Archive for the 'Web Tech' Category

20 Feb: OAuth is destined to fail

Over the past couple of years, a small but dedicated group of developers have been pushing a new technique for authenticating users called OAuth. While it has some benefits, its limitations are crippling.

The goal of OAuth is to create a more secure authentication system by limiting who has access to your username and password. By authenticating with a system external to your application, the idea is that your data is more secure. Unfortunately, OAuth was clearly developed without much regard for real-world problems. Here are a few reasons why OAuth is destined to fail:

  1. Horrible User Experience - In a world where doing something as simple as changing a font or button color can create noticeable changes in user behavior, asking a user to jump over the hurdles required by OAuth is just unrealistic. For web apps, it adds multiple steps to the authentication process and the experience is even worse for desktop apps. The experience also closely resembles the phishing sites that we desperately warn our non-tech friends to watch out for. Also, keep in mind that the applications that people consider most secure (online banking, tax software, email, etc.) NEVER redirect the user to a different site to enter login info.
  2. No Consideration for Desktop Applications - While web-based apps are growing in popularity, desktop apps still dominate in most industries. The OAuth experience is completely focused on web applications. Whether it’s an app on your home PC or an app on your iPhone, the OAuth experience sucks.
  3. OAuth is far from perfect - An ambitious hacker can get information via OAuth without much more effort than other authentication methods. There’s nothing to stop an application from collecting additional data in the background without your knowledge after you’ve logged in. There’s also nothing to prevent an attack against or data breach with the OAuth provider.
  4. It takes power from vendors, but not from hackers - The main goal of OAuth is to prevent nefarious people from having your precious login credentials. However, most OAuth providers still transmit your credentials over an insecure connection. So, rather than having my app send your credentials via Basic Auth, the browser sends them via an HTTP POST. In the end, the chances of a request being intercepted from a browser or an app are about the same.

While I completely understand the concept behind OAuth, it’s just never going to catch on. There is no such thing as a 100% secure system and there are plenty of approaches that are just as secure as OAuth. In the end, OAuth doesn’t solve any real security problems and shifts a lot of work onto developers. I don’t mind putting in the extra work, but OAuth is replacing a few lines of code with 1MB of DLLs and a bunch of UX headaches for an illusion of security.

04 Dec: Effectively Eliminating IE6

It’s no secret that IE6 is the nemesis of pretty much every web developer or designer on the planet. Its CSS support is garbage, its JavaScript performance and support are just as bad and it’s got a boatload of security flaws. In general, it’s everything you’d expect from a browser that was released years before Firefox and Safari hit the market. Normally a piece of software as outdated and maligned as IE6 is phased out quickly. However, IE6 continues to hang on.

While there are many anti-IE movements, most of them have an overly aggressive and often juvenile approach to the problem. A quick look at current browser usage statistics shows that this isn’t working. In many cases, these groups are just preaching to the choir and rarely make a solid case for those entrenched in IE6.

Who Uses IE Anyway?

While using a modern browser is an obvious choice for most tech savvy individuals, for many IE6 users upgrading becomes a cost-benefit analysis. The vast majority of sites on the internet still support IE6, so there isn’t a huge drawback for many users. They don’t care about CSS support because the sites still render correctly and performance is still rarely an issue for most sites. Also consider that there are a rather large number of older applications that rely on IE6’s broken rendering. Combine these together and you get a large number of corporate IT departments that are facing a huge cost to upgrade older software with a minimal benefit to their organizations.

How to Kill IE6

The biggest thing that our industry can do to eliminate IE6 is to stop supporting it. While some major sites like YouTube and Digg have already started pulling support, these aren’t likely the sites that employees at big corporations are visiting at work. If Salesforce and Constant Contact dropped IE6 support, I wouldn’t be surprised to see a huge drop in IE6 usage almost overnight. Unfortunately, we can’t really expect these big business companies to take the risk. Hell, even 37signals still supports IE6 for their apps and they’ve been some of the most vocal Microsoft haters out there.

The next thing that we can do as web professionals is to make sure our clients are aware of IE6 problems. In general, I would recommend avoiding discussion about CSS and instead focusing on security issues. Most clients would view CSS rendering as a tech problem and point to other sites that work fine in IE6. However, there is a huge amount of literature around regarding IE6 security flaws. Remind them that while they likely aren’t legally responsible for security flaws in their users’ browsers, people are quick to blame any issues on the site they’re visiting rather than their own browser. Finally, if you’re building a site that needs to be secure, consider creating a waiver of liability for issues caused by IE6 security flaws. In most cases you wouldn’t be liable anyway, but having a document that clients sign helps it sink in that this is a real concern.

