I finally moved the public side of this blog over to HTTPS last weekend. Traditionally I’ve preferred to put public info on HTTP and save HTTPS for things that need it – passwords, payment info, login tokens, anything that should be kept private – but between the movement to protect more and more of the web from eavesdropping and the fact that tools are making it harder to split content between open and encrypted sides (the WordPress app sometimes gets confused when you run the admin over HTTPS but keep the public blog on HTTP), I decided it was time.

The last sticking point was putting HTTPS on my CDN, and I’d decided to try getting Let’s Encrypt and CloudFront working together over the weekend. Then Amazon announced their Certificate Manager for AWS, which took care of the hard part. All I had to do was request and approve the (domain-validated) certificate, then attach it. Done!

Downside: Because I opted for the SNI option on the CDN, rather than pay the premium to get unique IP addresses on every CloudFront endpoint, the images won’t work with older browsers like IE6. (Server Name Indication is a way to put more than one HTTPS site on the same IP address.)

On the other hand, the cert I have on the site itself is SHA-2-signed (as it should be, now that SHA-1 is no longer sufficient), so it wouldn’t work with older browsers even if I turned off the CDN and kept the images on the server.

It’s the first time I’ve actually broken the ability of older browsers to see any of my personal sites. I’ve broken layouts, sure, but not completely cut them off. In general I’d rather not, but I think I’m OK with it this time because:

  1. SHA-1 really does have to go, SHA-2 is well-established, and it’s not like I’m providing downloads of modern browsers or a critical communications forum for people who are stuck with ancient hardware/software because that’s all that’s available to them.
  2. SNI has been around for TEN YEARS.

And as it turns out, DreamHost’s ModSecurity rules block IE6 to begin with, so the whole site’s already broken in that browser.

So I guess next time I redesign I can finally drop any IE6 workarounds. :shrug:

Nestle Crunch Thin Mint (Now with Peanuts!)

I was at the store the other day and noticed that they had a limited edition Thin Mints-flavored Nestle Crunch, based on the classic Girl Scout cookie. I had to pick it up. But when I looked at the ingredients, I was in for a surprise:

Ground peanuts.

Why they put ground peanuts in the Crunch/Thin Mints mashup, I couldn’t say, because peanuts aren’t in either Nestle Crunch or Thin Mints. (Not on purpose, anyway, though they do list a cross-contact warning.) And nothing in the packaging except for the ingredients and allergy statement makes any mention of it. The candy bar isn’t labeled as Crunch + Thin Mints + Peanutty Goodness, it’s just labeled as Crunch + Thin Mints.

This is why clear labeling is important: I would never have expected to find peanuts in a combination of two things that don’t have peanuts in them.

Billboard pair: Legs have feelings too.

It’s not quite as good as the Microsoft Surface billboards I saw a few years back, but it’s the first pair since then to prompt me to share a photo. The two signs are usually rented out together, but advertisers typically just pick two boards from a campaign. I appreciate the effort to design a pair of signs that only really make sense together.

Even if it does seem to suggest that you’ll be dismembered in order to fit better on the airplane.