Google Chrome got me a complaint from client #1 (my wife) and troubleshooting time today :onfire:
I have a frequently viewed power monitoring device with its own webserver on my network. It worked fine earlier this morning, but the webpage stopped being accessible before noon. OK, restart a couple of times, nope that didn’t fix it.
Cutting a long story short, I finally discovered that some time this morning Chrome had decided to update itself from version 58 to 59. One of the changes in 59 is that it blocks Basic HTTP authentication (username:password passed in the URL), which is the way we access the page :roll: Until I can figure out another solution we have to log in with username and password, which are both long hex strings, each time.
And Google wonders why users block automatic updating…
Looked into this a bit more, it looks like they have removed the ability to use basic authentication, not just disabled it. So no flags or command line options to switch it back on.
If you want to keep using Chrome a messy option would be to use something like Fiddler as a local proxy to inject the authentication field into the request header - you need to Base64 encode your username/password, I think Fiddler has an option for doing that.
It’s a shame that the Internet of Things isn’t more secure. Why did someone develop a device that doesn’t allow you to use HTTPS for entering a username and password? It almost seems like some people haven’t heard of cyber-security yet. Maybe I’m over-exposed to it, but I prefer that to under-exposure. Google, and others, are trying to raise the bar little by little, but that inevitably breaks some stuff where the manufacturer/developer didn’t bother thinking securely in the first place. The recent WannaCry and NotPetya outbreaks show how dangerous the world is, especially with NotPetya using one insecure internal device to attack many others that didn’t have the initial vulnerability. That is one of the big problems with insecure IoT devices. They might seem simple and nothing to worry about, but if usurped they can act as a Trojan Horse inside your network.
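The local-proxy idea suggested earlier in the thread (inject a Base64-encoded `Authorization` header instead of putting username:password in the URL) can be sketched with the Python standard library alone. This is an added example, not code from any poster or from Fiddler; the `DEVICE_URL` environment variable, the port 8080 and the names `split_credentials` and `InjectingProxy` are assumptions made for illustration.

```python
import base64
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit, unquote

def split_credentials(url):
    """Turn http://user:pass@host/path into (clean_url, Authorization value)."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None  # nothing embedded, nothing to inject
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    # Basic auth is Base64 *encoding*, not encryption: readable on plain HTTP.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, f"Basic {token}"

class InjectingProxy(BaseHTTPRequestHandler):
    upstream = ""    # device base URL without credentials
    auth_value = ""  # precomputed Authorization header value

    def do_GET(self):
        req = urllib.request.Request(self.upstream.rstrip("/") + self.path)
        req.add_header("Authorization", self.auth_value)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body, status = resp.read(), resp.status
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.HTTPError as err:  # pass device errors (401, 404) through
            body, status, ctype = err.read(), err.code, "text/plain"
        except urllib.error.URLError:          # device offline or unreachable
            body, status, ctype = b"device unreachable\n", 502, "text/plain"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # DEVICE_URL is an assumed variable holding the old credentialed URL,
    # so the long hex username/password never sit in the script itself.
    InjectingProxy.upstream, InjectingProxy.auth_value = split_credentials(os.environ["DEVICE_URL"])
    # Loopback only: anyone who can reach this port sees the page without a password.
    HTTPServer(("127.0.0.1", 8080), InjectingProxy).serve_forever()
```

With the script running, the browser bookmark becomes `http://127.0.0.1:8080/`; the hop from the proxy to the device is still unencrypted HTTP, so the credentials remain visible to anything that can sniff that network segment.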