  • [MUSIC PLAYING]

  • ANNOUNCER: This is CS50.

  • DAVID MALAN: Hello world.

  • This is the CS50 Podcast, episode 4, zero indexed.

  • My name is David Malan.

  • And I'm here with CS50's own Colton Ogden.

  • COLTON OGDEN: David, I'm curious what the first browser that you ever used

  • was.

  • DAVID MALAN: It was probably like Netscape 1.0 or something.

  • COLTON OGDEN: Netscape Navigator?

  • DAVID MALAN: Maybe, or even one of its predecessors,

  • one of the very first prototypes of a browser.

  • But it was old school for sure.

  • COLTON OGDEN: This would have been on a Windows computer.

  • DAVID MALAN: Gosh, probably.

  • Well, I started off life using Macs, and then I

  • switched I think in college to using PCs and Windows.

  • And then, eventually, I think after a few years of teaching CS50

  • did I switch back to Mac.

  • So--

  • COLTON OGDEN: I think the meme is that there are

  • a lot of browsers that have come out.

  • There are a lot of popular browsers these days--

  • Chrome, Firefox, Opera, Edge.

  • On that list is not a particular browser of quite a bit of infamy,

  • that browser being Internet Explorer.

  • DAVID MALAN: Yeah, that one proved the bane

  • of most developers' existence for some time

  • because it was just so non-compliant when it came to certain standards.

  • And Microsoft really did its own thing with various interpretations

  • of the HTML and/or CSS specs.

  • I remember even we had struggled with that for some of our own web apps.

  • Like you'd get it working on Firefox.

  • You'd get it working on Chrome.

  • You'd get it working on Opera.

  • But, damn it, it doesn't actually work as you expect

  • in IE, especially IE6, version 6.

  • COLTON OGDEN: Indeed.

  • I mean, we used to even use BrowserStack internally, which is a website that you

  • can test on multiple--

  • you can sort of look in a browser and see

  • it working on multiple actual browsers.

  • DAVID MALAN: Yeah, no, and that was in large part because of that,

  • especially if a lot of us develop here on Macs.

  • And so it wasn't really easy to run Internet Explorer, let alone

  • any Windows-based browser.

  • But, yeah, we had some third-party help with that, which was handy.

  • COLTON OGDEN: Yeah, and IE6 was the particular offender because they did

  • have IE7.

  • They did have IE8.

  • And, from what I remember, they improved on some of the noncompliance

  • that IE6 sort of bore at the time.

  • But what's funny is this week, in doing some research for the podcast,

  • I came across an article--

  • a blog post, rather, by Chris Zacharias.

  • DAVID MALAN: Yeah, no this was wonderful--

  • "Conspiracy to Kill Internet Explorer 6."

  • COLTON OGDEN: Indeed.

  • He is a former YouTube employee.

  • And this is back in 2009-ish.

  • And, back then, I mean YouTube was huge.

  • You know, it started around 2005, 2006, but 2009 was really

  • when it started to kick off.

  • DAVID MALAN: Yeah, and I think, as the story goes,

  • they had just been YouTube acquired by Google.

  • And they were in the process of being integrated into Google's

  • own software-based workflows.

  • But enough of the developers on the YouTube team

  • were just completely fed up it seemed with having

  • to support IE6, which was still a non-trivial percentage of their user

  • base.

  • And I think, understandably, YouTube and presumably in turn Google

  • didn't want to deprecate support for IE6 because there's

  • a lot of employees at companies whose systems are pretty locked down.

  • There's teachers in schools whose computers are pretty locked down.

  • So there's a lot of users out there who can't just follow your instructions

  • to update to another browser.

  • They need like the IT department to actually do it for them.

  • So it was an understandable business concern.

  • But, as I understand it, the developers wanted nothing to do anymore with IE6.

  • And so they started sneaking into YouTube's own code base

  • a little banner advert essentially urging

  • IE6 users to upgrade to any number of suggested other browsers.

  • And they gave some direct links.

  • COLTON OGDEN: Yeah, no, it was pretty crazy.

  • And one of the stories that Chris even talked about in his blog

  • is empty source tags in images would just

  • load whatever the document root was.

  • And this would have the effect of essentially recursively loading,

  • similar to an iframe, all of the server's contents.

  • DAVID MALAN: Yeah, and that was just one of the bugs

  • I think that kept tripping them up.

  • COLTON OGDEN: And that one had the--

  • from what I remember reading, it actually

  • could cause blue screens of death on Windows machines.

  • DAVID MALAN: Yeah, no, I believe it.

  • And I'm amazed that bugs like that persist.

  • And, even if they do eventually get fixed though,

  • if you have a lot of systems out there that are not 100% up to date,

  • then you're stuck dealing with these kinds of issues.

  • But what was funny, I thought, about the blog post disclosure years later,

  • after which they couldn't really get all that into trouble,

  • presumably, was how, coincidentally, the Google Docs team had recently

  • started advertising a similar message on top of Google Documents,

  • which of course was already owned by Google.

  • And that too was encouraging users to upgrade

  • to a newer version of a browser.

  • So they kind of snuck in under the radar there, but, even when it was detected,

  • it sounds like there was some internal tensions with the lawyers,

  • with the managers.

  • But, in the end, it kind of worked out OK.

  • But it's kind of a fascinating--

  • I think, if you take a step back at it, it's

  • kind of a fascinating risk for any company.

  • Unless you are constantly auditing your own lines of code,

  • or you have really a robust process in place,

  • it's possible for one or a few developers

  • to slip something past the others, for better or for worse.

  • Now this seemed to work out for the best in the end.

  • In fact, I think you noted IE's usage plummeted actually,

  • coincidentally or causally, after this particular change because YouTube

  • was so popular.

