Broken Browsers Part Two

May 28, 2009 on 3:51 pm | In Musings, Promotions, Rants by Josh Jones | 51 Comments

A couple of weeks ago I posted Broken Browsers Part One, which I can only pray gave you ample preparation for today’s post, Broken Browsers Part Two!

The truth is, not that much is broken in browsers these days. They’ve been around 15 some years now, so it’s not the biggest surprise all the major flaws to be resolved by now.

In fact, I’d say the reason these two broken behaviors of modern web browsers still exist is because most still (and as I’ll try to convince you, erroneously) consider them features!

The browser should just listen to the caching info sent by the server!

Agreed… WHEN REQUESTING CONTENT FROM THE SERVER!

The fact is, pressing back or forward shouldn’t even request content from the server at all!

As one commenter brought up last week, whatever happened to “offline mode” in web browsers? Because that’s what back/forward should still be… instant “offline mode”!

Anyway, on to the second (and final) part of this browser brokenness brouhaha.

SSL Secure Certificates!

Way back in the day, a secure certificate for your website meant two things:

Your data was encrypted between the browser and the server.

The domain you were connecting to was owned by some kind of “legitimate” entity.

And way back in the day, in order for a trusted authority (trusted by the web browser developers) to sell you any secure certificate, they first actually did a little background checking (you had to fax them – in South Africa – some sort of proof of your organizational status b.s.).

Nowadays, buying a secure certificate is an entirely automated process: one that only requires you to have access to an email address @ the domain you’re buying the certificate for. All a secure certificate is telling you nowadays is that:

Your data was encrypted between the browser and the server.

The owner of the domain you are connecting to dished out $100 to some authority “trusted” by the browser!

Rewind

I’d like to now take a moment to step back and think about what benefits secure certificates provide to the end user.

They encrypt your data. Okay, although I’m not sure there’s ever been a reported case of a third party sniffing sensitive information on the Internet as it passed through their routers, I can at least see the theoretical benefit this provides.

They verify that the owner of the domain you see in your web browser has paid some money to some company that has paid some money to the creator of your web browser. I don’t see any benefit to this. In fact, I see several drawbacks to this.

For one, users don’t necessarily realize that the only thing that little lock icon is telling them is, that yes, just like their location bar says, they really are connecting to banchofamerica.com!

Phishing has hopefully taught us that the average end-user doesn’t really understand the way URLs are formed, and the fact that they REALLY ARE connecting to brankofamerica.com or www.bo/fa.com/signin.cfm means exactly bum diddly nacho to whether or not the information they are about to type into this web site is securely going where they think it is.

In fact, having that little “secure lock” icon, or any of those other “mcafee site advisor”/”verisign secured seal” logos as a proxy for actually critically examining the site you’re sending info to is a lazy cop-out that doesn’t work.

Secondly, by putting up this artificial barrier to encrypting website traffic, you’re discouraging people from using encryption. I mean, anybody can easily make a self-signed secure certificate for free (from our panel) and get 100% of the encryption benefits of these expensive certs.. but they don’t because browsers bring up a TERRIFYING WARNING that … oh horror of horrors … this certificate was not created by a trusted authority!

Of course, there are other reasons that people don’t use encryption (slightly slower, caching issues!) on websites, but as things are now, if you do want to do it, you’d better be ready to put up with a little extortion!

What should web browsers do?

They should give up on “trusted” certificate authorities. Only tell us that a site is encrypted or not, and then do some anti-phishing checks to see if hey, the site you’re visiting looks like it’s Bank of America, but it’s URL is Bunk of America! (.vn!)

(There are already plenty of anti-phishing technologies being built-in to browsers these days. I’m not sure if they do this or not, but what if a person has saved any login info with the browser, you warn them (heavily) when they try and submit that same login info to a different site! Because everybody uses the same throw-away login info for a ton of unimportant sites, only do this check on a list of heavily phished sites, e.g. ebay/paypal/banks/gmail/etc..)

Other than the phishing issue, what exactly is the point of verifying that the web site you’re visiting is “who they say they are”?

They may be a totally “legit” business who just doesn’t do the best job of storing their customer’s private data. They may be a “legit” company that has poor customer service policies. They may be a “legit” company who practices the best security and customer service, but their web site just looks like it was thrown together by some Vietnamese teenagers.

What can we do about it?

Well, I was thinking about offering a bounty of $1000 for a plugin for Firefox/Chrome that would make it consider any certificate signer a “trusted” certificate signer, but I figured that’d probably rile up all kinds of people and security nerds.

So, rather than trying to bring down “trusted” secure certs… we’re going to bring “trusted” secure certs down… to all kinds of people!

By offering them for just $15/year… forever!

Which, I’m pretty sure, is the cheapest price offered anywhere… by far. This offer is (currently) only good for existing DreamHost customers.. you can add your certificate from our panel’s Manage Domain area.

These certificates are exactly the same as what we used to sell for $100/year! They’re not going to cause any pop-ups in any of your site visitor browsers, and they really do encrypt the data. You can use them with us or any other web host. The reason they’re so cheap is we’re now reselling a different “trusted” certificate signer and our volume is enough that we’ve got a much much better price… and we’re not making anything on them because we feel the whole business is a scam!

Broken Browsers Part One

May 13, 2009 on 4:40 pm | In New Features, Promotions, Rants by Josh Jones | 70 Comments

Web browsers have been around for a pretty long time now.

Web browsers have been broken for a pretty long time now.

Bring on the rotten tomatoes, but I still predominantly use Internet Explorer because it is still the least broken browser when it comes to one of the most important features for me:

The Back Button!

(and forward too!)

