This is Glyph's Typepad Profile.
Glyph
Recent Activity
I honestly have no idea what you're talking about. PHP is terrible, but why do you need to consider it? I've never had the slightest bit of trouble finding hosting for other languages and tools. You can deploy a Python or Ruby or JavaScript web application to Heroku in like five seconds; if you get some cloud hosting from Rackspace or Dreamhost or EC2 it might take you as long as fifteen minutes.

This "available everywhere" thing is just a fallacy. I can't think of a single platform that has PHP that doesn't also have both Python and Ruby and a trivial way to get all your dependencies installed. And in fact, as much as the Python packaging ecosystem needs an overhaul, installing and configuring PHP dependencies for any non-trivial application is an enormous nightmare, especially if you want to install more than one thing on your web server! In Python it's just virtualenv, pip install, and you're done.

Maybe some hosting providers offer PHP but not other things, but you know what? Just don't use those providers. There's a huge, highly competitive market of hosting out there, and every part of it that I can see has excellent support for reasonable tools. Heck, you can deploy on Heroku for free.

Didn't your parents ever tell you that if all your friends jump off a bridge, you shouldn't jump off of it too? Well, PHP is that bridge. Don't do drugs, Jeff.

Commented Jun 29, 2012 on The PHP Singularity at Coding Horror
HTTPS is not "overkill". In fact, given the somewhat broken certificate authority model that browsers impose, it's a bit underkill.

First of all, it's not too slow. See the links here - http://twitter.com/glyph/status/2958424706916352 - so there's no real reason to consider it 'overkill' if it's not taking up an unreasonable amount of resources.

Second of all, any "better" identity solution must necessarily involve crypto. So, why go to the massive amount of trouble to create a new cryptographic standard when the existing one is adequate? Keep in mind that if the stuff other than your "identity" isn't protected, your identity isn't really protected either. Active attacks aren't significantly harder than passive attacks on unencrypted traffic; if your authentication is encrypted but the commands you're performing aren't, an attacker could just as trivially capture your outgoing commands and modify them rather than modify your authentication. Or, alternately, if you are concerned about people being able to masquerade as you, and you're using authenticated, encrypted connections, but the people reading your activity aren't, then the attackers can just spoof them instead of you.

So, turn on https on stackoverflow, please, and stop advocating for some mythical broken solution when a very real, working one already exists.

The biggest problem here is that everyone thinks they understand the problem but very few people really do. So, while "Use HTTPS" is an oversimplification, it's the only message that is going to get through: if you say "Use HTTPS because there's nothing better but we should really come up with some better thing" then lots of people are going to take away "Oh, I should wait until there's a better thing, until then I'll just use HTTP and ignore the problem".

Commented Nov 14, 2010 on Breaking the Web's Cookie Jar at Coding Horror