The cost of implementing HTTPS on your own site is a lot lower now than it used to be. For instance:

  • Let’s Encrypt offers free certificates for any site, and some web hosts have software integration that makes ordering, verifying and installing a certificate as simple as checking a box and clicking a button. (I’m impressed with DreamHost. I turned on secure hosting for some of my smaller sites a few months ago by just clicking a checkbox. It generated and installed the certs within minutes, and it’s been renewing them automatically ever since.)
  • Amazon now has a certificate manager you can use for CloudFront and other AWS services that’s free (as long as you don’t need static IP addresses, anyway) and only takes a few minutes to set up.
  • CloudFlare is offering universal HTTPS even on its free tier. You still need a cert to encrypt the connection between your site and CloudFlare to do it properly, but they offer their own free certs for that. They’ll also let you use a self-signed certificate on the back end if you want. (It’s still not perfect because it’s end-to-CloudFlare-to-end instead of end-to-end, but it’s better than plaintext.)

You may not need a unique IP address anymore. Server Name Indication (SNI) enables HTTPS to work with multiple sites on the same IP address, and support is finally widespread enough to use in most cases. (Unless you need to support IE6 on Windows XP, or really old Android devices.)

Now, if you want the certificate to validate your business/organization, or need compatibility with older systems, you may still want to buy a certificate from a commercial provider. (The free options above only validate whether you control the domain.) And depending on your host, or your chosen software stack if you’re running your own server, you may still have to go through the process of generating a request, buying the cert and going through the validation process, and installing the cert.

But if all you want to do is make sure that your data, and your users’ data, can’t be intercepted or altered in transit when connecting to reasonably modern (2010+) software and devices, it’s a lot less pain than it was even a year ago.

The hard part: Updating all your old links and embedded content. (This is why I’m still working on converting Speed Force and the rest of hyperborea.org in my spare time, though this blog is finally 100% HTTPS.)

And of course dealing with third-party sources. If you connect to someone else’s site, or to an appliance that you don’t control, you have to convince them to update. That can certainly be a challenge.
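As an added example (not part of the original post), here is one way to find the old links and embedded content that still point at `http://`. The sample HTML, the host names and the `scan` helper are constructed for illustration; the scan separates embedded content, which browsers treat as mixed content on an HTTPS page, from ordinary links, and marks which references belong to third-party hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute loads a subresource into the page itself.
EMBEDS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
          "video": "src", "source": "src", "embed": "src", "object": "data"}

class InsecureRefs(HTMLParser):
    """Collect http:// references, split into embedded content and plain links."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.embedded, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in EMBEDS:
            self._check(a.get(EMBEDS[tag]), self.embedded)
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._check(a.get("href"), self.embedded)
        elif tag == "a":
            self._check(a.get("href"), self.links)

    def _check(self, url, bucket):
        # Relative and protocol-relative URLs inherit the page scheme, so skip them.
        parts = urlsplit((url or "").strip())
        if parts.scheme == "http":
            owner = "own" if parts.hostname == self.own_host else "third-party"
            bucket.append((parts.geturl(), owner))

def scan(html, own_host):
    """Return (embedded, links): lists of (url, 'own' | 'third-party')."""
    parser = InsecureRefs(own_host)
    parser.feed(html)
    parser.close()
    return parser.embedded, parser.links

# Constructed sample page; blog.example and cdn.example.net are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://blog.example/style.css">
<img src="http://cdn.example.net/photo.jpg">
<script src="https://blog.example/app.js"></script>
<a href="http://blog.example/2008/old-post/">old post</a>
<a href="/about/">about</a>
"""

if __name__ == "__main__":
    embedded, links = scan(SAMPLE, "blog.example")
    for url, owner in embedded:
        print("embedded", owner, url)
    for url, owner in links:
        print("link    ", owner, url)
```

Entries marked `own` can be fixed in your own templates and database; entries marked `third-party` depend on the other host offering HTTPS.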

Expanded from a comment on Apple: iOS to Require HTTPS for Apps by January at Naked Security.

Facebook is testing a feature to hide new posts from your timeline so they don’t feel so permanent. Of course they’re still searchable until you actually delete them, so they’re still permanent in that sense.

What’s odd: Facebook posts don’t feel permanent to begin with, even though they effectively stick around forever.

Thinking about it, two things make an internet post feel permanent to me:

  1. Can I count on it sticking around?
  2. Can I count on finding it again?

Facebook, despite a lot of improvements over the years, is a mess. The newsfeed algorithm means you can’t just keep scrolling back. The timeline view isn’t reliably complete. Search is kind of a crap shoot. Don’t get me started on trying to find a particular old post on Twitter!

And that’s dealing with sites I can expect to stay online over time. A post on a forum, or a comment on someone else’s blog, or any social network could easily vanish in someone’s server crash or business shutdown.

If I can’t count on being able to find what I post a few years down the line, it feels like it’s temporary, even if it isn’t.

This is one reason that my Flickr portfolio feels more permanent than my Instagram photos: I can find them without resorting to third-party apps. If I want to find a particular photo on Instagram, I have to page down through my profile until I find it. On Flickr, I can find a 10-year-old photo of a fountain in seconds by searching for “fountain” and expanding the “Your photos” section of the results.

Then again, running my own site is only reliable as long as I can afford it. If something happens to me, and I can’t pay for hosting anymore, what then? I figure I’d simplify things down to where I could get a basic, super-cheap hosting plan. Make the blogs read-only so they can be served statically from a shared server or S3 bucket, or move them to WordPress.com, or just be willing to let them crash under load. But what if I’m incapacitated and can’t convert it? Or just plain not there anymore? If I really want to keep my corner of the web up “permanently,” I’m going to have to make a plan ahead of time.

Otherwise my carefully preserved photos, articles, and extended musings will be toast…leaving behind as context only broken links and all my supposedly (but not really) ephemeral offhand remarks on Twitter and Facebook.

After switching one of my self-hosted WordPress blogs to all-HTTPS, I ran into an odd problem: Jetpack Related comments stopped working after a while.

After going back and forth with Jetpack support and my web host, it turned out the problem was with the SSL configuration on my site. Jetpack has to download a copy of your posts in order to calculate recommendations, and it uses libcurl to do that. Curl has stopped supporting the RC4 cipher in SSL connections because weaknesses have been found in it…and that’s what my server was using! (Ack!) I assume it was an old compatibility setting that never got updated.

Jetpack needed to reindex the site, but couldn’t retrieve anything, so it got stuck on “Indexing request queued and waiting…” Disconnecting and reconnecting didn’t work. Jetpack thought it was connected, so it didn’t report an error. (I assume it uses a different library for some things.) Pages were loading the script and the placeholder, but didn’t have suggestions to put there. And of course it wasn’t done indexing, so it didn’t offer a reindex button on the debug page.

What to do:

SSL ciphers are a server configuration setting, not a problem with your SSL certificate, so you don’t need to revoke and reissue the cert. If your hosting provider manages your server, you can ask them to disable RC4. If you run your own server, you’ll need to look up how to disable RC4 on IIS, Apache, Nginx, etc. You can verify your site’s settings at Qualys’ SSL Server Test: Look for RC4 in the results and see if it’s labeled Yes or No.
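If you run your own server, a static check of the config can tell you whether RC4 is still allowed before you test the live site. The following is an added example, not code from Jetpack, curl or the original post: it reads Apache `SSLCipherSuite` and Nginx `ssl_ciphers` lines and classifies each one. The sample config is constructed, and treating `ALL`, `DEFAULT` and `MEDIUM` as possibly including RC4 is an assumption that holds for older OpenSSL builds.

```python
import re

# Assumption: on older OpenSSL builds these aliases expand to sets that include RC4.
BROAD_ALIASES = {"ALL", "DEFAULT", "MEDIUM"}
DIRECTIVE = re.compile(r"^\s*(SSLCipherSuite|ssl_ciphers)\s+(.+?);?\s*$", re.I)

def rc4_status(cipher_string):
    """Classify an OpenSSL cipher string as 'enabled', 'possible' or 'disabled'."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip("\"' ")) if t]
    # "!RC4" removes RC4 permanently: nothing else in the string can re-add it.
    if any(t.upper() == "!RC4" for t in tokens):
        return "disabled"
    state = "disabled"
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        name = name.upper()
        if op == "" and "RC4" in name:          # RC4, RC4-SHA, RC4+RSA, ...
            state = "enabled"
        elif op == "" and name in BROAD_ALIASES and state != "enabled":
            state = "possible"                  # depends on the OpenSSL build
        elif op == "-" and name == "RC4":       # removed, but a later token may re-add
            state = "disabled"
        # "+NAME" only reorders suites that are already selected, so it is ignored.
    return state

def audit(config_text):
    """Return (line_number, directive, status) for every cipher directive found."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line.split("#", 1)[0])   # drop trailing comments
        if match:
            findings.append((number, match.group(1), rc4_status(match.group(2))))
    return findings

# Constructed sample mixing Apache and Nginx directives; not from a real server.
SAMPLE = """\
# constructed sample
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers "DEFAULT:!aNULL";
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4
"""

if __name__ == "__main__":
    for number, directive, status in audit(SAMPLE):
        print(f"line {number}: {directive}: RC4 {status}")
```

A line reported as `possible` is worth tightening with an explicit `!RC4`, since the result then no longer depends on which OpenSSL version the server is linked against.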

If Jetpack doesn’t start indexing after you change your config, try turning off the Related Posts module and turning it back on. It only took a few minutes before recommendations started appearing on the site again.

There is one downside, which is that some older browsers (specifically Internet Explorer on Windows XP) may not be able to connect. As always, it’s a trade-off.

Before the quick-status type social networks like Twitter and Facebook took off, it seemed like everyone was starting a blog. And every company seemed to want to get in on it: it wasn’t enough to have a forum, you had to have your own community, including — you guessed it — a blog.

Things change, of course. People move on to new interests. Businesses fold and are replaced with others. Online social activity has largely gravitated toward a small number of hubs. Hubs like Facebook, Twitter, Tumblr, Pinterest, Instagram. Old blogs are left unmaintained, and die. And those island communities like My Opera, or the Newsarama forums, or Comic Bloc, have also dried up, activity moving to the hot spots. Why go to the trouble of building your own social network when you can create a page on Facebook and be part of that one for free? That’s where your users/customers/fans are anyway!

So those special-purpose sites are going away too.

In addition to K-Squared Ramblings, I had a blog on LiveJournal (still there, but I haven’t updated it in years), and a blog on WordPress.com (also still there, but I changed its focus). I also had blogs at Spread Firefox, My Opera, and ComicSpace. I wrote for Opera Watch. I could swear I had something hosted by Flock even though I hardly ever used it.

I’ve been slowly migrating a lot of that material from those blogs to this one.

  • I had two convention reports on LiveJournal, and a zillion of them here. I copied over the two posts and cross-linked them.
  • After SpreadFirefox and Opera Watch shut down, I pulled what I could from archive.org and posted the more useful/interesting bits here.
  • When I finally figured out I wanted to make Parallel Lines a photo blog, I went through the earliest posts and brought over one or two posts that were worth keeping.

The latest is My Opera shutting down. It was announced back in October, which gives you an idea of how often I go there these days. Fortunately, they announced the closure early and provided tools to download your blog posts (with comments) and files.

Looking through 27 posts, a lot more of them than I thought turned out to be cross-posts or otherwise duplicate content. I found just seven with unique content that might be worth importing (one of those was only unique because my corresponding Spread Firefox post was already gone!), either for current or historical interest, and three duplicates with their own comment threads that might be worth merging. I particularly wanted to save On Broken HTML, and was amused to find this rant against combined stop and reload buttons, a fight that’s been completely lost.

Some content has gone the other way, though: After I launched Speed Force back in 2008, I started putting most of my comics-related thoughts there, or cross-posting them. And just last year, I started my Re-reading Les Misérables project in the pages of this blog, before breaking it off as its own subsite. The difference is that those are both self-hosted sites under my control. As long as I have access to web hosting and domain registration, and as long as I have backups, I’m set.

You’ve probably heard about Instagram’s new terms of service, which claim the right to sell your photos. [Update: Instagram has posted a “that’s not what we meant!” statement and promised to revise that section.]

To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you.

Monetization is one thing, but selling my creative output, using it or my likeness for advertising, without my permission? That’s stepping over the line. Add this to the recent decision to hide image previews from Twitter, and a pattern emerges of a service that was once open and free starting to close ranks.

I’m not personally worried about Instagram in particular. I’ve only really dabbled in it over the last few months, treating it most of the time as a first draft for Flickr. I have maybe 50 photos and a handful of followers, and most of the people I follow there are also on other networks. If Instagram doesn’t back down or clarify the language [Update: they did], I can easily repost the photos I want to keep online and go somewhere else.

I am worried about the trend it highlights: You can’t always rely on social media.

And I am worried about the fact that these changes were announced after the Facebook acquisition went through, and after Facebook revised their terms so that they no longer have to put new terms of service to a vote. I’ve got a lot more invested in Facebook than I have in Instagram.

Where Have All The Photos Gone?

I used to blog about web browsers at Spread Firefox and Opera Watch. Both sites are long gone. Countless articles I’ve linked to have vanished as publishers restructured or went out of business.

I’ve got an extensive LiveJournal from a few years back. It’s still there, but when I let my paid account lapse, I started moving over some of the less personal, more tech- and entertainment-focused posts (like convention reports) to this site, just in case a BOFH deletes it, or they change their terms of service to something unacceptable.

The question “Who owns your data?” has been repeated so often over the years that I can’t look up the post I’m thinking about, which advocated open file formats over proprietary ones (like Microsoft Office) on the basis that you should always be able to find a reader for a text document, but if you lose access to Word, or if Microsoft decides to drop support for an older format, you’re at their mercy.

The problem with social networks as services is that, like with those proprietary file types, you’re at their mercy. Want to search for a three-year-old Tweet? Tough. Facebook changed their privacy settings again? Oops. Twitter decides they don’t want apps like yours to exist, so they close off part of their API? Bye! The site you posted all your photos to decides to close up shop? *Poof!* There go your photos.

So What’s the Alternative?

When it comes down to it, the only way to be sure you aren’t going to be exploited or abandoned is to do it yourself.

Blogging is basically the same as social networking, except distributed:

  • People publish written posts, photos, videos, and more.
  • Other people comment on them.
  • You can “share” a post by linking to it, and pingbacks/trackbacks will let them know you’ve done so.
  • You can subscribe to someone’s updates through RSS, and services like RSSCloud and PubSubHubbub can make updates appear quickly.
  • Services like OpenID make it possible to authenticate visitors, which means you can start locking down who gets to see what.

The upside is that you, not Facebook or Google or Twitter, have full control of your content. The downside is that you have to exercise that control. You have to maintain the infrastructure, you have to guard against attackers, you have to filter out spam, you have to do your own backups, and you have to know at least something about the system under the hood.

We keep going to social networks because they’re so damn convenient. They take care of all that, and make your stuff easier for people to discover as a bonus.

But when you leave the network — or when it leaves you — what happens to all your photos, status updates, rants, raves, and commentary?

Who owns your profile?