Loud ramblings of a Software Artisan

Monday 10 December 2018

Microsoft vs the web

I have been saying for a few years now that Chrome is the new IE, and Google is the new Microsoft (Microsoft being the new IBM). This statement has been somewhat tongue in cheek, but I have always been serious about it not being a joke: history is repeating. I could go on at length about all the reasons why I believe this to be true, but I’ll just talk about one new development.

Last week, Microsoft announced that they had decided to abandon EdgeHTML, their web browser engine, and move to using Google’s Chromium as the heart of their web browser offering, Edge. [1] Whether it will be just Blink and V8 (web rendering and JS engine respectively) or also other parts of Chromium is unclear.

The takeaway from their statement is:

  • Because web developers seem to only care about Chrome, Microsoft believes in the short-term gain of using Chrome for web compatibility, since EdgeHTML is lagging behind. They view web compatibility as a single web runtime, not as better and diverse standard implementations:

“1. We will move to a Chromium-compatible web platform for Microsoft Edge on the desktop. Our intent is to align the Microsoft Edge web platform simultaneously (a) with web standards and (b) with other Chromium-based browsers. This will deliver improved compatibility for everyone and create a simpler test-matrix for web developers.” [2]

  • They view their own EdgeHTML code base as unportable even on their own operating system, too tightly bundled:

“We will evolve the Microsoft Edge app architecture, enabling distribution to all supported versions of Windows including Windows 7 and Windows 8, as well as Windows 10. We will also bring Microsoft Edge to other desktop platforms, such as macOS”[3]

  • EdgeHTML is too tightly coupled to Windows and baked into Windows 10 updates; this is the self-inflicted wound that prevents improving just that component, or even fixing security issues, without updating the whole OS:

“If every Edge user were using the very latest version of Edge, it wouldn't be so bad, but that's not the case, and that's because of how Microsoft has bundled Edge with Windows 10. Most home users will end up running the latest feature update to Windows 10 within a few months of its release. But enterprise users are more diverse. … This means that Edge, already a relatively small target for Web developers to think about, suffers major version fragmentation. Contrast this with Chrome, where within a few days of a new version coming out, almost the entire user base is migrated.” [4]

  • This will bring somewhat better parity with Edge on mobile platforms, as the Android version of Edge is based on Chromium. (iOS remains the exception, but I’ll leave that for another day.)

Microsoft recognized that they failed at reconquering the web.

One thing that is clear is that Microsoft will contribute (or try to) to Chromium, Blink and V8 to make these better for them. Remember Blink is a fork of WebKit because Google couldn’t work with WebKit's major sponsor, Apple, so this may not be a done deal.

The other clear thing is that the little market share Edge took away from Chrome as an alternative implementation will be aggregated into Chrome’s. Microsoft is actually helping the hegemony of Google, their competitor in several other markets, like Bing, Hotmail, Azure, into controlling the web browser space, losing any leverage for web standards.

I wish they had gone the Mozilla route. Not as easy as the one they chose, but still probably way easier than their current situation, and helping Mozilla is helping the web stay relevant as an open standard.

Mozilla’s mission has become even more important than ever and if you wanted to do something useful for the future of the web, just use Firefox, and ensure, if you are a developer, that everything runs smoothly with it.

Ferdy Christant's state of the web browser is a relevant read into the whole situation. So is part 2.

Friday 4 December 2015

Let's encrypt all the things

Now that letsencrypt is more widely released, I took the opportunity to generate the certificates and install them manually on my hosting. In the future I will flip the switch to force HTTPS here. For now I made sure to avoid mixed content as much as I could.

This was long overdue.

PS: I forgot to thank @CorySolovewicz who helped on Twitter with the problem of the "invalid" private key.

Friday 11 July 2014

Github tracks you by email.

That's right. Github tracks you by email. Each Github notification email contains a beacon in its HTML part. Beacons are usually one-pixel images with a unique URL, used to know who viewed the email and who did not; the signal is triggered when the HTML renderer downloads the image to display it.

Two safeguards against that tracking:

  1. don't automatically download images in emails - a lot of clients allow or default to this.
  2. view email only in plain text: impossible with some email systems or clients, like K9-Android or just GMail (by far this is what I do in Thunderbird).
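To make the mechanism concrete, here is an added example (not part of the original post, and not Github's code) that parses a notification-style message, reports the images an HTML renderer would fetch from the network, and extracts the plain-text alternative. The sample message, the host `forge.example` and the token in the URL are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample notification; host and token are placeholders.
SAMPLE_EMAIL = """\
From: notifications@forge.example
Subject: [project] New comment
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Someone commented on your issue.
--b1
Content-Type: text/html; charset="utf-8"

<p>Someone commented on your issue.</p>
<img src="cid:logo" width="120" height="40" alt="logo">
<img src="https://forge.example/beacon/PLACEHOLDER-TOKEN.gif" height="1" width="1" alt="">
--b1--
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def _tiny(value):
    """True for a declared dimension of 0 or 1 pixel."""
    return value is not None and value.strip().rstrip("px").strip() in ("0", "1")

def find_beacons(raw_message):
    """Return (url, reason) for each image the HTML parts load remotely."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src") or ""
            if urlsplit(src).scheme not in ("http", "https"):
                continue  # cid: and data: images need no network fetch
            tiny = _tiny(img.get("width")) and _tiny(img.get("height"))
            findings.append((src, "remote 1x1 image" if tiny else "remote image"))
    return findings

def plain_text_body(raw_message):
    """Safeguard 2: return only the text/plain alternative, if there is one."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else None
```

Any remote image can act as a beacon when its URL is unique per recipient; the 1x1 size is only the most common tell, which is why the function reports every remote image and labels the tiny ones.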

Now I complained over Twitter, and according to Github's Zach Holman:

"It’s a pretty rad feature for a ton of our users; reading a notification in one should mark the web UI as read too. We dig it."*.

Sorry, but there is no opt-out to tracking. Holman also said:

"you can just disable images. It’s the same functionality in the email as on the web, though. We’re not spying on anything."*

and

"[...] It’s just in this case there’s zero additional information trading hands."*.

Note that recent events showed me I couldn't trust Github's ethics anyway, so I'd rather have them not have the info than them claiming it never changes hands.

This wouldn't be important if Mozilla didn't mostly require Github to contribute to certain projects including. I filed bug 1031899. While I can understand the feature, I believe user privacy should be paramount, therefore not being able to disable tracking is a serious ethics issue.

Tuesday 29 April 2014

Fixing deprecations

Also, I updated the PHP version on the hosting side (the hosting company did, I just clicked on the button in the panel). This caused some glitches with the antispam and the rest when commenting. Sorry about that.

I addressed the known issues, related to deprecated PHP functions. This is still easier than upgrading to the newer version of Dotclear that breaks the URLs.

Sunday 9 February 2014

The open content

Open content is content that is also available openly.

The short: people claiming they don't blog anymore but write at length on the closed Google+, a platform that is closed (does not allow to pull the content of RSS), discriminates on names, and in the end just represents the Google black hole as it seems only Google fanboys and employees use it.

This also applies to Facebook, Twitter (to a lesser extent, just because of the 140 char limits) and so on.

Sorry this is not the Internet I want. It is 2014, time to take it back.

Monday 1 July 2013

Your next mobile app should be web based

There is no question about that.

I just switched from an Android phablet made by Samsung, a device I came to hate for many reasons, to a Firefox OS Geeksphone Keon. That was my second Android phone; I switched because I got it for free[1], needed a carrier that worked better than the failure that is WIND Mobile on which I was using my Nexus One[2], and said Nexus One was just abandoned in OS upgrades by HTC AND Google after 22 months. I have to admit I missed the Nexus One, still, as Samsung didn't make Android better, quite the opposite.

Back to the point. I got that Geeksphone Keon, provided by my employer: Mozilla.

This is not a review of the phone, BTW, and all of this also applies to the just released Firefox OS phone in Spain.

On my Android phablet[3] I used 4 applications: the web browser, a twitter client (not Twitter's own though), Instagram and Foursquare.

On my Firefox OS phone, I had to scrap the last two. Why? Because despite requiring an internet connection and having some sort of web interface, they are unusable on the web.

Web browser

On Android I used Firefox for Android as my web browser. It is currently the best solution for web browsing, and is designed to protect your privacy and to run on more devices than Google's own Chrome. Call me biased if you want but the truth is I have been using Firefox on the desktop too.

Firefox OS web browser is basically the same thing.

Twitter

Twitter is a bit hurtful. It is designed from the ground up to be used as a web application. Twitter has a mobile version that is meant to work well on small screens. They even have a packaged version for the Firefox OS Marketplace. Where it hurts is that Twitter's web UI remains awful, either deliberately (given that the iOS client is awful too) or because we got spoiled by third-party clients. On Android I was using Twicca (no source code) or Twidere (broke a bit at one point), but it should be noted that Twitter gave the finger to third parties when they added restrictions on the development of clients; as well as bickering with Instagram to not show their content inline.

They get almost full marks for being a web app and treating it as first class.

Foursquare

On the desktop, if you go to Foursquare you get a decent web application, albeit you can do the major feature that Foursquare calls for: check-in.

On mobile, if I visit the website on Firefox for Android I get prompted to download an app.

On Firefox OS it is worse. Looks like their detection fails and they offer the desktop website that is mostly unusable on such a small screen. I filed bug 878132 for our tech evangelism to eventually have a look at.

Seems like they didn't go all the way to make it relevant on mobile web. Sadly. What was an experiment I started by the end of last year when I signed up for the service stopped here right at Firefox OS. It seems that I don't need it. They lost a user.

Instagram

This one is the worst of the worst. First and foremost their web interface for desktop is very limited. Secondly, it doesn't scale at all on mobile - some content scales better than others. Third, they bickered with Twitter so that their content is not viewable inline.

Why does that last one matter? Try viewing the Instagram content in the Twitter mobile web client.

I give an F as a mark.

Conclusion

Simply make your mobile app web based. It will run on iOS, Android, Firefox OS, Blackberry, etc. and people will be able to follow when they change phones and you won't need to spend a lot of resources for each platform.

Also if you really want to have a packaged app, remember there are technologies like PhoneGap whose purpose is exactly that.

Notes

[1] minus the money I had to spend for unlocking it, thanks to consumer protections that don't exist in Canada

[2] first and foremost I didn't have service at the office downtown. second I was in the process of moving to Montréal where they don't have service anyway

[3] in case you didn't realize I call it phablet because it is a small tablet that one can use as a phone. Too big for your pocket, too small to be a good tablet, the worst of both worlds. It would never have been my choice; but one doesn't simply look into the gifted horse's mouth.

Tuesday 2 April 2013

Mozilla is 15

Mozilla is 15 and that's 15 years of fighting for the open web. I remember the source code release, I built it on a Pentium 166 with 64MB of RAM - a Debian box. Maybe less RAM than that, I forgot. It was huge.

Since then, the web has gone forward big time, and Firefox helped users to take back the web by bringing down the IE supremacy and focusing on a standardized web technology.

I have great hopes for the future of the free web.

Wednesday 20 March 2013

The importance of RSS and friends

Google did shut down Reader, their feed aggregator. Speculation is that it is to promote the use of the proprietary publishing silo that is Google+, and I'm not saying this out of a Google+ grudge I might hold, I actually believe it might be one of the considerations.

Imagine a second if all the content was pushed exclusively to a popular silo like Twitter, Facebook and Google+: it would be confined to these environments and people wouldn't be able to aggregate elsewhere. Now what if one of these hugely popular silos disappeared? It has happened, it can happen again, I have numerous examples. And I am still looking for the Google+ or Facebook feeds, while it is clear that Twitter already removed them.

With RSS[1] all we need is a different aggregator to pull the feed. It would still work. And that's what is happening with the Google Reader user base: they are moving to other platforms that offer the same feature, either web based, or using desktop software.

Let's make this a learning step and continue focusing on open standards for publishing. Let's continue to provide feeds. Let's continue to request feeds. And more importantly, us software hackers, let's continue to provide awesome libre software to do the job and on which we can reliably build.

Notes

[1] this includes Atom and other variations of feed publishing based on open standards

Wednesday 26 September 2012

Bad security

Broken Lock by lyudagreen, on Flickr

A big North American online travel booking system still stores passwords in plain text. Worse: they claim they take your security seriously. Here is the excerpt of the confirmation email you get when you register:

USERNAME: USER@EMAIL.DOMAIN
PASSWORD:  We're serious about security. Since your
password is confidential, we won't repeat it here. However, if you ever
forget your password, you can always request a reminder

Yes, the email has been capitalized.

The other day I wanted to book some airline tickets, so I returned to the website. I had forgotten the password. No biggie, I follow the "lost password procedure" and chose the "email" instead of the still idiotic "security question".

Guess what? I didn't get a link to reset my password, or a temporary password. No. I got my password sent in plain text. Worse. It was in UPPERCASE and the passwords are case insensitive in the system. Wow. Just wow.

PS: this is not the corporate travel booking system we use at Mozilla.
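For contrast with the behaviour described in this post, here is an added example (not from the original post, and not any real booking system's code) of what a site should keep instead: a salted, slow, case-sensitive password hash, and a lost-password flow that e-mails a one-time link token because the password cannot be recovered. `AccountStore`, the PBKDF2 round count and the 15-minute lifetime are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000       # assumed work factor for this sketch
RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def hash_password(password, salt=None):
    """Return (salt, digest); the salt is random per user, case is preserved."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """Hypothetical in-memory user table that never keeps the plaintext."""

    def __init__(self):
        self.users = {}   # email -> (salt, digest)
        self.resets = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def verify(self, email, password):
        if email not in self.users:
            return False
        salt, digest = self.users[email]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def start_reset(self, email, now=None):
        """Return a one-time token to e-mail as a link, never the password."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a database leak cannot replay it.
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (email, now + RESET_TTL_SECONDS)
        return token

    def finish_reset(self, token, new_password, now=None):
        """Consume the token (single use) and set the new password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self.resets.pop(key, None)
        if entry is None or now > entry[1]:
            return False
        self.register(entry[0], new_password)
        return True
```

A site built this way has nothing it could put in a "password reminder" e-mail, and a password typed in the wrong case fails to verify.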

Saturday 30 June 2012

YouTube HTML5 error message decoding

One thing puzzling with YouTube HTML5 support is the message "this video is currently unavailable" which could mean a lot of things. The actual translation is "we need to show you ads and you need Flash for that".

It should be noted that there is no problem on mobile platforms, Android or iOS: the video is shown.

Wednesday 6 June 2012

Deleted my LinkedIn account

Yep, I deleted my LinkedIn account. Despite the fact that I got no value from it, the leak of 6.5M unsalted password hashes was just the icing on the cake. For so long they had deficient SSL support, they ask to decrypt a captcha to login and a lot of other stupidities. And their mobile app steals or leaks personal info like your iPhone calendar.

I should have done that a long time ago. When they asked a reason I typed in "too dumb with security"

You know where you can find me.

Monday 9 April 2012

On Facebook buying Instagram

This morning we learned that Facebook bought Instagram, and that Facebook paid something like 1B$. I'll skip the part where I find that this acquisition is highly overpriced, and I'll leave the speculation of who might have participated in the bidding to the analysts.

But one thing I'm sure of is that they didn't buy Instagram for its revenue. What is being said is that Facebook paid 33$ per user, and quite a number of users. But what will they do with that? Simple. Monetize. And this might be the solution to my criticism of Instagram: adding a web frontend to it. A web frontend is IMHO the easiest way for Facebook to track their users. In the announcement Facebook promised to keep Instagram a separate entity, but even the owe anybody but themselves to hold that promise, they can do that and track users using a web based frontend, like all the "Like" buttons all over the Internet. Similarly I don't see why they should remove the function to Tweet the picture. Quite the opposite, keep it, people click to view the picture, "leave" Twitter to go to that Instagram page, and voila. Checked in.

In the end, it will be a bit more like the Hotel California: you can check out anytime, but you can never leave.

If you don't like that, you can still go and request your account to be removed.

Mandatory Instagram. Deep Cove, BC.

Thursday 5 April 2012

On Instagram

Instagram just released the Android version of their application. Instagram allows you to take pictures with your phone, apply some filters, upload them to their service and then have users that follow you comment on or favorite them. A sort of Twitter for images.

This led me to rethink why I dislike Instagram.

I dislike Instagram not because of the photographic aspect of applying random filters to random pictures to try to let them look cool, not because it is (was) an exclusive club for iOS users, users that are self entitled and angry[1] as there are also plenty of talented people whose work I have a lot of respect for. No, it is not about that; well it could be but that would be a very opinionated rant that would make me look like a hater. It is about the technical aspect: it is not the web.

Let's see.

If I go to the main website of Instagram, I get offered to download the app for iPhone, for Android, and beside info about them, their blog, their jobs, all I can do is edit my account. Yes you got that: it is about taking and posting pictures, and from there I can't even view anything. WAT?

Now when people share their Instagram picture on Twitter, you get a link like this http://instagr.am/p/JAqNexzGZr/. At that URL, you can see the picture, the comments if any, and that's it. You cannot decide to start following the person even if you have an account nor can you browse through the other pictures. And to get that URL I had to "share" the image via e-mail or Twitter. There was no other way to get it.

That's exactly where my issue is. One has to use the app on your phone (previously only iPhone - even though it worked with other iOS devices including iPad) to view the pictures and the people. It is not a web application, it is Instagram. Imagine if Facebook or Twitter was like that? It is not like technology is missing. All the browsing and social features can be done as a web application, and modern browsers today would allow even the editing part of the picture, and soon the taking a picture part.

And, yes I have an Instagram account, yes I have posted a few pictures from my iPad and from my Nexus One, one having a better camera than the other. Suddenly I got a surge in followers with the Android version released. But what if I wanted to use it from b2g[2]? Even Flickr I can.

Mandatory Instagram:

Notes

[1] read the twitter stream of @AndroidAGram, what he re-tweets is priceless

[2] notwithstanding that the camera capture isn't functional yet on b2g

Monday 14 November 2011

YouTube HTML5 - part 2

I may have sort-of praised YouTube and HTML5, allowing me to view some of the YouTube content without having Flash, and in Firefox since Google supports WebM, to some extent.

Here comes the time to give some tips.

Enabling HTML5

Given how buggy the HTML5 implementation of YouTube is, particularly with playlists and users, it is a two-step process.

First, you have to enable the HTML5 beta: the page will tell you the status, whether it is enabled or not, and what the capabilities are. If you use Firefox, you need Firefox 4, which supports the new WebM open format.

Second, to fix the UI issues, you have to use Cosmic Panda, the new UI. You enable it from that page.

At anytime you can return to these pages and revert your selection. Also you have to do that per browser - to be honest, since I'm not logged in, I can't really be sure if it sticks for the user.

Embedding

If you are embedding YouTube video with <embed>, then you are doing it wrong. This is unfortunately what a lot of plugins for CMS do. You need to use the new <iframe>. For that, when you go to the video page, click share, then embed and you'll have the snippet of HTML to paste. This will embed the video properly, using HTML5 if the viewer supports it, with the fallbacks to the usual way if needed.

Thursday 18 August 2011

Dear Google,

Dear Google,

Who are you to tell me how I should write my name?

You could have managed that one swiftly. You didn't. You got feedback, you answered with worse policy. Your policy is so bad that it won't even be enforceable fairly, as you still have your own employees with fake profiles, or exempt celebrities.

You created some great products and in that case you f***ed it up real hard.

You disable my profile, goodbye[1].

PS: Get a clue: read My name is me

PPS: even people using their real names get rejected - language warning over there.

Notes

[1] as of now I'm still on notice. Not changing it