Audacious Fox

Despite Argentina’s unceremonious departure from this year’s World Cup — following an embarrassing group stage performance — their star player Lionel Messi is still a wonder to watch on the field — particularly when he doesn’t have the ball. Bobby Gardiner for FiveThirtyEight:

Throughout his career, Messi has been criticized for walking. After an El Clasico match between Barcelona and Real Madrid in December 2017, there was widespread coverage of the fact that Messi walked 83 percent of the roughly 5 miles he covered that game. Despite this, he scored and assisted in Barca’s 3-0 trouncing. […]

The most popular explanation has been that Messi walks to conserve his energy for critical moments, like a perfectly efficient machine. But even when he’s walking, new research suggests, he’s far from idle.


Leaning against our headboard awake far later than I wish to be, my little guy nuzzles deeper into the crook of my arm he’s chosen to fall asleep in and I can’t help but feel it’s all so very much worth it; the fatigue, frustration, fear—they all melt away in these moments, and for a minute my heart knows nothing but the contentedness of a man who truly has everything, and for whom nothing else could replace this feeling.

Josh Constine, TechCrunch:

At just 573 kilobytes, Instagram Lite is 1/55th the size of Instagram’s 32 megabyte main app. It lets you filter and post photos to the feed or Stories, watch Stories, and browse the Explore page, but currently lacks the options to share videos or Direct message friends.

First, the photo-only version of Instagram was the best version. Second, what in the sweet heavens is in the current Instagram app that makes it 55x larger than Instagram Lite? Trick question — it’s always the ads, analytics, and A/B testing frameworks.

Again I say, your “lite” app should be your only app.

Derek Godin, writing about iOS developer/designer Zach Gage and his newest game, Pocket-Run Pool:

Gage specializes in taking well-worn casual game mainstays (word puzzles, chess, solitaire) and twisting them in small, clever ways. Often these are simple mechanical tweaks; Really Bad Chess gives players one king and 15 other random pieces to duke it out with, while Sage Solitaire elegantly splits the difference between classic Klondike and poker. His latest game Pocket-Run Pool is his version of an arcade-style billiards game, with rotating pocket multipliers and three lives (i.e. scratches) to clear the table.

A Zach Gage remix is the best kind of remix. Pocket-Run Pool is certainly enjoyable, but Really Bad Chess remains one of my favorite games on iOS.

One of the more thrilling announcements at WWDC 2018 is that iOS 12 will focus heavily on performance and longevity of older iOS devices. This means not only will iOS 12 support anything that currently runs iOS 11, but also those older devices should see noticeable performance increases. Apple PR:

Camera launches up to 70 percent faster, the keyboard appears up to 50 percent faster and typing is more responsive. Even when there is a lot going on across the system, apps can launch up to twice as fast. From iPhone 5s, introduced in 2013, to the most advanced iPhone ever, iPhone X, iOS 12 brings performance improvements to more devices than any previous version.

This isn’t just a new-features thing — it’s a security thing too.

Manufacturers are often playing a game of cat-and-mouse with exploits and hackers; every update eliminates any number of vulnerabilities, and the more nefarious folks need to start looking for alternative ways to compromise your device. However, once a device maker stops pushing out updates, it’s only a matter of time before your device becomes susceptible.

Update: It helps to remember — at least for me — that not everyone can afford to or desires to keep up with Apple’s yearly iPhone upgrade cycle. For folks that keep their devices for many years (iPad users in particular), this extended approach to compatibility, security, and performance is huge.

Nick Heer, Pixel Envy:

You know how you sometimes just need a quick place to jot something down — a single scrap of paper, the back of an envelope, or whatever you have laying around — and you know you won’t need to save it? Edit is like the digital version of that. It’s fast, it’s simple, and I use it all the time.

I hate how he explained Edit better in 58 words than I could in 200+.

Michael Rockwell, Initial Charge, in his review of Edit:

Overall, I think K.Q. Dreger made all the right decisions with Edit’s initial offering. Utilizing the share sheet and the select-all shortcut to eliminate the need for storing multiple documents is such a brilliant idea. I still think it’s a few small features away from becoming an absolute must-have. But despite that, Edit has become an important part of my writing workflow because its core set of features are rock-solid and the application is such a delight to use.

Overall, this is the sentiment I’ve been seeing. It’s humbling how much Edit is resonating with people. A few weeks ago, it was just my little app.

Mr. Rockwell has a few points of criticism that — as the sole developer and designer — I really enjoyed reading. One of his main call-outs is the lack of iCloud syncing, or the inability to start a note on your iPhone and finish writing on your iPad.

I get the draw, really. I don’t have an iPad, so this particular pain was probably lost on me as I fiddled with the Xcode simulators, but enough people have asked about it that I am actively working on figuring out a solution. Ideally, I can use your iCloud accounts to sync the current sheet back and forth, but I have speed concerns that I haven’t been able to test yet. I’ve long thought that a syncing service should be fast enough that all changes are committed and sent to the server by the time a user can close the app or shut their laptop lid/smart cover. If CloudKit isn’t able to provide that sort of performance, I might need to look at a few other options. Whatever I end up doing though, it’ll be totally seamless for the users; you’ll turn it on, and it’ll just work.

Just over a year ago, I started working on a small iOS app for writers. I was tired of not having a focused, single-purpose place for drafting and editing important messages, emails, and text. I hated doing those things in Messages or Mail, and I avoided Notes because what I was writing didn’t need to be stored anywhere. All I wanted was a tasteful place to write.

Well, I’ve finished, and next week I’m excited to ship Edit for iOS.

Edit has several neat features (dark mode, pinch-to-zoom text size, word and character count), but I think the most interesting one is that Edit doesn’t store multiple notes. You get one page, and whatever you leave there will be there when you come back. Because of this, I’ve found that Edit complements many of the other great writing and note taking apps out there instead of competing with them. You can quickly drop a thought in Edit, let it sit, come back later, punch it up, and then export what you’ve written to anywhere in iOS. Over the past year, I’ve used Edit to jot down journal entries, tweak tweets, or as a place of reference for important information I need throughout the day. I use it almost every single day, and I’m really happy with how this single page scratchpad fits into my life.

Edit is available as a pre-order on the App Store for $1.99, and it also comes with a 10-year good faith guarantee, which basically means I’ll work hard to keep Edit available for your next decade of iOS devices. Cool, no?

(Typography fun: I’m using the system standard San Francisco, but I’ve enabled a few alternative characters and numbers to give Edit a familiar but unique feel.)

Check out Edit on the App Store or enjoy the micro-marketing page I put together. I hope you like Edit as much as I enjoyed making it.

Happy writing.

Fun bit of trivia regarding those “click on all the squares with street signs in them” prompts you tend to see on a login or sign up page:

reCAPTCHA’s verification uses several factors to determine the chances that a user is a human, not just the answer provided. We allow true humans to make mistakes in solving the challenge, while punishing bad bots even if they submit a correct answer.

It is expected that, if the system determines you’re likely a human, it accepts your answer despite knowing that it’s an invalid one. In fact, this feature is necessary to be able to combat spam effectively - if we always require a correct answer, it would be easier to create an automated solution to bypass reCAPTCHA challenges. By accepting invalid answers (and sometimes rejecting valid ones!), creating such a bypass gets much more complicated for spammers.

As game designer Jennifer Scheurle prepared to speak at the 2018 Game Developers Conference, she asked her Twitter followers for examples of “brilliant mechanics in games that are hidden from the player to get across a certain feeling.” There were hundreds of replies, many from the game developers themselves, and the insight was fascinating. The original thread is a lot of fun to read through, but here are some of my favorites:

Charlie Butler:

Not sure if it was mentioned, but the tutorial in Halo 2 asked player to look up. Their input determined whether y-axis would be inverted.

Matt Cox:

In Scribblenauts, we used synonyms liberally to spawn the same object, but that object kept the name you spelled, making it seem unique!

Ms. Scheurle:

Assassin’s Creed and Doom value the last bit of health as more hit points than the rest of it to encourage a feeling of JUST surviving.

Paul Hellquist:

In Bioshock if you would have taken your last pt of dmg you instead were invuln for abt 1-2 sec so you get more “barely survived” moments.

Ken Levine:

First shots from an enemy against you in BioShock always missed…that was the design, think it got fully implemented. No “out of blue!”

Matt Ditton:

In Jak and Dexter the player would “for no reason” trip and fall to give enough time to load the next section off disc. […] In the era of open world and “no load screens” you needed to stop the player going too fast. Disc load time was a nightmare.

Tom Forsyth:

HL1 [Half-Life 1] - if facing more than two enemies, only two would actually attack. The rest would run to random locations and bark lies e.g. “flanking”

And finally, James Parker:

Most (good) platform games allow you a small window after you run off the edge of a platform to initiate a jump

If only Wile E. Coyote had such luck.

Some of these might leave you feeling like Dorothy when Oz is revealed, but I love seeing how and when a developer might deploy a cheat on the player’s behalf. And, although I enjoyed reading through the various game mechanics, some of the best replies were from players who never realized what was happening.

Jessica Conditt, Engadget:

The Xbox Adaptive Controller is the first of its kind. It’s a plug-and-play option for people with disabilities – it connects to the Xbox One or Windows 10 PC via Bluetooth and powers on just like the Elite. The controller itself is a clean white rectangle, about 11 inches long and 6 inches wide, with two large black buttons on its face. The buttons aren’t touchpads, but they are light-touch enabled, clicking down with the softest of taps so players can roll their palm between the two or otherwise click them without exerting much force. Each button makes a slightly different noise as well, offering an extra layer of sensory input. […]

Some of the controller’s most impressive features are on back of the rectangle. Nineteen 3.5mm ports line the backside, one for each button on the traditional Xbox gamepad. This allows players to plug in their existing accessibility tools, such as air-powered input methods, big buttons or small clickers, and have them instantly mapped to the proper function. If a particular set-up isn’t working out for any reason, players or their caregivers can quickly change ports to manually remap their controller, all without pausing the game.

This is my new go-to example of a product with “good” design. The number of non-obvious considerations that went into the XAC’s design, in my opinion, set a new bar for accessibility and consumer hardware. Additionally, let’s be clear, no accessibility hardware looks this good. It would be laudable for Microsoft to create this controller at all, but I’m surprised at how nice the aesthetics are.

There’s an oft-quoted saying from Steve Jobs along the lines of: design isn’t just how it looks, it’s how it works. With the XAC, Microsoft has created a device that succeeds on both fronts to a stunning degree, and they did it for a community of users that are often forgotten. More of this, please.

From the Medium Help Center:

Medium is no longer offering new custom domains as a feature. If you already have a custom domain on Medium, nothing will change for you for the foreseeable future, and your domain will continue to work as expected.

As best I can tell, this decision is a change from January (courtesy of the Internet Archive), when the help page for custom domains read that Medium was “pausing” offering the service. It would now seem they don’t offer the setting at all.

I wonder if current custom domain users find the “for the foreseeable future” bit at all reassuring. I wouldn’t. Using your own domain was one of the few meaningful ways you could separate your Medium-hosted blog from all the others. Anyone signing up today will be stuck using whatever publication names (medium.com/publication) are still available to register, making Medium more akin to a long-form Twitter than a place to keep a blog. Lame.

Oliver Roeder, FiveThirtyEight, was one of 15 people who were recently invited to the United Nations for the chance to play chess against Norwegian chess grandmaster—and currently the world’s number 1 ranked player—Magnus Carlsen. The result, while unsurprising, was nonetheless entertaining to read. Mr. Roeder (slight language warning):

The event was a “clock simul,” short for “simultaneous exhibition with clocks,” in which each of us “challengers” sat at our own boards while Carlsen, the “exhibitor,” darted around the room, rarely taking more than a few seconds to make any move before moving on to his next victim. We each had 30 minutes to make all our moves, but Carlsen’s clocks constantly ticked away at every board, putting him at a nominal disadvantage. […]

In retrospect, I blundered — unbeknownst to me at the time — on my 12th, 13th and 17th moves. Others too, I’m sure.

This was always going to happen. But as I sat shroudless, Carlsen did break my heart. By move 12, he’d pushed a pawn down his right flank, which caused me all sorts of problems, and my king was the equivalent of a sitting duck on the opening day of hunting season. But my own pawn, my little pawn that could, was on the march. My pawn made it two squares from the end of the board, where it could become a queen. And it would soon defend my extant queen, which on the next move fled down the board to put Carlsen in check — I put Magnus Carlsen in check! I confess that for precisely 1.5 seconds I thought, “I am going to fucking win.”

Carlsen then easily defended, parried … and destroyed me.

(Hat tip, CBD)

Nellie Bowles, New York Times, reporting on the increasing popularity of esports, and the businesses springing up to capitalize on the fervor:

Across North America this year, companies are turning malls, movie theaters, storefronts and parking garages into neighborhood esports arenas. […]

“The movie theater!” said Ann Hand, the C.E.O. of Super League Gaming, which converts movie theaters into esports arenas, and has raised $32 million from investors. “It has that thunderous sound, and it’s empty a lot of the time.”

For the Super League Gamers, the events can accompany or replace traditional sports. It’s a new Little League and Minor League for today’s athletes. Each city plays together as a branded team — there’s the Chicago Force, the New York Fury, the San Francisco Ionics. So far, there are 50,000 players.

Parents accompany younger players, and the real-life experience opens their eyes. “The most common piece of feedback was that they knew their son or daughter loved this game, but they had no way to understand the game or know if they were any good at it,” Ms. Hand said. “Like, ‘I didn’t know my son or daughter was that competitive.’”

By 2019, she expects to be in 500 venues.

I like watching streamers play games like Fortnite or Overwatch in the same way I enjoy watching Liverpool play on Saturdays. At the end of the day, it’s all entertainment.

However, what’s particularly interesting about esports is that the competitive scene isn’t limited by geography in the same way that physical sports are; this allows esports players to improve more quickly because they’re able to go against a worldwide pool of talent from the start. That said, part of what makes physical sports so popular is their regionality. It’ll be curious if esports benefit from these revamped local venues (remember how popular the arcade scene was?) or if the malls and theaters are empty again in a year’s time.

Zach Schonbrun, Bloomberg, has written a fascinating profile about the pigment research of Mas Subramanian, a materials science professor at Oregon State University. Mr. Subramanian is best known for his accidental creation of YInMn—a striking blue pigment with the ability to generate many other hues. However, although YInMn is widely lauded, Mr. Subramanian has yet to find a way to coax his pigment into a resilient, radiant red; a color that could be worth hundreds of millions of dollars. Mr. Schonbrun:

The world lacks a great all-around red. Always has. We’ve made do with alternatives that could be toxic or plain gross. The gladiators smeared their faces with mercury-based vermilion. Titian painted with an arsenic-based mineral called realgar. The British army’s red coats were infused with crushed cochineal beetles. For decades, red Lego bricks contained cadmium, a carcinogen.

More than 200 natural and synthetic red pigments exist today, but each has issues with safety, stability, chromaticity, and/or opacity. Red 254, aka Ferrari red, for example, is safe and popular, but it’s also carbon-based, leaving it susceptible to fading in the rain or the heat. […]

Subramanian, more scientist than chief executive, is now hunting for a similarly safe, inorganic red derivative of YInMn—something that could put Ferrari red, which is worth an estimated $300 million annually, well in its rearview mirror. Mark Ryan, marketing manager at Shepherd Color Co. in Cincinnati, says whoever finds such a red “wouldn’t have to come into work the next day.”

Color me fascinated.

Over at The Sweet Setup, I spent a few thousand words exploring some of the best text editors available for MacOS. Few topics start such heated debates as those about why one text editor might be better than another, but I don’t think you can go wrong with any of the apps on our list.

Also, if you’re not reading The Sweet Setup or Tools and Toys already, you really should—they’re great publications, backed by a fantastic team.

“Whenever you click on a link, send an email, open a mobile app, often one of the first things that has to happen is your device needs to look up the address of a domain.” That’s Matthew Prince, CEO and co-founder of Cloudflare, in his company’s blog post announcing their new public DNS service,

What is this? is a DNS service. A DNS service lets you visit websites by entering word-based domain names like audaciousfox.net instead of an obscure (and changing) IP address. Technically, you can get to a site by typing in the domain or IP address, but the domain name is far easier to remember

Why does it matter?

  • New competition to existing, core Internet infrastructure is a really healthy thing to have; especially when the new product is more privacy conscientious than the incumbents.
  • Cloudflare’s network operates on a global scale with nearly 150 data centers around the world; which means they have the support and experience to run this type of service.
  • Cloudflare has a track record of supporting encryption and protecting their users; two things you definitely want in a DNS provider.

It might surprise you to know that you even have a choice in DNS providers. Most people probably use their ISP’s default DNS service without knowing it. For why this isn’t the best idea, we’ll go back to Mr. Prince:

What many Internet users don’t realize is that even if you’re visiting a website that is encrypted — has the little green lock in your browser — that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them.

Network operators have been licking their chops for some time over the idea of taking their users’ browsing data and finding a way to monetize it. In the United States, that got easier a year ago when the Senate voted to eliminate rules that restricted ISPs from selling their users’ browsing data. With all the concern over the data that companies like Facebook and Google are collecting on you, it worries us to now add ISPs like Comcast, Time Warner, and AT&T to the list. And, make no mistake, this isn’t a US-only problem — ISPs around the world see the same privacy-invading opportunity.

If you’ve never switched your DNS resolver before, it’s really easy to do, and Cloudflare has quick, two minute tutorials for all of your devices — phone, computer, and router. And if the privacy benefits aren’t a compelling enough reason to switch, there are speed advantages too. currently sits at, ahem, #1 for fastest worldwide DNS resolvers. As of today, Cloudflare’s DNS is already 28% faster than Cisco’s OpenDNS and around 60% more quick than Google’s own

You’ve heard the adage that “when the service is free, you’re the product being sold,” and that’s been true for a long time. But it becomes dangerous when whatever free service you’re using is the only comparable option available. That’s how we end up with Facebook’s monopoly on social networking or Google’s hold on search and video. Having good, privacy focused alternatives to our standard, core digital and social infrastructure — whether DNS resolvers or social networks — is phenomenally important. And when an alternative is both more private and faster than what’s already out there, then it’s simply phenomenal.
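To make Mr. Prince's point about DNS privacy concrete, here is an added example (mine, not code from Cloudflare's post) that builds classic unencrypted DNS queries in the RFC 1035 wire format and then recovers the requested hostnames from nothing but the raw packet bytes, which is exactly what a resolver or any network in the path gets to read. The sample hostnames, transaction IDs, and the `CAPTURE` list are constructed for illustration.

```python
"""What an on-path observer can read from a classic (unencrypted) DNS query.

Added illustration. The wire format follows RFC 1035; the hostnames,
transaction IDs and the CAPTURE list below are constructed sample data.
"""
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA"}


def encode_qname(hostname: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length in {hostname!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(hostname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build the UDP payload a stub resolver sends for one question."""
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, then
    # ANCOUNT, NSCOUNT and ARCOUNT, all zero in a plain query.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(hostname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_question(packet: bytes):
    """Return (hostname, record type) read from a raw query payload.

    Returns None when the bytes are not a well-formed single-question query,
    so truncated or unrelated payloads are skipped instead of crashing.
    """
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means it is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        # Lengths above 63 are compression pointers, not expected in a query.
        if length > 63 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), QTYPE_NAMES.get(qtype, str(qtype))


def observed_names(payloads):
    """Everything an observer learns from a list of raw query payloads."""
    return [q for q in (parse_question(p) for p in payloads) if q is not None]


# Constructed "capture": two lookups a browser would make before opening an
# HTTPS connection, plus one payload that is not DNS at all.
CAPTURE = [
    build_query("audaciousfox.net", qtype=1, txid=0x1A2B),
    build_query("www.example.com", qtype=28, txid=0x1A2C),
    b"\x00\x01garbage",
]

if __name__ == "__main__":
    for name, rtype in observed_names(CAPTURE):
        print(f"saw lookup: {name} ({rtype})")
```

The hostname sits in the packet as plain ASCII labels, so the green lock on the site itself does nothing to hide which site was looked up.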

If you have a few hundred dollars, a recent MacBook, and a desire to play modern video games at a decent frame rate, you can now buy an external graphics card to give your laptop a performance boost. There are, however, some asterisks. Jacob Kastrenakes, The Verge:

For one, only select models are officially supported. And, surprise, Apple is only supporting some of AMD’s Radeon cards, which it already includes in select Macs. That doesn’t strictly mean a GeForce card won’t work — people have gotten some to work while the feature was in beta — but it means you’re gambling a bit around whether it’ll continue to work.

You also won’t be able to use external GPUs on Windows through Boot Camp. And just because you have an external GPU plugged into your computer when it’s running macOS doesn’t mean it’s going to be doing anything, either; developers have to enable support for it. Finally, you’ll also need to have a new enough Mac, since external GPUs rely on the super-fast speeds provided by Thunderbolt 3. That includes 2016 and 2017 MacBook Pros, 2017 iMacs, and the iMac Pro.

For now, the list of caveats with external GPUs is perhaps longer than the list of things you’re able to do with them, but this is certainly a look at the future. Imagine all the benefits of today’s portable machines, but without sacrificing the ability to do intensive video editing or high-end gaming. Additionally, this should make it easier to upgrade your graphics card — something video editors or gamers will do every couple of years — as you won’t need to open your main machine or send it somewhere to do so.

Gennie Gebhart for the Electronic Frontier Foundation:

You shouldn’t have to do this. You shouldn’t have to wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while legislators and regulators scramble to understand the implications and put limits in place, users are left with the responsibility to make sure their profiles are properly configured.

Facebook’s Platform API is what allows third-party applications to access your Facebook data. Disabling this will also disable your ability to “log in” with Facebook, but if you’re looking for a way to tighten down your account without deleting it, this is worth considering.

Dave Morin, former CEO and co-founder of private social networking app, Path:

Overwhelmed by requests to rebuild a better @Path. Considering doing it. If you are interested in working on such an idea, DM me. Let’s see if a passionate team forms. If so, we’ll do it.

Path, if you’ve never heard of it, was one of the many social networks launched in the late 2000s, but it had a unique twist: a 50-person network limit. I only used Path for a year or so — it shared a lot of similarities to Instagram in the early days, minus the whole discovery part — but I found it simple and enjoyable. The 50-person limit ended up being a healthy limitation, because when your only connections are current friends and family, there’s a real sense of authenticity and calm. Unfortunately, privacy and friend limits don’t necessarily help grow a social networking company, and in 2015 Path was sold to Korean company Daum Kakao, as the team doubled down on maintaining their traction in the Asian market.

Path’s still available today, but they’ve lifted their network size limit and haven’t done much to the core product since the sale. It’s not the same experience that it was in 2010. It’s also worth remembering that Path wasn’t perfect. Before iOS required apps to request address book permissions, Path was caught quietly uploading all of your address book contacts to their servers, and then spamming those numbers as a way to help you make more connections. Scummy.

Still, I think there’s room for a mobile-first, affordable (as in paid, because otherwise we’ll be right back to the data-selling square one we’re in right now with Facebook), limited social network. Mr. Morin’s tweet generated a lot of enthusiastic replies from investors, developers, and designers all interested in helping get such a project off the ground, but if Facebook’s shown us anything, it’s that there’s a chasm between showing support for a cause on social media and actually doing anything practical.

With Mr. Morin, though, creating a new, better Path could be a real possibility — it just might take a while. Mr. Morin, an ex-Facebooker himself, is currently helping run the venture capital firm he co-founded, Slow Ventures. Slow’s modus operandi, if the name didn’t give it away, is that “the most powerful ideas, companies, and industries aren’t created overnight.”

At this point though, it’s not about our hypothetical, private social network becoming as powerful as Facebook — it’s about having an alternative. A well designed, private, sustainable alternative. In 2010, Path’s features and limitations were interesting — today, they’re downright compelling.

Paul Ford, for Bloomberg Businessweek, on the United States’ need for an agency dedicated to regulating companies that handle large amounts of personal, sensitive data:

The activist and internet entrepreneur Maciej Ceglowski once described big data as “a bunch of radioactive, toxic sludge that we don’t know how to handle.” Maybe we should think about Google and Facebook as the new polluters. Their imperative is to grow! They create jobs! They pay taxes, sort of! In the meantime, they’re dumping trillions of units of toxic brain poison into our public-thinking reservoir. Then they mop it up with Wikipedia or send out a message that reads, “We take your privacy seriously.”

Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.

Whether it’s through laws or a separate agency, the U.S. needs a new approach to better supervise and safeguard the enormous amount of personal user data in the hands of today’s companies. At the moment, I don’t have much hope in law-based protection, given that Congress has largely failed to punish Equifax for their compromising of more than 140 million Americans’ personal data. However, an independent, empowered, and funded agency could be a promising first step, even if it takes years to realize its potential.

Megan Farokhmanesh, The Verge, with an excellent feature on the rapid rise and subsequent crash of Telltale Games:

When Telltale released the first episode of The Walking Dead in April 2012, even some of the people who worked on the game were surprised by how positive the audience reaction was. By January 2013, the game had sold more than 8.5 million copies — or episodes — raking in more than $40 million in sales. In October 2013, the company claimed to have sold more than 21 million different episodes individually across all of its platforms. Telltale started to expand, signing partnerships with Gearbox Software, HBO, and Mojang and transitioning from a small studio to a midlevel company with multiple licensed properties.

The culture of the company changed dramatically as a result. Former employees describe Telltale in its early days as a small, tight-knit group with a strong sense of camaraderie. New hires trickled in slowly. Upper management had been much less involved in the day-to-day, and developers were given more freedom to do their jobs as they saw best. But the success of The Walking Dead spurred the company to expand rapidly: in order to suit both its growing ambitions and keep investors happy, it became a company that many long-standing employees no longer recognized. “We went from a small and scrappy team to kind of a giant studio full of 300-plus people,” says former Telltale programmer and designer Andrew Langley, who worked at the studio from 2008 to 2015. “You walk around the office, and you don’t really recognize anybody anymore.”

Within Telltale’s portfolio are some truly excellent examples of how strong writing and simple mechanics can create a thoroughly compelling video game. It’s a risky thing, making a game that relies so heavily on dialogue driven by user choice, but Telltale made it engaging, challenging, and authentic. Here’s to hoping they can do it again.

HTTPS and the Secure Web

Should every page you visit on the Internet be served over HTTPS? For banks and online stores, the answer is an obvious yes. But what about blogs, decades old web archives, and other bland online data? Do these documents deserve secured connections?


However, for the past few weeks, spurred on by Google’s move to mark HTTP-only sites as “Not Secure” in Chrome, Dave Winer has asked a similar question, and argued — among other things — that this is a move by Google to seize control of the web:

So now Google points a gun at the web and says “Do as we say or we’ll tell users your site is not secure.” What they’re saying doesn’t stand up to a basic bullshit-test. There’s nothing insecure about my site. Okay I suppose it’s possible you could get hurt using it, I’ll grant you that. But I could get hurt getting up out of my chair and going into the kitchen to refill my coffee cup. Life is insecure. When Google says my old site is insecure what they really mean is “This is our platform now, and you do as we say or your site won’t work.” I don’t believe for a minute that Google’s motivation is protecting users. They seem to believe they can confuse users (they can) and that means they can do anything to the web they like. I suppose they can do that too. But it doesn’t mean the web will cooperate. Imho, it won’t.

Mr. Winer, again, earlier this month:

The web is not safe. That is correct. We don’t want every place to be safe. So people can be wild and experiment and try out new ideas. It’s why the web has been the proving ground for so much incredible stuff over its history.

Lots of things aren’t safe. Skiing. Bike riding in Manhattan. We do them anyway. You can’t be safe all the time. Life itself isn’t safe.

If Google succeeds in making the web controlled and bland, we’ll just have to reinvent the web outside of Google’s sphere. Let’s save some time, and create the new web out of the web itself.

PS: Of course we want parts of the web to be safe. Banking websites, for example. But my blog archive from 2001? Really there’s no need for special provisions there.

We’ve got two arguments here: 1.) Google’s change in Chrome to display “Not Secure” on sites that don’t have HTTPS is the first in what could be a series of steps that eventually lead to HTTP sites being automatically blocked by Chrome, effectively killing the HTTP protocol; and 2.) the world isn’t safe, HTTPS isn’t a silver bullet, and there are simply some types of content that provide no risk and don’t deserve to be called out as insecure.

There’s an additional argument, tangential and articulated by Nick Heer:

I also agree with Winer on another key point: enforcing a pseudo-mandatory policy on HTTPS makes it that much harder for someone new to this stuff to even begin to understand it. As Frank Chimero recently wrote, building stuff for the web has become vastly more complicated since even five years ago. I’m happy to keep learning new skills and growing my understanding of what the web can do, but I don’t know where to begin on this modern web. I don’t intend to hold myself up as a barometer of the complexities of modern web programming or anything — I just don’t know what’s going on any more. I’ve been doing this stuff for nearly twenty years. I don’t know how someone who is eight years old could start digging into React, or Node.js, or any of the other modern JavaScript-based ways of writing <h1>hello world</h1>.

Which brings us to 3.) raising the barrier to entry (e.g. requiring someone to understand how to set up HTTPS before they can get a site online) harms the approachability of creating something new online.

I disagree on all three arguments, but I don’t think they come from unfounded places. I also have great respect for Mr. Winer’s contribution to the web. When Mr. Winer writes, which he does a lot, I read.

However, the last few weeks have left me scratching my head. I don’t disagree with Mr. Winer’s general distrust of Google — I’m skeptical of Google’s motives when it comes to Chrome’s ad-filter or the likes of AMP — but his recent articles leave me feeling that we’ve missed the forest for the trees; that we’re overlooking the importance of encryption because we’re hung up on our sites being labeled insecure, which, truthfully, they are.

Regardless of what Chrome, Firefox, or Safari do, HTTPS is good for the web, and more sites should enable it for their content. Another way to put it: HTTPS is like fluoride. Fluoride is a proven, safe chemical that we add to water to help prevent cavities. Do you need it, if you consistently brush and floss twice a day? Ostensibly, no, but if there’s a way to help protect your teeth in spite of what is otherwise entirely reliant on your own self-discipline and understanding of the risks, why wouldn’t you take advantage of it? The World Wide Web is different today than it was when Mr. Winer first created the content he now is struggling to find reason to provide over HTTPS, but that’s not the visitor’s fault. It’s not even his — yet.

Unfortunately, the worldwide landscape today desperately calls for us to encrypt what we can. We, as creators on the web, are obliged to help protect the privacy and security of our readers. Enabling HTTPS on a domain doesn’t hurt existing content, but it does provide your visitors with a little more protection, and — critically — it doesn’t require a change in their behavior. They get to keep just using the web.

Not requiring a change in user behavior is important, because most users won’t change. Recently we had some friends going on a mission trip, and we wanted to give them some money to help cover the costs. They sent us the link to the organization’s site, but when I pulled it up and navigated to the donation page, it was still being served over HTTP. Yet, the page had all the trappings of a secure location. Little lock symbols near the form, a NORTON SECURE sticker — everything but the HTTPS. To someone not scrutinizing the location field for the missing https://, every other visual indicator suggested that one could safely submit their credit card information. A large “Not Secure” label would have made the actual page security (or lack thereof) immediately apparent.
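For site owners who want to catch a page like that donation form before a visitor does, here is a small audit script. It is an added example, not part of the original post: it ignores badges and lock images and looks only at how the page is delivered and where a form that collects sensitive input submits. The URLs, sample markup, and field-name heuristics are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristics for "this input collects something sensitive".
SENSITIVE_HINTS = ("password", "card", "cvv", "cvc", "cc-")

# Constructed sample: trust badges everywhere, but nothing here makes it secure.
SAMPLE_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<img src="/img/lock.png" alt="Secure"> <img src="/img/seal.png" alt="Verified">
<form action="/donate" method="post">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="cvv">
</form>
"""

class FormCollector(HTMLParser):
    """Records each form's action and whether it holds sensitive inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "sensitive": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            text = " ".join(a.get(k, "") for k in ("type", "name", "autocomplete")).lower()
            if any(hint in text for hint in SENSITIVE_HINTS):
                self._open["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_page(page_url, html):
    """Return (problem, submit_url) for every sensitive form not protected by HTTPS."""
    collector = FormCollector()
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        if not form["sensitive"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if not page_is_https:
            findings.append(("page-over-http", target))  # form can be altered in transit
        elif urlsplit(target).scheme != "https":
            findings.append(("submits-over-http", target))
    return findings

if __name__ == "__main__":
    print(audit_page("http://donate.example.org/give", SAMPLE_PAGE))
```

The search form is never flagged, and the same markup served from an https:// address comes back clean, because the relative form action inherits the page's scheme.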

As for Google’s motives here, this change in Chrome doesn’t set off red flags for me quite yet. They’re doing what their peers are — trying to educate and protect a vulnerable population. I think a more secure web is good for everyone, and if Google wants to start calling out sites that don’t use HTTPS, that’s their prerogative. And unlike Chrome’s built-in ad filtering, Google doesn’t make tens of billions based on whether or not a website uses HTTPS.

The web is a dangerous place to be sure, but in contrast with skiing or bike riding in Manhattan, the consequences of an unsecured web often aren’t immediately felt. If I break my leg while skiing, I’m damn aware that it’s broken — the cause and effect are instantly apparent. But if I’m inadvertently tricked into submitting sensitive content on a site that’s not secure, I may not know about it until months later. Additionally, depending on what sort of information was compromised, it could affect parts of my life not related to the original incident. If someone gets access to my email or collects enough metadata on the content I’m visiting, it could damage me (or others) in ways I can’t even imagine. It’d be like waking up one day, months after a skiing trip to find your ankle is now sprained, but having no idea when or where it happened.

Finally, regarding HTTPS as contributing to the barrier preventing newcomers from getting started on the web — I think that’s a temporary problem. There used to be a time when I wouldn’t have recommended WordPress to someone starting out in web publishing. It took too much time to configure a server, create the database, and manage the updates. But today, you can go to any web host, pay them $5 a month, click one button, and have a WordPress site up and running in minutes. Eventually, enabling HTTPS on a domain could be equally easy. Some web hosts are already offering free, one-click HTTPS, and with services like Let’s Encrypt, the technology to make HTTPS easy and accessible is rapidly improving. In short, the overhead required to get a site secure is quickly diminishing, and in a few years, it may well be one of the simplest parts of creating your next new thing.

Publishing to the web should be easy, accessible, and extremely affordable. But the content you publish should also be made available through a secure connection, even if you don’t think the content warrants being encrypted in transit. I think providing an HTTPS connection to your content will be as much a moral duty for web developers in the future as making accessible, open, and fast webpages is today. And although the browser vendors need to be kept in check, I don’t think their efforts to call out insecure sites are nefarious — rather, our world has changed, and our experience using the World Wide Web needs to change with it. The more we can help push forward a fully secured web, the faster it will get here, and the easier it will be to maintain.


Copyright © The Audacious Company LLC.