Tag Archives: Web

HTTPS is a lot easier than it used to be.

The cost of implementing HTTPS on your own site is a lot lower now than it used to be. For instance:

  • Let’s Encrypt offers free certificates for any site, and some web hosts have software integration that makes ordering, verifying and installing a certificate as simple as checking a box and clicking a button. (I’m impressed with DreamHost. I turned on secure hosting for some of my smaller sites a few months ago by just clicking a checkbox. It generated and installed the certs within minutes, and it’s been renewing them automatically ever since.)
  • Amazon now has a certificate manager you can use for CloudFront and other AWS services that’s free (as long as you don’t need static IP addresses, anyway) and only takes a few minutes to set up.
  • CloudFlare is offering universal HTTPS even on its free tier. You still need a cert to encrypt the connection between your site and CloudFlare to do it properly, but they offer their own free certs for that. They’ll also let you use a self-signed certificate on the back end if you want. (It’s still not perfect because it’s end-to-Cloudfront-to-End instead of end-to-end, but it’s better than plaintext.)

You may not need a unique IP address anymore. Server Name Indication (SNI) enables HTTPS to work with multiple sites on the same IP address, and support is finally widespread enough to use in most cases. (Unless you need to support IE6 on Windows XP, or really old Android devices.)

Now, if you want the certificate to validate your business/organization, or need compatibility with older systems, you may still want to buy a certificate from a commercial provider. (The free options above only validate whether you control the domain.) And depending on your host, or your chosen software stack if you’re running your own server, you may still have to go through the process of generating a request, buying the cert and going through the validation process, and installing the cert.

But if all you want to do is make sure that your data, and your users’ data, can’t be intercepted or altered in transit when connecting to reasonably modern (2010+) software and devices, it’s a lot less pain than it was even a year ago.

The hard part: Updating all your old links and embedded content. (This is why I’m still working on converting Speed Force and the rest of hyperborea.org in my spare time, though this blog is finally 100% HTTPS.)

And of course dealing with third-party sources. If you connect to someone else’s site, or to an appliance that you don’t control, you have to convince them to update. That can certainly be a challenge.
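The cleanup described above can be partly automated. The following is an added example, not code from the original post: it scans a page's HTML for `http://` references and separates embedded resources (which become mixed content on an HTTPS page) from plain links, and your own hosts from third-party ones. The function name, the sample page and the `example.*` hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that pull a resource into the page itself.
EMBED = {("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
         ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data")}

class InsecureRefFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (kind, owner, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        for name, value in attrs.items():
            if (tag, name) in EMBED or (tag == "link" and name == "href"
                                        and {"stylesheet", "icon"} & rel):
                kind = "embedded"   # loaded over plain HTTP inside an HTTPS page
            elif (tag, name) in {("a", "href"), ("link", "href")}:
                kind = "link"       # navigation or metadata, still worth updating
            else:
                continue
            try:
                url = urlsplit((value or "").strip())
            except ValueError:
                continue            # malformed URL, nothing to classify
            if url.scheme != "http":
                continue            # https://, relative and scheme-relative are fine
            host = (url.hostname or "").lower()
            owner = "own" if host in self.own_hosts else "third-party"
            self.findings.append((kind, owner, tag, value.strip()))

def find_insecure_refs(html, own_hosts):
    finder = InsecureRefFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the example.* hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://www.example.org/style.css">
<link rel="canonical" href="http://www.example.org/post/">
<img src="http://www.example.org/uploads/photo.jpg">
<script src="http://widgets.example.net/badge.js"></script>
<img src="https://www.example.org/ok.png"> <img src="/relative.png">
<a href="http://www.example.org/old-post/">old post</a>
<a href="http://other.example.com/">elsewhere</a>
"""
```

Entries marked `embedded` and `own` can be fixed by editing your own content; `embedded` and `third-party` entries depend on the other site offering HTTPS.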

Expanded from a comment on Apple: iOS to Require HTTPS for Apps by January at Naked Security.

Moved to a faster server, ALMOST moved to NginX

As of last week, this site is being served to you by a shiny new SSD-backed VPS at DreamHost. I was hoping it would be running NginX as well, but try as I might, I couldn’t get WordPress in a subdirectory to play nice with NginX. Speed Force worked fine, but it’s at the top level of a site. Ramblings and Re-Reading Les Misérables aren’t.

Fortunately, the new virtual servers are faster and cheaper (newer hardware, after all), and with the rest of my sites running NginX I end up with about the same overall memory footprint for two VPSes so that I could put this back on Apache. I suppose that saved me time converting the zillions of .htaccess rules I’ve amassed over the years. And with the faster systems, they’re able to handle more complex/simultaneous actions without timing out or spiking memory.

Losing Opera to WebKit

It still feels like an April Fool’s joke, but Opera is in fact switching to WebKit and discontinuing their own engine, Presto.

I can sort of understand. They can stop worrying about the long-running headaches of browser-sniffing websites that assume Opera can’t do things that it can. They can focus their efforts on the features they want to add or enhance, instead of maintaining their own separate codebase.

But here’s the thing: Throughout its history, Opera has served as a check against monoculture, against a single engine dominating the web too thoroughly. And now, it’s embracing the engine that dominates the fast-growing mobile web.

Remember the bad old days when people just wrote for Internet Explorer, and there was basically no innovation in web browser capabilities? It took Firefox’s success to turn the tide, but Opera was there, needling the industry with things like the “Bork edition” which turned the tables on browser-sniffing websites. Opera was a constant reminder that no, the web isn’t just Internet Explorer and Firefox, or just Internet Explorer and WebKit, or just two flavors of WebKit. That it was worth building technologies to leverage cross-browser web standards instead of picking the current 800-pound gorilla and feeding it even more.

There’s a real value in having different engines approaching the web in different ways, because it prevents stagnation. And there’s real value in having different engines use different code, even when implementing the same capabilities, because that means when a security flaw is found in one browser, it doesn’t apply to all of them. I go into this in a lot more detail in the old, but IMO still relevant article, Why do we need alternative web browsers?

The problem, of course, is that as much as I appreciate that role for Opera, it’s never really been their goal. Opera’s purpose is to sell web browser-related services. In the past, an open web was necessary to do that. Now, they’re throwing in their lot with the front-runner instead.

That leaves Mozilla, whose mission actually is to promote an open web, to go it alone. Apple and Microsoft certainly don’t care. And Google only really cares to the extent that their services are available as widely as possible. And when you get onto mobile, all three prioritize getting you into their particular silo.

WebKit browsers are a dime a dozen. The only ones that really matter are Chrome and Safari, and Safari is a lot more important on iOS. Opera will soon be just like Dolphin, Rockmelt and others that I have to rack my brains to remember. Maybe it’ll be enough for the company to survive, but it won’t be enough to keep them relevant.

Farewell, Xmarks Bookmark Sync!

It’s not a huge surprise, with all the major web browsers adding their own bookmark sync services, but Xmarks (formerly Foxmarks) is shutting down in January.

I figure I’ll just use Firefox Sync, Chrome sync, Opera Link, etc. to share bookmarks between the desktop and laptop, but what I really liked Xmarks for was its ability to sync different browsers together. I’m always switching between Chrome, Firefox, Opera and Safari (and occasionally IE when I’m on a Windows box) and it’s nice to have them all on the same set of bookmarks.

I guess it’s back to periodically exporting from my main browser and importing in the secondary ones, unless I find a tool or find the time to read up on the bookmarks formats and write one.

Update: Xmarks lives!

Android Browser Using Extra Space? Check Gears!

I finally found out what’s been taking up so much space on the Android web browser on my G1: Gears!

Whenever the low-on-space warning* icon shows up on the phone, I open up the list of applications. Then I sort it by size, look for the largest apps that I don’t use anymore, and start uninstalling.

“Browser” is always high on the list, but it’s all data. While I could free up the space by telling it to clear everything, I want to hang onto things like bookmarks. Each time the icon popped up, I’d go back to the app, open up More and then Settings, and clear the cache, or the history, or cookies**, one category at a time.

Then I’d go back to the App list and it would still be using up several megabytes of space.

Yesterday, it occurred to me to check the Gears settings. Months ago, I’d set up two WordPress blogs with Turbo mode, which uses Gears as a permanent cache for the admin area. It’s great on a desktop or laptop with lots of local space and a slow or flaky Internet connection. But it wasn’t helping me much, because…

  • WordPress Turbo Mode is only really useful if you use the rich-text editor, which I don’t.
  • On the phone, I rarely manage either blog through the browser anyway. I usually use WordPress for Android (formerly wpToGo).
  • The files it stores take up a whole megabyte — per blog! (possibly more, depending on how the file system stores them.)

So I removed both sites from Gears, along with a couple of other sites that I’d added, but didn’t need anymore, and freed up about 3 MB.

It should be a while before I see that low-space icon again, and I shouldn’t have to ration my installed apps quite so closely!

*This wouldn’t be a problem if they’d given the G1 enough memory for apps in the first place, or if they’d let us install apps to the SD card (where I still have gigabytes of free space), or if I were willing to root my phone, or if I’d just bite the bullet and buy a Nexus One.

**I’d really like to be able to selectively delete cookies — or rather, to selectively keep a few cookies and delete the rest — but that’s another issue.