libreplanet-discuss

Re: media.libreplanet.org non-requested confusing auto download issue


From: Miroslav Rovis
Subject: Re: media.libreplanet.org non-requested confusing auto download issue
Date: Wed, 5 May 2021 16:08:52 +0200

On 210505-11:17+0300, Jean Louis wrote:
> * Miroslav Rovis <miro.rovis@croatiafidelis.hr> [2021-05-04 19:58]:
Hi Jean!
> > 
> > I've tried to find out who the webmasters are on the
> > related main page and around with no success, so I'm
> > asking about it here.
Still not clear about who the webmaster is.

But since you're on bugs at gnu (as your email says), I hope
my lead and your explanation is sufficient to make the
change, and I hope it will just happen, silently is fine for
me. 

> > https://media.libreplanet.org/u/libreplanet/m/locking-the-web-open-a-decentralized-web-that-can-operate-as-free-software-does/
> 
> This is because their webmaster have designated all video links to
> automatically preload:

This is the (small) modification to put in effect: 
> preload="auto"
> 
> instead it should be:
> 
> preload="none" or
> preload="metadata" to get only some basic information of video
> 
> and they should use poster option to let the user see only a
> screenshot from video.

It is this: 
> The problem is that people working on those websites usually have
> enough money and very good Internet and they assume that all of the
> planet is the same, somehow funny when conference is planet related. 
> 
> In many countries people pay good amounts for data, and often Internet
> is not fast, it could take many hours to load such video.
It is also that analysis is more than an order of magnitude
slower than simple browsing. I can't know what I take into
my machine quickly even with year 2020 launched modern
(commodity) processor machine (AMD Ryzen 7 Pro 4750G), with
unnecessary preloading like this, that only analysis can
tell what it (likely) is.

What I mean is, it took a couple of minutes to
preloading-imposed download into browser cache a good
portion of grandsun1715.webm file, but when, seeing the
quick growing of the network trace and understanding that
some unexpected traffic was happening, I cut the network
connection (physically), and went on to analyse with
Wireshark and some scripts of mine, it took me many hours to
reach my conclusion, because Wireshark, Tcpdump, and
others are good tools, but the network is not optimized for
analysis, it's optimised for quick use, not analysis...

So, many hours it took me to analyze and reach my
(probable) conclusion, including the failed decryption of
exactly the huge unexpected download. That basically means
that possibly there was MiTM and spoof that happened as
well. Hope not, but theoretically possible.

To me, knowing what gets into my machine --and the
browser is the most used for intrusion, has the attack
surface ridiculously huge and hard to control-- is as
important as free software and hardware. Free software and
hardware must be safe, else my freedom can easily be
compromised and hence it's not freedom anymore. [*]

> This is the accused snippet:
> 
>   <video controls
>          preload="auto" class="video-js vjs-default-skin"
>          data-setup='{"height": 720,
>                      "width": 1280 }'>
>     <source src="/mgoblin_media/media_entries/2335/grandsun1715.webm"
>             type="video/webm; codecs=&#34;vp8, vorbis&#34;"
>             />
>     <div class="no_html5">Sorry, this video will not work because
>       your web browser does not support HTML5
>       video.<br/>We recommend you install a <a
>       href="https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats">freedom-respecting browser which supports free formats</a>!</div>
>   </video>
> 
> If you have some extension in the browser, you may protect yourself. 
> KB
> 
> In Firefox-based browsers, it is possible to change the behavior by
>   going to Preferences ↝ Privacy & Security ↝ Permissions ↝ Autoplay
>   and then blocking both audio and video.
Good advice.

[...]
> - MediaGoblin or webmasters should not impose auto preloading;
> 
> 
> Jean
> 

-------
 
[*] I must depart on this tangent here.
  I know I belong to very rare kind of people who try to
  control their machines by, among other things,
  (continuous) network inspection, which means
  TLS-decryption of (all) traffic and reading what happened.

  The Freedom of users need people who will do this. I use
  Pale Moon, and I also use Firefox nightly (much less,
  because the maverick Pale Moon inspires much more confidence
  to me than big tech Mother of his), because, apart
  from Google's Chrome (which is out of consideration for
  me, Google is the world's top unofficial spying company,
  covered by advertising)
  they are the only easily set up TLS-decrypting browsers
  that I currently know of.

  For less familiar readers:
  https://wiki.wireshark.org/TLS
  
  Debian Firefox package and I also think other even freer
  browsers do not have TLS decryption available other than
  if you patch them and recompile. And not simple patches are
  needed any more (as it used to be several years ago), but
  very complex.
  
  So if anybody familiar with browser authoring/packaging and
  TLS read here, bear in mind this issue when
  creating/rewriting or packaging a browser that will
  fully serve libre users.

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
my PGP-key:
https://www.croatiafidelis.hr/FCF13245ED247DCE443855B7EA9884884FBAF0AE.asc

Attachment: signature.asc
Description: PGP signature
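
Added example, not part of the original message or of MediaGoblin: a small Python audit a webmaster could run over rendered pages to find media elements that preload eagerly, as the quoted snippet does. The `/constructed/` paths, the `audit` and `flagged` names and the verdict labels are assumptions made for this example.

```python
from html.parser import HTMLParser

EAGER = {"auto", ""}            # in HTML an empty preload value means "auto"
ON_DEMAND = {"none", "metadata"}

class PreloadAudit(HTMLParser):
    """Record every <video>/<audio> element with its preload policy."""
    def __init__(self):
        super().__init__()
        self.media, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("video", "audio"):
            preload = (a["preload"] or "").strip().lower() if "preload" in a else None
            if preload in ON_DEMAND:
                verdict = "ok"
            elif preload in EAGER:
                verdict = "eager"   # whole file may be fetched without a click
            else:
                verdict = "unset"   # missing or invalid: the browser decides
            self._cur = {"tag": tag, "line": self.getpos()[0], "preload": preload,
                         "poster": "poster" in a, "verdict": verdict,
                         "sources": [a["src"]] if a.get("src") else []}
            self.media.append(self._cur)
        elif tag == "source" and self._cur is not None and a.get("src"):
            self._cur["sources"].append(a["src"])

    def handle_endtag(self, tag):
        if tag in ("video", "audio"):
            self._cur = None

def audit(html):
    parser = PreloadAudit()
    parser.feed(html)
    parser.close()
    return parser.media

def flagged(html):
    return [m for m in audit(html) if m["verdict"] != "ok"]

# First element follows the snippet quoted in the thread; the rest is constructed.
SAMPLE = '''<video controls preload="auto" class="video-js vjs-default-skin"
       data-setup='{"height": 720, "width": 1280 }'>
  <source src="/mgoblin_media/media_entries/2335/grandsun1715.webm"
          type="video/webm; codecs=&#34;vp8, vorbis&#34;" />
</video>
<video controls preload="none" poster="/constructed/poster.jpg">
  <source src="/constructed/talk.webm" type="video/webm" /></video>
<audio controls src="/constructed/talk.ogg"></audio>'''

if __name__ == "__main__":
    for m in flagged(SAMPLE):
        print(m["line"], m["tag"], m["verdict"], m["sources"], "poster:", m["poster"])
```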

