Amazon’s recent leap into the world of online backups, with its new CloudDrive service, is just one of several dozen ways you can backup your files. And, as anyone with a failed hard drive can tell you, there’s no such thing as too many backups. Sadly, most of us discover the value of good backups only after tragedy strikes.
That’s why a group of Reddit fans were inspired to launch the first ever World Backup Day — today, March 31st 2011.
If you’re not an rsync master with RAID drives, tape machines and servers around the world making copies of your files, the Reddit thread that started the idea of a world backup day is well worth a read. Not only are there plenty of suggestions for automated cloud backup services like Dropbox or Backblaze, there are some great tricks and tips for making sure your files never go missing (like checking your restores — when was the last time you actually tried to recover from your backups?)
If you’ve been a bit lax in your backups, head over to WorldBackupDay.net for some discounts from online backup services and more tips for making sure that even if your computer disappears tomorrow your files won’t go with it.
You wouldn’t write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, that’s essentially what you’re doing.
There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. But if HTTPS is more secure, why doesn’t the entire web use it?
HTTPS has been around nearly as long as the web, but it’s primarily used by sites that handle money — your bank’s website or shopping carts that capture credit card data. Even many sites that do use HTTPS use it only for the portions of their websites that need it — like shopping carts or account pages.
Web security got a shot in the arm last year when the FireSheep network-sniffing tool made it easy for anyone to detect your login info over insecure networks — your local coffeeshop’s hotspot or public Wi-Fi at the library. That prompted a number of large sites to begin offering encrypted versions of their services on HTTPS connections.
Lately even sites like Twitter (which has almost entirely public data anyway) are nevertheless offering HTTPS connections. You might not mind anyone sniffing and reading your Twitter messages en route to the server, but most people don’t want someone also reading their username and password info. That’s why Twitter recently announced a new option to force HTTPS connections (note that Twitter’s HTTPS option only works with a desktop browser, not the mobile site, which still requires manually entering the HTTPS address).
So, with the web clearly moving toward more HTTPS connections, why not just make everything HTTPS?
That’s the question I put to Yves Lafon, one of the resident experts on HTTP(s) at the W3C. There are some practical issues most web developers are probably aware of, such as the high cost of secure certificates, but obviously that’s not as much of an issue with large web services that have millions of dollars.
The real problem, according to Lafon, is that with HTTPS you lose the ability to cache. “Not really an issue when servers and clients are in the same region (meaning continent),” writes Lafon in an e-mail to Webmonkey, “but people in Australia (for example) love when something can be cached and served without a huge response time.”
Lafon also notes that there’s another small performance hit when using HTTPS, since “the SSL initial key exchange adds to the latency.” In other words, a purely security-focused, HTTPS-only web would, with today’s technology, be slower.
For sites that don’t have any reason to encrypt anything — in other words, you never log in, so there’s nothing to protect — the overhead and loss of caching that comes with HTTPS just doesn’t make sense. However, for big sites like Facebook, Google Apps or Twitter, many users might be willing to take the slight performance hit in exchange for a more-secure connection. And the fact that more and more websites are adding support of HTTPS shows that users do value security over speed, so long as the speed difference is minimal.
Another problem with running an HTTPS site is the cost of operations. “Although servers are faster, and implementations of SSL more optimized, it still costs more than doing plain HTTP,” writes Lafon. While less of a concern for smaller sites with little traffic, HTTPS can add up, if your site suddenly becomes popular.
Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn’t work with virtual hosts. Virtual hosts, which are what the most common cheap web-hosting providers offer, allow the web host to serve multiple websites from the same physical server — hundreds of websites all with the same IP address. That works just fine with regular HTTP connections, but it doesn’t work at all with HTTPS.
There is a way to make virtual hosting and HTTPS work together — the TLS Extensions protocol — but Lafon notes that, so far, it’s only partially implemented. Of course that’s not an issue for big sites, which often have entire server farms behind them. But until that spec — or something similar — is widely used, HTTPS isn’t going to work for small, virtually hosted websites.
In the end there is no real reason the whole web couldn’t use HTTPS. There are practical reasons why it isn’t happening today, but eventually the practical hurdles will fall away. Broadband speeds will improve, which will make caching less of a concern, and improved servers will be further optimized for secure connections.
In the web of the future the main concern won’t just be how fast a site loads, but how well it safeguards you and protects your data once it does load.
Not to be outdone by Mozilla, Google has released a new add-on for its Chrome web browser that allows users to opt-out of online advertising tracking. While Mozilla’s privacy tool is still just a proposal, and involves a new HTTP header, Google’s add-on uses the more practical, cookie-based approach and works today.
