Archive for the 'Development' Category

06 Jul: Hosting is killing ASP.NET

Most of the people who know me know that I’m a fairly dedicated Microsoft fan boy. However, most of my fellow .NET developers are quick to point out that the vast majority of my projects are in PHP. A quick look around will show that this is not an uncommon occurrence. Amplify, my former employer, and Piehead both have a staff of experienced .NET developers, but still do a lot of work in PHP. I’ve heard a variety of theories from Microsoft fans and haters, but I can summarize the phenomenon in one word: Hosting.

My Current Situation

My primary hosting account is through Dreamhost. I pay less than $20/month and I’m hosting about 60 sites, 10 of which actually get some traffic. Almost every site has its own sub-domain and its own MySQL database. In addition, I have access to 742GB of storage and several terabytes of bandwidth, both of which increase every month.

This hosting arrangement is critical for my success as a free-lancer for several reasons:

  1. I can create lots of sub-domains and databases to create client staging sites and/or test out new things.
  2. I have enough storage and bandwidth to use my web server as a file server for client comps and other large files I need to share.
  3. It’s dirt cheap. My free-lance projects and start-up ideas have little to no margins, so cheap hosting is critical.

The Windows Hosting Dilemma

I’ve brought this issue up several times, both online and in person, with stakeholders at companies that provide Windows hosting. Without fail, I receive the same handful of responses. Here are the most common responses and some reasons why they’re complete garbage:

  1. We provide better support. This may be true, but it doesn’t really matter. I contact support once or twice a year. If I have to contact support more often than that, it’s not worth working with your company. I don’t want to pay extra so your support team can hand hold your other accounts.
  2. Windows licensing is expensive. This is true. However, my biggest issue is often with storage and bandwidth, which isn’t any more expensive for a Windows host than a Linux host. This could justify charging more, but it doesn’t justify the minuscule amount of storage and bandwidth most Windows hosting companies provide.
  3. We have 99.999% uptime! I don’t care and my clients don’t care. Look at Twitter’s reliability and then tell me that having ridiculously high uptime is critical to success. It’s true that my Dreamhost server goes down from time to time, but 99.9% is perfectly fine. In all honesty, there aren’t many website owners that are willing to pay $50-$200/month for those extra two 9’s.
  4. If you actually used all of that storage and bandwidth, Dreamhost would cut you off. This is the ultimate cop-out and usually comes up as a last-ditch effort from the Windows hosting companies to disparage Linux hosting. The truth is that I’ve exceeded my storage and bandwidth before, and nothing bad happened. In fact, there have been a few cases where one of my WordPress sites has gotten Digg’d and Dreamhost has stepped in to keep things running. At GiveCamp, I was putting all of the projects on my server and Dreamhost’s response was “That’s awesome, let us know if you need more space for a few weeks.”
  5. We focus on enterprise. Really? Are enterprise customers looking for shared hosting and reseller plans? Every enterprise level client I’ve worked with either has in-house IT or uses a larger company like Rackspace. Smaller Windows hosts don’t even come up.

Let’s Fix This

In the end, this situation hurts many of us. If I had a Windows hosting plan on par with my Dreamhost plan, I would be a much happier developer. Microsoft is missing out because hosting is preventing them from being a viable option for small agencies and start-ups. Hosting companies are missing out because they seem to be targeting demographics that don’t need their services. Developers miss out because we have to make technology decisions based on hosting costs rather than what technology best fulfills the client’s needs.

If Microsoft wants to be competitive with small agencies and start-ups, they need to work with their hosting partners to solve these problems. They’ve taken a big step in wooing start-ups with the BizSpark program, but without affordable hosting, start-ups will continue to flock to PHP, Ruby, and other cheaper platforms.

20 Feb: OAuth is destined to fail

Over the past couple of years, a small but dedicated group of developers has been pushing a new technique for authenticating users called OAuth. While it has some benefits, its limitations are crippling.

The goal of OAuth is to create a more secure authentication system by limiting who has access to your username and password. By authenticating with a system external to your application, the idea is that your data is more secure. Unfortunately, OAuth was clearly developed without much regard for real-world problems. Here are a few reasons why OAuth is destined to fail:

  1. Horrible User Experience - In a world where doing something as simple as changing a font or button color can create noticeable changes in user behavior, asking a user to jump over the hurdles required by OAuth is just unrealistic. For web apps, it adds multiple steps to the authentication process and the experience is even worse for desktop apps. The experience also closely resembles the phishing sites that we desperately warn our non-tech friends to watch out for. Also, keep in mind that the applications that people consider most secure (online banking, tax software, email, etc) NEVER redirect the user to a different site to enter login info.
  2. No Consideration for Desktop Applications - While web-based apps are growing in popularity, desktop apps still dominate in most industries. The OAuth experience is completely focused on web applications. Whether it’s an app on your home PC or an app on your iPhone, the OAuth experience sucks.
  3. OAuth is far from perfect - An ambitious hacker can get information via OAuth without much more effort than other authentication methods. There’s nothing to stop an application from collecting additional data in the background without your knowledge after you’ve logged in. There’s also nothing to prevent an attack against or data breach with the OAuth provider.
  4. It takes power from vendors, but not from hackers - The main goal of OAuth is to prevent nefarious people from having your precious login credentials. However, most OAuth providers still transmit your credentials over an insecure connection. So, rather than having my app send your credentials via Basic Auth, the browser sends it via an HTTP post. In the end, the chances of a request being intercepted from a browser or an app are about the same.

While I completely understand the concept behind OAuth, it’s just never going to catch on. There is no such thing as a 100% secure system and there are plenty of approaches that are just as secure as OAuth. In the end, OAuth doesn’t solve any real security problems and shifts a lot of work onto developers. I don’t mind putting in the extra work, but OAuth is replacing a few lines of code with 1MB of dlls and a bunch of UX headaches for an illusion of security.
