Over the last few months I’ve been putting together my talk for the year, based on a blog post that is titled “HTTPS is Hard”. You can read the full article on the Yell blog on which it is published. There’s also an abridged version on Medium. It’s been a very long time coming, and has changed over the time I’ve been writing it, so I thought I’d get down a few reflections on the article.
It’s really long, and took a long time to write
Firstly, this is the longest article I’ve written (at over four thousand words, it’s a quarter of the length of my dissertation) and it’s taken the longest time to be published. I had a 95% complete draft ready back in September, when I was supposed to be working on my Velocity talk for October but found myself much more interested in this article. Dan Appelquist has repeatedly asked me to “put it in a blog post, the TAG would be very interested” – so finally, it’s here.
The truth is that I’m constantly tweaking the post. Even the day before it goes live, I’m still making modifications as final comments and notes come in from friends that I’ve been working with on this. Also, it seems like every week the technology moves on and the landscape shifts: Adobe offers certs for free, Dreamhost gives away LetsEncrypt HTTPS certs through a one-click button, Netscaler supports HTTP/2, the Washington Post write an article, Google updates advice and documentation, and on and on and on… All through this evolution, new problems emerge and the situation morphs and I come up with new ways to fix things, and as I do, they get put into the blog post. Hence, it’s almost a 20 minute read.
A special thank you to Andy Davies, Pete Gasston, Patrick Hamann and the good people at Yell; Jurga, Claire and the UI team (Andrzej, Lee and Stevie) for their feedback throughout this whole process. I’m sure they skipped to the new bits each time.
Is HTTPS really necessary, for everyone?
Every day something silly happens. Today’s was from generally-awesome tech-friendly company Mailchimp. They originally claimed that “Hosted forms are secure on our end, so we don’t need to offer HTTPS. We get that some of our users would like this, though” (tweet has since been deleted). Thankfully, they owned up and showed CalEvans how to do secure forms.
Still, it’s this kind of naivety that puts everyone’s security at risk. A big thumbs up to Mailchimp for rectifying the situation.
If I were to have started today, would HTTPS still be hard?
Yes, though nowhere near as hard. We’d still have gone through the whole process, but it wouldn’t have taken as long (the Adobe and Netscaler bits were quite time-consuming) and the aftermath wouldn’t have gone on for anywhere near as long if I’d realised in advance about the referrer problem.
If you’d known about the referrer issue, would you have made the switch to HTTPS?
Honestly, I’m not sure I would have pushed so hard for it. We don’t have any solid evidence to say it’s affecting any business metrics, but I personally wouldn’t like the impression that traffic just dropped off a cliff, and it wouldn’t make me sign up as an advertiser. Is this why Yelp, TripAdvisor and others haven’t migrated over? Who can say…
This is why the education piece of HTTPS is so important, because developers can easily miss little details like referrers, and just see the goals of ranking and HTTP/2 and just go for it.
The point of the whole article is that there just isn’t the huge incentive to move to HTTPS. Having a padlock doesn’t make a difference to users unless they sign in or buy something. There needs to be something far more aggressive to convince your average developer to move their web site to HTTPS. I am fully in support of Chrome and Firefox’s efforts to mark HTTP as insecure to the user. The only comments I get around the office about HTTPS happen when a Chrome extension causes a red line to go through the protocol in the address bar – setting a negative connotation around HTTP seems to be the only thing that gets people interested.
What’s changed since you wrote the article?
I am really pleased to see the Google Transparency Report include a section on HTTPS (blog post). An organisation with the might and engineering power of Google are still working towards HTTPS, overcoming technical boundaries that make HTTPS really quite hard. It’s nice to know that it’s not just you fighting against the technology.
What about “privileged apps” – you don’t talk about that
The “Privileged Contexts” spec AKA “Powerful Features” and how to manage them is a working draft and there’s a lot of debate still to be had before they go near a browser. I like how the proposals work and how they’ve been implemented for Service Worker. I also appreciate why they’re necessary, especially for Service Worker (the whole thread of “why” can be read on github). I hope that Service Worker has an effect on HTTPS uptake, though this will only truly happen should Safari adopt the technology.
It looks like Chrome is going to turn off Geolocation from insecure origins very soon, as that part of the powerful features task list has been marked as “fixed” as of March 3rd. Give it a few months and geolocation will be the proving ground for the whole concept of powerful features – something that I’ll be watching very closely.
A short write up on the weekend
Another year, another State of The Browser – now in its fifth year, it’s a conference for the London Web development community. It’s aimed at the masses, we want it to be accessible to all and have really great speakers, and this year was no exception to those rules.
