
Chrome 6 might break your Gmail (when behind proxies in corporate environments)

[UPDATE: There is a workaround]

This morning, following the release of Chrome 6, I decided to upgrade to the latest version.

But as soon as I tried going to Gmail I got the following error:

SSL connection error. Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Error 128 (net::ERR_SSL_UNSAFE_NEGOTIATION): The SSL renegotiation extension was missing from the secure handshake. For some sites, which are known to support the renegotiation extension, Chrome requires a more secure handshake to prevent a class of known attacks. The omission of this extension suggests that your connection was intercepted and manipulated in transit.

This happens because “starting with 6.0.453.1 Chrome began requiring the TLS renegotiation extension from a small number of sites (Gmail included). This extension is required to prevent TLS renegotiation attacks”. This means that if you use Gmail (or any other Google application, like Docs, Reader and so on) over HTTPS and you are behind a proxy that alters the traffic passing through it in some way (like MITM proxies), you will not be able to access Gmail any more.
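As an added example (not from the original post or from Chromium's code), the sketch below parses a TLS ServerHello and reports whether the renegotiation extension named in the error message is present. The extension type 0xff01 and its empty initial payload come from RFC 5746; the function names and both sample messages are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746
SERVER_HELLO = 0x02          # handshake message type

def server_hello_extensions(handshake: bytes) -> dict:
    """Return {extension_type: data} from a TLS 1.0-1.2 ServerHello message."""
    if len(handshake) < 4 or handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    body = handshake[4:]
    # Fixed part: version(2) + random(32) + sid_len(1) + suite(2) + compression(1)
    if int.from_bytes(handshake[1:4], "big") != len(body) or len(body) < 38:
        raise ValueError("bad or truncated ServerHello length")
    pos = 35 + body[34] + 3      # skip session_id, cipher suite, compression
    if pos == len(body):
        return {}                # server sent no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("truncated ServerHello")
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    pos += 2
    exts = {}
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if pos + 4 + ext_len > end:
            raise ValueError("extension overruns the extensions block")
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts

def secure_renegotiation_offered(handshake: bytes) -> bool:
    """True when an initial ServerHello carries a valid renegotiation_info."""
    # On the first handshake the payload is an empty renegotiated_connection,
    # encoded as a single zero length byte.
    return server_hello_extensions(handshake).get(RENEGOTIATION_INFO) == b"\x00"

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample: TLS 1.0, zero random, no session id, suite 0x002f."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body

RI = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
TICKET = struct.pack("!HH", 0x0023, 0)         # unrelated extension
DIRECT = build_server_hello(TICKET + RI)       # constructed: server supports it
VIA_OLD_PROXY = build_server_hello(TICKET)     # constructed: extension absent
```

Running `secure_renegotiation_offered` on the ServerHello captured from each side of an intercepting proxy shows whether the proxy's own TLS stack is the component that omits the extension.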

This problem has been reported on the Google Chrome forums and in the Chromium issue tracker, but it has been marked as invalid because they are now trying to increase security by implementing the renegotiation extension.

While this is a good thing, most companies are not always up to date with the latest technologies, and since this extension has been a standard for “just” 6 months, Google cannot expect everyone to have it implemented already.

What should you do if you have already installed it and you get the SSL connection error?

[UPDATE] After I commented on the Chromium bug, Adam Langley answered that if you manually specify a proxy, the check is disabled automatically. And if you have a transparent proxy (so no proxy configured in the options) you can disable the check using the command-line option: --allow-ssl-mitm-proxies.

Thank you Adam for also commenting here with the complete explanation of the problem.

The only thing you can do is revert Google Chrome back to version 5. Unfortunately this requires you to uninstall Chrome and reinstall the old version using the offline installer, which you can download from Google's site at the following address: http://dl.google.com/chrome/install/375.55/chrome_installer.exe

Unfortunately uninstalling Chrome means you lose all your stored passwords and some other things, because a Chrome 6 profile cannot be read by Chrome 5. So if you are unsure, back up your profile folder before trying to update to Chrome 6.

I hope Chrome will allow users to “ignore” some errors, like they do when the certificate is not valid, and that in the meantime all MITM proxies get updated to support the renegotiation extension (and all IT guys install the updated version).

Is Silverlight becoming a niche technology?

A lot of reactions started on Twitter this morning following the publication of the article titled “The Future of Silverlight” on the Silverlight Team Blog. One that caught my attention was written by Hadi Hariri:

[Image: original tweet]

After a few messages I realized that he was talking about Silverlight.

The problems Silverlight addresses

The official announcement says between the lines:

… Silverlight enables applications that deliver the kinds of rich experiences users want. We group these into three broad categories: premium media experiences, consumer apps and games, and business/enterprise apps.

Even in their own statement, they acknowledge that Silverlight is not for building web apps, but is to address very specific features that you don’t have in HTML/CSS/JS.

Most of the features of Silverlight are already included in HTML

But if you take a closer look at the features they list, and you compare them with what HTML (where with HTML I mean the sum of HTML, JavaScript and CSS) can do, you realize that, with the exception of adaptive streaming and other advanced video features, everything can be implemented in HTML: there is HW-accelerated canvas in HTML5 to fulfill the need for “power” in web games, there are already dozens of JavaScript UI control libraries, like jQuery UI, to help you build rich and “desktop-looking” web applications with very little effort, there is local storage and even a local database to store information locally in the browser, there are web workers to keep the application responsive during heavy computations, and much more will come with HTML5.

Some might argue that, even then, Silverlight has a more mature IDE and most developers don’t have a clue about programming in JavaScript and writing HTML+CSS. This is only partially true: you reuse your C# skills and your knowledge of the CLR, but you need to learn all the patterns and best practices specific to this new paradigm, like MVVM, you have to deal with the “all is async” problem, and you probably don’t want to just drag and drop SL controls onto the designer surface, so even the IDE helps just a little here. And looking at the other side of the coin, I’m pretty sure JavaScript-oriented IDEs and even more commercial control vendors will start making “d&d-able” controls to make JavaScript development as easy as desktop development.

Silverlight is more than the browser

The article finishes with that emphasis: “Silverlight is much more than a browser technology”. Sure it allows you to build “out of the browser” apps, even desktop apps, and now Windows Phone 7 apps. I think this is a great advantage for developers that build desktop apps, but I just don’t see Silverlight as a web application technology.

What is Silverlight really for?

If you asked me where I would use Silverlight I’d answer:

  • To build desktop applications
  • To build Windows Phone 7 native applications
  • And to build islands of interactivity of web applications, where the current “simpler and more standard” technologies are not enough, like in media applications.

Andrew Tokeley wrote a very nice post that goes into the details of when you need to use Silverlight instead of HTML/JS/CSS.

I think this is also how Microsoft should market it: a technology that allows you to create rich “web-looking” applications on the desktop, complex video components for the web, and to reuse the same skills to build native mobile applications for Windows Phone 7. But they should stop comparing Silverlight to HTML5: they are complementary technologies, not competing technologies.

What are your opinions on this topic? Please share them in the comments.