SitePoint Podcast #87: MeltSheep and FireRock

Episode 87 of The SitePoint Podcast is now available! This week your hosts are Patrick O’Keefe (@iFroggy), Stephan Segraves (@ssegraves), Brad Williams (@williamsba), and Kevin Yank (@sentience).

Episode Summary

Here are the topics covered in this episode:

  1. Microsoft: Silverlight is Just for Windows Phones
  2. Cooks Source, the Web, and the Public Domain
  3. RockMelt: Another Attempt at the Social Browser
  4. Firesheep and the Sudden Importance of SSL

Browse the full list of links referenced in the show at http://delicious.com/sitepointpodcast/87.

Show Transcript

Kevin: November 12th, 2010. Copyright meets cooking, SSL becomes a big deal, and has Silverlight seen the light? I’m Kevin Yank and this is the SitePoint Podcast #87: MeltSheep and FireRock.

And welcome to another episode of the SitePoint Podcast, one of the top three podcasts of the year, or so it is said. I am joined by my usual co-hosts; Patrick, Brad, Stephan, how’s it going?

Brad: Hello.

Stephan: It’s going good.

Patrick: It’s going well.

Kevin: It’s going well. Patrick’s a bit under the weather today. Patrick, sorry to hear about that.

Patrick: That’s okay, I caught it through travel, how these things are usually caught.

Kevin: Ah, yeah, we’ll be treated to slightly more dulcet than usual tones from Patrick today. And our first story for the show today is to do with Microsoft Silverlight. I’m not sure we’ve ever actually talked about Silverlight on this show. Can any of you guys remember talking about Silverlight?

Patrick: I definitely remember talking about Flash. (laughs)

Brad: A lot of Flash; I don’t know that we’ve talked Silverlight though.

Kevin: Silverlight—Microsoft Flash I suppose you could call it. Have you installed the Microsoft Silverlight plugin in your browser, and if so what was it that made you install it? Because this seems to be like a story that every web developer has that, oh, you know, I didn’t want to install it but then one day I was forced to. What forced you to install Silverlight or are you still holding out?

Brad: Yeah, I have it installed, and for me I think it was what a lot of people with the Olympics, 2008 Summer Olympics, and basically Microsoft had the exclusive agreement with NBC that all of the online media would be streamed via Silverlight, and I think that kind of forced a lot of people. I was reading some stats, they were doing eight to ten million downloads of Silverlight a day throughout the Olympic event, so that really kind of put a spotlight on Silverlight especially for those that had never heard of it.

Patrick: I have it installed but I don’t have the faintest idea why that is.

Kevin: Stephan?

Stephan: Don’t have it, no.

Kevin: Don’t have it!

Stephan: Don’t have it.

Kevin: Oh, well, you may just be getting off easy because according to Mary Jo Foley’s All About Microsoft blog on ZDNet—and Ms. Foley has been blogging about Microsoft for a long time. According to a story, a scoop she seems to have, Microsoft’s strategy around Silverlight seems to be shifting. It seems like with the pending release of Internet Explorer 9 Microsoft has really stopped talking about Silverlight as the technology platform for the next generation web and started talking about HTML5; it seems suddenly with IE9 everything is about HTML5; HTML5 is what you need to be excited about as a developer. And this prompted her to ask for a quote, as you do, and she asked her contacts at Microsoft, well, what happened to Silverlight? And according to Bob Muglia, the Microsoft president in charge of the company’s server and tools businesses, he says, “Silverlight is our development platform for Windows Phone,” he said. He also said it had some, “sweet spots,” in media and line of business applications, so especially rich web experiences can sometimes be better with Silverlight than with competing technologies—(Cough) Flash—and line of business I suppose that is corporate dashboards for corporate portals written in dot net technologies from end to end. “But when it comes to touting Silverlight,” Ms. Foley says, “as Microsoft’s vehicle for delivering a cross-platform runtime, ‘Our strategy has shifted,’ says Muglia.” So it sounds like Microsoft is giving up on Silverlight as a competitor to Flash in the mainstream, and we have a poll about this up on sitepoint.com at the moment asking whether people think Silverlight is dead. What do you think guys, is Microsoft waving the white flag?

Brad: I think companies, Microsoft and others, are starting to get smart about this and they’re realizing that Silverlight and Flash may not be the way of the future, and HTML5 really is. Like you said, Microsoft’s putting a big push behind Internet Explorer 9 and how well it works with HTML5, so they realize that this is where the industry is going, this is where it’s going to get. So if they don’t jump on early enough they’re going to get passed like they have in a lot of different areas and I especially don’t think they want that to happen on the Web. So I think it’s very smart of Microsoft to jump in early; if they have to change their strategy now would probably be the time to do it before it’s too late.

Kevin: Well, I suppose if a Summer Olympics doesn’t get you mass adoption nothing will.

The thing that finally got me to install Silverlight was we have a Microsoft Action Pack Subscription here at SitePoint, and if you’re not familiar with that, that’s this thing you can sign up for, last time I checked it’s roughly $700.00 a year. You sign up to Microsoft’s Partner Program and then you can pay this annual fee to be part of the Microsoft Action Pack program, and that gives you a bunch of licenses to Microsoft software so you get roughly 10 Windows 7 licenses, 10 Microsoft Office licenses and access to a whole bunch of support materials so that if you are selling or promoting Microsoft solutions to your customers or business partners you have all of these glossy sheets of paper describing all the different Microsoft products and that will help you I suppose be a better Microsoft business partner. For a business like SitePoint’s where we do a lot of client work and we are often asked about our opinions on Microsoft solutions it makes sense for us to have access to that, and to be honest 10 Office licenses, 10 Windows licenses, there are much more expensive ways to get those things than pay for an Action Pack license so that’s what we do. But lately Microsoft is requiring anyone who subscribes or renews to an Action Pack to take an online course on the Microsoft Partner Program website and then pass a test proving that you absorbed the knowledge of that course. And the course I decided to take was about WPF, Windows Presentation Foundation, and specifically the APIs that are inside of Silverlight. And so in order to view those materials, in order to take that test, it was all done in Silverlight and so I needed to install it for that. I don’t think I’ve needed it for anything off of a Microsoft domain; I suppose maybe I was not as much of an Olympics fan as you Brad.

Brad: Yeah, I mean it’s tough because most people out there have Flash, it’s what, 99% adopted or something like that, and Silverlight isn’t anywhere near that, so it’s definitely tough; if you’re going to build an application you want to build it in a technology that’s going to be used by the most amount of people that you can possibly have. So, to build it on something that only 20%, I don’t know the number, 20, 30% have installed seems kind of silly; you would probably want to do it in Flash and then maybe also offer a Silverlight version which wouldn’t make a lot of sense either, so I mean I can certainly see why it hasn’t really been adopted.

Kevin: There’s barely room for Flash on the Web these days let alone Flash and a competitor. But certainly from developers who embraced Flash wholeheartedly I’m sure you’d hear a lot of good things about the technology, I certainly heard that playing video and doing really intense multimedia sort of stuff was more efficient, less CPU intensive on Silverlight than it was on Flash. So, I suppose it was built more recently, it probably has less of a legacy to maintain, but as nice a technology as Silverlight was maybe there just wasn’t the demand for it or the place for it. According to the poll on SitePoint’s home page, which I think it has one day to go, the poll asks, “Is Microsoft Silverlight dead?” and the results are: 10% say it’s dead; 17% say it’s definitely not dead; 22% say it won’t live long; and 51% say it was never alive to begin with. So there you go.

Patrick: This is our audience. (Laughter)

Brad: Ouch.

Kevin: Moving on! We’re going to talk about a spectacular case, and if you’ve been online for the past week I suppose you probably couldn’t have escaped hearing about it, right Patrick?

Patrick: Right. So, Jonathan Bailey at Plagiarism Today has a detailed report on what’s being referred to as the Cooks Source Plagiarism Case. Essentially Cooks Source is a free newspaper type magazine that focuses on food in Western New England of the United States. Author Monica Gaudio found that one of her articles had been included in the latest issue of the magazine, in full, and was attributed to her but her permission had not been asked for. So, she reached out to the publication and she called them on the phone, she sent them a note on their website and she asked them what happened, how did they get the article, maybe this is some sort of mix-up. After a couple of emails the editor from the magazine asked her what did she want, she said that she would like an apology on Facebook, a printed apology in the magazine and a $130.00 donation which is about ten cents per word of her original article to be given to the Columbia School of Journalism.

Here’s a piece of the response that she received: “I’ve been doing this for three decades having been an editor at The Voice, Housitonic Home and Connecticut Woman Magazine. I do know about copyright laws, it was my bad indeed, and as the magazine is put together in long sessions tired eyes and minds sometimes forget to do these things. But honestly, Monica, the Web is considered public domain, and you should be happy we just didn’t lift your whole article and put someone else’s name on it. It happens a lot, clearly more than you are aware of, especially on college campuses and the workplace. If you took offense and are unhappy I am sorry, but you as a professional should know that the article we used written by you was in very bad need of editing and is much better now than it was originally. Now it will work well for your portfolio. For that reason I have a bit of a difficult time with your request for monetary gain, albeit for such a fine and very wealthy institution, we put some time into rewrites, you should compensate me. I never charge young writers for advice or rewriting poorly written pieces and have many who write for me always for free,” and I’ll pause there; thoughts so far?

Kevin: Wow, that’s a way more complete quote than I’ve seen quoted about this story around the Web a lot. The coverage has been focusing very much on the “the Web is public domain; you’re lucky we just didn’t lift it and publish it under someone else’s name.”

Stephan: That entire quote sounds so bad it could be a Nigerian scam email (Laughter).

Kevin: Oh, wow!

Stephan: That’s how bad it sounds. It’s ludicrous! This is ridiculous; this whole thing is ridiculous.

Patrick: Maybe that’s her previous writing experience.

Stephan: Could be, that’s how bad it was written, badly. Oh, I’m sorry, maybe she’ll edit me.

Kevin: According to this story on Plagiarism Today, and I consider that site a friend of the show because they have a good friend of ours on their podcast as a regular co-host—Patrick, ahem.

Patrick: Yeah, our good friend Patrick.

Kevin: According to the coverage the Cooks Source site went down in the aftermath of this scandal, and I don’t know if it’s back up now; I should check, but at least when the Plagiarism Today story was published their site was still down under the load, and their Facebook site is carnage!

Patrick: Right, it is, and the incident drew a lot of big, huge media attention, not just the Internets, so to speak, or the major geeky hangouts, like Boing Boing which is where I think it got some good airplay, but also MSNBC, The Guardian, L.A. Times, The Boston Globe, etcetera, even Wil Wheaton and Neil Gaiman re-tweeted it or shared it on their Twitter pages, so definitely a lot of attention was being given to it, and so their Facebook page was inundated with just a lot of comments, especially after she shared the email which is really when it took off; it wasn’t really a major issue until she received this nasty email that insulted her, and I just read a piece of it so you know what I’m talking about. And then they picked it up and their Facebook page went crazy and there’s actually a statement on the cookssource.com website, which is now just a single page, and it’s a long statement so I won’t read much from it, but essentially it says that they’ve “cancelled” their website as their advertisers were listed on it and the harassment that has taken place on Facebook was unsafe for them, in the Cooks Source words, Cooks Source says they won’t be on Facebook again in the future because, “Hacking is too prevalent and apparently too easily been performed by disreputable people.” They also say the abuse that their advertisers have faced as a good example, “it’s hurtful to those people who are innocent of this issue and can ill afford the abuse either emotionally or financially,” I’m just paraphrasing there, and they say that if you should see any such abuse to report it to Facebook at a certain link and also to certain corporate numbers. They say that it took four people a number of days to track down these two Facebook phone numbers, so these must be highly valuable phone numbers, right? (Laughter) It took four people a number of days to find two numbers to Facebook.
So, anyway, they do apologize to the original author, but once again it’s always in this kind of backhanded way, right, they say, “It was an oversight of a small, overworked staff.” Okay, so it was a mistake, but again, it was just a small overworked staff that did it and they say that they’ve gone ahead and made the donation she requested as well as making a donation to a Western New England food bank and they have also paid her as well, they don’t say how much that request was, and furthermore they go on to say that they’re establishing some actual policies for receiving articles. It seemed weird to me to read this, but they say they will now request that all articles and informational pieces have been made with written consent of the writers, the book publishers and/or their agents or distributors, chefs and business owners. Maybe it’s just me but it seems like that that kind of thing should have been taken care of before.

Kevin: Yeah.

Patrick: It’s kind of strange, but at least one of the sponsors of the Web magazine has apparently turned this around into some good press. Second Street Baking Co. has received some coverage on Boing Boing, among other places, for number one pulling out of advertising on the paper, and doing it in a quick manner and updating their Facebook page to kind of confront the messages that they were receiving to say, hey, we’re not associated with this, we cancelled our ad dollars, and they’ve also said that they encourage everyone to donate to the Food Bank of Western Massachusetts because they had people offering to send them money or buy products that they don’t actually ship, just this like local baking company in Turners Falls, Massachusetts. So, they have turned it around and received some positive press as well.

Kevin: It’s amazing. I think the actual story of what was done and the initial response from the editor at the magazine pales in comparison to the meta-story, the huge swell of response that we’ve seen on the Web. It shows that I guess the Web as a whole is especially sensitive to copyright issues.

It was widely publicized as an issue of plagiarism and I think we can probably all agree that this wasn’t a case of plagiarism per se but copyright infringement.

Patrick: Right, yeah.

Kevin: Would you agree with that?

Patrick: Yeah, that’s kind of a pet peeve of Jonathan’s also is when people refer to trademark issues as copyright issues or plagiarism issues that are actually copyright, this is definitely a copyright issue. In the piece Jonathan actually explains that plagiarism is when someone else takes credit for it; she was actually attributed. The problem is that, again, they didn’t ask for permission, they just took the article from the Web and pasted it into their magazine. And interestingly enough, a website, edrants.com, Edward Champion has also gone through various issues of the magazine and pointed out where they have taken from other authors as well, and authors have apparently showed up in the comments to acknowledge that their work has been taken, so this does not appear to be a once-off, which I guess isn’t a shock to anyone, but this does not appear to be a once-off issue but the continuation of a trend of them taking content from the Web and elsewhere.

Kevin: The sentence that stuck out for me from that initial editor’s response is where she suggested that following the editing work they did that this article would now be a valuable addition to the author’s portfolio. Would not reacquiring the edited article for use in her portfolio again be a compounding of the copyright infringement that had occurred? It was like, well, we stole from you, you might as well steal back from us and we’ll call it a day, right?

Patrick: Right, right. (Laughter) Personally I think it was probably the editor’s attempt to appear as someone who has a lot of experience and kind of bully someone who’s just on the Web saying this is how it goes in the real world, you’re lucky we mentioned your name at all, and then hope she gets scared and goes away which unfortunately for the magazine at least and the editor didn’t happen in this case.

Stephan: Or it was someone who has no idea what they’re talking about, that’s kind of how it came across to me. Like the ignorance that was stated in that, that there’s no — you’re lucky we gave it, we’re editing it; come on, give me a break, like who says that? If someone said that to your face would you not start laughing? I mean, really. If someone stole something from you in front of you would you not start laughing about them trying to give it back to you because they modified it, I mean come on, it’s a joke!

Kevin: They seem to be implying, despite the fact that they have had to cancel their Facebook account and their own website, that they are going to continue publishing. I don’t know, if a magazine doesn’t have a website does it still exist? Certainly the Google results, if you Google Cooks Source, and I don’t recommend doing this if you are at work, even the Google results have been … let’s say sullied by the response from the Web. There’s some definitely not safe for work content there under the name Cooks Source, it seems like everyone has pulled out all the tricks to damage the good name of Cooks Source out there. Wow. I’ll be interested to see if they ever have another issue. If they do, maybe if they do, there’s the old argument there’s no such thing as bad press; this will be the ultimate test of that.

Patrick: If you believe them their Facebook page has, and I don’t know, the hacking thing to me comes across as, again, part of that backhanded stuff like oh we’re leaving the Internet because it’s this place of nasty people, which I’m sure they received some backlash, but there is a Facebook page up for Cooks Source, and if you believe them it’s run by someone else, what might have happened is they cancelled the page and then someone else signed up and took the name, I don’t know, that I found it looked like it had over 5,000 people liking it, and obviously it was filled with a lot of displeased individuals.

Kevin: From a disgraced magazine to a new browser. Brad, tell us about RockMelt.

Brad: Yep, there’s a new browser on the market, and I know browsers are Patrick’s favorite topic so I wanted to make sure we talked about this because we don’t talk about browsers enough, right?

Patrick: Awesome, yay! Not at all.

Brad: At least this one’s new and it’s different.

Kevin: I just got this email from Facebook, it’s from Patrick, and I hope no one has hacked your account, Patrick. It says, “You’ve been invited to use RockMelt,” “Kevin, I’ve been using RockMelt, a cool new browser, I think you’ll like it.”

Patrick: I didn’t write that.

Kevin: (Laughs) Well, tell us about it.

Brad: So, RockMelt is a new browser, it’s out in private beta, which as Kevin hinted to the only way to currently get a copy of it is to join their Facebook page or to connect via Facebook and then you can send an invite through Facebook, so that’s the only way to actually get an invite is if you connect via Facebook and then that puts you on the beta list. But it’s a pretty interesting browser, the main hype over it is it kind of integrates all the social network features that we’re used to and that we all use on a daily basis right into your browser. Obviously that’s not revolutionary because it’s been done a few times, there’s other browsers like Flock out there, but this browser got an obscene amount of press I would say, I’d never heard of RockMelt up until two days ago when it seemed like it was popping up everywhere in my feed reader, so the press around this thing was insane considering it’s a private beta.

Kevin: They’re doing a good job of marketing it, I will give them that.

Brad: They certainly are. And I think a lot of it has to do with it it’s backed by Marc Andreessen, the founder of Netscape; they do have some funding behind it which always helps. But essentially it has a lot of the social network integration, so as you’re browsing the Web whatever site you’re on you can easily send it over to Facebook and share it through Twitter and pull images into Flickr and pass messages back and forth. There’s a really cool kind of demo video you can watch that shows a lot of the features, and another big feature which is actually getting a little bit more of the press is the search previews feature. So basically they’ve kind of integrated, they’ve kind of taken that Google Instant Search and kicked it up a notch, so as you’re typing your search it will bring results and it will actually preload the result or the pages for each one of those results, so as you hover over the result it will show you what that page looks like so you can determine if it’s kind of the way you want to go for your search. And the reason that’s kind of gotten a little bit more press is because a day or two after RockMelt was announced Google announced a very similar feature called Google Instant Previews which is essentially the same thing but it’s through Google, so a lot of people are kind of comparing that. But it’s definitely an interesting browser, it’s something to keep an eye on, it is Chromium based so a lot of it functions pretty much just like the latest version of Chrome would, so it’s very familiar if you use Chrome quite a bit. Did you guys get a chance, or get an invite for that matter, I know Kevin you just got yours but…

Patrick: Yeah, I did, I played around with it a little bit. According to Wikipedia it was developed by Tim Howes and Eric Vishria, and Wikipedia says Tim Howes is the co-inventor of the Lightweight Directory Access Protocol, LDAP, I’m not sure if that will impress the techies in our audience or not because I have no idea what that is, but yeah.

Kevin: LDAP’s cool, I like LDAP.

Brad: That’s impressive, yeah.

Patrick: So that may not impress some of you techie guys out there, but anyway, I did play around with it and I think it is pretty slick. I do remember Flock, I remember playing around with Flock, but Flock doesn’t seem to have — didn’t seem to be as slick as this; I don’t know if that’s my memory or whatnot.

Kevin: Flock was built on the Firefox platform.

Patrick: Firefox, right, and this is Chromium.

Kevin: And according to their blog their last update was on August 6th and their last blog post was on September 14th of this year, so they’re still alive but I’m not sure you’d say they’re kicking.

Patrick: Right. And RockMelt’s based on Chromium which is the open-sourced code that Google Chrome pulls from. But like I was saying, it is really slick and it looks nice and it’s really Facebook, a lot of it is Facebook tied. On the left there’s a list of chat icons for people that are online on Facebook; right now there’s nothing I can see that would suggest any integration with any other instant messengers so right now it’s just Facebook Chat, so I don’t know if that’s coming or whatever or if they just plan to stick with Facebook, but that left side is basically Facebook users who are online, and the right side is your Facebook page updates and you can add RSS feeds in there from your websites you visit. One thing that I noticed that I found kind of strange was that its Twitter integration doesn’t use OpenAuth, it asks for email and password, and as such it doesn’t work or I couldn’t get it to work. Brad, did it work for you?

Brad: No, I actually didn’t get my invite in time, so I got my invite about 10 minutes before the show.

Kevin: But same as you, Patrick, I think I’ve seen a few reports of the Twitter support not working because of that reason.

Patrick: Yeah, and it’s obviously not a finished product so obviously anything I mention is just of this pre-release build or whatever, but that aside it strikes me as a browser that is good for people who are good with dealing with distractions because there’s a lot going on here with your Facebook Fan Page number changing, I could see your Twitter saying new Tweets, new friends, new profile updates, and there is hide edges, and if you hide edges those things go away and go to the side, but otherwise you’ve got this ever changing list of chatters, your ever-updating status updates, and there’s just a lot going on.

Kevin: Browser not distracting enough? Try RockMelt!

Patrick: Yeah, I mean it is definitely social, definitely social, but I just wonder like what is the revenue model with browsers, right?

Kevin: Hmm, I’ve seen a lot of cynicism around RockMelt, which I suppose comes with any announcement on the Web that makes a big splash, you get a lot of cynicism, but it seems like I’ve only seen cynicism, I haven’t seen anyone say actually this is kind of cool. I’ve seen Merlin Mann point out that the RockMelt’s blog is hosted on Tumblr and the only thing they’re following on Tumblr is the official Tumblr Staff Blog, and so that’s not a big statement for the social nature of this group if they’re choosing a social blogging platform and not actually being social with it. I’ve seen people cynically saying, oh, RockMelt is seeking to solve the problem of Chrome’s distraction-free user interface. And, you know what just occurs to me is I think everyone kind of agreed that Flock was an interesting experiment but it seems to have been a failed experiment; if what people wanted was a browser with social integration, Flock had two runs at it. They had a red-hot try with their first release, and then they took a step back and thought well maybe we didn’t get the user interface quite right, we’re going to redesign and they did a second big release that had a whole different design, and still no great swell of support for it. So what is RockMelt doing differently? It seems like all they’re betting on is that Flock was too early and that they’re going to come at the right time.

Patrick: Oddly enough it seems to me like right now anyway because of the feature set it’s almost like a Facebook web browser, but the thing is if Facebook came out with a web browser what would it be, top five, top four in a few weeks just because of what Facebook could do to put it out there. So, it kind of feels like that and not to say there’s not an audience out there for this, but obviously they’ll have to find it and will that audience provide the money needed to pay a staff and recoup investors? I guess that’s the real question.

Kevin: That’s a really good point, Patrick, that if there were a need for a Facebook browser, and even if that need weren’t recognized and RockMelt proved that there were a need for a Facebook browser, what’s gonna happen? Facebook’s gonna go, oh, there’s a need for a Facebook browser, let’s make one, and RockMelt will be out of business.

Patrick: Exactly. Just like Twitter did with its website.

Kevin: Yeah.

Patrick: Exactly. And I did want to say, though, that I downloaded RockMelt before I downloaded Google Chrome.

Kevin: Oh? (Laughs) I’m surprised it worked, I thought maybe they were betting on no one having actually done that and so Chrome might have been a dependency, but good, you’re a unique test case, Patrick, you should email them to tell them that. So, I’m not hearing a lot of love for RockMelt.

Brad: I’m kind of of the same mindset, I like the social features of it, but I like to keep that social stuff separate. I have TweetDeck, I like TweetDeck, but I also like to be able to turn it off if I need to. I like to keep it separate, I don’t have Facebook Chat open 24/7 for people to talk to me, especially not when I’m in my browser because as a developer typically during the day if I’m in the browser I’m working on something. So like Patrick said, I mean those distractions, they would be tough to deal with. It is nice you can turn it off quickly and easily, but I think that’s kind of the whole point of the thing so if you’re turning that off then you’re basically right back in Chrome so why are you even using it in the first place. So, for me I don’t think it’s something I would use, but it will be interesting to see how it evolves.

Kevin: On our last panel show we were talking about Opera and how they were trying to go for the feature-rich look. I wonder if Opera should implement a hide edges feature like RockMelt has, that might be cool.

We had a comment in response to that last episode saying that the one thing that Opera should do to improve their market share is change their name, that the Opera name is holding them back. Who wants to, you know, Opera, no one gets excited about Opera, that’s the thing you go and pay a lot of money to fall asleep in, right?

Stephan: What’s a RockMelt though? (Laughter)

Kevin: Come on, RockMelt! The icon’s pretty cool; it looks like the planet earth splitting apart.

Patrick: When it comes to factual names Internet Explorer is the well-named browser in the land.

Kevin: (Laughs) That’s true, yeah.

Patrick: What’s a Firefox? What would we rename Opera to, I think that’s maybe a competition for the comments then: what should Opera be renamed, how about Awesome, download the new browser Awesome.

Kevin: Awesome browser! Opera should buy RockMelt’s name.

I’m just looking up who made that comment because it was a good one; it was Matt Magain, our very own Matt Magain here at SitePoint. He said, “Seriously, Opera? What does your common layman think when they hear this word, expensive tickets for old people to listen to performers in tights and wigs wail for hours; Firefox, now that’s a marketable name.”

Patrick: Maybe they should call it AutoTune.

Kevin: Speaking of Firefox, our last big story for the show today is about Firesheep, a plugin, an extension for Firefox that is casting a harsh light on the security of the Web, and some of the assumptions that people, web developers like us make about security on the Web. We had an all hands meeting here at SitePoint for all the developers to discuss Firesheep because it is big news.

This extension essentially lets you have a sidebar in your Firefox browser that monitors the Wi-Fi network that you’re on, assuming you are on an open Wi-Fi network with no password or encryption. It lets you monitor that network and anyone else who is active on that network who signs in to a well known site like Facebook or Twitter or Google or others that it supports, GitHub out of the box it supported for example, anyone who signs in to one of those sites their browser receives a session cookie, and that cookie is meant to be temporary and it allows them to continue accessing that site without having to re-enter their password for every page that they view. So they enter their username and password, the site sends them a cookie and then their browser holds on to that cookie for as long as it’s open or until that cookie expires, and it sends that cookie with every page request. And this Firesheep extension monitors your network for those cookies flying back and forth and says, hey look, Kevin signed in to Twitter, hey look, Patrick signed in to Facebook, and it pops up in a sidebar the people’s names, their photos, their account, and here’s where it gets really scary, if you click on one of those it takes over their session, it hijacks their session by capturing that session cookie that was spotted on the network and using it in your own Firefox browser to impersonate that person and log into that site as if you were them, as if you were taking part in the session that they entered their username and password for. So this is scary stuff. It was covered in one of Melbourne’s daily newspapers, The Age, so this is not only — not only does it make this sort of security exploit easier than ever before but it is also getting massive mainstream news coverage. There’s no hiding from this, it seems like session cookies are in big trouble. What do you think, guys?

Stephan: I mean this is basic packet sniffing, right? This is just a GUI for it.

Kevin: Right.

Stephan: So it’s not like this is new, it’s not like it’s a new problem, it’s just made it available for…

Brad: The noobs.

Stephan: …normal Joe Schmo.

Patrick: Which is the problem.

Stephan: Yeah, which is the problem, right, but that’s not true necessarily, Patrick. I think the problem really is the lack of SSL, right, because simply using SSL on a web server would solve this problem.

Kevin: That is the, yeah, the instant cure-all; if every site that required people to login with a username and password used SSL (Secure Socket Layer), whenever you’re on a site with ‘https’ at the start of the URL instead of ‘http’ your browser’s communicating with it over an encrypted channel, and so if you sign in using that not only are your username and password encrypted, but the session cookie that comes back to your browser is also encrypted and if the developers of that website did the right thing and marked that cookie as secure, which means the browser will only send that session cookie with encrypted requests, then that session cookie is safe, it’s encrypted and it cannot be hijacked by a tool like Firesheep.

So Eric Butler, the author of Firesheep, posted a blog post 24 hours after he released his tool, and he seems to think “mission accomplished”, that the point he was trying to make, as you say Stephan, this isn’t a new thing; these security holes in sites like Facebook and Twitter and Google, these security holes have existed for years. And just because there hasn’t been a tool that anyone can install if they know how to install Firefox extensions doesn’t mean that this sort of security vulnerability didn’t exist. Anyone with the rudimentary knowledge it takes to use a TCP/IP packet sniffer on a Wi-Fi network, and I know that sounds technical, but really if you had a reason to do it and you had a week to read up on it, I think anyone who’s a relatively confident computer user could figure out how to do it.

Patrick: I think 99% of the downloads are for script kiddies.

Kevin: Yeah. The point is that now there is no ignoring this problem, whereas before the problem did exist and someone who had a motive to compromise your Twitter account or your Facebook account could do it, but you didn’t necessarily know that they could because this problem was swept under the rug and ignored by web developers.

Patrick: Now, speaking realistically though, if we look at SSL certificates and we recognize that doing that incurs additional expense, small as it may be…

Kevin: Sure does. Sure does.

Patrick: …if you make money from the Web I mean conventional wisdom is that if you took credit cards you had an SSL cert, otherwise if you were like a forum, for example, you didn’t need that. So, I mean the reality is that the big guys and the big companies will pretty easily adapt to this, but I think the people that are going to need a lot of help are the average website owner, the average forum owner who we all use software that is good software, vBulletin and phpBB, etcetera, that we have for these user accounts and we don’t have an SSL cert because conventional wisdom and knowledge has always told us we didn’t need it. So, now the cost of running a website if this is to be believed as a requirement for all cookies or account management online, goes up a little bit, and I think that’s where we’re going to see a problem here maybe isn’t so much with Facebook who can change it relatively easily, relatively quickly, I know they have a lot of things to take into account but they also have developer resource, and I just don’t know how small webmasters and owners are going to be able to deal with this except that the more savvy ones will probably follow tutorials that will soon be posted by all the software vendors.

Kevin: Mmm-hmm. I think if anything you’re understating this, Patrick, I think this increases the price a lot for people who own small websites. I mean what is the base level webhosting here? You might spend for a DreamHost account a couple of hundred dollars a year to host a site, and you’re going to pay a similar amount for a year’s SSL certificate, so this could easily double someone’s hosting bill.

Stephan: Not to mention the time involved with setting up the cert and monitoring the cert and all that junk.

Kevin: Yeah.

Stephan: I mean SSL certs, they’re intimidating, they’re intimidating to me; when you look at the requirements to set them up it’s a lot of work.

Kevin: It’s a lot of work and the sites that sell these certificates are really badly designed. I’ve had to buy these certificates before, and you end up at a form that says do you want this type of certificate, this type of certificate, or this type of certificate, and none of the three options sound like what you want, they all refer to Microsoft server technologies from the mid 1990s, and you’re like, well, what do I want? And you contact the company and you get an auto reply pointing to their frequently asked questions which is equally cryptic. I suppose this is an opportunity for someone to come and maybe this is what makes SSL certificates a mainstream enough product that someone with some real quality customer service can afford to start a business selling these things.

Brad: Yeah, look at VeriSign, I think they have six, eight, ten different levels of SSL certificates, and if you don’t know what you’re doing how do you know which one to buy? I mean they have the standard but they make it sound like it’s the worst thing in the world and you shouldn’t use it because it’s not as encrypted as something that costs three times as much.

Patrick: It’s funny you should say that because I typed in the SSL cert and I went and the first thing that came up for me was godaddy.com’s page, and godaddy.com offers a “standard SSL” and a “premium SSL that is ideal for ecommerce.” And I asked what’s the difference, I didn’t know you could have a million different SSL types but I guess that’s possible; I thought there was just one cert.

Kevin: Yeah, there’s all sorts of things, how many bits of encryption are in the certificate— well, how large the certificate is in bits, how many certificates are in the chain which affects the performance of the certificate; it’s a whole black art that, yeah, the vast majority of web developers—

Brad: If you want the address bar to be green?

Kevin: Yeah! Do you want the green one or the not green one?

Brad: If you don’t buy the pro then it doesn’t go green, I mean that’s like what? (Laughter)

Kevin: My browser, Safari, basically treats the standard SSL certificates, it virtually ignores them, like you go to a site with https and it doesn’t actually show any level of security, there’s no lock icon, there’s nothing; you really have to have one of those green ones for the browser to go, oh yeah, you should trust this site.

Brad: I like Firesheep, I think it’s a great thing because it has us talking about it and it has, even these smaller sites, they’re eventually going to start hearing about this and what they can do to kind of lock down their site, so it’s definitely put a focus on the entire topic which I mean it sounds like that was kind of the point of it anyway. This could certainly have been released as more of a malicious, hey, let’s attack everybody that we can, and it was moreso like, hey, let’s get the conversation started and talk about it. I mean I could see in a few years from now it being the default that any site with a login has to run https, almost like when we go to a checkout at ecommerce, I mean everyone from us up to our parents and grandparents know to look for https because that’s what we’ve been taught since we first started buying stuff online, I think eventually it will get to that point with logins.

Kevin: We rag on Internet Explorer a lot on this show, but if you think back you’ll probably remember that Internet Explorer was one of the few browsers that had a warning message when you submitted a form on a non-https site by default. This was one of these messages that you usually encountered in the first ten minutes of using any Windows computer that was set up from scratch, the browser would go “You’re submitting a form over non-secure channels, are you sure you want to allow this?”, and invariably you would tick the box that said “Never tell me about this again, what are you paranoid?”, and you would submit the form. But it seems like we may be seeing a return of that error message without that check box because, yeah, like you said, Brad, we may be entering a brave new world where really users don’t trust a form that you have to submit without https even if all you’re submitting is a mundane blog comment.

Patrick: And as I kind of expressed, I see how this is a good thing, but I don’t know, I see this tool mostly being used maliciously and I guess that’s the point, but also just for the expense point I think you’re going to scare a lot of people away from running a social website at all, and I don’t think that’s a good thing. I know you referenced the comment from Matt about being a layman, as a layman here, the resident layman, just in my mind is there something that can be done on the browser side to cut this off? Is there something that web hosts can do as an industry to make this easier for small webmasters? I don’t know, maybe it’s not possible, maybe that’s not how the Web is built, but I’d be curious to see if there was some solution that could be found other than making every webmaster in the world that has a login buy an SSL cert.

Kevin: Yep. There’s a conversation to be had about unencrypted Wi-Fi networks because that is a requirement for this Firesheep tool to work; if you’re on a Wi-Fi network that requires a password to login even if it’s very simple encryption it’s going to trip it up. I’m not saying there’s no way to hack that, but certainly it’s going to make it a lot more difficult to implement this kind of attack. But there are plenty of hotel Wi-Fi’s and airport Wi-Fi’s that they are unencrypted networks that once you connect to them they prompt you for a password or credit card details in order to actually use the thing. So one of the things this tool is highlighting is the insecurity of those kind of networks, that Wi-Fi encryption was invented for a reason, and as inconvenient as it might make it to charge for access to a wireless network using an unencrypted network is risky because you’re effectively sharing all of your network traffic or at least your non-encrypted network traffic with everyone else who’s on that network.

Stephan: That’s the amazing thing, and that’s kind of one of the things I wanted to talk about, Kevin, was you know a lot of people call for open Wi-Fi, they want Wi-Fi in their city or they want Wi-Fi in their airport, whatever; but think about that, think about the airport Wi-Fi, at any major airport, and everyone is using it and people are browsing Facebook, people are browsing whatever, and these people are having their stuff basically snatched out of the air, their sessions snatched out of the air, and they don’t even know it. And it’s because they’re just, oh, I’m just going to flip on my phone and use the Wi-Fi; I’d much rather have either pay or some kind of password protection and know that people — even then, though, how do you trust the people on the paid network, I mean you don’t. I don’t think that’s actually a solvable—

Brad: Trust no one.

Stephan: Exactly. Trust no one.

Kevin: I suppose the proper way to do that today would be that you have an unencrypted network that people can connect to in order to sign up for access to the paid one or all it does is host a web page that says the password for the protected network is this and then you go and connect to the protected network. It’s a sorry state of affairs; really just Wi-Fi was not architected for public access I suppose.

But coming back to how this affects web developers, I want to talk a bit about some of the fallout; the response from some of these major sites, like the response from Facebook has not been encouraging. They said, yes, we agree Firesheep has exposed a big vulnerability in the way that we handle sessions and we’re getting right to work on it, we agree we need to switch to SSL, but it’s going to take us about six months to do so. And if Facebook can’t afford to switch to SSL overnight with all of the talented engineers they likely have, I mean obviously that’s offset by the complexity of their website and their platform and the application providers that they need to integrate with, but nevertheless six months is a lot of time in Facebook time. Whereas a smaller player like GitHub, who I mentioned before were included, and it’s funny, if you’re not familiar with GitHub it’s kind of the modern day SourceForge; it’s where all the cool kids host their open source project code, it’s a social environment for hosting Git repositories, Git being a distributed version control system. And the source code to Firesheep is hosted on GitHub, and yet Firesheep compromises GitHub accounts by design. So, you know, you really got to hand it to GitHub, their initial reaction could’ve very easily been canceling Firesheep’s account and throwing away that code because they were hosting the code to hack GitHub on GitHub. But rather they stuck to their ideals and they said, you know what, this guy has a point and within the first 24 hours they had switched GitHub over to SSL, to https, which was previously a feature of their premium paid accounts. Now all of GitHub traffic is done over https because as Eric Butler, the author of Firesheep pointed out, basic security and privacy should not be a premium feature on the Web, so they switched it over. 

And even then, like these are talented developers who work at GitHub, they had to have a couple of cracks at it to get it right; initially they did switch all of their URLs over to https, but they forgot to as I mention mark their session cookie as secure. And so people who type github.com into their browser, what the browser would do is go to github.com just http://github.com, the non-secure URL, and when it made that request it would send the session cookie unencrypted and Firesheep would catch it, even though the site would respond by saying sorry that URL is no longer valid we’re redirecting you to the secure version of the site, so they were still leaking their session cookies. So if talented, clued-in developers like the people at GitHub who do web development professionally day-in and day-out can make that sort of mistake I think it will be a while before we see “mom and pop” blog sites being able to successfully not only buy an SSL certificate but implement it securely.

Brad: I think it’s also good to note that a lot of really large sites do support SSL and they just don’t really announce it; they don’t tell you. Like if you go to Twitter and you go to https://twitter.com it works, it will log you in and you’ll stay on https the entire time you’re there. Same with like wordpress.com, I mean there are a lot of sites that support it they just don’t actively promote that it’s available so it’s always if you’re ever curious just try it; if you’re on a site you use a lot type in https and see if they’re set up and see if it’s functional with SSL encryption.

Stephan: I don’t get the green thing with Twitter, though; I don’t get the green bar. They didn’t buy the premium service.

Kevin: No, no. They got a basic one.

Patrick: If Twitter doesn’t supply me with identity information, I’m not sure I should trust them anymore.

Kevin: (Laughs) Uh, yeah. Invariably one of the leaders in this sort of stuff, you know, where technology should be going, is Google; and if you look at what Google’s doing with SSL, well, they earlier this year announced Secure Search option, so you can go to encrypted.google.com, which is the https version of Google Search, and you can perform Google searches on an SSL protected website, and their blog post on the subject really talks about this in terms of the protection, the privacy it affords you over what you’re searching for. So, if you don’t want other people on your network or the Internet to be able to spy on what search terms you’re typing into Google this is what you should use, that’s what the blog post says. But in the light of Firesheep we’re really thinking in terms of our Google accounts because for many people your Google account is possibly one of your most valuable username and password combinations that you use on the Web, probably second only to your online banking account. Because it not only protects your Google Search history but also often your Gmail account, possibly your Google Documents which could be full of all sorts of work sensitive stuff or personal documents; it’s a big worry if this account gets out there, and your Google account is definitely one of those things that Firesheep is going to be spying for if you’re on an open Wi-Fi network. So, Google is definitely making moves towards embracing SSL; Gmail went all https earlier this year I think it was, so there is no way to access Gmail over a non-encrypted connection, but in order to get that Google session cookie, that thing that keeps you logged into Google as you go about your business throughout the day, in order to make that thing only transmitted over SSL, Google is going to have to convert all of their websites to SSL only. 

There’s just no way around it, it is kind of an all or nothing proposition; Google can still serve non-SSL protected pages but those pages will not be able to see your session cookie and therefore cannot give you user specific information. And Google is having trouble getting this SSL stuff deployed, obviously they’ve got tons of services to get it across, but even something as arguably simple as their search service they’ve had some pushback from some clients in schools. They posted a blog post on the official Google Enterprise Blog entitled “An Update on Encrypted Web Search in Schools.”

I don’t know; is this a meme at the moment that any blog post with bad news the title has to start with ‘An Update on blah’? Have you guys noticed this? I think when the bookmarking service was going down it was like ‘An Update on our Business’ and it’s like our business is shutting down, that’s the update.

Patrick: There will be no further updates.

Kevin: (Laughs) When Google Wave was cancelled Google said, “An Update on Google Wave,” and it’s like, yeah, the bad news is it’s cancelled. So, their update on encrypted web search is we think it’s a good idea for people to be able to protect their searches with SSL, but schools, a lot of schools have content filters on their networks that need to protect students from being able to make objectionable searches and seeing objectionable search results, and in order for that technology to work, well, those filters need to be able to spy on the traffic on the Google Search site, and since they’re not able to Google said, oh okay, well we’re going to make our encrypted search optional, we’re going to put it on a separate domain, encrypted.google.com instead of just google.com, and if a school has a problem with their students doing encrypted web searches that they can’t filter well they can block encrypted.google.com. I don’t know how much longer they can do this. If non-SSL traffic is very quickly becoming insecure these filters might be out of business and in a real hurry.

Patrick: I guess why is the Web built like this, right? I think that’s the question right now is the Web needs to slowly change to be built like this, and if it’s going to happen on a mass basis obviously, or I think anyway, that SSL certificates as we’ve kind of discussed are going to have to get cheaper and easier to install. And so as an SSL provider is that a good thing or is it a bad thing; if everyone owns one then how much, I don’t know, I guess it has to be a good thing overall, but if they’re going to be driven down in price by more competition then I guess what we know as SSLs now, which is mainly a business tool, that’s going to change if every website that exchanges information in this manner which is most websites we visit in this day and age have some sort of account feature, it’s going to change how we think of it. I don’t even own an SSL cert for anything because I don’t sell any products, so I don’t know.

Kevin: Yeah, ditto.

Patrick: I’m not looking forward to the expense of it. I’m not rushing to do it right now, I mean obviously I, myself, kind of a small time webmaster, one-man operation, I’ll be like most of the people in that space probably waiting to see what the fallout on this is and how it becomes easier for us to take advantage of it, because as it is right now I won’t do it and I really am not sure how to integrate it with phpBB at the moment.

Kevin: Yeah, it’s tough. At SitePoint we got flippa.com which is I suppose the site that is doing the most “real money” sort of transactions on it, we got that ported over to SSL in the first 24 hours after Firesheep was brought to our attention, so flippa.com is all SSL now as a direct result of this story. Sites like 99designs.com are probably going to have to come very close after, and certainly new sites that we’re building like learnable.com, they’re being designed with SSL encryption from day one just because I don’t think we can afford to keep doing it the old way.

But, yeah, massive sites like the SitePoint Forums, adapting that for SSL and doing it in an airtight, blanket way it’s going to be hard to do, and I wish we had the engineers that Facebook had, but I think we’ll be lucky to do it in six months as well, it’s really tough. Just before we move on this story I just want to point out that there’s a great blog post at ImperialViolet, and this is by Adam Langley, it’s his personal blog, he’s a software engineer at Google who works on their SSL stuff, so this blog post, Overclocking SSL, it dispels some great myths about SSL, there’s this commonly held belief among developers that’s been passed down as conventional wisdom over the years that SSL is a slow and performance expensive technology that any request that’s done over SSL takes a lot of CPU power, not only from your servers but also from your client’s web browser as well. They’ve done the experiments and they say that is no longer the case, modern computers and modern servers have no problem keeping up with SSL. Where SSL is expensive is in the additional handshaking that needs to go back and forth between the browser and the server for each request in order to do the encryption involved, and this blog post has some great advice if you really want to drill into that technology and see how you can improve the performance of an SSL protected site. Honestly it’s over my head in places, but if you get SSL on your site and then you notice a performance impact, or if like Google every millisecond counts, they’re doing some great work, in some cases experimental work adding features to the Chrome browser that speed up SSL that no other browser has.

So, we’re getting on, we’re nearly at the one hour mark in this podcast, there was a lot to discuss, but let’s move on to our host spotlights. And since it’s related I’m going to lead off: my host spotlight is BlackSheep. We’ve just been talking about Firesheep for the past 20 minutes, and BlackSheep is kind of a fork of Firesheep but it’s the good version. BlackSheep, it’s an extension you install on your Firefox and what it does is warn you if anyone on your network is using Firesheep. I’ll pause just to let you wrap your head around that for a moment. But, yeah, so like I said, Firesheep has this sidebar and shows the user avatars and the names of the accounts that people are using on the network, well, in order to get that information Firesheep is going to connect to those Twitters and Facebooks to get the information about those accounts, and BlackSheep monitors that traffic. So if you are right now in the unfortunate position where you are forced to use an unencrypted Wi-Fi network I recommend using Firefox with this BlackSheep tool because it will warn you if your account is at risk of being hijacked.

Brad: Is that so you can stand up in the middle of Starbucks and start screaming who’s stealing my data?

Kevin: Hey! Stop it! Everyone close your laptops.

Patrick: Is there a reason that something like this couldn’t be instituted by browsers in general, that’s what I was wondering?

Kevin: Yeah, I think it’s worth doing. I think part of the problem is that every site has its own little format for session cookies, and because of that these tools need to add support for all the major sites, but certainly I think we can all agree that sites like Google and Twitter and Facebook are important ones to protect your credentials against, and so, yeah, I wouldn’t be surprised to see browsers starting to add these sorts of protections built in.

Brad: We’re going to have as many extensions and add-ons to block things as we are to actually give us, I mean you got this, you have the Chrome Disconnect, I mean what’s next?

Kevin: Yeah. Well, yeah. You can find out about BlackSheep at zscaler.com/blacksheep.html. Brad, what have you got for us?

Brad: Yeah, I have a cool — it was a presentation at the Adobe Max Conference which was a few weeks ago in Los Angeles, and it’s Rick Cabanier of Adobe, he was showing off an early version of a new Flash to HTML5 conversion tool that’s actually going to be included in Flash Professional. And the video’s pretty amazing, I mean he literally — it’s not the greatest quality because it’s a presentation and it’s somebody holding a camera, but you can see what’s going on. So basically he opens up a Flash file, a .fla file and hits convert and it spits out a fully formed HTML5 version of the exact same file. It will spit out any warnings and things that can’t convert like filters and blending and certain things that it can’t currently convert into HTML5 but it will do its best. And the video, the demo is pretty amazing, they use this kind of banner graphic and it takes maybe 10 seconds, 15 seconds to convert, and all of a sudden the window opens up and it’s HTML5 the exact same thing. And that’s just part of it, the second half is you can actually pull out specific elements from the Flash files, so in the example they show there’s a bunch of kind of dancing stop signs and trees and things, and he actually exports one dancing stop sign and includes that as the HTML5 version in his website and all of a sudden he has just this single dancing stop sign in the background. So for a demo just showing what’s coming up I mean it’s pretty amazing, and I think it couldn’t be smarter of Adobe to kind of go this route and make it as easy as possible for people to do this.

Kevin: Yeah, you might count out Flash but don’t count out Adobe; they’re a smart company and they’ve been around for a long time. Stephan, what have you got?

Stephan: So for our Mac users I have a little application, it’s $9.99, called Contents, it’s from fuelcollective.com, and it basically looks at all your apps, everything that you have on your computer, and if you have it in your Library it can tell you where it is, if you need to delete something and install something it’ll uninstall it; it’s kind of like a catchall program for if you need to install something, if you need to uninstall something, if you want to clean up something, backup things, it’s a cool little well-designed application. I started using it because my computer’s getting kind of old and I needed to clean up things that I haven’t used in a long time and I was having a hard time finding stuff, just ran this and it told me all the stuff that I haven’t been using and started deleting things, so it’s been useful.

Kevin: Yeah, there’s a few utilities in this area on the Mac, like it’s easy to sell the simplicity of installing apps on the Mac just by dragging their icon onto your desktop or into your Applications folder, that’s all there is to installing an app, it’s so simple anyone can do it, and when you want to uninstall it you just drag that app to the trash, that’s all there is to it, right? There’s no step two. But, yeah, what is left unsaid is that all of the support files these apps create stay around and so there are all sorts of tools, uninstallers, that automatically clean things up when you remove apps. I use one called Hazel that lets you set all sorts of rules on your folders to clean up or move files around or run scripts on files based on different conditions. And one of the things it does is detect when you delete an app and offer to clean up the files from your Library folder, but it costs a lot more than this Contents, and this Contents tool does a lot more as well, it’s really cool. One of the things that impressed me was this backup feature, Stephan.

Stephan: Backup your dashboard widgets or your desktop or your address book.

Kevin: Yeah, or your settings. If you want to uninstall an app and throw away its settings or get it off your computer you can still keep a backup of those if you change your mind later on, it’s pretty neat.

Stephan: Yeah, it’s a cool little tool, and I’ve really liked it so far so I’m happy with it.

Kevin: Thanks. Patrick?

Patrick: Well, as usual you guys have all well-on topic spotlights, and as usual I don’t.

Kevin: This is why I save you for last, Patrick, because you break the monotony.

Patrick: Well, thank you, Kevin. I can’t top Back to the Future, but my spotlight this week is called Freezer Burns, freezerburns.com, it is the Internet’s only frozen food review show. It is on episode 381 now…

Kevin: Wow!

Patrick: …and the host is Gregory Ng, I met Greg a few times and we’ve shared a panel together and chatted online and he’s a great guy and does a great job on this video show, and if you like frozen food or just like to be entertained it’s a great, well-produced show. He’s doing great things with web video in general, and if you’re interested in kind of the web video space, not just entertainment in general, which is enough to watch the show, it’s worthwhile to check it out just for that alone to see how he’s building his audience in this space and how he goes about cultivating what is a very popular video show. So I enjoy it and he just recently held a 24 hour live episode of the show to benefit Movember…

Kevin: Hhhwow!

Patrick: …which is a charity or an effort to donate money for prostate cancer, and so, yeah, definitely check it out, freezerburns.com, even if you don’t like frozen food.

Kevin: He’s a great example of picking a niche, and if you can really own a niche, the Internet will provide an audience.

Patrick: Yeah, definitely. And something he’s said that’s interesting to me and I’ve learned from if I ever do start a video show of some kind is that when he came out he said he wanted to do it five days a week for like a year and a half at least, and so he recorded all these shows in the can. The reason he wanted to do that was if anyone else saw him doing the show and thought, oh, that’s a great idea, I want to do that, they’d see he does it every day five days a week and be scared off of competing with him or jumping into that niche themselves. And like I said, 381 episodes, almost 10,000 feed subscribers later he’s been really successful.

Kevin: Smart strategy. And that brings the show to an end, a marathon show once again. Guys, I think we’re just finding too much to talk about, the Web is just too exciting a place for once every two weeks it seems.

You can follow me on Twitter @sentience and SitePoint @sitepointdotcom. Visit us at sitepoint.com/podcast to leave comments on this show and to subscribe to get every show automatically. The SitePoint Podcast is produced by Carl Longnecker and I’m Kevin Yank. Thanks for listening. Bye.

Theme music by Mike Mella.

Thanks for listening! Feel free to let us know how we’re doing, or to continue the discussion, using the comments field below.

  • http://www.mikehealy.com.au cranial-bore

    What of SSL and limited IPv4 addresses? SSL Certs require a dedicated IP address (per domain), which could be a problem if demand for SSL goes way up.

    • http://www.optimalworks.net/ Craig Buckler

      Interesting thought. We’re already below the last 10% of available IPv4 addresses. However, I doubt we’ll see a significant switch to SSL. The vast majority of websites have no log-in functionality — it’s only apps storing personal data which definitely should consider SSL.

  • joezim007

    I’m never using coffee house wifi with something like Firesheep flying around.

  • mdedmon

    I believe that there is some confusion between network encryption and session encryption. Wireless network encryption only encrypts the packets between the host and the wireless access point. Anyone that is authenticated to that wireless network still has access to all traffic from any user on that wireless network. Wireless networks (for the most part) are still shared/bridged technology. So, just because you’re connected to a wireless network with an encryption key, doesn’t really make a difference for this issue. If you’re connected to a shared network, you can see each other’s traffic.
    SSL encryption secures the session. That is the right technology for this problem, but don’t rely on the wireless encryption. That is not the same thing.
    Most wired networks are switched these days, so they’re less of an issue. Only broadcast information is seen by other users, not individual sessions.
    I also wonder, can the website just encrypt the cookies that are stored on the local machine without SSL? If you can’t read the cookie information, then that would be a step closer to deflecting the snoops.
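
The cookie question that closes mdedmon's comment, worked as an added example (not part of the comment or of SitePoint's page): a session cookie is a bearer token, so making its value unreadable does not change who the server accepts it from, while the `Secure` attribute keeps the browser from sending it over plain HTTP at all. The session table, the cookie name `sid` and the user are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # constructed server-side session table: opaque token -> user


def log_in(user: str) -> str:
    """Create a session and return its token, which reveals nothing to a reader."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def whoami(cookie_header: str):
    """Resolve a request's Cookie header to a user, as the server would."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def set_cookie(token: str, secure: bool) -> str:
    """Build the Set-Cookie value for the session, with or without Secure."""
    jar = SimpleCookie()
    jar["sid"] = token
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True
    if secure:
        jar["sid"]["secure"] = True
    return jar["sid"].OutputString()


def browser_sends(set_cookie_value: str, scheme: str) -> bool:
    """Model the browser rule: a Secure cookie is attached to https requests only."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return scheme == "https" or not jar["sid"]["secure"]


if __name__ == "__main__":
    token = log_in("alice")  # constructed user
    # The server sees only bytes: the same value from any client is the same session.
    print(whoami(f"sid={token}"))
    for secure in (False, True):
        header = set_cookie(token, secure)
        print(header, "| sent over http:", browser_sends(header, "http"))
```
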

  • http://driverdan.com ExpertDan

    A lot of your statements about SSL in this episode are completely false. You can buy a cert for $10. There is no reason to spend hundreds. The added cost is insignificant for most sites. It does require a dedicated IP which most hosts will provide for a few dollars per month (if not, switch to a better host).

    Once you know how to set them up it’s easy, especially if you’re using a control panel. It’s only complicated for large services like FB because of how custom their setup is. Your average website running on a common server setup isn’t hard. There are tons of tutorials on the web on how to do it. I set up at least one or two per week. I do it completely manually and it takes me less than 5 minutes. If a small web service needs one installed I’m sure they can find a freelancer to do it for less than $100.

  • goldfidget

    Reading the apology on Cooks Source I can’t help but feel rather sorry for them…

  • goldfidget

    Just finished listening to this, thanks again for an epic podcast, I like the longer format!

    On the theme of hacking, my Google account was hacked a few years back. My password was an 8 digit random alphanumeric string so this was possibly due to packet sniffing, I guess I’ll never know. The hacker set up £1600 per day worth of Google AdWords for an American casino site. Google were great, I spoke to a representative and they refunded the money without a problem, but I still lost about £100 in bank charges.

    I’d second your caution against logging into non-encrypted sites on open access wifi networks.

    • http://www.ifroggy.com Patrick O’Keefe

      Thanks for the feedback, goldfidget! Glad to hear that you liked the format!

  • http://www.dunkirksystems.com zivo

    I just listened to the podcast and want to respond to the comments on SSL certificates. Today, I advise all my clients that have any forms or collect any information – whether it’s an eCommerce site or not – to use an SSL certificate.

    Many times Web visitors will enter sensitive information on a Web form, e.g. driver’s license number, social security number in the US, etc. This information needs to be protected on the way to the Web server, on the Web server and how it is transmitted. This includes protecting the Web form, any CMS or admin site that displays the information, and as well encrypting the data in the database and not emailing it via an autorespond message when the form is submitted.

    As for the cost and hassle – I concur with ExpertDan that the cost and effort is minimal. You can get them as low as US$10, or via other more expensive vendors like Verisign and their other brands. Having an SSL certificate not only encrypts the data in transmission to and from the Web server, but it can also lend credibility to the Web site and verify its ownership. These latter features are not to be dismissed either. This is a small level of effort for a great gain. Plus any competent Web host should have automated and straightforward ways to manage SSL certificates.

    The thought that everything on the Web should be free or cheap may work for inexperienced people, but if this is what you do for a living, you need to educate your clients and customers of what is needed. If they don’t want to pay more than 99 cents a month for hosting, then you need new clients! I think this topic would make a great area for SitePoint blogs to explore more.

    mp/m

  • goldfidget

    Just a thought, because an HTTPS secured site needs a static IP, this is going to accelerate IPv4 address exhaustion and hasten the need for the IPv6 switchover.