Activating HTTPS for Apple II Bits

June 24th, 2019 12:29 PM
Filed under Musings.

In 2016, I mused how the Web's move toward encryption — specifically, free Let's Encrypt SSL certificates — was leaving retrocomputers behind.

In 2017, I installed a Let's Encrypt certificate on this website, but configured the domain to be a "dual front-end", accessible via both HTTP and HTTPS. Other than some issues when trying to submit comments — issues that stumped even my host's tech support — this arrangement has worked well.

Then, in 2018, I started working at Automattic. As a technical account engineer (TAE), I assist enterprise clients in migrating their websites to our WordPress VIP hosting platform. I've collaborated with many large news organizations around the world, some of whom come to us because their previous hosts' service or features didn't meet their needs. From learning those histories, and in my own experience as a webmaster, I've seen and heard horror stories about exploited users, passwords, code, infrastructure.

Any site and any CMS can get hacked, as I learned seven years ago with WordPress. Those hard lessons taught me to use security plugins, strong passwords, and other best practices. This mindset has served me well as a TAE, as a platform is only as secure as the software you put on it and the clients who use it.

Now I need to practice what I preach — not to be consistent, but to be secure. One of WordPress VIP's key features is security, which includes free, auto-renewing SSL certificates from Let's Encrypt, with additional HSTS headers to prevent man-in-the-middle attacks. I want that VIP level of security for myself, not because I think someone is out to get me or the Apple II, but because bots and spiders don't discriminate when seeking vulnerabilities.

But if I transition this website fully to HTTPS, what about the Apple II users that'll be excluded? In my annual report of this site's statistics, one granular detail I omit is web browser usage. In the first nine years of Apple II Bits, the most popular browsers were, unsurprisingly, Chrome, Safari, Firefox, and Internet Explorer, constituting a combined 92.44% of all traffic. The remaining 69 browsers each constitute no more than 1.3% of my traffic. There are plenty of browsers I've never heard of, like Rockmelt, Maxthon, Puffin, and Dolfin; several game consoles, including Sony's PlayStation 3 and Vita and Nintendo's 3DS; and mobile devices, from Nokia and BlackBerry.

In very last place on that list is "APPLE ][" with a single visit: on January 20, 2017, someone spent 45:52 reading seven pages on this site.

Maintaining compatibility between this site and its target audience was always more about principle; now, armed with WordPress experience and Google Analytics, I lean more toward the practical. Maintaining an insecure website isn't the best way to support the Apple II; better ways are to attend KansasFest, read/write for Juiced.GS, develop hardware and software, sell merchandise — and build secure websites.

In the march toward those goals, I offer my condolences to the one user from 2.5 years ago who I may never see again in that fashion. I value the appearance you made, and your singular place in my logs shall forever stand.

Installing optional SSL

October 9th, 2017 11:48 AM
Filed under Musings.

A year ago this month, I added SSL certificates to all my websites. Be it the ease and affordability of doing so via Let's Encrypt, the paranoia of avoiding unencrypted communications inspired by Snowden, or the improvement to search-engine ranking provided by Google, it was an effortless and valuable addition to all my sites.

Except this one. I spoke on the Retro Computing Roundtable and wrote on this blog about how evolving Web standards sometimes mean older technology is no longer grandfathered. In this case, no Apple II computer or browser currently supports (or may even be capable of accessing) SSL-encrypted websites. Even though my Google Analytics showed no such machines were accessing Apple II Bits, I was hesitant to disconnect this blog from the computer that inspired it.

Since then, Google stepped up its incentive to offer HTTPS encryption: starting later this month, any page or site with a text field — be it a contact form or a search box — that isn't encrypted will display a warning in Google Chrome. Whether this decision is reasonable or proper can be debated, but I can't ignore its consequences. Among visitors to this site, Chrome is the most popular, constituting 45% of sessions. For thousands of users to have a negative experience so I can accommodate a potential or even nonexistent audience is foolhardy.

Fortunately, as reader mmphosis commented, it's not an either/or proposition: a website can be configured to support both HTTP and HTTPS. This weekend, that's exactly the change I made to Apple II Bits' configuration. The canonical default for this website is still HTTP, but if you type HTTPS into your browser window (or have the EFF's excellent HTTPS Everywhere browser plugin enabled), you can now access the site via HTTPS as well.

In the future, I may investigate reversing those roles and making HTTPS the default but HTTP an option. In the meantime, I hope this compromise between old and new technologies is successful at serving a modern audience of retrocomputing enthusiasts.

Encrypting the web for retrocomputers

October 24th, 2016 11:53 AM
Filed under Musings.

Earlier this month, for only the second time ever, I took the helm as host of the Retro Computing Roundtable podcast.

Whoever hosts an episode of RCR must come to the table with an opening topic: some issue that the co-hosts can debate and articulate in the show's first ten minutes. For this episode, I raised an issue inspired by this very website: should we support emerging web standards at the cost of backward compatibility with retrocomputers?

This matter landed on my radar when my two web hosts, DreamHost and WP Engine, started supporting Let's Encrypt, a source for free Secure Sockets Layer certificates that would otherwise cost tens or hundreds of dollars per domain per year. SSL ensures that a user's online experience is secure, which historically has been important for sites trading in e-commerce, healthcare, and other confidential consumer data. But now, Google is giving a search engine ranking boost to any website that uses SSL, whether or not the site's contents and transactions would benefit from it. Since SSL certificates are now free and every site benefits from having one, there was nothing stopping me from applying them to all my WordPress blogs.

I stopped short on Apple II Bits, though. This is a website about 8-bit and 16-bit computers, and the only browsers I know of for those machines — Contiki and Spectrum Internet Suite — support only websites that begin with HTTP, not HTTPS. Enabling SSL on Apple II Bits would mean that the website would no longer be accessible by the very computer the website is about.

How much should this concern me? Very little, suggested the hosts of RCR, arguing that few people surf the Web from their Apple II computers except as an amusement. Google Analytics supports this notion: examining the list of browsers used to access this website in the last year, I see 28 different browsers, from Chrome, Firefox, and Safari down to BlackBerry, Nintendo, PlayStation 3, Sony Vita, Amazon Silk, and even Cốc Cốc. But out of 13,520 sessions, I don't see a single one from a browser that identifies itself as running on an Apple II.

Besides, content can be intended for Apple II users without being accessible from an Apple II. The Retro Computing Roundtable is distributed as an MP3, and Juiced.GS is published in hardcopy; neither can be downloaded and consumed using an Apple II.

The World Wide Web is an evolving medium with emerging standards; thanks to the W3C, we rest assured that most modern browsers will comply with these standards, producing a uniform user experience. If webmasters make their best effort to comply with these standards, then we mustn't put the onus on them to accommodate browsers that do not or cannot meet these standards. Sadly, that may mean excluding the Apple II; fortunately, it's a price to be paid by no one visiting this site.