The cost of implementing HTTPS on your own site is a lot lower now than it used to be. For instance:

  • Let’s Encrypt offers free certificates for any site, and some web hosts have software integration that makes ordering, verifying and installing a certificate as simple as checking a box and clicking a button. (I’m impressed with DreamHost. I turned on secure hosting for some of my smaller sites a few months ago by just clicking a checkbox. It generated and installed the certs within minutes, and it’s been renewing them automatically ever since.)
  • Amazon now has a certificate manager you can use for CloudFront and other AWS services that’s free (as long as you don’t need static IP addresses, anyway) and only takes a few minutes to set up.
  • CloudFlare is offering universal HTTPS even on its free tier. You still need a cert to encrypt the connection between your site and CloudFlare to do it properly, but they offer their own free certs for that. They’ll also let you use a self-signed certificate on the back end if you want. (It’s still not perfect because it’s end-to-CloudFlare-to-end instead of end-to-end, but it’s better than plaintext.)

You may not need a unique IP address anymore. Server Name Indication (SNI) enables HTTPS to work with multiple sites on the same IP address, and support is finally widespread enough to use in most cases. (Unless you need to support IE6 on Windows XP, or really old Android devices.)

Now, if you want the certificate to validate your business/organization, or need compatibility with older systems, you may still want to buy a certificate from a commercial provider. (The free options above only validate whether you control the domain.) And depending on your host, or your chosen software stack if you’re running your own server, you may still have to go through the process of generating a request, buying the cert and going through the validation process, and installing the cert.

But if all you want to do is make sure that your data, and your users’ data, can’t be intercepted or altered in transit when connecting to reasonably modern (2010+) software and devices, it’s a lot less pain than it was even a year ago.

The hard part: Updating all your old links and embedded content. (This is why I’m still working on converting Speed Force and the rest of hyperborea.org in my spare time, though this blog is finally 100% HTTPS.)

And of course dealing with third-party sources. If you connect to someone else’s site, or to an appliance that you don’t control, you have to convince them to update. That can certainly be a challenge.

Expanded from a comment on Apple: iOS to Require HTTPS for Apps by January at Naked Security.

Sophos reports that Facebook is testing a feature to hide new posts from your timeline so they don’t feel so permanent. Of course they’re still searchable until you actually delete them, so they’re still permanent in that sense.

What’s odd: Facebook posts don’t feel permanent to begin with, even though they effectively stick around forever.

Thinking about it, two things make an internet post feel permanent to me:

  1. Can I count on it sticking around?
  2. Can I count on finding it again?

Facebook, despite a lot of improvements over the years, is a mess. The newsfeed algorithm means you can’t just keep scrolling back. The timeline view isn’t reliably complete. Search is kind of a crap shoot. Don’t get me started on trying to find a particular old post on Twitter!

And that’s dealing with sites I can expect to stay online over time. A post on a forum, or a comment on someone else’s blog, or any social network could easily vanish in someone’s server crash or business shutdown.

If I can’t count on being able to find what I post a few years down the line, it feels like it’s temporary, even if it isn’t.

This is one reason that my Flickr portfolio feels more permanent than my Instagram photos: I can find them without resorting to third-party apps. If I want to find a particular photo on Instagram, I have to page down through my profile until I find it. On Flickr, I can find a 10-year-old photo of a fountain in seconds by searching for “fountain” and expanding the “Your photos” section of the results.

Then again, running my own site is only reliable as long as I can afford it. If something happens to me, and I can’t pay for hosting anymore, what then? I figure I’d simplify things down to where I could get a basic, super-cheap hosting plan. Make the blogs read-only so they can be served statically from a shared server or S3 bucket, or move them to WordPress.com, or just be willing to let them crash under load. But what if I’m incapacitated and can’t convert it? Or just plain not there anymore? If I really want to keep my corner of the web up “permanently,” I’m going to have to make a plan ahead of time.

Otherwise my carefully preserved photos, articles, and extended musings will be toast…leaving behind as context only broken links and all my supposedly (but not really) ephemeral offhand remarks on Twitter and Facebook.

It’s weird to look back on all the posts I made agonizing about whether or not to buy a netbook.

It was never anything I would have used on a regular basis, and I knew that (which is why I never went through with buying one). It would have been something I used on trips, mainly conventions, and only to overcome the shortcomings of late 2000s smartphones.

Mainly: photos and typing.

Photo by VIA Gallery from Hsintien, Taiwan - HP 2133 Mini-Note PC (front view compare with pencil) uploaded by Kozuch, CC BY 2.0
Back then, I always carried another camera to get the “good” pictures, because phone cameras were still crappy. So if I wanted to post something online, I had to get it off the camera, onto a computer, and then upload it. Today’s smartphone cameras and apps are so much more capable that they mostly solve the photo issues.

It’s still painfully slow to type anything of length on a phone, but tablets have emerged since then and are a lot easier to type on. Hybrids like the Surface Pro and add-on keyboards make it even easier.

Touchscreens have solved the crappy trackpad problem netbooks had.

Faster phones and cell networks, and a more mobile-friendly web, have made a lot more things possible directly on the phone.

Netbooks, meanwhile, are pretty much forgotten, at least in the form they existed in at the time. Chromebooks are doing OK, at least in schools, but they aren’t quite the same thing. You’d think “netbook” would refer to something more like the network-dependent Chromebook, but it typically referred to the tiny form factor of a mini-laptop.

Looking back at the Tori Amos signing that I mentioned in the series’ first post: These days I probably would have taken the pictures directly on my phone and posted to Instagram within minutes. As for the blogging, I might have powered through on the phone and added the pictures directly, or I might have done so on the tablet and added the pictures that would already have synced from the phone over WiFi.

