
Similar to an “Asshole Design” gripe fest but with a specific focus on #enshitified websites. It’s also a discussion on how to improve your web UX.

  • crappy design candidates are also welcome here (we just call the community asshole design because that’s the most common scenario)
  • discussion of defense practices is encouraged - we are broader than just registering gripes. In fact, hopefully self-defense tips are the most common theme of the threads

Share your strategies for how to deshitify the web here!

Prefix Tags

[ew]: prefix for posts about a specific “Enshitified Website”.

Rules

Members: 60
Posts: 9
Active Today: 1
Created: 1 yr. ago
  • Asshole Design (web edition) @infosec.pub
    activistPnk @slrpnk.net

    Dutch restaurant makes their PDF menu unfetchable in order to animate page turning

    I just don’t get why this shitty practice of embedding a JS PDF app in a web page seems to be proliferating. It’s not just restaurant menus. It’s store catalogs of all kinds, and community newsletters that are doing this stupid shit.

    They make their PDF menu undownloadable in order to present some fancy page turning animation that only works in some subset of browsers.

    I just visited websites of 19 Dutch restaurants hoping to download menus for offline use. Results:

    • 3 had downloadable PDFs
    • 2 had images that could be saved

    That’s it. The rest either had completely dysfunctional websites or interactive HTML or interactive PDF that could not be easily downloaded. HTML could be saved but that’s a shit show overall.. a disaster when trying to create an MHT file then try opening that from a smartphone.
  • Asshole Design (web edition) @infosec.pub
    freedomPusher @sopuli.xyz

    Who solves a CAPTCHA as a prospective paying customer?

    A bathroom remodeling service who sells bathrooms on the order of $5k—15k has a contact page that requires a CAPTCHA. It’s as if customer dignity has been tossed out and merchants no longer see the need to respect the traditional role of serving their customer. So I have to wonder, are customers who are willing to spend 4—5 figures on a custom bathroom really willing to solve a CAPTCHA and effectively become subservient to the business they are patronizing?

    I’m like, if you’re going to trouble me because you can’t be bothered to do your own spam filtering, maybe you don’t really need my business.

  • Asshole Design (web edition) @infosec.pub
    freedomPusher @sopuli.xyz

    (Github) withholds content-length from HTTP headers so you cannot know the size of a tarball before fetching

    A software package was released as a tarball, but if it’s not listed in the releases (which gives the size) you’re stuffed if you need to know the size before downloading because curl -LI $url gives content-length: 0.

  • Asshole Design (web edition) @infosec.pub
    coffeeClean @infosec.pub

    Transit service forces TLS ver 1.3 to simply agree to ToS in their captive portal, denying Wi-Fi service to passengers with older phones

    cross-posted from: https://infosec.pub/post/11021006


    TLS-encumbered captive portal (transit service)

    A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

    net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    
    
      

    I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

    It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

    • I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could
  • Asshole Design (web edition) @infosec.pub
    activistPnk @slrpnk.net

    Dutch restaurant embeds HTML-wrapped javascript disguised as a PDF

    I ran this command to see if the PDF menu was small enough for my capped internet connection:

    $ torsocks curl -LI 'https://cafevanbommel.nl/wp-content/uploads/2023/11/Van-Bommel-Menukaart-November-2023-FOOD.pdf'
    HTTP/2 200 
    date: Tue, 09 Apr 2024 16:01:40 GMT
    content-length: 1480
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    cache-control: no-store, max-age=0
    server: imunify360-webshield/1.21
    
    
      

    PDF was only 1k, so of course I have no objections. Fetched it using wget, and it was just ASCII text in the form of HTML-wrapped javascript. WTF?

    <!doctype html>
    <html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="robots" content="noindex, nofollow">
        <title>One moment, please...</title>
        <style>
        body {
            background: #F6F7F8;
            color: #303131;
            font-family: sans-serif;
            margin-top: 45vh;
            text-align: center;
        }   
        </style>
        </head>
    <body>
        <h1>Please wait while your request is being verified...</h
      
  • Asshole Design (web edition) @infosec.pub
    freedomPusher @sopuli.xyz

    Registering on Bitbucket to submit a bug report: ① solve CAPTCHA ② fussy email verify ③ solve another CAPTCHA ④ …

    cross-posted from: https://sopuli.xyz/post/10725880

    I simply wanted to submit a bug report. This is so fucked up. The process so far:

    ① solved a CAPTCHA just to reach a reg. form (I have image loading disabled but the graphical CAPTCHA puzzle displayed anyway (wtf Firefox?))
    ② disposable email address rejected (so Bitbucket can protect themselves from spam but other people cannot? #hypocrisy)
    ③ tried a forwarding acct instead of disposable (accepted)
    ③ another CAPTCHA, this time Google reCAPTCHA. I never solve these because it violates so many digital rights principles and I boycott Google. But made an exception for this experiment. The puzzle was empty because I disable images (can’t afford the bandwidth). Exceptionally, I enable images and solve the piece of shit. Could not work out if a furry cylindrical blob sitting on a sofa was a “hat”, but managed to solve enough puzzles.
    ④ got the green checkmark ✓
    ⑤ clicked “sign up”
    ⑥ “We are having trouble veri

  • Asshole Design (web edition) @infosec.pub
    coffeeClean @infosec.pub

    Dark pattern used by Startpage to trick you into clicking ads

    Calling out #Startpage for this sneaky malicious timing tactic:

    1. show results below invisible sponsored links
    2. inject sponsored links at the top and expand them ~⅓—½ of the screen height
    3. users trying to click on one of the first few non-sponsored links click on a sponsored link which quickly expands at a moment when it’s too late for users to stop themselves from clicking. People cannot re-adjust their mouse position fast enough.

    I get burnt on that more often than not.

  • Asshole Design (web edition) @infosec.pub
    coffeeClean @infosec.pub

    how should we supplement URLs with more info to improve UX?

    Suppose I want to share a link that works well in a text browser like lynx, or in a GUI browser with domain-specific javascript enabled and the rest disabled, and images disabled.

    How do you do that? There is no format specification for this. The best you can do is write a paragraph telling users how to visit the link.

    So the question is, why don’t we create a superset of the URL specification to include variables that deshitify the page being visited and include warnings for various anti-features?

  • Asshole Design (web edition) @infosec.pub
    coffeeClean @infosec.pub

    CF site forces long cookie interview and gives the boot to Lynx

    First attempt to load this shitty Cloudflare page resulted in a forced cookie popup with no “reject all” option. There are ~50+ or so switches to click off spanning two tabs (one hidden way at the bottom in fine print for “vendors”). Fuck that.

    Usually when I encounter this particular variety of shit I switch to “torsocks lynx '$URL'”. In this case, it gave a 403 claiming “enable javascript and cookies to continue” to Lynx.

    Then I loaded the archive version in Firefox with js and animations both disabled, and finally the text was reachable. But then an animation at the bottom played anyway. So I had to disable still images to stop the animation (guessing the ad is an animated GIF).

    What a disastrous display of