their way out of a school network / etc.

If people care enough for notifications, they will find a way to enable them. If they don't, no harm done.


> If people care enough for notifications, they will find a way to enable them. If they don't, no harm done.

If people don't care enough about notifications, they will find a way to disable them. If they don't, no harm done.

I appreciate that you have your own preference on this matter, but do you really think that most people don't like notifications? Most people want them.


>I appreciate that you have your own preference on this matter, but do you really think that most people don't like notifications? Most people want them.

A source for that?

What's a fact is that all people didn't have them for the first 15+ years of the web, and I've never heard people complaining about that lack -- whereas people always asked for faster loading websites, less popups, no auto-play for sound and videos, ability to turn off ads, etc.


Notifications are necessary for many applications, they are not for traditional websites although sadly that doesn't stop them from requesting permission. Imo the notification feature really should require at least https, like many other intended-for-applications browser features like service worker and location. On mobile you could replace most native apps (twitter, facebook, mail etc) with a web app if they supported notifications and save gigabytes of space for stuff that actually needs to be native.


People didn't have a lot of stuff for X+ years of the web. I'm not really sure how that is an argument for or against something.

None of the desires you list are associated with notifications.


Most people don't. Most people are annoyed by their browser bugging them to make decisions for things they don't care about or need. Notifications from browsers or web pages are clearly a poor fit, UX wise.


Lack of notifications rules out an entire class of potential applications.

We can bicker about implementation but saying "web apps don't need notifications" is as nonsensical as saying "desktop apps don't need notifications".


> Most people want them.

Source?


In this thread, most people calling for deny to be the default state for notifications are being downvoted, while people defending the default of "ask" are being upvoted. Do you consider this sufficient evidence?


Absolutely not. This is an echo chamber of people interested in technology and startups. To extrapolate out to the broader entire web user audience is a massive logical fallacy. I would hope that's obvious to almost anyone.


The problem is discovery. How are normal users supposed to understand the web has notifications now?


When you visit an SSL encrypted website a little lock icon appears. It used to be when you visited a site with an RSS feed a little RSS icon would light up. I see no reason why notifications shouldn't be exactly the same. Give some ambient/unobtrusive notification of the capability. Don't force me to stop what I'm doing and make some decision for something completely orthogonal to what I'm currently doing.


You can already ignore notification permission dialogs.


I would say the middle ground would be an ability to default ignore/deny the requests. I get the fact some people just say "absolutely never".

And... apparently you can.

>Go to content settings in both Firefox and Chrome and you can block all notifications by default.


Because I'm old enough to have seen stupid trends like this come and go. I like to browse the web on my terms and not be bombarded by useless information. I know it's a crazy concept for some young people these days but sometimes people don't want any interruptions or distractions like real time notifications. If anything notifications should be entirely opt in where you explicitly go to a page on a website and turn it on--not spamming every time you visit to ask if you want to turn them on.


Then just fucking disable them jesus nobody gives a shit. All you're doing is complaining. In case your time is too precious to look up how (because complaining about meaningless shit on the internet is obviously more important) I've written you a nice guide:

- Open Chrome.

- In the upper-right corner of the browser window, click the Chrome menu.

- Click Settings > Show advanced settings.

- In the "Privacy" section, click Content settings.

- In the dialogue that appears, go to "Notifications" and choose the following:

- Do not allow any site to show notifications: You won’t see any notifications from websites.


How does the "explicit page" on a site ask for permission if your idea is that sites shouldn't be able to ask for permission?

If you bury it in the browser's settings it might as well not exist as a feature.


That's the case for most implementations, just clicking "Block" will forbid the website from asking ever again.


Why does it have to assume when I visit a site I want the distraction at all? How about we put it in a setting or other page I have to explicitly visit and opt in to receive notifications. Just like signing up for emails, etc...


Seems like someone put a lot of effort into thinking through the use case.

Browser based chat apps like Slack, webmail, among other things are the sort of stuff I like some notifications on. Yeah there's a "app" for Slack, but it's a web view. Easier for me to have it as a pinned tab and always know where it is since it's either Chrome or terminal where I spend most of my time.


That's a valid point for such apps as Slack or Gmail etc.

But then:

a) the majority of the apps asking for notifications are spammy sites (as always the louder offenders).

b) Slack, Gmail etc can have their notifications enable toggle hidden in Settings (and Slack indeed has significant customization options for notifications there).

If we start saying "ok, Slack is useful, so it's OK to allow it to show an unsolicited popup asking to show notifications" then next thing we have half the useless web also doing the same.

It's not a slippery slope either -- it's just how the web and spam works, with spammer sites/ads/etc exploiting any given opportunity to be loud and soliciting to the max...


