Hacker News | quacksilver's comments

Private DNS on Android refers to 'DNS over HTTPS' and would normally only accept a hostname.

Normal DNS can normally be changed in your connection settings for a given connection on most flavours of Android.


No, it is not DNS over HTTPS; it is DNS over TLS, which is different.


Android 11 and newer support both DoH and DoT.


Where is this option? How can I distinguish the two? The dialog simply asks for a host name.


Cloudflare has valid certs for 1.1.1.1


> Private DNS on Android refers to 'DNS over HTTPS'

Yes, sorry, I did not mention it.

So if you want to use DNS over HTTPS on Android, it is not possible to provide a fallback.


> So if you want to use DNS over HTTPS on Android, it is not possible to provide a fallback.

Not true. If the (DoH) host has multiple A/AAAA records (multiple IPs), any decent DoH client would retry its requests over multiple or all of those IPs.


Does Cloudflare offer any hostname that also resolves to a different organization’s resolver (which must also have a TLS certificate for the Cloudflare hostname or DoH clients won’t be able to connect)?


Usually, for plain old DNS, primary and secondary resolvers are from the same provider, serving from distinct IPs.


Yes, but you were talking about DoH. I don’t know how that could plausibly work.


> but you were talking about DoH

DoH hosts can resolve to multiple IPs (and even different IPs for different clients)?

Also see TFA

  It's worth noting that DoH (DNS-over-HTTPS) traffic remained relatively stable as most DoH users use the domain cloudflare-dns.com, configured manually or through their browser, to access the public DNS resolver, rather than by IP address. DoH remained available and traffic was mostly unaffected as cloudflare-dns.com uses a different set of IP addresses.


> DoH hosts can resolve to multiple IPs (and even different IPs for different clients)?

Yes, but not from a different organization. That was GP's point with

> So if you want to use DNS over HTTPS on Android, it is not possible to provide a fallback.

A cross-organizational fallback is not possible with DoH in many clients, but it is with plain old DNS.

> It's worth noting that DoH (DNS-over-HTTPS) traffic remained relatively stable as most DoH users use the domain cloudflare-dns.com

Yes, but that has nothing to do with failovers to an infrastructurally/operationally separate secondary server.


> A cross-organizational fallback is not possible with DoH in many clients, but it is with plain old DNS.

That's client implementation lacking, not some issue inherent to DoH?

   The DoH client is configured with a URI Template, which describes how to construct the URL to use for resolution. Configuration, discovery, and updating of the URI Template is done out of band from this protocol.

  Note that configuration might be manual (such as a user typing URI Templates in a user interface for "options") or automatic (such as URI Templates being supplied in responses from DHCP or similar protocols). DoH servers MAY support more than one URI Template. This allows the different endpoints to have different properties, such as different authentication requirements or service-level guarantees.
https://datatracker.ietf.org/doc/html/rfc8484#section-3


Yes, but this restriction of only a single DoH URL seems to be the norm for many popular implementations. The protocol theoretically allowing better behavior doesn't really help people using these.
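
Added example (not part of the thread and not any commenter's code): a sketch of a DoH client configured with several RFC 8484 URI Templates from different operators, trying them in order. The hostnames, the injected `fetch` transport and all function names are hypothetical; the transport is stubbed so the block runs offline.

```python
import base64
import struct

def build_query(name, qtype=1):
    """Encode a minimal RFC 1035 query; ID 0, as RFC 8484 suggests for caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def expand_template(template, query):
    """Fill an RFC 8484 URI Template of the form 'https://host/path{?dns}'."""
    if not template.endswith("{?dns}"):
        raise ValueError("only the {?dns} form is handled in this sketch")
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template[: -len("{?dns}")] + "?dns=" + b64

def resolve_with_fallback(name, templates, fetch):
    """Try each configured template in order; return (template, response bytes).

    fetch(url) -> bytes is a hypothetical transport supplied by the caller. A real
    one does an HTTPS GET with Accept: application/dns-message and validates the
    certificate against the host in that template, so each operator is
    authenticated under its own name.
    """
    query = build_query(name)
    errors = []
    for template in templates:
        try:
            return template, fetch(expand_template(template, query))
        except OSError as exc:  # timeout, refused connection, TLS failure
            errors.append((template, exc))
    raise ConnectionError(f"all DoH endpoints failed: {errors}")

# Constructed demo data: two unrelated operators, the first one unreachable.
TEMPLATES = [
    "https://doh.provider-a.example/dns-query{?dns}",
    "https://doh.provider-b.example/dns-query{?dns}",
]

def fake_fetch(url):
    if "provider-a" in url:
        raise TimeoutError("simulated outage")
    return b"constructed-response"

def demo():
    return resolve_with_fallback("example.com", TEMPLATES, fake_fetch)
```
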


It's DNS over TLS. Android does not support DNS over HTTPS except Google's DNS.


It does since Android 11.


For a limited set of DoH providers. It does not let you enter a custom DoH URL, only a DoT hostname.


As far as I understand it, it's Google or Cloudflare?


Sometimes devs rely on Chrome specific quirks, or are shipping broken apps that Chrome manages to make the correct guesses for it to be functional.

Many see 'it works on Chrome and mobile Safari' as 'it works' and they can get project signoff / ship / get paid / whatever and don't care about other users

The company that has the application may not know until a few users complain (if they complain) and by that point it could be too late due to the contract, or they may not understand what a different browser is or care either.


Devs, particularly those with pressure to ship or who don't know better, unfortunately see 'it works in Chrome' as 'it works', even if it is a quirk of Chrome that causes it to work, or if they use Chrome related hacks that break compatibility with other browsers to get it to work in Chrome.

- Sometimes the standards don't define some exact behavior and it is left for the browser implementer to come up with. Chrome implements it one way and other browsers implement it the other way. Both are compatible with the standards.

- Sometimes the app contains errors, but certain permissive behaviors of Chrome mean it works ok and the app is shipped. The developers work around the guesses that Chrome makes and cobble the app together. (there may be a load of warnings in the console). Other browsers don't make the same guesses so the app is shipped in a state that it will only work on Chrome.

- Sometimes Chrome (or mobile Safari) specific APIs or functions are used as people don't know any better.

- Some security / WAF / anti-bot software relies on Chrome specific JavaScript quirks (that there may be no standards for) and thinks that the user using Firefox or another browser that isn't Chrome or iOS Safari is a bot and blocks them.

In many ways, Chrome is the new IE, through no fault of Google or the authors of other browsers.


Before shipping any web site/app, make sure it works in Apple Safari Mobile, which is usually the one that is dragging its feet on Web Standards.


On the contrary, they are the last one standing fighting Google takeover of the Web as ChromeOS development platform.

Without Safari we are done, just close shop on the Web standards group.


This is a lesson in capitalism. It’s so much more profitable to ignore small users bases when you can just tell them to “try switching to Chrome”.

I think you’re wrong about Safari itself being the reason Chrome isn’t a 90%+ market owner; rather, it’s Apple’s requirement that no other browser engine can exist on iOS.


It is exactly the same, in other words.

The moment Chrome gets free rein on iOS variants, it is about time to polish those CVs as ChromeOS Application Developer instead of Web Developer.


Other browser engines can exist. JIT has to be the system’s. Others can use Apple’s JavaScriptCore to gain access to it and do whatever they want on top.


JIT only has to belong to the system because of capitalism. If users could install whatever software they want, Apple couldn't exist.


> I think you’re wrong about Safari itself being the reason chrome isn’t a 90%+ market owner; rather, it’s apple’s requirement that no other browser engine can exist on iOS.

It sounds like capitalism has so far saved us from a Chrome monopoly, then.


Capitalism doesn't exist. The fact that trademark, copyright, and patents exist nullifies capitalism.

There can be no free market if your government intervenes in every transaction.


True capitalism can never exist due to lack of transparency, urgency, monopolies, etc. The best we can have is government controlled capitalism.


> True capitalism can never exist

To nitpick, you mean "unfettered capitalism". As in no government involvement. Which has the identical problem to unfettered anarchy: coalitions form, creating governments. Since many markets have network effects (e.g. bulk purchasing gives lower price per unit) a monopoly tends to be one of the possible steady state solutions. But any monopoly can choose to become a governor of their market, being able to impose regulation even through means other than government (e.g. pull resources, poach, lawsuits, or even decide to operate at a loss until the competition is dead (i.e. "Silicon Valley Strategy")).

I just mention this because it's not a problem exactly limited to capitalism. It's a problem that exists in many forms of government and economics (like socialism). It just relies on asymmetric power.


Yup. It's quite obvious that such unfettered, true capitalism quickly decays to the good ol' rule of warlords.

There should be a name for this kind of fallacy, where you look at a snapshot of a dynamic system (or worse, at initial conditions), and reason from them as if they were fixed - where even mentally simulating that system a few time steps into the future makes immediately apparent that the conditions mutate and results are vastly different than expected.


lol


Web Standards™ [1]

__________________

[1] some feature a Chrome engineer decided to implement, to boost their yearly performance review


Even in Portugal/Spain we have to worry about this. Safari mobile users are a minority here but they usually spend or have more money to spend.


Those stupid rich people don't know what's good for them and keep buying iPhones. I wonder why?


They have no friends who like them enough to help them troubleshoot their androids.


No, Safari is the new IE, nothing works on it, it's full of bugs and Apple is actively preventing web standards from moving on. Do you remember how much Apple prevented web apps from being a thing by blocking web push, and breaking most things if run in PWA mode?

Apple are by far the worst offender and I can't wait for Safari to die.


It’s death by a million papercuts with Safari.

I made a reader app for learning languages. Wiktionary has audio for a word. Playing the file over web URL works fine, but when I add caching to play from cached audio blob, Safari sometimes delays the audio by 0.5-15 seconds. Works fine on every other browser.

It’s infuriating and it can’t be unintentional.


I'm also surprised that no one would have thought to use a stone crucible before pottery, or some sort of concave piece of stone

Or cooked something in a natural hot spring or natural outlet where boiling/near-boiling water forces its way to the surface.


Could AI still be a useful tool if the reviewer performs a manual review first and then queries the LLM with:

1) Here is a new academic paper. Point out any inconsistencies, gaps or flaws in the research, and any contradictions with previous research in the field.

2) Here is a new academic paper and a journal submission policy. Does the paper meet the journal submission policy?

3) Here is a new academic paper, the review policy of the journal and a review of the paper. Does the review appear to have been conducted correctly?

4) Here is a new academic paper and a review of it. Has the review missed anything?

With the above, the reviewer could review the paper themselves, and then get the AI agent to proof read or double check everything, treating it like an editor / reviewer / secretary / grad student that they had asked to read the material. As long as the AI output was treated as potentially flawed feedback or a prompt from a third party to look deeper into something then that seems fine...

I'm surprised we are still using in-band signalling after the Captain Crunch whistle / blue-boxes have been around for that long.


No it cannot.

You are not allowed to share the unpublished results with anyone or any LLM, period. This is literally in every review policy (e.g. https://neurips.cc/Conferences/2025/CallForPapers)


Maybe I read it differently from you, but it states

"You can use resources (e.g. publications on Google Scholar, Wikipedia articles, interactions with LLMs and/or human experts without sharing the paper submissions) to enhance your understanding of certain concepts and to check the grammaticality and phrasing of your written review. Please exercise caution in these cases so you do not accidentally leak confidential information in the process."

From my reading then that would prohibit putting the paper into an OpenAI service, but how an interaction with a local LLM that doesn't involve sharing anything is treated is unclear. If you had an airgapped GPU rig running a local model and you formatted all storage on it after you were done, then no information would be shared, as you are just doing a bunch of math operations on it on your own machine.


Counterexample: Storing the bcrypt hash by appending it to a CSV file containing the usernames and hashes of all users then having a login process where that CSV file is downloaded to the client and the password is verified locally against that CSV file using client-side JavaScript would probably be very bad.

Cryptography part is fine but storage or the auth process isn't.

You would like to think that no-one would write their app that way, but there are plenty of slightly less worse things that happen in practice and vibe coding probably introduces all sorts of new silliness.


I have seen it posed as 'This site has bot protection. Confirm that you are not a bot by clicking yes', trying to mimic the modern Cloudflare / Google captchas.


I 'work' remotely for a US company from abroad regularly. I have no connection to the US.

I own a corporation and it is a B2B outsourcing arrangement rather than an employee though.

I don't get the same rights as an employee, but am fine with that as they are paying me and I am voluntarily providing the work.

I am surprised more people don't try that arrangement as I have seen nothing to suggest there are problems with it so far. I just needed to get an EIN, file 8832 as I have a single member foreign corporation then fill in a W-8BEN-E and protectively file 1120-F and 8833 every year.


While this is flying under the radar, this is not legal in pretty much all jurisdictions. You are an employee and using a company to contract services. It is not legal even if you were both based in the same country.


I am not technically an employee - I get given a project and agree to complete milestones for payment. I supply my own tools and take on any risks that it won't be delivered or stuff will break. I carry my own insurance. I could hire other people to do the work if they passed my client's background check requirements and signed the NDAs.

I have a few different clients who I do work for and actively market my services.


Not quite. Disguised employment is a pretty specific and (usually) clear-cut issue with well defined criteria. The problems start when a jurisdiction broadens the definition to include whatever they want because they want to capture more tax revenue.

IANAL, but I've been freelancing for years and had a similar thing come up. In the end I was found compliant with the law, i.e. not in disguised employment.


Thanks! - I am now aware of those two lists

Agree about the lack of info


Thanks! - I wasn't sure where the definitive list was, or if they could be using some other brand name that wasn't their company name on the list.

Posting here to see if anyone else had encountered them before seemed a reasonable first step.