In its inception, SOTB was a chance for the browser manufacturers to get together and talk about the latest and greatest things in their browsers to a wide audience. A lot of this mandate is being done (very, very well) by Edge conference, organised by our friends at London Web Performance. So, this year, we went back to our roots, the community that LWS is built upon, for talks about the browser, new browsers, new technology, and new ways of working. I’m really pleased with how it worked out, and we had a really high quality of submissions (my fellow organiser Morena Fiore-Kirby covers this really well in her write-up); it’s a shame we couldn’t fit more in.
This also meant that we could feature more new speakers and I’m really happy that we did. LWS has a long history of being the place where great speakers have done their first gigs (Pete Gasston, Laura Kalbag, and apparently Jake Archibald did a talk in the very early days – to just name a few) and I hope this tradition will continue. We were very pleased to welcome Martin Jakl (@JaklMartin) and Laura Elizabeth (@laurium) to the stage. Mentored by Pete and Solé, they both did a great job with their talks. They’ve both got bright futures so watch out for them.
I’m very happy to say that my surprise of the weekend was Chris Heilmann. Other than his incredible generosity in giving away 10 years’ worth of tech swag (see below) he gave the best talk that I’ve ever had the pleasure to hear him give. He seemed truly passionate about his new product, Edge, and the people that he works with to make the web better, fixing not just the web that you and I see, but also internal websites, massive SAP systems and changing web standards culture in huge corporations. If I hadn’t already been standing, I’d have stood up to applaud him and what the Edge development team have done. Thank you.
Thanks to everyone who came along and were such a friendly bunch of people. We got lots of great feedback, and I can’t wait to do it again next year!
Check out the photo gallery for the event on Google Photos
For more on the event, check out these articles:
p.s. The whole event was live-streamed, and we have videos of the whole event too – the first half is already up on the @webstandards Vimeo page with the rest to follow shortly. A massive thank you to our live events team Pete Wood and company who always do an amazing job. Thank you!
I’ve been off the speaking circuit for a while now. After a successful 2012 and 2013, I let my public speaking take a backseat to focus on my new role at Yell. I’m really happy to have got to a point in this role where I can begin to talk about the work that I’m doing here, and there’s a lot that I’m really proud of.
Recently I got back up on the stage at Oxford Geek Night to do Yell’s first technology talk in a very long time. It was a five minute slot, nothing grand, but it was to a room full of people I didn’t know, though many who I recognised from their Twitter profiles but was too nervous to say “hello, I really like what you do”. I was far more nervous before the talk than I’d been in a very long time, the kind of dancing nerves that make you triple-check the order of the slides, even though I’d been through them twenty times. Then, just as I stepped onto the stage there was this serene moment where all the nerves dropped away, I plugged my laptop in, took up the remote and started talking.
And everyone was awesome
I couldn’t have wished for a better crowd – twangs of nostalgia for the brand, laughter in all of the right places, and people listening to the message, which was fantastic. I have no idea if it was even useful for people, but I am so pleased that I did it – and the buzz that goes with it is like nothing else.
So, I’m going to do it again. I’ve expanded the talk so that I can actually go into some detail, and I can’t wait to give it again. I’ve got another date in my diary already which I’ll share soon. Until then, the short version of the slides is embedded below.
I was lucky enough to be asked to speak at Remy Sharp’s Side View conference in Brighton this weekend, a part of the Full Frontal conference event. I tried to give an overview of the state of the web on TVs and how our current attitude to responsive web design works, or rather doesn’t work, on big screens. Here are the slides and abstract.
The Responsive Web Design trend was triggered by the need to make the web presentable on small, handheld devices. Now, the Internet is encroaching on every aspect of our lives, and it won’t be long before it takes over large screens too.
How much of manufacturers’ internet TV claims are true? Will the next generation of consoles bring the Internet to the living room, or will Chromecast be the gateway to the large screen future, and where do web developers fit in?
Let’s make a web site that is suitable for the sofa
Update: The video is now online via Remy’s YouTube channel and is embedded below. I’ve also written about this topic for the 12 devs of Xmas, if you want to read through the talk rather than watch it.
The most common question I got after the talk was, “What inspired you to do the talk, did a client ask you to do some TV work or something else?” The answer is simple: I just wanted to know how it was and tell people about it. I know that members of the Opera developer relations team have done much of the research into the web TV for the Opera web TV product, and I’ve always wanted to hear them talk about this subject and wondered why they didn’t do those talks – the technology to make it happen exists. So I did my own research into the problems, and now I understand why they don’t talk about it much. The whole web on TV experience is a mess, the technology promises a great user experience that doesn’t live up to expectations, and almost actively discourages the browser usage in favour of pre-loaded app experiences.
Now that the research is done, I am going to look for better answers. Luke Wroblewski is doing this, as is Ethan Marcotte, and in this industry, when heavyweights like those start to investigate, there is clearly a problem to solve, and probably a mindset change to happen to enable our industry to grow and embrace this technology.
I hope you like the talk, let me know what you think on Twitter and in the comments.