The last thing, and the one I will most likely get crap for, is to recommend upgrades to IE8. I know that things would be much easier if everybody was using Webkit and Gecko browsers, but requesting that users switch “brands” often comes across as a sales pitch. If you’re really dead-set against all IE versions, at least take the time to explain how Firefox or Chrome is better. I frequently hear developers say things like “It’s just better, trust me”, but this doesn’t really provide a compelling argument to users. Tell somebody that new browsers can use transparent PNGs, and they won’t care; tell them their credit card number could be ganked and they’ll be more likely to pay attention. It’s about finding the issues that are relevant to your clients and users, even if they aren’t the issues that are relevant to you.

How not to Kill IE6

Don’t expect Microsoft to make IE6 magically disappear. For the most part, everybody at Microsoft hates IE6 as much as the rest of us, but their hands are essentially tied. They can’t force people to upgrade any more than I can randomly upgrade old client sites from PHP4 to PHP5. Most of the companies hung up on IE6 pay for some other software from Microsoft. You can’t really expect any company to risk losing paying customers by forcing them to upgrade a free product. Even with that in mind, Microsoft has had newer versions of IE listed as critical updates for years, so I doubt most IT departments really care what Microsoft says.

Don’t forget to be an adult. If you make a huge deal about spending 2 hours fixing a CSS glitch, people will just think you’re whining. Our clients and users don’t understand the issues and likely won’t be receptive to hyperbolic statements about how much time you spend fixing IE6 issues. Present your case in a professional manner and people will respect your opinion.

Feel free to post any other ideas on how to effectively eliminate IE6 in the comments.

23 Nov: Xenu Link Sleuth

Man, I can’t recommend this thing enough.

Xenu Link Sleuth is a great tool for checking a site for broken links and images. It also shows that a good tool can last; this thing has been out forever and I still find it to be one of my most used tools.

It rocks for several key reasons:

  1. It’s crazy fast compared to most of the web-based tools.
  2. The report it generates is incredibly detailed. It lists broken links by page, link and error code as well as providing a basic site map.
  3. It allows you to scan sites that are password protected.
  4. Above all else, it’s free.

Download it and show Tilman Hausherr some love.

18 Nov: IE9 looks good, but bad developers are angry

Not long ago, IE6 was the dominant browser. CSS support was lacking, security was weak and performance was bad. However, with no competition, IE6 remained on top. Then Mozilla came along and things started to change. Mozilla and later Firefox proved 2 things.

  1. We should expect better than IE6.
  2. Microsoft can’t afford to have a crappy browser anymore.

So, with the help of the wonderful Molly Holzschlag and several other web standards gurus, Microsoft started to turn things around. IE7 was much less crappy than IE6, and IE8 is actually downright ok. However, with each improvement, the IE team seemed to get more flak rather than less.

Criticism focused in 4 areas:

  1. Poor CSS support (limited to CSS3, since IE8 has better CSS2.1 support than any other major browser)
  2. Slow Javascript performance
  3. Slow page rendering 
  4. Bad text aliasing

Today, the IE team released some early details on IE9. Based on the early builds, the team has made massive headway in all 4 areas. Clearly the masses of developers that have nothing to do but complain about IE should be happy, right?

Unfortunately, almost all of the comments are negative. They even include some great references to PNGs (fixed in IE7), Box Model (fixed in IE8) and IE6 (already addressed here). I would love to meet these “developers”. As a web developer, I’m expected to have a basic understanding of what browsers people are using and what features they support. However, it’s clear that these web developers are somehow still employed while being completely oblivious to 70% of the users on the web.

In the end, most of the people commenting on the IE blog are completely ignorant. The IE team is busting their ass to make a quality browser, and unlike most other browser vendors, they get shit on every time they make an improvement. I know that older versions of IE are a bitch, but crucifying the very people trying to fix things isn’t going to make things better and in the end may make things worse.

In closing, I want to thank everybody on the IE Team. You guys are working every day to make my life as a web developer easier and you should know that many of us appreciate it.

To Dean, Ali, Bruce, Justin, Tony, Chris, Eric, Dave and the rest of the crew:

Thank you for your hard work and I look forward to IE9!

NOTE: Comments on this blog are moderated. If your comment doesn’t show up instantly, please refrain from sending me hate mail. I’m not blocking your comments unless they contain excessive profanity or derogatory statements.
