
How a UX role can convince other departments

by Alex Ewerlöf


Why we should convince our users to update their browsers — it’s a win-win.

Unless you’ve been living under a rock recently, you’re aware of Meltdown and Spectre — two of the most widely deployed security vulnerabilities in computer history. You may also know that this is not just limited to OS-level applications, and on the web it’s as bad as it gets:


A website can read data stored in the browser for another website, or the browser’s memory itself. — Microsoft Vulnerability Research
  • Firefox 57.0.4 (released on 4th of January) fixed this.
  • Microsoft released an update for IE and Edge on January 5th.
  • Safari released 11.0.2 on January 8th, which supposedly protects the users against these issues.
  • Chrome users have to wait until v64 (released around 23rd of January); but here is a list of what you can do now to limit the extent of the damage to your users.

Update: 2018–01–31: so far security researchers have identified at least 130 malware samples based on these issues: http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges

Quick notes

  1. Not all those updates fix all security vulnerabilities, but they are the first action point.
  2. Updating the browser is just the first step. You need to update your mobile/desktop operating system to protect yourself from a different but wider attack surface: auto-updating apps. Please read more here.
  3. As we understand the scope of these vulnerabilities better, more patches will come. This story is far from over.

Now the big question for us web developers is: do we keep supporting the users with older browsers that are vulnerable, or do we demand that the users have the latest browsers?


I work at the Identity team of an international company with millions of users. No amount of work I do to secure our services can prevent the user from sharing the data on our site with a malicious or infected site open in another tab.


This might be the single most important side effect of these security vulnerabilities: we may actually have a perfectly valid reason to break the web for people with older browsers.


The history of front-end development may remember this point as when we shifted from the “hippie development era” (I support all browser versions) to the “hipster development era” (I only support the latest browser versions).

This is a huge shift in thinking, especially for us web developers, since we traditionally do our best to include everyone: responsive design, progressive enhancement, and graceful degradation.

This time it’s different. In the post-Snowden era, we need to take security seriously. Supporting vulnerable browser versions is equal to promoting dangerous online life. It is our job as experts to educate the users and defend them against the bad guys. If sites don’t support the old browsers, the users have to upgrade.


This is a win-win situation:

  • Developers get rid of legacy browser support for good.
  • The users get forced to make an important security decision (hopefully for the good).

If we don’t react quickly, the exploits of these issues will be deployed massively and the effect is beyond our control. The genie is out of the bottle.


This is the VW scandal of processors

In 2015, Volkswagen was caught cheating on the emissions of their diesel engines. They cheated to make their cars more attractive to buyers. In this one, processor manufacturers “overlooked” some security concerns in their processors so they would have higher performance metrics.


I work at an international company building the login pages. Millions of users use our login to access the services of a wide range of companies. Naturally, my team is very concerned about security. We do our best to keep the system as secure as possible, but no amount of effort can mitigate this kind of vulnerability in browsers. For example:


  • The httpOnly cookies are no longer inaccessible from JavaScript.
  • The session cookie is super easy for other sites to steal (session spoofing).
  • Chrome extensions that keep the passwords are now potentially leaking.
  • The very HTML containing the <script> tag is vulnerable, so XSS is a breeze.

Here’s an exercise: see how many of the OWASP top 10 vulnerabilities are now impossible to fix in versions prior to 2018 of any major browser.


Do we really want to serve users who don’t have a recent browser with the risk that the user’s data or our business will be compromised? Or do we (as professionals and experts) take a stand and educate the users about the dangers and guide them to mitigate the risk?


We need to drop support for vulnerable browsers. This will probably face a lot of resistance in a market that has traditionally been very flexible and forgiving towards the user stack (as long as they use our services, we’re good). But someone has to start the change.


The silver lining

In every crisis there is an opportunity. I argue that it’s the coolest thing that has happened to the web development community since ES2015. We all know the pain and cost of supporting old browsers (especially the browsers which are not evergreen):

  • We have to bloat the code to shim features that modern browsers already have.
  • Debugging an older browser using its old-school debugging tools is not far from the experience of driving a car from the scrapyard after driving a modern car.
  • We can’t rely on browser integrity (IE, I’m looking at you), so we cannot serve some sensitive information at all to certain browsers.
  • We have to deal with various CSS/SVG rendering issues.
  • We have to test edge cases for different browsers just because we support them! There are whole businesses developed around the idea of automating this tedious task with various success/effort ratios.
  • The module system is now supported by all major browsers. Dropping support for vulnerable browsers has the side benefit of simplifying and modernizing our deployment channels. You may not need to transpile your code at all!

What does it really mean?

It means you can totally rely on async/await being available in your client’s browser and you don’t have to transpile. It means you can assume class is supported and generators are usable TAX FREE! It means template literals, rest params, … without transpilation, polyfills or any kind of complex toolchain! Web development is simple all of a sudden.

Hell it means you have ES6 modules NOW without Rollup, Webpack, Browserify…


This means a whole new era. I know it’s too early and every cell of your existence is screaming it’s a lie, but nope! This is happening. If you want to support users with ancient browsers, do it at your own risk. If you care about your users’ security and your business’ integrity, you get all of that as a reward!

One more thing: HTTP/2 is now officially usable!


OK, it sounds like I’m some sort of hero now, but most of that stuff is already available in the majority of browsers. It’s just that for some weird reason, many developers and product managers assumed that the 2.7% of users (who use IE) actually generate the majority of their business revenue and that they should go to great lengths to support them. Sweat no more. Even if you want to, now there’s a huge reason not to!

How?

This essay is more about WHY rather than HOW, but here are some quick thoughts:

  • Browser sniffing can be used to detect if the users are running a vulnerable browser. You can then refuse to serve critical data to the users with browsers that can’t keep them safe. Browser sniffing traditionally hasn’t been very reliable.
  • Show a notification bar to subtly warn the users; but who would read or react to that? In the EU we got used to ignoring the cookie notifications!
  • Write test code that actually tries the attack. If it succeeds, it shows a warning (I’m sure an NPM module will show up soon, if it hasn’t already).
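As an added example (not code from the original post), here is the coarse server-side User-Agent check the first bullet describes, keyed to the patched versions the post lists above (Firefox 57.0.4, Safari 11.0.2, Chrome 64); Edge and IE get no version on the page, so they are reported as unknown. It is sniffing, so it is written as a fail-closed gate rather than proof that a browser is safe, and the constructed User-Agent strings in the usage are assumptions.

```javascript
// Added example (not from the original post): a coarse server-side
// User-Agent check against the patched versions the post names.
// UA sniffing is spoofable and many UA strings omit the patch level,
// so this is a fail-closed gate, not proof that a browser is safe.

// Minimum fixed versions from the post; Edge/IE have no version given,
// so they are not listed and end up as "unknown".
const MIN_PATCHED = {
  firefox: [57, 0, 4],
  chrome: [64, 0, 0],
  safari: [11, 0, 2],
};

// Parse "57.0" or "64.0.3282.119" into exactly three numeric parts.
// A missing patch level becomes 0, so "Firefox/57.0" compares below
// 57.0.4 and is treated as unpatched (conservative on purpose).
function parseVersion(str) {
  const parts = str.split('.').map(Number).slice(0, 3);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Identify family and version. Edge and Chrome UAs also contain
// "Safari", so they must be matched before the Safari pattern.
function detectBrowser(ua) {
  let m;
  if (/Edge\/|Trident\/|MSIE /.test(ua)) return { browser: 'ie-edge', version: null };
  if ((m = ua.match(/Firefox\/(\d+(?:\.\d+)*)/))) return { browser: 'firefox', version: parseVersion(m[1]) };
  if ((m = ua.match(/Chrome\/(\d+(?:\.\d+)*)/))) return { browser: 'chrome', version: parseVersion(m[1]) };
  if (/Safari\//.test(ua) && (m = ua.match(/Version\/(\d+(?:\.\d+)*)/))) return { browser: 'safari', version: parseVersion(m[1]) };
  return { browser: 'unknown', version: null };
}

// 'patched', 'vulnerable' or 'unknown'. For a login page the caller
// should treat 'unknown' the same as 'vulnerable' (fail closed).
function classifyUserAgent(ua) {
  const { browser, version } = detectBrowser(ua);
  const min = MIN_PATCHED[browser];
  if (!min || !version) return 'unknown';
  return compareVersions(version, min) >= 0 ? 'patched' : 'vulnerable';
}
```

Run classifyUserAgent() on the request before serving session-bearing pages, and pair a 'vulnerable' or 'unknown' result with the warning bar from the second bullet so blocked users learn why.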

Conclusion

Remember how we all reacted when React.js “mixed template and code” in JSX? Sometimes we have to unlearn “best practices,” because the alternative makes more sense. I’m not talking about breaking the web! I’m asking to protect our users before all hell breaks loose. Please give it some thought.


Update 1 (2018–01–16): Security Now #645 goes into the details of Spectre and Meltdown and introduces a handy little utility (speccheck) to test whether a system is vulnerable.

Liked what you read? Follow me to be notified when I write something new.


Read You might not need to transpile your JavaScript, When should I use TypeScript? or Programming is the best job ever.


Translated from: https://www.freecodecamp.org/news/should-we-demand-the-latest-browser-version-d5c72f8c9ffb/
