My Browser Builds (Part 4)

[AstroSkipper]

34 minutes ago, j7n said:

I don't have that. Is it stable? Last time I read about it people mentioned that it crashed.

No, it is very stable in single-process mode. In multiprocess mode, it has become more stable than before. Here is my last post about the most recent version Mypal 68.13.2b: 

 

[Mathwiz]

15 hours ago, Dixel said:

Moreover, in 360 it can be forced to proceed with unsafe certs with a flag (which they might have done with an XP version, at least).

5 hours ago, VistaLover said:

The v13.x variants (Ch86-based) are known to produce the infamous "red X" icon in their URL bar over many HTTPS connections, and such reports are common inside the 360EE subforums  ... The fact they do connect implies that secure negotiation is, in essence, broken under XP (it is silently by-passed  ) ...

That has to be it. Under Bk, html5.com just won't work; under 360Chrome, it does come up with an obvious "not secure" icon where the padlock should be:

This was actually under Win 7, but it is one of NHTPG's versions. I couldn't figure out how to find out exactly what was triggering the "not secure" icon in Chrome, but an expired certificate seems like the most plausible cause.

I guess since it's under Win 7, I could remove the --ignore-certificate-errors flag; but then html5test.com wouldn't work under Chrome either!

[VistaLover]

1 hour ago, Mathwiz said:

Under Bk, html5.com just won't work;

If you must use "html5test.com" on Serpent 52 (and the rest of the UXP-based browsers), you can simply use the plain HTTP version of the test suite ; all connections work via plain old HTTP, even the ones to "api.whichbrowser.net":

Edited July 16, 2023 by VistaLover

[Mathwiz]

That's interesting. Https has become so ubiquitous I'm surprised there are any sites left that still support plain http.

In fact I just tried it on St 55 and it immediately redirects to the (non-working) https: site here. Using just the IP address (http://37.230.96.101/ for me) did the trick though.

FWIW, html5test.com's tests aren't always accurate. It says St 55 doesn't support WebP images, for instance, even though it does.

Edited July 17, 2023 by Mathwiz

[VistaLover]

10 minutes ago, Mathwiz said:

In fact I just tried it on St 55 and it immediately redirects to the (non-working) https: site here.

... I just hate it when I have to contradict you , but latest Serpent 55 works as intended here with the plain HTTP version of "html5test.com":

http://html5test.com/

Either "you" have an extension/extension setting that forces HTTPS on connections, or "I" have, in both St52+55, a "custom setting" that doesn't forcibly redirect to the secure version of a site (when it exists...); try on a fresh St55 profile, perhaps ?

[Mathwiz]

HTTPS Everywhere, perhaps? (After all, that's what it's supposed to do.)

That extension is no longer developed. "Modern" browsers don't need it, but I think it's still useful on older browsers (or browsers based on them, like ours). Usually you want the https: version if available. Luckily, it can be disabled for specific sites like this one.

And after a couple of reloads, it works!

Strangely, though, HTTPS Everywhere didn't force an https: connection when using the IP address; only when using the host name.

[Saxon]

7 hours ago, Mathwiz said:

"Modern" browsers don't need it, but I think it's still useful on older browsers (or browsers based on them, like ours).

They definitely don't, while the older ones can have troubles with mixed content on pages. Is this the case? Did you check all connections on that page? Do you use adblock? And check whether it could also be a remote font issue.

[UCyborg]

Don't these browsers simply respect your choice for HTTP rather than switch to HTTPS whenever possible? BTW, http://html5test.com/ doesn't respond to Upgrade-Insecure-Requests header. Also, when the main site is not the issue, eg. api.whichbrowser.net in this case, you can visit the security settings, the dialog with certificates, on the Servers tab, you can add an exception if you want the browser to ignore the expired certificate.

3 hours ago, Saxon said:

They definitely don't, while the older ones can have troubles with mixed content on pages. Is this the case?

Not in this case I think.

BTW, these browsers block insecure (meaning HTTP) active content by default (scripts). There's an override in about:config->security.mixed_content.block_active_content.

---

Regarding 2FA, yeah, not a fan of having online services tied to another device or anything else beyond a password, which I think is still safe if the user is mindful. But banks enforce it because EU wants to and it seems like switching banks more likely than not just means you need another app. Maybe there are still banks that offer to send a SMS rather than having to rely on an app which has to have encrypted stuff stored on the device and if that stuff is gone, you're locked out. Though it's the same with SMS if the phone goes kaput, but at least no worries about activating the damn app.

[Mathwiz]

13 hours ago, UCyborg said:

Regarding 2FA, yeah, not a fan of having online services tied to another device or anything else beyond a password, which I think is still safe if the user is mindful.

There should be an option for 2FA, particularly on email sites, but it shouldn't be mandatory. Let the users decide how much security they need.

OTOH, 2FA would've saved Hillary Clinton a ton of grief when Podesta got phished back in 2016, so maybe 2FA should be "encouraged," at least on non-personal accounts. The email service could require more frequent password changes if 2FA isn't used, for instance.

[Mathwiz]

13 hours ago, UCyborg said:

Don't these browsers simply respect your choice for HTTP rather than switch to HTTPS whenever possible?

Per Wikipedia:

Quote

Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023.-

So it's an optional mode on "modern" browsers. Also, many sites specify "strict transport security," one effect of which is to automatically upgrade http connections to https on that site, once a successful https connection has been made.

[VistaLover]

14 hours ago, Mathwiz said:

one effect of which is to automatically upgrade http connections to https on that site,
once a successful https connection has been made

Relevant info on HSTS:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Emphasis put on the "note":

Quote

Note: The Strict-Transport-Security header is ignored by the browser when your site has only been accessed using HTTP. Once your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honour the Strict-Transport-Security header. Browsers do this as attackers may intercept HTTP connections to the site and inject or remove the header.

[feodor2]

On 15 Èþëü 2023 ã. at 7:53 AM, basilisk-dev said:

I understand your desire to focus on MyPal rather than having your time split between two browsers, but if you ever have the desire to continue Centaury development you have my full permission to do so.

Good to know, but what about the actual developer Moonchild or you are is he if i did not know.

I may be wanting to rebuild Centaury after i shall make Mypal68 become stable complete version.

 

What do you all think? What about Waterfox classic or Basiliks?

[dmiranda]

I think the more variation in browsing-sources and experimentation, the better. That is the magic of FOSS.

[AstroSkipper]

13 hours ago, feodor2 said:

I may be wanting to rebuild Centaury after i shall make Mypal68 become stable complete version.

 

What do you all think? What about Waterfox classic or Basiliks?

Hello @feodor2! I would be very happy if Mypal 68 was completely finished first. There are still a few things missing, such as automatic updating of extensions, Internationalisation & Localisation, and so on. But I would be very pleased about further development on Centaury and Waterfox, too. The more different choices in Windows XP, the better. Especially if the coder is such talented as you. 

[UCyborg]

On 7/11/2023 at 10:53 PM, VistaLover said:

OT2: @basilisk-dev : I honestly hope you're not located in those parts of The States afflicted by record high temperatures... If you are, I can surely empathise, since from July 12th a very intense and prolonged heatwave, originating from Northern Africa/The Sahara Desert, will find its way towards my area of the world... Anyone still thinking "Climate Change" is safely many years to come?

No. You may come to stormy Slovenia if you got bored of the heat.

---

Was anyone on their Dropbox recently (those that have the account)? I didn't see the logout button/link/whatever was supposed to be there. Was sleepy and didn't check the rendering on Firefox. I logged out by navigating to https://www.dropbox.com/logout.