  • But you could imagine some adversarial employees

  • using this power of the ability to change their code base for more

  • evil purposes, if you will.

  • COLTON OGDEN: Yeah, and, on that note, I can certainly

  • understand why companies, especially as large as Google or Facebook,

  • want to instate these code review processes and ensure that this doesn't

  • happen and to make sure there are no sort

  • of committing back doors to production, directly to production, so to speak.

  • DAVID MALAN: Yeah, absolutely.

  • We just spoke recently about a new feature

  • that you can use on sites like GitHub where

  • you can have the notion of code ownership

  • so that, if a colleague changes a particular file or a line of code

  • really that you or I wrote, we can actually

  • have the whole pipeline notify us before that change to code is approved.

  • But it seems like the YouTube team here benefited from a bit of superpowers

  • when it came to who could actually push code,

  • probably some changing processes because it's not that easy presumably

  • to integrate an acquisition like YouTube into Google.

  • So they had this window of opportunity where they were actually

  • able to do something very developer friendly, but not necessarily

  • managerial or lawyerly friendly.

  • COLTON OGDEN: Indeed, I like to think it turned out well in the end.

  • DAVID MALAN: It did.

  • In fact, no one really worries about IE6 anymore,

  • let alone IE, which has now been replaced by Edge.

  • And even Edge now is based in part on the same core processor

  • that essentially Chrome itself is.

  • So things are starting to converge perhaps, which is interesting.

  • COLTON OGDEN: Indeed.

  • And I mean even modern browsers aren't immune to sort

  • of some of the issues that plague--

  • I guess any software at large, you know, every piece of software

  • is susceptible to issues.

  • In particular, this week, Firefox had a major issue over the weekend.

  • DAVID MALAN: Yeah, I heard that someone didn't

  • renew their certificate, so to speak.

  • COLTON OGDEN: Indeed.

  • So Firefox ships with a certificate that sort of basically

  • verifies that the add-ons that are installed onto the browser

  • are verified by Mozilla as being legitimate and not malicious.

  • And it turns out that they forgot to renew that certificate over the weekend

  • or by the weekend's arrival.

  • And, therefore, all Firefox users sort of over time,

  • because it doesn't happen immediately, but, within about a 24-hour period, all

  • of their add-ons were no longer functioning.

  • DAVID MALAN: I know.

  • And that's a pretty big deal because the people are

  • relying on add-ons or extensions or plug-ins,

  • however you want to think about them.

  • To have all of your features stop working

  • is not that exciting or not that good.

  • And I should concede that this is a not uncommon problem.

  • At least, I like to think I'm in good company

  • here because I have, for instance, been guilty of not renewing

  • some of our certificates in time.

  • In fact, this happened just a few months ago

  • where one of our certificates for CS50's website, so similar in spirit

  • in that these things too have an expiration date just like code signing

  • certificates can, I had set a reminder to actually renew this certificate.

  • And I thought we had migrated all of our certificates

  • to an auto-renewal process on Amazon's cloud platform.

  • And so I literally kept ignoring, ignoring, ignoring the email reminders

  • that I was being sent because I thought we had automated it all.

  • But, nope, it turns out that one certificate was not

  • yet configured to auto-renew.

  • And so, at the stroke of midnight or whatever it was,

  • the darn thing stopped working.

  • We and some of our students noticed.

  • And, thankfully, it only took a few minutes to fix,

  • but it turns out that constant email reminders and a Google Calendar

  • reminder is not sufficient, at least when I'm in charge of the certificates.

  • COLTON OGDEN: Yeah, no, problems like that are somewhat easy to solve.

  • Unfortunately, Firefox had some problems because their certificates

  • were actually deployed with the browser itself.

  • They had to remote deploy a new certificate

  • through their sort of system called--

  • what's the series called?

  • I think it's called series, actually.

  • I don't think I wrote it down here.

  • But the system is called Normandy.

  • And they have a system that allows them to actually

  • remote deploy the new certificates.

  • Or, actually, well, it lets them perform research studies.

  • Studies was the name of it.

  • They have a tool called Studies, which allows them

  • to remote deploy and remote test sort of behavior in folks' browsers.

  • And this allowed them to ship a new certificate, which

  • they signed because this is actually technically an add-on, this feature.

  • They signed this with a new certificate that they then

  • shipped with this feature.

  • DAVID MALAN: I see.

  • COLTON OGDEN: Yeah, but it's interesting that, somewhere in the process,

  • there's presumably someone who had set a reminder that didn't quite go off

  • or didn't quite get noticed.

  • So it happens to the best of us, perhaps.

  • DAVID MALAN: Yeah, thankfully, Mozilla, in their blog where they sort of break

  • down this process, à la how Facebook recently broke down

  • how their passwords were stored in plain text, they outlined sort of the ways

  • that they got this right, I guess, in fixing the problem,

  • but they also did disclose the issues that they faced

  • and ways that they would approach making sure that it doesn't happen again.

  • COLTON OGDEN: Yeah, no it was really, to their credit,

  • a nice post-mortem online, so to speak, which is worth reading.

  • If you go to hacks.mozilla.org, you can find it under the May 2019 listings.

  • DAVID MALAN: Indeed.

  • We don't really use Chromebooks here at CS50,

  • but we have some of them lying around.

  • We've seen some folks using them, but Chromebooks

  • have up to this point, up until fairly recently,

  • been a fairly limited operating system in as much

  • as they're essentially Chrome on a computer.

  • COLTON OGDEN: Yeah, dedicated.

  • So it's meant to be used really only in cloud.

  • There isn't any client-side software or at least the appearance

  • thereof, even though there actually is, even

  • though it supports Google Docs and Gmail and Google Calendar

  • and some other apps too that can be used offline.

  • But, of course, you can't actually send and receive