How the UX role convinces other departments
by Alex Ewerlöf
Why we should convince our users to update their browsers — it’s a win-win.
Unless you’ve been living under a rock recently, you’re aware of Meltdown and Spectre — two of the most widely deployed security vulnerabilities in computer history. You may also know that this is not just limited to OS-level applications, and on the web it’s as bad as it gets:
A website can read data stored in the browser for another website, or the browser’s memory itself. — Microsoft Vulnerability Research
Firefox 57.0.4 (released on 4th of January) fixed this.
Microsoft released an update for IE and Edge on January 5th.
Safari released 11.0.2 on January 8th, which supposedly protects the users against these issues.
Chrome users have to wait until v64 (released around 23rd of January); but here is a list of what you can do now to limit the extent of the damage to your users.
Update: 2018–01–31: so far security researchers identified at least 130 malwares based on these issues: http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges
Quick notes
- Not all those updates fix all security vulnerabilities, but they are the first action point.
- Updating the browser is just the first step. You need to update your mobile/desktop operating system to protect yourself from a different but wider attack surface: auto-updating apps. Please read more here.
- As we understand the scope of these vulnerabilities better, more patches will come. This story is far from over.
Now the big question for us web developers is: do we keep supporting the users with older browsers that are vulnerable, or do we demand that the users have the latest browsers?
I work at the Identity team of an international company with millions of users. No amount of work I do to secure our services can prevent the user from sharing the data on our site with a malicious or infected site open in another tab.
This might be the single most important side effect of these security vulnerabilities: we may actually have a perfectly valid reason to break the web for people with older browsers.
The history of front-end development may remember this point as when we shifted from the “hippie development era” (I support all browser versions) to the “hipster development era” (I only support the latest browser versions).
This is a huge shift in thinking, specially for us web developers, since we traditionally do our best to involve everyone: responsive design, progressive enhancement, and graceful degradation.
This time it’s different. In the post-Snowden era, we need to take security seriously. Supporting vulnerable browser versions is equal to promoting dangerous online life. It is our job as experts to educate the users and defend them against the bad guys. If sites don’t support the old browsers, the users have to upgrade.
This is a win-win situation:
- Developers get rid of legacy browser support for good
- The users get forced to make an important security decision (hopefully for the good).
If we don’t react quickly, the exploits of these issues will be deployed massively and the effect is beyond our control. The genie is out of the bottle.
This is the VW-scandal of processors
In 2015, Volkswagen was caught cheating on the emissions of their diesel engines. They cheated to make their cars more attractive to buyers. In this one, processor manufacturers “overlooked” some security concerns in their processors so they would have higher performance metrics.
I work at an international company building the login pages. Millions of users use our login to access the services of a wide range of companies. Naturally, my team is very concerned about security. We do our best to keep the system as secure as possible, but no amount of effort can mitigate this kind of vulnerability in browsers. For example:
- The httpOnly cookies are no longer inaccessible from JavaScript.
- The session cookie is super easy for other sites to steal (session spoofing).
- Chrome extensions that keep the passwords are now potentially leaking.
- The very HTML containing the <script> tag is vulnerable, so XSS is a breeze.
Here’s an exercise: see how many of the OWASP top 10 vulnerabilities are now impossible to fix in versions prior to 2018 of any major browser.
Do we really want to serve users who don’t have a recent browser with the risk that the user’s data or our business will be compromised? Or do we (as professionals and experts) take a stand and educate the users about the dangers and guide them to mitigate the risk?
We need to drop support for vulnerable browsers. This will probably face a lot of resistance in a market that has traditionally been very flexible and forgiving towards the user stack (as long as they use our services, we’re good). But someone has to start the change.
The silver lining
In every crisis there is an opportunity. I argue that it’s the coolest thing that has happened to the web development community since ES2015. We all know the pain and cost of supporting old browsers (specially the browsers which are not evergreen):
- We have to bloat the code to shim features that modern browsers already have
- Debugging an older browser using its old-school debugging tools is not far from the experience of driving a car from the scrapyard after driving a modern car
- We can’t rely on browser integrity (IE, I’m looking at you), so we cannot serve some sensitive information at all to certain browsers.
- We have to deal with various CSS/SVG rendering issues
- We have to test edge cases for different browsers just because we support them! There are whole businesses developed around the idea of automating this tedious task with various success/effort ratios.
The module system is now supported by all major browsers. Dropping support for vulnerable browsers has the side benefit of simplifying and modernizing our deployment channels. You may not need to transpile your code at all!
What does it really mean?
It means you can totally rely on async/await being available in your client browser and you don’t have to transpile. It means you can assume class is supported and generators are usable TAX FREE! It means template literals, rest params, … without transpilation, polyfill or any kind of complex toolchain! Web development is simple all of a sudden.
Hell it means you have ES6 modules NOW without Rollup, Webpack, Browserify…
This means a whole new era. I know it’s too early and every cell of your existence is screaming it’s a lie but nope! This is happening. If you want to support users with ancient browsers, do it at your own risk. If you care about your users’ security and your business’ integrity, you get all of that as a reward!
One more thing: HTTP/2 is now officially usable!
OK, it sounds like I’m some sort of hero now, but most of that stuff is already available in the majority of browsers. It’s just that for some weird reason, many developers and product managers assumed that the 2.7% of users (who use IE) actually generate the majority of their business revenue and they should go to great lengths to support them. Sweat no more. Even if you want to, now there’s a huge reason not to!
How?
This essay is more about WHY rather than HOW, but here are some quick thoughts:
- Browser sniffing can be used to detect if the users are running a vulnerable browser. You can then refuse to serve critical data to the users with browsers that can’t keep them safe. Browser sniffing traditionally hasn’t been very reliable.
- Show a notification bar to subtly warn the users; but who would read or react to that? In EU we got used to ignore the cookie notifications!
- Write a test code that actually tries the attack. If it succeeds, it shows a warning (I’m sure a NPM module will show up soon, if it hasn’t already).
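One way to implement the first of those points (a minimum-version gate keyed on the patched releases the post names), as an added example that is not code from the original post; the sample User-Agent strings are constructed, and Edge/IE are deliberately left without a baseline because the post gives only a patch date for them, not a build number:

```javascript
// Added example, not from the original post: gate on the first patched release the
// post names (Chrome 64, Firefox 57.0.4, Safari 11.0.2); Edge/IE get no baseline
// because the post gives only a patch date, so they fall through to "unknown".
const MIN_PATCHED = { chrome: [64, 0, 0], firefox: [57, 0, 4], safari: [11, 0, 2] };

// "63.0.3239.132" -> [63, 0, 3239]; missing or non-numeric parts become 0.
function parseVersion(s) {
  const parts = s.split(".").map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Comparator over the numeric triples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Family and version from a User-Agent. Most specific token first: Edge's UA
// also says "Chrome", Chrome's also says "Safari". null for anything else.
function identifyBrowser(ua) {
  const rules = [
    ["edge", /\bEdge\/(\d+(?:\.\d+)*)/],
    ["chrome", /\bChrome\/(\d+(?:\.\d+)*)/],
    ["firefox", /\bFirefox\/(\d+(?:\.\d+)*)/],
    ["safari", /\bVersion\/(\d+(?:\.\d+)*).*\bSafari\//],
  ];
  for (const [family, re] of rules) {
    const m = re.exec(ua);
    if (m) return { family, version: parseVersion(m[1]) };
  }
  return null;
}

// "ok" at or above the baseline, "vulnerable" below it, "unknown" otherwise.
// Firefox's UA reports only "57.0" even for 57.0.4, so all 57.0.x is treated
// as vulnerable: the sniffing fails closed rather than open.
function classifyUserAgent(ua) {
  const b = identifyBrowser(ua);
  if (!b || !MIN_PATCHED[b.family]) return "unknown";
  return compareVersions(b.version, MIN_PATCHED[b.family]) >= 0 ? "ok" : "vulnerable";
}

// Constructed sample User-Agent strings (not captured traffic).
const SAMPLE_UAS = {
  chrome63: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
  chrome64: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36",
  safari1102: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7",
  firefox57: "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0",
  edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134",
};
```

In a request handler the same classifyUserAgent call decides whether to serve the login page or an update notice; treat "unknown" conservatively, since the reliability caveat above applies to spoofed or unrecognised User-Agents as well.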
Conclusion
Remember how we all reacted when React.js “mixed template and code” in JSX? Sometimes we have to unlearn “best practices,” because the alternative makes more sense. I’m not talking about breaking the web! I’m asking to protect our users before all hell breaks loose. Please give it some thought.
Update 1 (2018–01–16): Security Now #645 goes into details of Spectre and Meltdown and introduces a little handy utility (speccheck) to test system vulnerability.
Translated from: https://www.freecodecamp.org/news/should-we-demand-the-latest-browser-version-d5c72f8c9ffb/