I wouldn’t carry a laptop of any size around the convention floor, that’s for sure. And I probably wouldn’t bring one on a short trip at all unless I was planning on working during the evenings.

I finally moved the public side of this blog over to HTTPS last weekend. Traditionally I’ve preferred to put public info on HTTP and save HTTPS for things that need it – passwords, payment info, login tokens, anything that should be kept private — but between the movement to protect more and more of the web from eavesdropping and the fact that tools are making it harder to split content between open and encrypted sides (the WordPress app sometimes gets confused when you run the admin over HTTPS but keep the public blog on HTTP), I decided it was time.

The last sticking point was putting HTTPS on my CDN, and I’d decided to try getting Let’s Encrypt and CloudFront working together over the weekend. Then Amazon announced their Certificate Manager for AWS, which took care of the hard part. All I had to do was request and approve the (domain-validated) certificate, then attach it. Done!

Downside: Because I opted for the SNI option on the CDN, rather than pay the premium to get unique IP addresses on every CloudFront endpoint, the images won’t work with older browsers like IE6. (Server Name Indication is a way to put more than one HTTPS site on the same IP address.)

On the other hand, the cert I have on the site itself is SHA2-signed (as it should be, now that SHA-1 is no longer sufficient), so it wouldn’t work with older browsers even if I turned off the CDN and kept the images on the server.

It’s the first time I’ve actually broken the ability of older browsers to see any of my personal sites. I’ve broken layouts, sure, but not completely cut them off. In general I’d rather not, but I think I’m OK with it this time because

  1. SHA1 really does have to go, SHA2 is well-established, and it’s not like I’m providing downloads of modern browsers or a critical communications forum for people who are stuck with ancient hardware/software because that’s all that’s available to them.
  2. SNI has been around for TEN YEARS.

And as it turns out, DreamHost’s ModSecurity rules block IE6 to begin with, so the whole site’s already broken in that browser.

So I guess next time I redesign I can finally drop any IE6 workarounds. :shrug:

I woke up to ten or so first-time comments* in the moderation queue at Speed Force this morning. As I started reading them I was briefly confused: they were well-written, specific comments about comic books… that had nothing to do with the posts they were attached to. Complaining about Bendis’ writing on an interview with Paul Ryan (the artist, not the politician). Gushing about an Ultra-Humanite figure on a review of a Flash comic. Tips on finding exclusive Aquaman figures on a Flash TV episode review.

Then I felt strangely nostalgic, because I hadn’t seen this sort of spam in a long time.

As near as I can tell, the spammer finds a related site, scrapes comments from it, and pastes them into the target site. To what end I’m not sure, because the comments all linked to Facebook profiles. Most comment spam seems to be about link generation to prop up a spamvertised site in search rankings. But sure enough, when I searched for phrases from the spammy comments, I found the originals on a Daredevil fan blog, an action figure site, an artist’s blog, and so on.

I’ve got to give the spammer a little credit for two things:

  1. Finding actual comics-related blogs to scrape comments from.
  2. Inserting typos to make it harder to match. Though Google’s pretty good at fixing those.

In the end, though…

*plonk!*

*I have WordPress set up so that first-time commenters always go through moderation, while returning commenters are allowed through unless they trip a filter.

The thing that takes me longest to set up on a new phone is the notification settings. It’s configured in each app individually, and it seems like everyone wants to get your attention.

Too many notifications end up one of two ways: tuned out so you don’t notice the important ones, or so much of a distraction that you can’t focus on anything. There are studies showing how long it takes to get your train of thought back after interruptions.

I pare audio alerts down to calls, text messages, and work-related IMs. Then I set custom alert tones for each and for specific phone numbers, so I know instantly which it is. (Assuming of course I remembered to turn on the sound, and it’s not drowned out by ambient noise.) Unfortunately every new phone or OS comes with a different set of alert tones, so it’s a pain to either transfer over the old tones or get used to the new ones.

I have silent email alerts. Social media, but only some sites and only replies or mentions that I might be expected to react to. (Not Facebook, though.) Sure, I want to know if someone’s commented on one of my photos or posts, but I don’t need it to break my concentration. I don’t need an alert for every new post on some site, or every new follower, or some auto-generated roundup.

And it takes me forever to find all those settings, turn off everything else, and change the audio for what’s left. Sometimes it’s several days before something pipes up the first time. I suspect I’m not done yet.

As much as we make all these things interactive, they’re still asynchronous. Except for calls and active chat conversations, I’m better off checking in on email or Twitter or Facebook on my own schedule, not when I’m in the middle of something else.

I can distract myself just fine. I don’t need my phone to do it for me.

It shouldn’t make any difference that Twitter renamed Favorites★ as Likes♥. It’s a coat of paint. But labels do matter. Just like “friend” and “follower”, “like” and “favorite” (and hearts and stars) conjure up different expectations.

Twitter says, “You might like a lot of things, but not everything can be your favorite.” Paradoxically, I find “likes” to be more specific. The star-and-favorite model comes out of Internet Explorer*, and modern browsers still use stars for bookmarks. This made “favorite” seem a little more versatile, anything from a stamp of approval to a simple check-back-for-later.

“Like,” on the other hand….

After years of requests for a “dislike” button, Facebook finally admitted that “like” isn’t sufficient to respond to everything, and will be expanding to multiple reaction buttons. I know Twitter keeps trying to be more like Facebook, but c’mon — even Facebook knows people don’t want to “like” sad news.

*Microsoft didn’t want to call their bookmarks “bookmarks.” Nobody wanted to use the same terminology as anyone else back then. They tried to call links “shortcuts” too.