The problem with your approach is that you are assuming that people are fine with scanning in production for security issues. While it is true that everyone does it, this argument falls flat because there are plenty of systems which will avoid the risk and for good reasons.
Well, those who have done some iOS or Android development know that any good app requires extensive hacking. Unfortunately this doesn't work in a cross-platform manner. For the simplest applications having a cross-platform framework is fine but if you really want to make an immersive app for iOS or Android you need to go native. Now this is not to say that some applications will work perfectly fine under this framework.
>Now this is not to say that some applications will work perfectly fine under this framework.
Probably most handy in line-of-business applications where a functional UI that works for your entire organization would be preferred over platform-specific immersion.
Yes it is over-engineered. Heck, even WordPress is engineered. Blogs are essentially static pages with the comments as a moving part (i.e. dynamic). Most blogs can happily live on a static web folder if bound to something like Disqus or whatever you decide to use.
It's true. I've over-engineered my blog as well to be isomorphic, but then I realized there was zero need for client-side functionality so I've rendered it all static via a simple crawler. Much easier to deploy and serve with NGINX. Comments are powered by Disqus.
Oh simply invest in more tangible things, like companies, land and properties, etc. Unless communism becomes modern again it is safe to say that your assets should be secured.
It is not about the ads any more. Information is far more important and they do a fine job at taking over every information stream they can get to. In the long run this will play a huge role.
HTTPS is a good idea but it really doesn't work for me. I am one of those paranoid people who want full end-to-end SSL without exceptions. HTTPS Everywhere doesn't fill the bill.
PanicMode is a ridiculously simple extension. Once activated, it will swap HTTP for HTTPS without leaking even a single packet. Not even pre-flight requests are spared.
PanicMode is not good for general purpose browsing mainly because 99% of sites break badly, i.e. they do not support SSL at all. That is a very telling and sad reality. The way I use it is with profiles. I have a bunch of Chrome profiles that I use for different purposes. One of my profiles is just for social browsing - Facebook etc. I have another one for company stuff. Those profiles have PanicMode installed and activated. Because I care about security in those profiles I don't mind if I click on a Facebook link and it doesn't open up because at least I know that I am protected against side-channel attacks.
It is a very simple mechanism but works well when used effectively.
> PanicMode is a ridiculously simple extension. Once activated, it will swap HTTP for HTTPS without leaking even a single packet. Not even pre-flight requests are spared.
Sounds pretty cool and useful to me. As it tends to happen, though, all promises of additional security a Google Chrome extension makes are invalidated by a single notice—
> Panic Mode can read and change all your data on the websites you visit
As a side note, I noticed that lately my sensitivity to these kinds of threats has come down significantly due to the multitude of useful extensions and apps requiring ridiculous permissions. Seems like a dangerous trend: not knowing that an app is going to sneakily collect your data is one thing; knowingly and willingly granting every little extension wildcard access time after time is quite another. I was very happy to ditch Android because of that. Perhaps I’m too paranoid, of course.