Post on 14-Apr-2017
What I learned at the
Security, SSL & HTTPS
HTTPS has issues.
SecurityTheatre
The Padlock is a broken metaphor for online security
We’ve been training users to trust the wrong things
What does HTTPS mean?Protection against man-in-the-middle attacks*Encrypted connection
The server hasn’t been compromisedThe company is legitimateThe database is secure, encrypted and safe from future intrusionYour machine isn’t compromisedThe connection isn’t wiretappedThe security keys aren’t compromised
The problems with HTTPS1. Users have been trained to associate them with a level of
trustworthiness which they can not represent
2. SSL certificates:a. cost money and time to obtainb. are difficult to configure on a server
Encouraging HTTPS● Change the messaging from positive to negative
● Make it faster than HTTP
● Only enable new HTML features to HTTPS websites
● Make it free and easy
HTTPS ALL THE THINGS!
Front End Data
What about Front End Data?● Local caching, and control of data caching
● Background workers
● Functional offline applications
● Browser support, limitations & time-to-adoption
● Data Persistence
Client-side caches● Local caches are always faster than server callbacks
● Lots of technologies available, with different features
● Store flat or structured data, or file blobs
● Can be queried like a database, or treated as a key-value store
● Polyfils and libraries abstract away browser support issues and awkward low-level APIs
Websites that work Offline● ServiceWorker is a programmable network proxy - a
background script with the ability to intercept and modify any request to the website
● Combined with a scriptable cache, we can control how the website behaves without access to the internet
http://nolanlawson.github.io/edgeconf-2015/
Progressive Enhancement
Graceful Degradation
Quotas & Storage management● Data persistence and reliability is a concern for many people
● No standard for managing syncs between servers and clients
● Browser vendors which have implemented this have yet to make quotas and storage consumption/management transparent to users
Encouraging HTTPS● Change the messaging from positive to negative
● Make it faster than HTTP
● Only enable new HTML features to HTTPS websites
● Make it free and easy
ServiceWorker is one of these
Performance
Convincing people that #perfmatters● Nobody is convinced by stats or case studies from Amazon
● Personalised comparisons against the competition works best
● Filmstrip views from WebPageTest are great because they’re visual
● Filmstrip functionality is coming in DevTools soon(?)
● https://speedcurve.com/ is a paid-for, client-centric version of WebPageTest
What does even mean?● The ‘load indicator’ currently represents network activity - but should it
indicate content interactivity instead?
● Would it help or hinder developers, and would it be beneficial for users?
● Would it make the browser seem faster or slower?
● To whom does the user attribute blame for janky content, stutters and poor performance?
and the rest…
Components & Modules● More options around than 3 years ago (the first Edge Conference), but no
closer to general adoption outside of specific frameworks.
● [Browser vendors] can’t agree on standards to implement, which requires extensive libraries to support, and each of them has to reinvent the wheel with a virtual DOM
● Frankly, it’s still too underexplored for a standard to emerge yet - many implementations are too specialised to be generally useful
Progressive Enhancement● It’s a term so ambiguous we can’t even agree what it means and have a
focussed discussion on it without repeatedly trying to define it
● It’s not just about ‘making it work without JavaScript’
● It’s not about accessible content (or is it?)
● What’s the starting point? Is the lowest common denominator too low?