I cannot understand why, after zillions of versions and dozens of years, no browser implements forward and back correctly.

It’s like the FIRST feature web browsers even had!

What’s Broken About It?

It’s simple really… what do you expect to happen when you click back (or forward)?

You expect the web browser to immediately display what you were looking at before your last click.

What actually happens?

Sometimes you get a “cache expired” message.

Sometimes you get a dialog window asking if you want to re-post to display the results again (ahem, Firefox).

Sometimes you get sort of what you last saw, but it takes a second while it connects to the Internet and gets updated with new content.

Sometimes everything is the same except that the big text field you had typed your blog post into is now EMPTY!

And sometimes, yes sometimes, it works exactly as it should.

Google Too

I kinda like Google’s new browser Chrome. It’s fast and lightweight. But, I also can’t stand it because it doesn’t seem to cache our web panel or intranet pages at all!

Believe it or not, every once in a while our panel is just a weeee bit slow.. and if I use my back or forward buttons as I navigate around, those teeeeeeeeeeensy delays can add up! All the unnecessary page loads probably aren’t doing us any favors on the server-side either!

Google’s apparently making a big push for Chrome soon, including TV ads etc… but before they push too hard, I wish they’d fix their back buttons!

And Here’s How

The craziest thing about all this is, fixing it would be incredibly simple! In fact, I’ve already worked it all out!

Let me demonstrate how the back and forward buttons should work. You can do this at home.

Click this link.

That should have opened in a new window (or tab) for you. And if you’re back here now, you’ve switched windows or tabs, correct?

Ta da!

That’s it! That’s exactly how the back/forward buttons should work! See how FAST it was to get back to this page? See how you were scrolled to EXACTLY the same place you were before? See how you didn’t even have to be on the NETWORK to continue reading this post? See how you didn’t get any pop up warnings or expired CACHE messages? See how you could switch back to that other window (like going FORWARD) just as easily?

Internally, every time you click a link, the browser should handle it exactly the same no matter if you are opening a new tab, a new window, or staying in the same window.

The only difference when you click a link “normally” is it shouldn’t add a “new tab” to the interface … it should put that “new tab” in your back history!

I’d even say the reason tabbed browsing is so popular nowadays is actually because back and forward are broken!

Internet Explorer has always done the best (though not perfect) job with this; it’s probably why they were the last to add tabs.

It’s the main reason why I still use it… honestly, I’d switch away if there were a single browser (or a browser plugin?) that handled it right.

In fact, if somebody can either fix an open source browser to behave like this (or make a working plugin), DreamHost will pay them $1000!

More formally:

The first person to release a plugin for firefox or chrome that does this should post their submission in the comments.

The plugin should make it so that when you click “back” or “forward”, it behaves EXACTLY as though you just switched to an open tab/window with that content in it (though of course visually you stay in the same tab/window).

As for how many pages to keep “open” in the back/forward history, it should be as many as it can, dropping them out in order of oldest to newest as it needs to due to memory constraints.

(Oh yeah, you know what browser would benefit the most from this? Safari on the iPhone! It seemingly does NO caching, even though because of its slow connection/processor it needs it the most! You can’t even fake it with tabs because there’s no way (that I know of?) to “open link in new tab”. It supports tabs though (up to eight), so it should be able to keep at least eight back/forward history pages in memory too!)

Speaking of Prizes

Just a quick reminder that our API contest is still going strong with a due date for contest entries of May 31st!

The prizes are as follows:

Grand Prize: $5,000
1st Place: $2,500
2nd Place: $1,250
3rd Place: $500
4th Place: $750

All the entries so far are up on the wiki, and the winner of the April 30th “early-bird” contest ($2000 to the best app done by April 30th) is…

ChirpBot!

It’s a Twitter interface to the DreamHost API!

It’s simple, it works, it looks nice, and it has the whole CRAZY INSANE SUPER HYPE BANDWAGON going for it to boot!

But don’t worry everybody else, there’s a lot more prizes to be won, and it’s still not too late to enter now!

We’ve recently added a test account and lots of new functions, so check out our API documentation and submit your entries over here!

Tuz Tatz

May 11, 2009 on 10:52 am | In Insider View, Promotions, Tech News by Josh Jones | 16 Comments

Way back in March, one of our sysadmins Terri attended the Australian linux conference to give a talk about sysadminning at DreamHost as well as the open source distributed file system Sage’s been working on called Ceph!

Blah blah blah, on to the IMPORTANT stuff.

Apparently there’s some country or island or state or something next to Australia called “Tasmania”. And just like Australia, they’ve got totally fake animals and plants growing all over. The place is just lousy with them.

ALSO apparently, one of those crazy fauna known as the “Tasmanian Devil” has started getting FACE CANCER and is now totally endangered!

When Linus Torvlads heard about this, he was so ENRAGED he decided to do something about it. In linux-speak, that means he shaved the beard off some nerd.

He also irrationally and temporarily changed the linux logo from tux to “tuz” for kernel release

This had the unintended and unfortunate side-effect of raising awareness for the SAVE THE TASMANIAN DEVIL fund.

Not to be outdone, Terri and another one of our resident nerds, Jeremy, decided to show their RAGE as well; by getting “tuz” tattoos.

They also forced me to make this blog post about it as well as change the charity that we match donations to to be that same SAVE THE TASMANIAN DEVIL fund.

I said fine, but I’m waiting a couple months so it’s not so topical. And to see if those tattoos really are permanent.

They were. So far. So, they also made me make a special sale where anybody who signs up with the promo code SAVETHEDEVIL gets $50 off PLUS we donate another $50 to save these disgusting little beasties!

I’m enraged.