If you're so easily annoyed you should really be surfing with JavaScript off. The reality is that sites can do any number of things to annoy you because you are giving them permission to execute code on your machine. If you don't trust them with this permission then don't give it to them.


>If you're so easily annoyed

What's "easy" about it? My annoyance is the age old popup annoyance, something tons of web users have lamented for ages.

Ever heard anyone say they LIKE unsolicited popups? Even if it is to ask permission for something?

>The reality is that sites can do any number of things to annoy you because you are giving them permission to execute code on your machine. If you don't trust them with this permission then don't give it to them.

Sounds like a slippery slope. I don't understand these kinds of half-thought arguments.

I never said I want webpages to act as simple text. I like dynamic pages and apps -- I just don't like unsolicited popups and dialogs.

The same holds true for the desktop, and countless people have expressed their frustrations with such popups there too. Starting from Clippy, the most annoying popup of all time, to the backlash against Windows (Vista?) "asking for admin permissions" dialog, which made them tone it down, and all the way to today...


If you don't like dialogs at all I don't know why you are getting so bent out of shape over this feature. Any webpage can do alert("look at me") and you actually HAVE to act on that.


What I don't get is how expressing my opinion -- necessarily in multiple comments, as people respond to my initial arguments or misinterpret them and I get back into the discussion, not to mention me being naturally chatty --, makes me "bent out of shape", "so easily offended", etc. over the feature.

How about not making personal characterizations?


There's a setting for this! Chrome allows you to deny all notifications requests automatically, without even a prompt coming up.

See https://support.google.com/chrome/answer/3220216 for the method.


Awesome, now how about we make this default to on just like we default on pop up blockers etc?


If people didn't want web notifications, they wouldn't have been explicitly added in to the specs.

This thread is getting ridiculous. I appreciate people don't like notifications but the very few sites that request them are sites like gmail, discord, irccloud etc which the majority of people absolutely do want notifications from.


> If people didn't want web notifications, they wouldn't have been explicitly added in to the specs.

Web standards aren't a democratic process that all the web users vote on. They're defined by a consortium of companies each with their own special interests and agendas. Pop-ups were allowed by web standards and we've gone out of our way to build tools to prevent them.


>If people didn't want web notifications, they wouldn't have been explicitly added in to the specs.

People rarely design specs. Corporations do, and they push their own agendas, like, all the time.

That's like saying "If people didn't like DRM we wouldn't have W3C's Encrypted Media Extensions".


> If people didn't want web notifications, they wouldn't have been explicitly added in to the specs.

Which people? The developers or the end users? It's a cliché but I can't see my non-techie mom or dad, or cousins, aunts, uncles ever wanting website notifications on their laptop, not even for gmail.

So now everybody gets alerts to accept notifications so those 0.001% techies/devs who want them can use them? They could enable it themselves.

The _very few_ sites include also techcrunch and others. I see people thinking they got a virus because they're getting notifications on their OS by a website they've accepted by mistake.


Do you see sites asking for notification permission that often?

For me it's very rare, and >75% of the time that a site asks for that permission I want to grant it.


Then you can set your consent to always deny. This isn't that hard.


Obviously but I mean why disable it when you can instead post snide, edgy, holier-than-thou diatribe on the internet?

/s


Because sane and non-intrusive defaults matter.

And also because "always deny" or "turn off" is too blunt a tool.

And because the HN crowd is full of people that design and code such defaults in their apps (including lots of browser developers), and their webpages.

It's not a forum with people merely looking for the quickest solution to solve a personal problem with how their browser behaves.

But why think about those issues when you can instead post snide, edgy, holier-than-thou snark on the internet?


Chrome's implementation of "always deny" isn't particularly blunt as a tool; you can still turn it on for sites on an individual basis.

The default of "ask" is ideal for me and most users. Judging from the number of downvotes you've received in this thread, it seems like your preference isn't particularly common. It doesn't seem too much to ask you to change a setting in Options to accommodate your uncommon preference.


I agree entirely. Maybe we'll be lucky and they rip the feature entirely out soon like the app launcher no one wanted: http://blog.chromium.org/2016/03/retiring-chrome-app-launche...


I like knowing when I have new e-mails.


I don't, I like having long stretches of time without distractions. Then I can choose when I want to catch up on mails and when I want to get to work. Please let me keep browsing the web like this too.


Turn off JavaScript. Websites can only distract you if you give them permission to execute code on your computer.


You keep suggesting this in replies but I don't know if you're actually serious or not. Disabling Javascript will break the vast majority of websites today from even rendering. Asking users to break rendering of the web just to stop annoying notification permission requests is silly.


I don't understand what you want.

