
January 11, 2017

Best ecommerce landing page of 2017

Filed under: webdev — Benjamin Vulpes @ 9:46 p.m.

I have discovered a gem: www.bikesdirect.com. Chrome loads and parses the DOM within 166 ms, and the whole page loads over my residential straw of an internet pipe in 2.22 seconds[1].

It even works without JavaScript.

Nobody ever said that you have to import all of the Frontend Community's bad decisions to sell online. If you're all just reselling crap from China anyways, it's a race to the bottom, and companies with low ongoing costs (e.g., those that refrained from biting off expensive-to-maintain "cutting-edge dynamic browser experiences") will beat the pants off those whose websites go down For Reasons or only work on the fastest modern computers running the absolutely latest version of Chrome.

  1. For contrast, a highly unscientific sampling of other Web 2.0 properties:

    site           dom load   full load
    Netflix.com    1.83s      9.91s
    Instagram.com  .781s      1.58s
    Facebook.com   .635s      1.16s
    Yahoo.com      2.80s      12.76s
    Google.com     .653s      1.55s
    Bing.com       .427s      .427s

    Gaze ye at the runner-up: Bing. Not only is it faster on homepage load but it's been giving me better results than Google of late. The fuck kind of weird world do I live in anyways.

January 8, 2014

best modal evar

Filed under: webdev — Benjamin Vulpes @ 12:00 a.m.

The 90's seem to be making a resurgence. The Drinking Record, Bootstrap: Geocities… and now this:

[image: best_modal]

January 2, 2014

Log in with Crypto: Only Moderately Bad Ideas Edition

Filed under: webdev — Benjamin Vulpes @ 12:00 a.m.

Ars reported on the FIDO group's work recently:

To register with a FIDO site, you won't enter a password into the site. Instead, hitting register will alert your authentication devices—typically an app on your smartphone—of the attempt to register. If that attempt is approved (for example, by using a registered fingerprint or entering a PIN), the device will generate a public/private key pair. The public key will be sent to the online service; the private key will be retained on the authentication device.

Given the thing various kooks have been screaming about since I crawled out of the primordial soup of middle school and gazed in wonder at the Internet[1], that all your boxen are belong to NSA, storing private keys on known-compromised devices is the best indicator that FIDO Alliance itself is a front of the arm of the USG responsible for social engineering attacks against the security toolchain.

It's not entirely a bad idea; in fact, barring the storage of private keys on phones[2], logging into a website with your public key should be standard operating procedure - it's 2014 for chrissake! Sadly, computer illiteracy is the order of our situation and doesn't look to be getting better any time soon. How then to take this good idea (well-crapified by the typical industry groups and their state handlers) and implement it in a way that doesn't suck massive?
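As an added example (my own code, not the post's and not anything FIDO ships), here is the register-then-log-in flow the quoted passage describes, written in Go with Ed25519: the server stores only the public key, the private key stays inside the authenticator, and each login signs a fresh single-use nonce. The function names and the in-memory maps are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// NewAuthenticator stands in for the device: the caller receives the public
// key and a signing closure, never the private key itself.
func NewAuthenticator() (ed25519.PublicKey, func([]byte) []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return pub, func(m []byte) []byte { return ed25519.Sign(priv, m) }, err
}

// Server-side state (assumed in-memory): public keys plus one live nonce per
// user. A dump of these tables contains nothing that can be replayed as a login.
var keys, pending = map[string]ed25519.PublicKey{}, map[string][]byte{}

// Register binds a name to a key exactly once, so nobody can overwrite it.
func Register(user string, pub ed25519.PublicKey) error {
	if _, taken := keys[user]; taken {
		return errors.New("user already registered")
	}
	keys[user] = pub
	return nil
}

// Challenge issues a fresh 32-byte nonce that the device must sign verbatim.
func Challenge(user string) ([]byte, error) {
	if _, ok := keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pending[user] = nonce
	return nonce, nil
}

// Login consumes the nonce either way, so a captured signature cannot be
// replayed and a wrong guess cannot be retried against the same challenge.
func Login(user string, sig []byte) error {
	nonce, ok := pending[user]
	delete(pending, user)
	if !ok || !ed25519.Verify(keys[user], nonce, sig) {
		return errors.New("login refused")
	}
	return nil
}
```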

An answer would be The Cardano[3] - a hardware encryption, decryption and signing device designed for use in hostile computation environments (that'd be most). The device in question generates and maintains a public/private keypair from the on-board battery[4]. Interacting with the device is done through USB. Plug it in, acquire the public key. Drop an encrypted file on the filesystem so mounted, and if it matches your key, the Cardano will decrypt it. Drop some plaintext onto the mounted filesystem and get it signed by your stored private key. The final piece in the encryption toolchain is the "fry/reset" process: at any time, the owner of a Cardano can depress the fry button and the Cardano will wipe its storage and generate fresh keys[5].

The operating principle is that the Cardano guarantees electronic security if you guarantee physical security. The device comes equipped with a "fry" button for wiping your private key from the machine - a necessary feature in the event that one wants to operate the device in a physically hostile environment[6].

On top of all of this lovely limited featureset, the Cardano touts a rather impressive RNG[7]. This matters given that your Macbook's internal RNG has been ruined by the all-seeing American apparatus to keep you from (among other neat things) generating sufficiently high-quality SSH connections, SSL connections, or attaching to wifi access points in a way the NSA can't eavesdrop upon.

So there's this industry group who wants you to keep your keys on your phone, and then there's this tiny little operation that may one day ship a hardware crypto device that does all the things the industry group's mobile application will do (once they get around to releasing the standard, that is). Given that your keys are your passport to the cryptostate, you should probably consider in depth whether or not you feel like leaving those on a mobile device whose non-volatile storage is trivially dumped remotely.

Footnotes:

  1. I think we were still capitalizing it at that point.

  2. huehuehue

  3. I stand to profit from this device's success.

  4. The onboard battery is necessary to keep noise from the power system leaking into the RNG and ruining the quality of numbers so randomly generated, among other things.

  5. This has the lovely side effect of rendering intercepting the shipment of your Cardano a pointless exercise. Best practice would be to fry the keypair a few times upon receipt of the device, and to run the public keys so generated through Phuctor for good measure.

  6. Although it'd behoove anyone operating in that hostile of an environment to keep a finger on the fry button and maybe hire some personal defense.

  7. Some resources for further exploration here. Links are rotting away as we speak though.

---