The Keep My Opt-Outs add-on works like a very persistant cookie, but this one is working in your favor. The add-on uses Chrome’s internal cookie APIs to set the opt-out flag for each advertising network that participates in the opt-out program created by the ad industry. Not only is it easier than setting those cookies yourself, the add-on ensures that, even if you clear the rest of your cookies, the opt-out cookies remain intact.
While it works, Google’s approach is something of a hack. The add-on intercepts and rewrites cookies, which is not exactly an ideal solution. Still, if you’re a Chrome user and you’ve been looking for a way to stop advertising cookies today, the Keep My Opt-Outs add-on has you covered.
Keep My Opt-Outs also makes a viable alternative to ad-blockers, particularly for those concerned that ad-blocking add-ons are denying their favorite sites much needed revenue. Provided you don’t mind a few advertisements here and there, using the new add-on in conjunction with some smart cookie settings, you can support your favorite sites without forfeiting your privacy. And for those that do use ad blockers, keep in mind that just because the ad is not shown, doesn’t always mean it can’t set cookies.
In the long term, Mozilla’s header-based approach to stopping cookie-based tracking is a better solution, and we expect, if the idea catches on, Chrome and other browsers will support it as well. For those who want something that works today, Google’s new add-on fits the bill.
Behavioral advertising, as such tracking is known, is becoming increasingly common on the web. Advertisers use cookies to follow you around the web, tracking which sites you visit, what you buy and even, in the case of mobile browsers, where you go. The U.S. Federal Trade Commission has already outlined a Do Not Track mechanism (PDF link), which would work much like the FTC’s Do Not Call list, offering a way to opt-out of online tracking.
The proposed do-not-track HTTP header is one of several ways Mozilla plans to implement the FTC’s suggestions. While the header idea has been around for a while — the Do Not Track Firefox add-on from the Stanford Law School is one example — currently most online opt-out schemes use cookies to set user preferences. Mozilla believes “the header-based approach has the potential to be better for the web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists.”
While the new header is just a proposal at the moment, Mozilla already has some code ready and is considering adding the feature to future versions of Firefox. The current plan is to create a new preferences option that would allow you to opt-out from tracking. Check the box in the preferences and Firefox will start sending the do-not-track header each time you request a new page.
Interestingly, the header Mozilla proposes is not the same as the “X-Do-Not-Track” proposal, which is already implemented in Firefox add-ons NoScript and Adblock Plus. For more details on how Mozilla’s new HTTP header will work, see Mozilla developer Sid Stamm’s blog post.
Like Mozilla’s proposed privacy icons, the problem with the new header is getting third-party ad sites to obey it. Mozilla calls it a “chicken and egg” problem and hopes to jumpstart the idea by including the header in future releases of Firefox. At that point it would be up to third party websites to support the header and, as Mozilla puts it, “honor people’s privacy choices.”
When it comes to erasing your tracks on the web, nothing is more pernicious and difficult to delete than the Flash-based cookie. Technically known as “local shared objects,” Flash cookies don’t go away when you clear your browser-based cookies. Instead they hang around, potentially collecting data without your knowledge or consent.
To delete Flash cookies you have to navigate through the Flash Player settings dialog. Unfortunately most users don’t know how to do that and Adobe has, until now, put very little effort into simplifying the process (it has at least made Flash respect the “private browsing” mode in modern browsers).
Now Adobe is finally taking some steps toward simplifying the process of deleting Flash cookies. The company has announced it is working on a new API that will allow your browser to delete Flash cookies along with the rest of your cookies. For now only Mozilla and Google are working on the API with Adobe, but presumably Adobe is talking to Microsoft and Apple as well.
While there’s no shipping code at this point, if the API were to make it into Firefox and Chrome it would give users an easy-to-find menu for quickly clearly Flash cookies. Adobe’s blog post says users can expect to see the changes “in the first half of the year.”
The move would no doubt by a small boon to privacy, but as Ars Technica points out, Flash cookies aren’t the only source of hard-to-defeat, persistant online tracking. For instance, the dreaded “evercookie” stores data in no less than 13 places and is nearly impossible for the average user to delete.
Still, for those annoyed at the complexities of deleting Flash cookies, things may soon, thankfully, get a bit simpler.
Miniature Food photo by Stéphanie Kilgast/Flickr/CC
Browse Our Tutorials
Cheat Sheets
Color Charts
Cut & Paste Code