Duckwizard.com

I have a serious question that I would like to ask Microsoft. Why not just throw in the towel when it comes to the web browser market? You are spending considerable resources developing Internet Explorer, but no matter what you do, it will always be inferior to Mozilla, Opera, and now even Safari on Windows. You steal the majority of market share from these superior products because your operating system users don’t know any better (didn’t you lose an antitrust suit forbidding you from bundling IE? What happened to that?). And how much revenue do you make from Internet Explorer? Considering it is a free product, my guess would have to be zero.

Mozilla is open source software. The Mozilla Public License explicitly allows you to rebrand Firefox (say, as Internet Explorer 9) and ship it. Why not just give up on IE, and take from the open source community instead? Everyone would be happier: your users would be happier that their browser experience is better, and web developers across the globe would rejoice at the better standards support that your new browser offers. And all of it would cost you exactly zero dollars. In corporate terms, that is the deal of a lifetime. So what gives? Why are you still pushing IE? Why are you spending man-years of labor at considerable expense to create another version of IE, when it will still be inferior to everything else on the market?

Please. Enough already. Focus on products that make you money, like Windows and Office. Leave the browser market to people who give a crap about web standards.

I would like to issue a pledge. If Microsoft gets rid of Internet Explorer, and starts shipping a rebranded Gecko-based browser instead, I will give $10,000 US to whomever is responsible for making this decision. That may not be a lot to you, but it is to me. I’m sure if every web developer on the planet was given the chance, they would also kick in a few bucks to this fund. So, Mr. (or Mrs.) Microsoft Big Wig, there could be hundreds of millions of dollars in it for you if you can make this happen.

I see some dumb ads on television, and what better place to complain about them? This one caught my attention recently:

The Product: Circuit City
The Ad: (YouTube Video, no audio)
[Circuit City sales associate (CCSA) is watching a scantily clad singer in a music video]
CCSA: Man, Rhianna is so…
[Girl interrupts him from behind]
Girl: (Sarcastically) …talented?
CCSA: (Sheepishly) Uh, absolutely!
Girl: (Flirtatiously) I guess she’s pretty hot too.
CCSA: Yeah, and this computer can play all your music [CCSA is startled by approach of Girl's father] uhhh, after you study, of course!
[Circuit city gives their pitch. CCSA and Girl can be seen exchanging furtive glances whilst exploring the laptop as though it represents their unspoken sexual connection]

The Hidden Message: Come to Circuit City, where your whore of a daughter will flirt with our pedophile of a sales associate right before your eyes!

Next Time: Maybe make a convincing pitch for your prices and/or service instead of making futile pop-culture references. Yeah, computers play music. We get it. Why should we get them at your store?

I hate session-based authentication. I mean, I really hate it. It’s not secure. It also disregards the HTTP standards for authentication, and goes against the intended architecture of the web.

Why isn’t it secure? Because a session uses some kind of cookie or token that identifies your session to the server, and someone can conceivably steal that token and hijack your session. Sure, you can try that “bind to IP address” workaround that a lot of sites are using, but even so – there will always be some way to overcome this, and a session-based authentication system has no guarantee that the user has provided a secret that concretely verifies their identity.

In contrast, HTTP authentication (when properly implemented) does provide this guarantee. It does this by sending the aforementioned secret in headers with each request. Over a secure connection, these headers cannot be snooped or otherwise stolen, and the secret is safe. HTTP Basic authentication goes one better – it sends the precise secret that was entered by the user, and this can be really useful; for example, an application on the server could use this credential to form authenticated credentials to other services.

Let’s look at a common example: a database-driven web application that has a public portion that displays content, and a private portion that manages that content. If the public portion could only read the database, while the private portion could read and write to it, then this would be really secure. You could use separate database credentials for the public and private portions of the application. However, as long as any credentials are stored on the server, they are not secure! If someone gets even read access to the file that stores the secret, they can wreak havoc in your application. That’s why getting the secret from the user on each request is so useful – the credential is not stored on the server, and it is guaranteed that it was provided by someone who knows that secret.

However, HTTP authentication suffers from horrible usability problems. First, the user is presented with an intimidating dialog box for login. This goes against the existing standard – which, unfortunately, is defined by applications with session-based authentication; these applications have nice, integrated web forms that are easily identified as part of the application, rather than an anomalous dialog box. Second, HTTP authentication has no mechanism for logging out, short of closing the browser.

