Secure sites stay logged in once Google Chrome is closed!


Simon Zerafa

Jun 1, 2012, 4:53:45 AM
to chromium...@chromium.org
Hi,

I am getting reports from Google Chrome users that when they have the "Continue where I left off" feature enabled and then close the browser, logons to secured sites (such as Banking Sites) remain active and can be reused when the browser is restarted, even after a short wait (5 minutes or so).

Is this a "feature" of the "Continue Where I Left Off" feature or is this a major security hole in Google Chrome? :-)

It would seem to be the latter to me but if this is a feature then it needs to be fully explained to the end user so they are not caught out.

Kind Regards

Simon Zerafa
Simon's PC Services

Joao da Silva

Jun 1, 2012, 5:16:58 AM
to simon....@gmail.com, chromium...@chromium.org, ma...@chromium.org, joc...@chromium.org, nep...@chromium.org
+cc marja, jochen, nepper

--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

Simon Zerafa

Jun 1, 2012, 1:46:50 PM
to chromium...@chromium.org
Hi

Looks like this issue is already open as a bug:


This would seem to be a fairly important security issue.

What is the progress in getting this issue resolved?

Having persistent logins across SSL sessions would seem to be a serious security bug to me.

Kind Regards

Simon

Michael Glenn

Jul 15, 2012, 11:33:07 PM
to chromium...@chromium.org
I just discovered this issue while switching my mother from IE to Chrome and helping her log into a secure bank site. As far as I'm concerned this is an outrageously poor security practice. The person or team that QA'd/approved this change for public release does not have the correct mindset for protecting Google as a company and its users from the consequences of insecure design elements.

I'm surprised this Chrome security breach isn't plastered all over the front pages by now. 

At the very least, authentication to HTTPS sites should never automatically persist after a browser is closed regardless of one's definition of a session--UNLESS THE USER HAS EXPLICITLY OPTED-IN as in the case of specifically checking "keep me logged in" on the site itself (which of course no sane bank or other sensitive site would ever allow as an option).

I posted under the bug report linked above (130291), but then noticed the issue was closed on June 21 with no stated intention to fix, so users need to be warned.

Joshua Woodward

Jul 15, 2012, 11:50:16 PM
to darc...@gmail.com, chromium...@chromium.org
I just logged into my bank site, closed the browser, reopened the browser, visited the bank site ... all in a matter of 30 seconds.

When I returned to the website I was logged out. Maybe this is an issue with your banking site, and they should place in a mechanism to logout/kill session upon closing.

Not sure if your suggestion of session control as it pertains to HTTPS sites is reasonable; you can't really control everyone's implementation of a login/logout procedure.

As far as I know there is no login/logout standard, just guidelines, and killing all HTTPS sessions via browser implementation is pretty drastic.

Make sure you educate your mother to logout manually on every site she visits, that is the only way I know of to be sure you are logged out, to do it yourself.


Cheers.


Tibor

Jul 16, 2012, 5:07:24 AM
to chromium...@chromium.org, darc...@gmail.com
Are you sure you had "Continue where I left off" enabled?
Because if you would then you wouldn't have to visit the bank site after browser is restarted because it would be opened automatically.

I can recreate the problem with lloydstsb.com, and it's definitely not an issue with the bank's site, because if "Continue where I left off" is not enabled the banking session is ended properly when the browser is closed.

Tibor

Jul 16, 2012, 5:09:58 AM
to chromium...@chromium.org, darc...@gmail.com
Of course I don't have "Remember me" enabled on banking site.

Michael Glenn

Jul 16, 2012, 7:35:06 AM
to chromium...@chromium.org, darc...@gmail.com
"Make sure you educate your mother to logout manually on every site she visits, that is the only way I know of to be sure you are logged out, to do it yourself." 

Joshua, actually I did educate my mother to log out manually before discovering this issue. But then I mistakenly assured her that closing the browser would ensure security even if she forgot to log out. I proceeded to demonstrate and whoops...discovered it's not the case!

"I just logged into my bank site, closed the browser, reopened the browser, visited the bank site ... all in a matter of 30 seconds. When I returned to the website I was logged out. Maybe this is an issue with your banking site, and they should place in a mechanism to logout/kill session upon closing."

As Tibor said, "Continue where I left off" must be enabled in Chrome to see the behavior we're talking about. However, I'm finding this issue is bigger than just Chrome or any particular banking site and in this regard your statement that manual logout is the only way to be sure is correct.

I tested a couple different banking sites using Firefox, Chrome and IE9. FF and Chrome are set to restore tabs from the previous session and of course IE will, infamously, no longer do this automatically. Well now maybe I have a clue as to one reason the IE dev team has been stubborn on this point. Both FF and Chrome maintained the SSL session logged-in state after closing/reopening the browser. Only IE9 forced the sessions to a logged-out state after closing/reopening and selecting "Reopen last session". 


"Not sure if your suggestion of session control as it pertains to HTTPS sites is reasonable, you can't really control everyone's implementation of a login/logout procedure. As far as I know there is not a login/logout standard, just guidelines, and killing all https session via browser implementation is pretty drastic."

From what I've read so far, it appears true that there's no clear standard for session logout across browser sessions and even the meaning of "session" is somewhat vague. However, IMO there should be an RFC to clarify and standardize session persistence--especially for secure sites. And I think locking this security hole down by standardizing behavior among the handful of major browsers is far more practical than changing millions of websites. 

I think many, if not most, users have a false sense of security around closing browsers and expect tabs to be restored in a logged-out state. Of course, inactivity timers will eventually (hopefully within minutes) log-out most secure sessions--except, as I said, in the case of explicit opt-in options to "keep me logged in" which would never be offered by sensitive sites like banks. Whatever the final outcome, Internet standards should IMO always err on the side of tighter security by default and relaxing of security practices should be an individual opt-in activity.

Evans Turner

Jul 16, 2012, 8:48:56 AM
to chromium...@chromium.org, darc...@gmail.com
I've been rescued on multiple occasions because of the intended behavior in Google Chrome. I frequently restore a tab that was accidentally closed and resume where I left off.  Ctrl+Shift+T reopens the tab I accidentally closed, preferably in the exact state I left it. This is HUGE when I would otherwise have to start over in a multiple-page submission process.

Regarding online banking sites, the bank site should have a session time-out anyway (based on a temporary, unique session ID stored in a cookie file). The time-out is controlled by the web site's implementation of cookies and session IDs. I can manually log-out if I want to make sure no one can get in. If I closed the tab without logging-out, then restored it immediately, I would still be logged-in. If I restored it 10 minutes later, my session would have timed out and I would have to log-in again.

Google Chrome is also a life-saver for allowing me to restore tabs after experiencing an unexpected browser crash. I do not want this to change!

A browser is a tool for getting work done. With Chrome OS and web apps, the browser is becoming more like your operating system. I would not tolerate an operating system that was designed to forcibly dump what I was doing even when it was possible to restore / resume it. To me, Chrome is a tool for doing things and should not restrict itself arbitrarily.

-Evans

Michael Glenn

Jul 16, 2012, 9:10:47 AM
to chromium...@chromium.org, darc...@gmail.com
Evans, you make some good points (I mentioned the inactivity timeout as well) for keeping this behavior. Perhaps we could all at least agree that browser behavior choices of this magnitude should be user selectable (and not buried too deeply for typical users to find). Let individuals have the option to choose between tighter security and convenience as opposed to forcing or defaulting everyone into a more open, generic behavior. Microsoft learned this lesson the hard way (after significant damage to their reputation).

Joshua Woodward

Jul 16, 2012, 10:07:55 AM
to darc...@gmail.com, chromium...@chromium.org

I believe that it should be left to the developer to decide. Not all HTTPS sites require that automatic logout. Also there is no way to determine which sites this should happen on, from the browser vendor's perspective.

Currently I work for a company, we are PCI compliant, and we deal with consumer credit reports. We have an auto logout function tied to the "onbeforeunload" event.

Users are not as aware, or have a false sense of security; that's why as developers we need to implement best practices.

On Jul 16, 2012 6:08 AM, "Michael Glenn" <darc...@gmail.com> wrote:
Evans, you make some good points (I mentioned the inactivity timeout as well) for keeping this behavior. Perhaps we could all at least agree that browser behavior choices of this magnitude should be user selectable (and not buried too deeply for typical users to find). Let individuals have the option to choose between tighter security and convenience as opposed to forcing or defaulting everyone into a more open, generic behavior.

--
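Joshua mentions an auto-logout tied to the "onbeforeunload" event. The following is an added example (not the poster's or his employer's code) of how such a handler is typically wired, together with the two practical problems it has to deal with: beforeunload also fires on ordinary in-site navigation, and a plain request issued while the page is unloading may be cancelled, so `navigator.sendBeacon` is used. The logout endpoint `/logout` and the `bank.example` origin are assumptions; the window and navigator objects are passed in so the logic can be exercised with fakes outside a browser.

```javascript
// Added example, not the poster's code: a logout request tied to the page
// unload, the approach Joshua describes. The "/logout" endpoint is an
// assumption. The window and navigator objects are passed in so the logic can
// be exercised with fakes outside a browser.
function installUnloadLogout(win, nav, logoutUrl = "/logout") {
  const state = { armed: true, beacons: [] };

  // beforeunload also fires for ordinary navigation inside the site (links,
  // form posts). Disarm the handler for those, or the user is logged out on
  // every page change.
  win.addEventListener("click", (ev) => {
    const href = ev.target && ev.target.href;
    if (href && new URL(href, win.location.href).origin === win.location.origin) {
      state.armed = false;
    }
  }, true);
  win.addEventListener("submit", () => { state.armed = false; }, true);

  win.addEventListener("beforeunload", () => {
    if (!state.armed) { state.armed = true; return; }
    // sendBeacon queues the request even though the page is going away;
    // a normal XHR issued here may be cancelled by the browser.
    const queued = nav.sendBeacon(logoutUrl, "reason=unload");
    state.beacons.push({ url: logoutUrl, queued });
  });
  return state;
}

// Minimal fakes standing in for window/navigator so the handler can run here.
function fakeWindow(origin) {
  const listeners = {};
  return {
    location: { href: origin + "/account", origin },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, ev = {}) { (listeners[type] || []).forEach((fn) => fn(ev)); },
  };
}

// Two scenarios: an in-site link click followed by unload (navigation), then a
// plain unload with no preceding click (tab or window closed).
function simulate() {
  const win = fakeWindow("https://bank.example"); // constructed origin
  const sent = [];
  const nav = { sendBeacon(url, body) { sent.push({ url, body }); return true; } };
  installUnloadLogout(win, nav);

  win.dispatch("click", { target: { href: "https://bank.example/statements" } });
  win.dispatch("beforeunload");
  const afterInternalLink = sent.length; // 0: navigation, not a logout

  win.dispatch("beforeunload");
  const afterClose = sent.length;        // 1: logout beacon queued
  return { afterInternalLink, afterClose, lastBody: sent[0] && sent[0].body };
}
```

`simulate()` returns 0 beacons after the in-site link and 1 after the close. Two caveats a practitioner should keep in mind: the handler never runs when the browser crashes or the process is killed, and a browser that restores session cookies on restart will present the old cookie regardless, so the `/logout` endpoint must invalidate the session server-side and an idle timeout is still needed as the backstop.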

Pavel Ivanov

Jul 16, 2012, 10:08:20 AM
to darc...@gmail.com, chromium...@chromium.org
On Mon, Jul 16, 2012 at 9:08 AM, Michael Glenn <darc...@gmail.com> wrote:
> Evans, you make some good points (I mentioned the inactivity timeout as
> well) for keeping this behavior. Perhaps we could all at least agree that
> browser behavior choices of this magnitude should be user selectable (and
> not buried too deeply for typical users to find). Let individuals have the
> option to choose between tighter security and convenience as opposed to
> forcing or defaulting everyone into a more open, generic behavior.

Browser already has this option and it's not buried too far. This
option is called "Continue where I left off". If you want more
convenience and if the current OS user on the current computer is used
only by you then you turn this option on, if you want more security
and/or the current OS user on the current computer is used by somebody
else and you don't trust to that somebody then you turn this option
off. It's that easy and it's really natural - if there's a chance that
somebody else will open the browser after I closed it I don't want for
that person to continue where *I* left off. And the same stands the
other way round - I don't want to continue where *the other person*
left off.


Pavel

Jim

Jul 16, 2012, 11:51:48 AM
to chromium...@chromium.org

This option's behavior changed in Chrome 19. Before then, when using the "Continue where I left off" option, the browser would not save session-only cookies and restore them on the next start up. This meant that the user would have to re-enter their login information the next time Chrome was opened. Either Google got too many complaints from people having to re-enter their login information for secure sessions, or Google decided to err in favor of saving users those seconds spent having to re-login vs. security, so they made Chrome save the session-only cookies rather than deleting them.
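The distinction Jim relies on is the one between a session cookie (no `Expires` or `Max-Age` attribute, so the browser is expected to drop it when it exits) and a persistent one. The following added example (not code from the thread or from Chromium) parses `Set-Cookie` headers into that classification and then models the cookie jar at shutdown under the two behaviours the thread describes: the classic one, where session cookies are discarded, and the one Jim attributes to Chrome 19 with "Continue where I left off", where they are kept. The three sample headers are constructed for the example.

```javascript
// Added example, not code from the thread: classify Set-Cookie headers as
// session cookies (no Expires/Max-Age) or persistent, then model what a browser
// keeps when it is closed. The sample headers below are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    persistent: false, // becomes true only if Expires or Max-Age is present
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "max-age") { cookie.persistent = true; cookie.maxAge = Number(v); }
    else if (key === "expires") { cookie.persistent = true; cookie.expires = v.trim(); }
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Model the cookie jar at browser shutdown. Classic behaviour: session cookies
// are dropped. With restoreSessionCookies set (what the thread describes for
// Chrome 19's "Continue where I left off"), everything survives the restart.
function closeBrowser(jar, { restoreSessionCookies = false } = {}) {
  return jar.filter((c) => c.persistent || restoreSessionCookies).map((c) => c.name);
}

// Constructed sample: a login session cookie, a "remember me" token and a
// harmless preference cookie.
const SAMPLE_HEADERS = [
  "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
  "remember_me=token456; Max-Age=2592000; Path=/; Secure; HttpOnly",
  "theme=dark; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/",
];

function demo() {
  const jar = SAMPLE_HEADERS.map(parseSetCookie);
  return {
    sessionOnly: jar.filter((c) => !c.persistent).map((c) => c.name),
    classic: closeBrowser(jar),
    restored: closeBrowser(jar, { restoreSessionCookies: true }),
  };
}
```

With the classic behaviour only `remember_me` and `theme` survive the restart; with session cookies restored, `JSESSIONID` comes back too, which is the logged-in state the earlier posts observed. A site that wants a bounded exposure window regardless of browser behaviour cannot rely on the cookie's lifetime at all and has to expire the session id on its own side.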

Jesper

Jul 16, 2012, 11:57:22 AM
to chromium...@chromium.org, darc...@gmail.com
There are different levels of security.

I am normally the only user of my computer. 

But it could be stolen. And having physical access to my computer means that the thief can also crack my Windows password and log in as me. That's almost a no-brainer. And if I have "Continue where I left off" turned on in Chrome, then he can open my last session.

Before this radical change in Chrome, this was as far as the thief could get. He could see which websites I had open when I shut down my computer. He could also see my history. Of course that is a weak security breach and not pleasant, but at least he could not access my online mail and in other ways access any websites as me. He could not act as me on the internet. And that is a major difference.

Now, when a thief steals my computer, he can gain access to all the web sites that require login and that I was logged in to when I turned off my computer. He can act as me. Send mails as if he was me. Write on discussion boards as if he was me. Impersonate me on Facebook, etc.

That is really a very big difference to me.

So no, it is not just about either restoring nothing or restoring everything to as it was when I left it. I want something restored, but not all. Specifically, I don't want my online identity restored.

I want the non security related things restored (like my Chrome windows and tabs), but I do not want to still be logged in to any website, except if I explicitly told that website to remember me (for instance, a non-important TV guide website where I just have an account to select my favorite TV stations).

What I want is that when I leave my computer, I want to make sure that I am being logged out of all important web sites. Because whenever I leave my computer, there is a risk that it could be stolen. The risk is small, of course, but it is there, and I don't want anyone to be able to steal my online identity.

And yes, I "could" make sure I log out of all web sites I have logged in to in the current session before I shut down the computer. But I don't always remember. I can log in to a web site and then just close that tab. Now it is out of sight which website it was. After a day of work I might forget that I even logged in to that web site earlier that day.

Of course I could delete all cookies. But I do not want to delete all my cookies with specific settings for dozens of non-login web sites. I only want the session cookies deleted. But there is not even an option for deleting only session cookies in Chrome. And there was no reason to have that option before, because shutting down the browser always cleared all session cookies. It is child knowledge. Or rather was. But now the Google Chrome developers changed that.

So Google changed something very basic, and they did not think all the implications through. They introduced a major security problem.

Sadly they are acting arrogantly about it instead of admitting their mistake and taking steps to correct it. Those steps could include making it a specific opt-in option to also save session cookies across sessions if you choose to "Continue where I left off", and having a big warning telling about the security implications of turning that option on.

Jesper


On Monday, 16 July 2012 16:08:20 UTC+2, Pavel Ivanov wrote:

Pavel Ivanov

Jul 16, 2012, 12:29:01 PM
to jesper...@gmail.com, chromium...@chromium.org, darc...@gmail.com
So, somebody steals your computer, has time to come home and crack
your OS password (which shouldn't be easy if security matters to you
and you don't use something really easy as "123456") and you won't
have time to change all your passwords in the meantime? Or you think
some of the sites that matter to you won't end your session in one
browser when you change password in another?
Seriously I don't believe this is a viable threat if you use your OS
security properly. You have much more attack surface in this case
through your Downloads folder if it's not encrypted and you don't
clean it often.


Pavel

Jesper

Jul 17, 2012, 9:53:49 AM
to chromium...@chromium.org, jesper...@gmail.com, darc...@gmail.com
You do have a point if I immediately discover the computer is gone, or if I discover it after a few hours – and if the important websites actually log me off when I change my passwords – and if I can get access to another computer within reasonable time. Furthermore, it is a very time consuming task to change all my around 150 passwords. It would take many hours. And if I am on vacation, I might not discover that the computer is gone until several weeks later.

But my point is that I don't even want to be in a situation where I have to hurry to change all my passwords. If just Chrome would log me out when I shut it down, the problem would not be there. All my logons would still be safe. I would not have to worry about them.

About the Downloads folder, I don't get your point. I have nothing of importance there... Mostly downloaded programs or similar. And I can't see how someone could log in as me on websites through files that can be found in the Downloads folder?

And if you meant my cache folder, only non-https files would be there (I hope, unless the Chrome people changed that as well!). And that is not a big problem to me.

My whole point is that I don't want anyone else to be able to act as me on the internet, and I want my online stuff safe.

But of course, I have turned off "Continue where I left off" after I discovered the bug (which seems to be a bug in the minds of the developers as they deliberately made the code that way ;-)), but this has the effect that I sometimes just put my computer into hibernation so that I can continue with the tabs and windows where I left off. But I cannot log out of all websites when I do that, so it is a security risk I take when I do that. Chrome now has no way to delete all session cookies and at the same time remember the addresses of all tabs and windows. It could do that before and did it well, but it can't do that anymore – that functionality is completely gone from Chrome now. Thus, it is a clear backstep for Chrome, and a really strange one.

Stephen

Jul 21, 2012, 8:12:48 AM
to jesper...@gmail.com, chromium...@chromium.org, darc...@gmail.com
Stay off the internet then! Nothing is ever going to make you 100% safe.

On Tue, Jul 17, 2012 at 9:53 AM, Jesper <jesper...@gmail.com> wrote:
My whole point is that I don't want anyone else to be able to act as me on the internet, and I want my online stuff safe.



--
Best Regards,
Stephen Allen

Tibor

Jul 23, 2012, 8:14:41 AM
to chromium...@chromium.org, jesper...@gmail.com, darc...@gmail.com
This is like saying "Stay off the roads! Nothing is ever going to make you 100% safe.", and this is the wrong answer.
The right answer is: buy a safe car and use all its safety features, and don't buy a car that may have airbags turned off if you don't do some special procedure to reset the car to a proper state.
This can be applied to anything: don't stay inside buildings because buildings may collapse, ships may sink, and so on. Nothing in life is 100% safe, but smart people are working on making things safer, and this should apply to browsers too.

People were educated that closing a browser is safe and should end all sessions (i.e. log off internet banking automatically). I know this isn't the safest way to protect themselves but it worked, and it still works in the majority of browsers.
Chrome's target group (unless recently changed) are the one bit users, who are such beginners that they sometimes fail in basic tasks like creating a Yahoo! login (recent example in family). Such users have no idea that they can click on their username in the top right corner in Gmail and select Sign out. They don't even know there's such functionality, because they expect computers and software to work like other stuff they know, i.e. if they turn off the light the light is turned off, no need to log off from the electricity company first.
Educating the masses requires lots of time, until then software should be smarter.

Joshua Woodward

Jul 23, 2012, 10:29:05 AM
to jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com, chromium...@chromium.org

"People were educated that closing a browser is safe"

I was 'educated' that you log out. I have never thought closing a browser window logs you out, never, never, ever.

Joshua Woodward

http://joshuawoodward.com/ +
http://twitter.com/howtohtml5

Tibor

Jul 23, 2012, 11:10:16 AM
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
Are you claiming you are an average/regular user and not a power user? If not, it doesn't count how you were educated.
Regular users are told "click that X button in top right corner and you're good". The reason is that there's no universal log out method, so even if it is mentioned that one has to log out it is always added to close the browser, and all people remember is clicking the X button.

The trend is that software protects average users, i.e. by giving them fewer choices (simpler control panel in Windows), hiding things (i.e. no menu bar), and making defaults much safer (i.e. no option to suppress the invalid certificate warning in Chrome). Providing an option that makes regular users' browsing less safe is completely opposite to this and to everything I thought Chrome was until now.

Power users are not really affected because they know what this is all about but the masses who have no idea of the backgrounds are at risk.



On Monday, July 23, 2012 3:29:05 PM UTC+1, Joshua Woodward wrote:

"People were educated that closing a browser is safe"

I was 'educated' that you log out. I have never thought closing a browser window logs you out, never, never, ever.

Joshua Woodward

http://joshuawoodward.com/ +
http://twitter.com/howtohtml5

Joshua Woodward

Jul 23, 2012, 12:15:07 PM
to jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
On Mon, Jul 23, 2012 at 8:10 AM, Tibor <jbt...@gmail.com> wrote:
> Are you claiming you are an average/regular user and not a power user?
> If not it doesn't count how you were educated.

Why does that not count?
What if, even at "regular user" status, I was never taught that closing the browser logs you out? How does regular/power user reflect what I have always been taught?

> Regular users are told "click that X button in top right corner and you're good".

Again, you're making assumptions for everyone.

> The reason is that there's no universal log out method, so even if it is mentioned that one has to log out it is always added to close the browser, and all people remember is clicking the X button.

Where is your source for this?

> The trend is that software protects average users, i.e. by giving them less choices (simpler control panel in Windows), hiding things (i.e. no menu bar), and making defaults much safer (i.e. no option to suppress invalid certificate warning in Chrome).

This is like people relying on government to provide them food and water. OK, so that example is pretty extreme. However, relying on someone else is your first mistake. You are also assuming that every developer out there knows every security hole, knows every best practice, and is enforcing it.

> Providing an option that makes regular users' browsing less safe is completely opposite to this and to everything I thought Chrome is until now.
>
> Power users are not really affected because they know what this is all about but the masses who have no idea of the backgrounds are at risk.

In my opinion, if you do not like the fact that your bank is not logging you out when you close your browser, that is an issue you need to take up with your bank. Email them feedback to implement a function to detect when a window is closed and take the action necessary to log you out.

Forcing every HTTPS session to be flushed is not a solution. Just because I have an HTTPS connection for my blog, does that mean there is highly critical data that needs to be protected, and the browser should "log out" forcefully?

Educate your "regular users" and leave it up to the developer.

--

PhistucK

Jul 23, 2012, 1:11:20 PM
to jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
I think your "average user" argument can also function as a counter argument.
The average user does not change the defaults (or ever enters the settings tab). A more than average user - might. A power user - usually does.

I am not sure the previous preference (to restore the last open tabs) was blindly transitioned to the "Continue where I left off" feature. For the sake of the more than average/power users - I do hope they converted that option to "Show the new tab page" or something so they could reassess the new, alternative feature (not a very nice user experience, but a safe one, I guess).


PhistucK

Jim

Jul 23, 2012, 1:39:56 PM
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com


On Monday, July 23, 2012 12:11:20 PM UTC-5, PhistucK wrote:
I think your "average user" argument can also function as a counter argument.
The average user does not change the defaults (or ever enters the settings tab). A more than average user - might. A power user - usually does.

I am not sure the previous preference (to restore the last open tabs) was blindly transitioned to the "Continue where I left off" feature. For the sake of the more than average/power users - I do hope they converted that option to "Show the new tab page" or something so they could reassess the new, alternative feature (not a very nice user experience, but a safe one, I guess).



This option's behavior changed in Chrome 19. Before then, when using the "Continue where I left off" option, the browser would not save session-only cookies and restore them on the next start up. This meant that the user would have to re-enter their login information the next time Chrome was opened. Either Google got too many complaints from people having to re-enter their login information for secure sessions, or Google decided to err in favor of saving users those seconds spent having to re-login vs. security, so they made Chrome save the session-only cookies rather than deleting them.
   
Also people who do not use the " Continue where I left off " are logged off of their web sites which are using session-only cookies just like they have been since Google started Chrome and just like other web browsers do!
 

Tibor

Jul 23, 2012, 6:04:40 PM
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
It doesn't count because you've received some education, either from others or through self-learning. Because you ended up a power user, your thinking was probably totally different from the beginning, i.e. you read the related information before you started to use new stuff.
Most computer users nowadays don't receive any education. They buy a device, (PC, laptop, tablet, mobile phone) and they try to figure out things, or ask the staff at the shop, or they ask someone they know to help (family or friends). Very few invest in a computer course because it's not mandatory, and there are still lots of schools where IT is not mandatory or at least available as an option.

Of course people are all different so each case is different. I assumed you are a smart guy and would figure out that we are speaking statistically, not in exact numbers or about individuals. And it's not the power users who are likely to have problems but the masses who have no information, mainly because they are not interested (like many people wouldn't use seat belts if it weren't mandatory).
Even statistics are more skewed than usual in this field because each country is very different, and there are huge differences between regions of the same country too.
This means there are people who are average users but have received some sort of formal education, but the masses haven't and will not in the future either. Computers became like TV and VCR/DVD, everybody wants to use them but only few know them properly. Most people figure out how to start a movie, but how many can program a recording for every weekday? For many even setting the clock is a task beyond their knowledge; fortunately with digital TV we have the time broadcast as well, so almost all VCR/DVD devices with a blinking clock disappeared. Or how many people can program their oven/microwave to start cooking for 90 minutes at 6am the next day?
And remember, these are all devices that come with step by step instructions, but people don't read the instruction manual until smoke comes out and they need the service phone number. Computers don't come with such instructions. There are help pages that are not quite well organised and there are online tutorials, but both require previous knowledge, without which people either don't find them or don't know what to do with them.

However, big companies like Microsoft and Google invest lots of money in usability tests, not to mention that they have lots of usage statistics about their software. In case of MS this includes the operating system itself too. The point is that these big companies are the ones pushing computers in the direction of users with very limited computer knowledge.
Would you believe my father-in-law has used a computer for about 5 years and still isn't sure what the Start button is, has no idea which one is the Windows button on the keyboard; for him the browser and the internet are Google, and he reads email in Google, plays Farmville in Google. He has no concept of files or downloads and programs. Recently he complained Skype stopped working so I sent him a download link (he lives about 1700 miles from me) and he swore he downloaded Skype, installed it, logged in and still couldn't find his contacts. I seriously doubted he could do all this and it turned out I was right: all he did was log in to his account on skype.com.

And it's not only about stealing one's computer and getting access to their websites, but the issue exists within households, spouses, friends, parents and children, who very often share a computer and may forget to log out.
I know what the official answer is: have your own Windows/Linux/Mac user with strong password, log out of all services and OS when finished work, have your own, password protected profile in Chrome and so on.
But the reality is that families often share a computer with the same user, forget to log off internet services, have no idea they could use multiple profiles in the browser, and even if they use them they often don't log out.
And legitimately they learnt that closing the browser ends their sessions unless explicitly opted in to keep alive, so they might not like it if someone else starts the browser and sees all their email, chats or other private information.

> Where is your source for this?
This is a private conversation; all that I write is solely my private opinion. I don't represent any company or organisation.
My source is my family, friends, participating in a computer course as an observer, looking at people buying computers in shops and listening to their questions.
These are the people I'm talking about, although I have met professional software developers who had no idea of shortcuts and similar basics and started each program by going to Start - Programs - Some Fancy Software Folder - Fancy Folder if they wanted to start something, or used right click for copy-paste, so having a degree doesn't mean the person is a power user.
Found this by a random search:
About the same topic if you ignore the OS war part.

If this feature is for power users it should be a flag, otherwise it should be much safer because it's only 3 clicks now to enable it and it's in basic settings.

Don't have more to add so I'll expect not to post more replies.



On Monday, July 23, 2012 5:15:07 PM UTC+1, Joshua Woodward wrote:

Joshua Woodward

unread,
Jul 23, 2012, 6:12:29 PM7/23/12
to jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
Holy...TLDR

Just tell your dad to log out every time...tell everyone you now to log out.

Log out...FTW!


Joshua Woodward

unread,
Jul 23, 2012, 6:14:16 PM7/23/12
to jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
probably going to get beat up for now, instead of know...

my comeback should have been

"Just tell your dad to log out every time...tell everyone you know to log out."

Tibor

unread,
Jul 23, 2012, 6:24:15 PM7/23/12
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
These were not posted for some reason:

It isn't like waiting for the government to feed you.
We live in a collaborative society, I guess you don't grow your own food, don't build your car and home, don't generate electricity and gas, buy ready-made clothes, use a computer and operating system and software created by others and so on.
The point is that we all use goods and services from others, and expect these goods and services to be the safest and the best. I.e. who do you expect to take care that your ears are not cut when you have your hair cut: yourself or the barber? If I can expect my barber to take care of my physical security, why couldn't I expect similar from my browser?
It is ironic that we can't choose to ignore certificate warnings because Google is concerned about our security, but they allow another feature that is a far larger risk than a corporate certificate that wasn't issued by a trusted root, not to mention that for certificates there's at least a warning but there's nothing when one chooses "continue where I left off" (I know there's a learn more and I'm sure Google has worded it so that they can't be made legally responsible for anything).

Same about education. Education and a license are mandatory to drive a car and even in this area it is impossible to properly educate people, so what would you expect, and especially from whom, for computer users? It'd be ridiculous, like expecting people to take a course before they start using a TV, or a phone, or a microwave that can kill, as opposed to a browser that can "only" leak information.
This leaves the only option to be that manufacturers create safer products, like microwaves that have a safety switch that turns off the microwave when the door is opened. Having smartly worded licenses and readme files that make manufacturers not responsible for any damages shouldn't be the limit where software companies stop caring about their users.

Tibor

unread,
Jul 23, 2012, 6:35:49 PM7/23/12
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
Don't worry, we figured out it's a typo.
And I don't agree with this Apple-like philosophy that says that we're good, everything else is wrong. I.e. I was told that it's not a design bug that on iPhone I need to use shift 2 times when I have to enter an email address but it's a bug in websites because they don't indicate the input is for email so that the iPhone keyboard can switch to email entry mode. See the point? It's not their product that's faulty but everything else.
Fixing a browser is much easier than educating millions of users.

Users are always right but companies tend to forget this.
It's sad that serving the user is still the first item on Google's list but in reality all products started to serve Google's internal needs instead (sell more ads and products to have more revenue).

Joshua Woodward

unread,
Jul 23, 2012, 6:47:54 PM7/23/12
to jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
On Mon, Jul 23, 2012 at 3:35 PM, Tibor <jbt...@gmail.com> wrote:
> Don't worry, we figured out it's a typo.
> And I don't agree with this Apple-like philosophy that says that we're good, everything else is wrong. I.e. I was told that it's not a design bug that on iPhone I need to use shift 2 times when I have to enter an email address but it's a bug in websites because they don't indicate the input is for email so that the iPhone keyboard can switch to email entry mode. See the point? It's not their product that's faulty but everything else.

Here again, it is up to the developer. The developer didn't implement the correct data type, so how is iOS (Apple) supposed to know to show you an email keyboard?

> Fixing a browser is much easier than educating millions of users.

But maybe that fix isn't best in every case.

> Users are always right but companies tend to forget this.

Wow, users are not always right...they like to think they are always right.

> It's sad that serving the user is still the first item on Google's list but in reality all products started to serve Google's internal needs instead (sell more ads and products to have more revenue).

You can always switch to another free browser/email/map/social/calendar/search/video/translate/blog/news/.../ integrated service (wow, Google gives you so many services for free)

Stephen

unread,
Jul 24, 2012, 8:36:32 AM7/24/12
to j...@woodwardmedia.net, jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
For Free?! Don't think so my friend; they're making reams of $ from our data.

On Mon, Jul 23, 2012 at 6:47 PM, Joshua Woodward <j...@woodwardmedia.net> wrote:
> (wow, Google gives you so many services for free)

Evans Turner

unread,
Jul 24, 2012, 9:04:13 AM7/24/12
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
As you've noticed, iOS has a dynamic keyboard that shows appropriate keys for the type of field that has focus. I think that's one of the best things about the iOS keyboard. It saves lots of time for me because, generally, typing is more efficient and I'm less likely to hit the wrong key. As you've noticed, when iOS detects an input field with type="email", it doesn't auto-cap the first letter and it shows extra keys for "@" and "." (which works as a shortcut for .com, .net, .org, .edu, .us). It would waste a lot of time to have these keys always visible when non-email fields have focus (accidentally tapping one of them and using backspace). Even if a rare improperly flagged email field requires me to tap shift or the symbol key once in a while, it still saves lots of time overall. If it was changed to match your preference, you'd have to manually capitalize the first letter of EVERY non-email field and extra keys would always be visible to be tapped accidentally. Ugh!

/tangent

-Evans

Joshua Woodward

unread,
Jul 24, 2012, 12:00:52 PM7/24/12
to Stephen, jbt...@gmail.com, chromium...@chromium.org, darc...@gmail.com, jesper...@gmail.com
Are you paying for it?

These are free (monetary) services; if you don't like the idea of them making money off your data, use another service.

There are paid email services that promote privacy, like http://reagan.com/

On Tue, Jul 24, 2012 at 5:36 AM, Stephen <stephen...@gmail.com> wrote:
> For Free?! Don't think so my friend; they're making reams of $ from our data.

Stephen

unread,
Jul 24, 2012, 3:04:55 PM7/24/12
to Joshua Woodward, darc...@gmail.com, jbt...@gmail.com, jesper...@gmail.com, chromium...@chromium.org

Never said anything about liking/disliking - just correcting a factual error.

Tibor

unread,
Jul 24, 2012, 3:25:48 PM7/24/12
to chromium...@chromium.org, Stephen, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
I'm not paying cash, but I pay with:
-My data.
-Testing alpha/beta/experimental features released as final (Google gets most of the paid versions tested for free, saving cash).
-My time wasted with broken/incomplete features.
-Having ads everywhere.
-And who knows what else.

The point is that by lawyer talk it is free and I'm sure there are lots of legal disclosures in license agreements and various policies that make sure they can claim it's free, but in reality it isn't free so it's not nice to tell people "stop complaining, you get it for free, use another service if you don't like it".

Tibor

unread,
Jul 24, 2012, 3:48:18 PM7/24/12
to chromium...@chromium.org, jbt...@gmail.com, darc...@gmail.com, jesper...@gmail.com
The point was the concept of expecting everyone else to adapt instead of adapting themselves to suit as many people as possible, not this specific feature.

FYI, it isn't only login boxes where I enter email addresses or website addresses, i.e. today I had to send an email containing 2 email addresses and a URL.
Not to mention that I hate text without punctuation, and comma and period are also hidden behind shift. Yeah I know it's my fault that I don't comply with Apple's policy of being simple and trying to have some standards instead on mobile too. And why is the + sign on the 3rd layout instead of the 2nd where the - sign is?

I find your reasoning interesting. Are you not confused by the backspace and return keys too? Shouldn't those be removed too?
I'd bet you haven't got much experience with other keyboards.

BTW, I wouldn't even remember how the default iPhone keyboard looks if there were a way to replace it (jailbreaking is not an option, it's a company phone, I wouldn't use an iPhone otherwise). I.e. on Android there are several alternatives so one is not forced to use what Apple or Steve Jobs thought was best for them.
Probably you'd get a heart attack if you saw my Android keyboard which, besides comma, period and smiley keys, has Hungarian characters with accents always visible too. My typo ratio isn't higher than on iPhone but typing speed is much higher.
National character support is a joke on iPhone, it is only there so they can sell it like it would support input in different languages but in practice it's bullshit. And please don't start explaining that it's for my benefit so that I don't get confused by the too many keys and start typing rubbish. That's Apple talk and time has proven it's marketing bullshit (i.e. iPhone now has MMS although they swore people don't need MMS, and they still try to convince people they don't need receive confirmation for SMS, and they don't want to automatically resend SMS if sending failed the first time and so on).


I think we hijacked this discussion too much already, so I stop replying to off topic. Sorry about the previous unrelated posts.

Jim

unread,
Jul 31, 2012, 8:59:18 PM7/31/12
to chromium...@chromium.org
Upgraded to Chrome 21 in the release channel and noticed the following for this problem: "If you'd like Chrome to reopen all your pages but discard session cookies and other site data, go to Settings > Show advanced settings > Content settings > Keep local data only until I quit my browser."

https://support.google.com/chrome/bin/answer.py?hl=en&answer=95421&p=settings_reopen_pages

The problem is that this option deletes all cookies, including those cookies that are set by 2-step authentication via SMS code. If you tell Gmail to remember the setting for the next 30 days but have the above option enabled you will be forced to re-enter a new code that has been SMS'd to you.

Mike McLoughlin

unread,
Oct 9, 2012, 7:08:02 AM10/9/12
to chromium...@chromium.org
I work for a company using Google Apps that is authorised using Shibboleth. When "Where I left off" is on, even logging off and closing all tabs does not end the session. The only way to solve this is to move the "where I left off" setting to be New Tab instead, but this cannot be done organisation-wide using the GApps console. The security concern is clear - someone could set all browsers in an office to be "where I left off" and then log into their emails when they leave.

Jim

unread,
Nov 11, 2012, 5:51:49 PM11/11/12
to chromium...@chromium.org
I gave up using Chrome as my main browser on all the computers here and went back to Firefox. After seeing these antics by Google I wondered what else they have changed behind the scenes which has a detrimental effect on users' privacy. That along with their programming and inability to fix a problem with their Google+ app, I did not feel comfortable using Google software.

Andi Herr

unread,
Mar 5, 2017, 4:54:15 AM3/5/17
to Chromium-discuss

how do I fix this shit?

Jim

unread,
Mar 5, 2017, 2:18:18 PM3/5/17
to Chromium-discuss
Don't use Continue where you left off in Chrome or switch to another browser which removes session only cookies rather than restoring them like Chrome has been doing for the past 5 years.

Charlie Elgholm

unread,
Dec 4, 2017, 6:25:20 AM12/4/17
to Chromium-discuss
I hate resurrecting a very old thread like this, but this is actually very fascinating.
In their effort to give us new and good functionality someone, somewhere, managed to get a "go ahead" for this "feature" - without any further discussion on how this will impact normal usage.
I've browsed through the bug reports for this, and people at Google actually just shrug this off as a feature, and disable further comments.

It's actually a splendid function, since I can now extremely easily get logged-in access to all my friends' and colleagues' sites when they borrow or use my computer. Wonderful!
Thank you Google! What a complete blunder on your part.

Everyone, EVERYONE, thinks that normal sessions die when they close all the browser windows, and they feel safe when they do not click the "Remember me" checkbox upon login.
Nothing in the browser warns my friends that I now remember their "non remembered"-sessions when they use my computer.

Yes, I know about incognito mode.
Yes, I know about my non-default setting in the browser.
Yes, I know that you need to logout manually from all logged in sites.
Yes, I know that closing all my browser windows won't help.
My friends however, do not. They think everything is normal, since it looks normal.

I'm very perplexed that I haven't given this extremely-bad-security-practice functionality more thoughts before.
I just realised it when I implemented new and better session handling in one of my back-end frameworks.
I guess we're all just too obstructed with what's going on in our lives to actually stop, raise our heads, and have a look around.

So, tl;dr; session-cookies are not session anymore, they're permanent. Amazing.
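The defender-side consequence of this thread (Charlie's point that "session" cookies are no longer session-scoped, and Jim's earlier note that the Chrome setting which discards them also discards legitimate persistent cookies) is that a web application must not rely on the browser to end a session. The following is an added example, not code from the thread, from Chrome or from any framework mentioned here: a small server-side session store that enforces an idle timeout and an absolute lifetime itself, so a cookie restored by "Continue where I left off" twenty minutes later is refused regardless of what the browser kept. The timeout values and the timestamps are constructed for illustration.

```python
"""Server-side session expiry that does not depend on the browser discarding
"session" cookies (added example; not code from the thread or from Chrome).

A cookie with no Max-Age/Expires is a "session" cookie only from the browser's
point of view. If the browser restores it on restart, the server must still be
able to refuse it, so the authoritative lifetime lives in this store."""

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for illustration; choose yours per risk profile.
IDLE_TIMEOUT = 15 * 60           # seconds allowed between two requests
ABSOLUTE_LIFETIME = 8 * 60 * 60  # seconds allowed since login, however active


@dataclass
class Session:
    user: str
    created: float    # login time (epoch seconds)
    last_seen: float  # time of the last accepted request


class SessionStore:
    """In-memory store keyed by a hash of the cookie value, so a dump of the
    store does not yield usable cookies."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_lifetime: float = ABSOLUTE_LIFETIME) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user: str, now: Optional[float] = None) -> str:
        """Start a session after a successful login; returns the cookie value."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(sid)] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the Session for a presented cookie, or None if it is unknown
        or expired. Expired entries are dropped so they cannot be revived."""
        now = time.time() if now is None else now
        key = self._key(sid)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        idle_for = now - sess.last_seen
        age = now - sess.created
        if idle_for > self.idle_timeout or age > self.absolute_lifetime:
            del self._sessions[key]
            return None
        sess.last_seen = now  # sliding idle window
        return sess

    def logout(self, sid: str) -> None:
        """Explicit logout invalidates server-side, not just the cookie."""
        self._sessions.pop(self._key(sid), None)


def session_cookie_header(sid: str, name: str = "sid") -> str:
    """Set-Cookie value for a browser-session cookie. No Max-Age/Expires is set
    on purpose; with session restore that is no guarantee of removal, which is
    exactly why the store above enforces expiry on its own."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def restore_scenario() -> Dict[str, bool]:
    """Replay the situation from the thread: log in, use the site, close the
    browser, reopen it 20 minutes later with the cookie restored."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed timestamp
    sid = store.create("alice", now=t0)
    first_request = store.validate(sid, now=t0 + 60) is not None
    # Browser closed; "Continue where I left off" brings the cookie back.
    after_restore = store.validate(sid, now=t0 + 60 + 20 * 60) is not None
    # Once rejected, the same cookie is gone even if presented again at once.
    retry = store.validate(sid, now=t0 + 60 + 20 * 60 + 1) is not None
    return {"first_request": first_request,
            "after_restore": after_restore,
            "retry": retry}


if __name__ == "__main__":
    print(restore_scenario())
```

The idle window slides with each accepted request, while the absolute lifetime caps even a continuously active session; both are checked on every request, and an explicit logout removes the server-side entry rather than merely asking the browser to drop the cookie.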