Archive for August 2008

AGDI Releases Quest For Glory 2 Remake

I don’t know about you, but I’ve been waiting for this for years. One of the best PC games ever, Quest For Glory 2, has been remade by Anonymous Game Developers Interactive, in stunning VGA graphics! This was a monumental effort by their team, with little to no financial reward. Hats off to all involved.

Find out more and download the game for FREE at their website: http://www.agdinteractive.com/homepage/homepage.html

A possible solution

After that last post, I had an idea for a possible solution. If every geek were to install Firefox on every Windows computer that they are ever asked to fix, eventually we will have Firefox on every computer.

Of course, that won’t guarantee that people will use it - after all, given the choice between “Internet Explorer” and “Mozilla Firefox”, which do you think Joe Schmoe is going to choose when he wants to explore the internet? To him, “Mozilla” and “Firefox” are just gibberish. That is just bad marketing.

Let’s make a re-branded version of Firefox, called something like “The Internet”. With a neat, internety-looking icon. Then we’ll install it on every Windows computer in the world. And people will use it, because it’s called “The Internet”. What should I do to look at my hotmail? Ah! I’ll just open “The Internet”! Easy peasy.

Then, maybe Internet Explorer will finally go away.

Dear Microsoft: why not throw in the towel?

I have a serious question that I would like to ask Microsoft. Why not just throw in the towel when it comes to the web browser market? You are spending considerable resources developing Internet Explorer, but no matter what you do, it will always be inferior to Mozilla, Opera, and now even Safari on Windows. You steal the majority of market share from these superior products because your operating system users don’t know any better (didn’t you lose an antitrust suit forbidding you from bundling IE? What happened to that?). And how much revenue do you make from Internet Explorer? Considering it is a free product, my guess would have to be zero.

Mozilla is open source software. The Mozilla Public License explicitly allows you to rebrand Firefox (say, as Internet Explorer 9) and ship it. Why not just give up on IE, and take from the open source community instead? Everyone would be happier: your users would be happier that their browser experience is better, and web developers across the globe would rejoice at the better standards support that your new browser offers. And all of it would cost you exactly zero dollars. In corporate terms, that is the deal of a lifetime. So what gives? Why are you still pushing IE? Why are you spending man-years of labor at considerable expense to create another version of IE, when it will still be inferior to everything else on the market?

Please. Enough already. Focus on products that make you money, like Windows and Office. Leave the browser market to people who give a crap about web standards.

I would like to issue a pledge. If Microsoft gets rid of Internet Explorer, and starts shipping a rebranded Gecko-based browser instead, I will give $10,000 US to whomever is responsible for making this decision. That may not be a lot to you, but it is to me. I’m sure if every web developer on the planet was given the chance, they would also kick in a few bucks to this fund. So, Mr. (or Mrs.) Microsoft Big Wig, there could be hundreds of millions of dollars in it for you if you can make this happen.

Dumb Ads, Vol. 1: Circuit City

I see some dumb ads on television, and what better place to complain about them? This one caught my attention recently:

The Product: Circuit City
The Ad: (YouTube Video, no audio)
[Circuit City sales associate (CCSA) is watching a scantily clad singer in a music video]
CCSA: Man, Rihanna is so…
[Girl interrupts him from behind]
Girl: (Sarcastically) …talented?
CCSA: (Sheepishly) Uh, absolutely!
Girl: (Flirtatiously) I guess she’s pretty hot too.
CCSA: Yeah, and this computer can play all your music [CCSA is startled by approach of Girl’s father] uhhh, after you study, of course!
[Circuit City gives their pitch. CCSA and Girl can be seen exchanging furtive glances whilst exploring the laptop as though it represents their unspoken sexual connection]

The Hidden Message: Come to Circuit City, where your whore of a daughter will flirt with our pedophile of a sales associate right before your eyes!

Next Time: Maybe make a convincing pitch for your prices and/or service instead of making futile pop-culture references. Yeah, computers play music. We get it. Why should we get them at your store?

Give Authentication a REST!

I hate session-based authentication. I mean, I really hate it. It’s not secure. It also disregards the HTTP standards for authentication, and goes against the intended architecture of the web.

Why isn’t it secure? Because a session uses some kind of cookie or token that identifies your session to the server, and someone can conceivably steal that token and hijack your session. Sure, you can try that “bind to IP address” workaround that a lot of sites are using, but even so - there will always be some way to overcome this, and a session-based authentication system has no guarantee that the user has provided a secret that concretely verifies their identity.

In contrast, HTTP authentication (when properly implemented) does provide this guarantee. It does this by sending the aforementioned secret in headers with each request. Over a secure connection, these headers cannot be snooped or otherwise stolen, and the secret is safe. HTTP Basic authentication goes one better - it sends the precise secret that was entered by the user, and this can be really useful; for example, an application on the server could use this credential to authenticate to other services on the user’s behalf.

Let’s look at a common example: a database-driven web application that has a public portion that displays content, and a private portion that manages that content. If the public portion could only read the database, while the private portion could read and write to it, then this would be really secure. You could use separate database credentials for the public and private portions of the application. However, as long as any credentials are stored on the server, they are not secure! If someone gets even read access to the file that stores the secret, they can wreak havoc in your application. That’s why getting the secret from the user on each request is so useful - the credential is not stored on the server, and it is guaranteed that it was provided by someone who knows that secret.

However, HTTP authentication suffers from horrible usability problems. First, the user is presented with an intimidating dialog box for login. This goes against the existing standard - which, unfortunately, is defined by applications with session-based authentication; these applications have nice, integrated web forms that are easily identified as part of the application, rather than an anomalous dialog box. Second, HTTP authentication has no mechanism for logging out, short of closing the browser.

This presents me, the web developer, with something of a dilemma. My users want a nice looking form and the ability to log off. I want my application to be secure, and I want to conform to HTTP specifications. I cannot simply tell my users to deal with the usability issues; sure, I could explain to them about the dialog box and how they must close their browser to log off - but they won’t understand why they must do this, and will see it as an annoyance. This will put my application at a competitive disadvantage. I have seen some attempts at workarounds using XMLHttpRequest to perform HTTP login via a nice form, and even to attempt to log out - but these are far from seamless, and not robust enough for a production web app. In the end, I am obliged to give my users what they want, and this means giving in to session-based authentication; my users don’t understand security enough to care about it, so it becomes a secondary concern. And this is unfortunate.

So this is a call to the W3C: we need better HTTP authentication. We need both HTML and HTTP to be changed in order to accomplish this.

First, we need to be able to submit HTTP authentication information from something like an HTML <form> element. I like the <authform> idea specified in this W3C note, but unfortunately I’ve seen no evidence of this even being considered for adoption.

Second, we need an alternative or alteration to the WWW-Authenticate header that specifies that the authentication prompt will be presented in the response body, and should not be displayed as a UA dialog box. This could be an extra parameter to WWW-Authenticate, or an additional header - either way would allow legacy UAs to fall back on the UA dialog and still successfully authenticate.

Third, we need a mechanism for instructing the UA to discard its authentication credentials. I personally think that the UA should do this when it receives a 403 in a realm for which it currently has credentials. However, the specification does not dictate this, and while most UAs do this, some (Safari) don’t. Therefore, I suggest a more specific approach: something like a WWW-Deauthenticate header; upon receiving this header, the UA would discard the authentication credentials and stop transmitting them with each request.
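As an added illustration (not code from this post), here is a small model of both the HTTP Basic exchange described earlier and the WWW-Deauthenticate header proposed above: a server that challenges with 401 until it is handed a verifiable secret, and a user agent that resends the cached credential on every request and forgets it when the hypothetical header names its realm. The WWW-Deauthenticate header, the `X-Logout` trigger, the `verify` callback and the in-memory cache are all assumptions for the demonstration.

```python
import base64
import binascii
import re

REALM = "private"  # the read/write half of the application in the post

def parse_basic(header_value):
    """Decode 'Basic <base64(user:password)>'; None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None  # the colon is mandatory

def make_server(verify):
    """Server side: 401 + WWW-Authenticate until verify(user, password) accepts."""
    def handle(headers):
        creds = parse_basic(headers.get("Authorization", ""))
        if creds is None or not verify(*creds):
            return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
        if headers.get("X-Logout"):  # constructed trigger for the logout response
            return 200, {"WWW-Deauthenticate": 'Basic realm="%s"' % REALM}
        return 200, {}
    return handle

class UserAgent:
    """Client model: caches credentials per realm, resends them on every request."""
    def __init__(self):
        self.cache = {}
    def request(self, server, creds=None, logout=False):
        hdrs = {"X-Logout": "1"} if logout else {}
        if REALM in self.cache:
            pair = "%s:%s" % self.cache[REALM]
            hdrs["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
        status, resp = server(hdrs)
        if status == 401 and creds and REALM not in self.cache:
            self.cache[REALM] = creds  # what the user typed into the prompt
            return self.request(server, creds, logout)
        # Hypothetical header from the post: drop the named realm's credentials.
        m = re.search(r'realm="([^"]*)"', resp.get("WWW-Deauthenticate", ""))
        if m:
            self.cache.pop(m.group(1), None)
        return status
```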

This is also a call to UA developers. We need HTTP authentication to be fixed. Please fast-track this and give authentication a REST.