This presents me, the web developer, with something of a dilemma. My users want a nice looking form and the ability to log off. I want my application to be secure, and I want to conform to HTTP specifications. I cannot simply tell my users to deal with the usability issues; sure, I could explain to them about the dialog box and how they must close their browser to log off – but they won’t understand why they must do this, and will see it as an annoyance. This will put my application at a competitive disadvantage. I have seen some attempts at workarounds using XMLHttpRequest to perform HTTP login via a nice form, and even to attempt to logout – but these are far from seamless, and not robust enough for a production web app. In the end, I am obliged to give my users what they want, and this means giving in to session-based authentication; my users don’t understand security enough to care about it, so it becomes a secondary concern. And this is unfortunate.

So this is a call to the W3C: we need better HTTP authentication. We need both HTML and HTTP to be changed in order to accomplish this.

First, we need to be able to submit HTTP authentication information from something like an HTML <form> element. I like the <authform> idea specified in this W3C note, but unfortunately I’ve seen no evidence of this even being considered for adoption.

Second, we need an alternative or alteration to the WWW-Authenticate header that specifies that the authentication prompt will be presented in the response body, and should not be displayed as a UA dialog box. This could be an extra parameter to WWW-Authenticate, or an additional header – either way would allow legacy UA’s to fall back on the UA dialog and still successfully authenticate.

Third, we need a mechanism for instructing the UA to discard its authentication credentials. I personally think that the UA should do this when it receives a 403 in a realm for which it currently has credentials. However, specification does not dictate this, and while most UA’s do this, some (Safari) don’t. Therefore, I suggest a more specific approach: something like a WWW-Deauthenticate, or some such header; upon receiving this header, the UA would discard the authentication credentials and stop transmitting them with each request.

This is also a call to UA developers. We need HTTP authentication to be fixed. Please fast-track this and give authentication a REST.

Like most Americans, I have been outraged at the merciless rise of gasoline prices. Oil companies get richer while working Americans get poorer, right? Naturally, when congress began introducing bills to grab huge chunks of oil companies’ record profits, it seemed like a good idea to me. Why should they get to gouge me?

Then I started to think about the oil companies’ shareholders. These are not just a bunch of fat cats who are pocketing your gas money. Many of them are middle-class Americans who invested smartly and are counting on the success of their mutual funds for their retirement efforts. If the government decides they can take “excess profits” from the oil companies, they are artificially turning these people’s successful investments into mediocre or poor ones, as oil futures plummet in response.

Nevertheless, the price of gasoline is hurting anyone who has to commute – which is most working Americans. What can the government do? The legalization of new drilling would ease speculation while maintaining the growth of oil stocks. But this would come at the cost of the environment – so I don’t see this as the solution. Instead, there are some existing legal measures that could be used to help solve this crisis, without the federal government “stealing” people’s investment value:

First: if the oil companies are, in fact, colluding to artificially inflate the price at the pump – as some have alleged – then they are acting illegally and should be slapped with an antitrust suit. Sure, this would hurt their stock prices – but in this case, it’s all part of the free market, and nothing unfair is taking place.

Next: full-time employees in the U.S. are forbidden from including gasoline used to commute as an itemized expense. For some braindead reason, only the self-employed (i.e. freelancers) with a “home office” are able to deduct the cost of their commute. The IRS should recognize that the purpose of deductions is that only available income is taxed. Any income that goes directly and non-optionally to maintaining employment is not available income, and it should be allowed to be deducted. This might hurt tax revenues, but since the U.S. Government is content to waste trillions in Iraq, I must conclude that they have too much money anyhow. I think this would be a pretty good measure – it doesn’t encourage commuting and polluting, but gives a break to those who must.

Of course, in a free market, the price of gasoline must have a de-facto cap. At some point, alternatives will be more cost-effective, and there will be vast amounts of money to be made in manufacturing and supplying them. Necessity is the mother of invention, and there are smart people out there figuring out how to turn unwanted turkey parts into fuel. Once there is a widely available alternative to keep the oil companies in check, gas prices won’t be a problem anymore. So hang in there. Personally, I’m cutting my commute by moving to sunny San Clemente, near my office. What a shame; I’ll have to live by the beach and bike to work. Because of gas prices.

A while back, I decided that running a podunk little blog that nobody reads just wasn’t worth it. I was getting flooded with comment and trackback spam and I just didn’t feel like dealing with it. So I disabled comments entirely, threw my hands up, and started worrying about more important things.

Well, technology has advanced, so I’m going to give it another shot. I’m putting my faith in Askimet to protect me from evil spammers. Hopefully, it will work (or all spammers will be viciously killed. Either way is cool with me). I switched my template to a standard wordpress one, because I had destroyed all ability to comment in my previous template (based on my “minimal” CSS template) and I just really don’t have a lot of time to spend on my wordpress template. If you like the template, there’s a link to the original in the footer.

I do some things that might be interesting or useful to some people. Maybe one of them is you! Feel free to comment, if you’re a real person.