You say you don't like distractions but there are dozens of ways a webpage can distract you. They can throw an alert() at you and you are forced to deal with it. This is much worse than an ignorable permission prompt.

If browsers were to remove alerts, remove all types of features that need notification dialogs, web pages could still throw a modal dialog over its content.

What you are asking for: a web with JavaScript but somehow with "distractions" prevented, is impossible. The second you allow someone to execute code on your computer, you are allowing them to do things that you might dislike.


I'm not asking that notifications be completely removed from the spec. I'm pointing out that popping a distracting dialog when you visit the root of a domain is a poor design decision that should be re-evaluated. We don't do it for SSL, RSS, favorites, and plenty of other information about a site. I don't see why web notifications are so important they need to distract people immediately upon visiting the site.


>I don't understand what you want. You say you don't like distractions but there are dozens of ways a webpage can distract you. They can throw an alert() at you and you are forced to deal with it. This is much worse than an ignorable permission prompt.

Did you see us anywhere else rooting in favor of alert() windows?

If not, how are we contradictory, or how is that they are ALSO annoying relevant? We are both against those AND against notifications. How's that hard to understand?

Yes, there are lots of ways a browser can distract us. That's why we want to remove some of them. A few, like the option of a modal window, we consider necessary evil -- but still, we'd advise against developers overusing it.

That doesn't mean we can't complain about other distractions. Like autoplay on videos and music, bad contrast, intrusive apps, etc.

Also, taking something out or making something slightly more difficult to achieve still has merit for eliminating it, even if there are workarounds. It's not "all or nothing".

The "blink" tag got killed too (FF killed it first back in the day IIRC), despite the fact that it was part of the web standard or that it could be replicated easily with JS and CSS. And guess what? We don't see the same effect as much now -- even though it's 100% possible, and takes 1 line of CSS animations to achieve.

>What you are asking for: a web with JavaScript but somehow with "distractions" prevented, is impossible. The second you allow someone to execute code on your computer, you are allowing them to do things that you might dislike.

And a world without bullying is also impossible. As long as people are people, some are stronger etc. This doesn't mean we can't or shouldn't fight against it.

The world is not "all or nothing", either no distractions at all for some Gopher-era experience, or full blown access to all kinds of bells and whistles for distraction...


That's actually the use case for Safari Read mode, right? Just the article to read, not "next page", ads, popup or anything.


-- My head aches.

-- Cut it off.

Ever occurred to you that people might want behavior X without something else that often accompanies it, but doesn't necessarily go along with it?


I like to use Facebook chat on the web and get the same benefits of FB Messenger (e.g. notifications) without having to use the mobile app. The app strips away far more privacy rights than I'd like whereas I have a lot more control with browsers.


The way I see it, I'd rather a notification than an email.

In a child comment you write: "How about the site NOT bothering me in the first place? Not even for my consent?"

They ask for my email all the time, which IMO is more annoying.


I worked with Robert at Mozilla for many years. He might be the most talented software engineer I've ever met, and he's a strong candidate for nicest person as well. An absolute pleasure to work with. Mozilla will miss him dearly but some other project (apparently rr) just got really lucky.


rr is roc's baby ;-).


Head of Let's Encrypt here.

We considered introducing a site seal because it's a common request but we've decided not to do it (at least for now) for reasons similar to many in this post.

It's hard to design a seal that accurately conveys the value added to a site's security by a CA, and the potential for abuse is high. A CA seal either means nothing or implies too much because having a cert from a trusted provider is just one part of what it means to be a secure website.


Don't do it!

I want Let's Encrypt to do what it is supposed to: free automated certificates. Let third party tools (like Qualys SSL Labs) rate how good it is.


Head of Let's Encrypt here.

We were aware of the "google.com.mg" cert soon after it was issued. We didn't revoke the cert for the same reason we don't revoke most certs: as far as we can tell, the cert was issued to the entity properly controlling "google.com.mg". Whether or not that is Google (the company) is not really within our purview.

That said, in this case, as a courtesy, we did notify Google employees and made the decision to report the site to Google Safe Browsing. GSB and SmartScreen are the right places to deal with things like this.

IIRC GSB did block the site for a while, but that block seems to be gone now.


> Whether or not that is Google (the company) is not really within our purview.

Hi Josh. This is mentioned in the third paragraph of the article, but it looks like HN didn't read that far, so probably worth mentioning it again.

I didn't mention LE specifically out of respect for the work you guys are doing, but since you've posted here: why wasn't this flagged as a High Risk Certificate Request before issuing per Baseline Requirements 4.2.1?

Also where is the High Risk Certificate Request check available in the LE source?

Thanks!


Here is a more complete explanation of Let's Encrypt's views on the subject.

https://letsencrypt.org/2015/10/29/phishing-and-malware.html

