I finally moved the public side of this blog over to HTTPS last weekend. Traditionally I’ve preferred to put public info on HTTP and save HTTPS for things that need it – passwords, payment info, login tokens, anything that should be kept private — but between the movement to protect more and more of the web from eavesdropping and the fact that tools are making it harder to split content between open and encrypted sides (the WordPress app sometimes gets confused when you run the admin over HTTPS but keep the public blog on HTTP), I decided it was time.

The last sticking point was putting HTTPS on my CDN, and I’d decided to try getting Let’s Encrypt and CloudFront working together over the weekend. Then Amazon announced their Certificate Manager for AWS, which took care of the hard part. All I had to do was request and approve the (domain-validated) certificate, then attach it. Done!

Downside: Because I opted for the SNI option on the CDN, rather than pay the premium to get unique IP addresses on every CloudFront endpoint, the images won’t work with older browsers like IE6. (Server Name Indication is a way to put more than one HTTPS site on the same IP address.)

On the other hand, the cert I have on the site itself is SHA2-signed (as it should be, now that SHA-1 is no longer sufficient), so it wouldn’t work with older browsers even if I turned off the CDN and kept the images on the server.

It’s the first time I’ve actually broken the ability of older browsers to see any of my personal sites. I’ve broken layouts, sure, but not completely cut them off. In general I’d rather not, but I think I’m OK with it this time because

  1. SHA1 really does have to go, SHA2 is well-established, and it’s not like I’m providing downloads of modern browsers or a critical communications forum for people who are stuck with ancient hardware/software because that’s all that’s available to them.
  2. SNI has been around for TEN YEARS.

And as it turns out, DreamHost’s ModSecurity rules block IE6 to begin with, so the whole site’s already broken in that browser.

So I guess next time I redesign I can finally drop any IE6 workarounds. :shrug:

Microsoft has jumped on the ditch-IE6 bandwagon with IE6Countdown.com, following in the footsteps of such campaigns as Browse Happy, End 6, and Save the Developers.

Of course, since it’s a Microsoft-sponsored campaign, it’s only promoting upgrades, rather than promoting an upgrade-or-switch message.

Static HTML points out why you might want to put your effort into some other campaign instead. Because IE6 Countdown is only an upgrade campaign, and IE6 users are all on Windows XP or below (Vista ships with IE7), they can only ever upgrade as far as IE8. Given the huge gap between IE8 and IE9 in terms of standards support, HTML5, CSS3, and so forth, IE8 will soon become the new millstone around the web’s neck.

So instead of plugging IE, consider plugging your own favorite browser, be it Firefox, Chrome or Opera. Or perhaps plug another switch campaign. After all, there are quite a few alternative web browsers out there!

IE7On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. Continue reading

Internet Explorer.Microsoft’s Internet Explorer Team reports on a new IE installer release. They’ve changed a couple of defaults, updated their tutorials… and dropped the requirement for Windows Genuine Advantage validation:

Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we’re updating the IE7 installation experience to make it available as broadly as possible to all Windows users. With today’s “Installation and Availability Update,” Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users.

As much as I prefer alternatives like Firefox and Opera, I’ve been frustrated at the relatively slow uptake of IE7. It’s just insane that 6 years after its release, we’re still stuck designing for IE6 as the world’s most-used browser.

So who’s still running IE6?

  1. People running older versions of Windows that can’t run IE7, and who haven’t switched to something else. (This is a pretty small percentage, judging by OS stats.)
  2. People who don’t know how to upgrade to IE7, or why they should.
  3. People who actually want to stay with IE6 (whether for technical reasons or just stubbornness)
  4. People who would be happy to upgrade to IE7, except they can’t/won’t run WGA (on principle, or because it’s broken on their system, or because their OS is pirated).

I don’t know how big each group is, but Microsoft seems to think it’s worth going after #4.

It’ll be interesting to see whether there’s a jump in IE7’s marketshare relative to IE6. Maybe we’ll reach that next milestone sooner than I expected.