We’re quiet, but we’re still here, doing the work!

This year we launched a beautiful new website for Community Board 5. But mostly, we’ve been working on adding new features to existing sites and databases, for organizations like SHARE, CRE, and FCNY.

Posted
Author: Chris Snyder

Google recently announced changes to their mobile search algorithm, which now favors "mobile friendly sites" in search listings. All other things being equal, websites that are optimized for mobile devices get preference in mobile searches.

Many of our clients have received scary spam email in the last few weeks along the lines of "we looked at your site and it isn't mobile friendly, Google is going to remove you from their listings!" Hogwash. 

Having a mobile-friendly or responsive website is important, especially if you do any email marketing. People read email on their phones, and that's where they click links. Your board members probably view your website on tablets. At the other end of the spectrum, a lot of folks using desktop computers now have very large HD displays, and your site may look like it's floating off to the side of their browser window. Responsive is the only way to build a new website.

It's also costly. It takes at least three times as long to design and build a responsive website, which means it costs at least three times as much. In some cases, an existing website design can be modified to become more or less responsive, but even that can take a significant amount of time. Simply put, every change we make must now be tested at six or more different sizes.

Also, many of the values in a responsive website's stylesheet are now relative to each other, rather than fixed values, because they have to change with the screen size. The code is harder to write, and changes to one element can have implications for other elements, which makes testing at all those different screen sizes that much more important.

So, yes, the spam is at least partially true: you do want a responsive website. And if you're concerned about being competitive in mobile search results with other sites that do what you do, then, yes, you need to upgrade your site. If not, don't worry about it for now. But be prepared: your next website is probably going to cost more than your current one did, because responsive sites are not as easy to design and build.

Posted
Author: Chris Snyder

I'm really excited about the new web editor we're working on. Here's a prototype:

It's based on TinyMCE 4.1, which rocks. It is a very solid editor, and produces beautiful code. And things just work: I haven't been able to confuse it yet.

We'll start testing it on a few sites in October. I can't wait to enable it everywhere.


Posted
Author: Chris Snyder


Google announced recently that sites using HTTPS (secure web connections, aka SSL) may be given preferential search rankings, and there is a widespread call to use HTTPS everywhere. Gandi.net is offering a free security certificate with every new domain registration, and presumably other registrars will follow suit.

But the big bottleneck to HTTPS adoption for smaller sites is that it is not easy to use with the most common kind of virtual hosting: name-based virtual hosting. That’s where you have many different sites on one server, and they all share the same IP address.

In name-based virtual hosting, when the server receives a request for a web page, it checks to see what domain name is being asked for and then serves up the correct page. Unfortunately, with HTTPS, the domain name is encrypted along with the rest of the request, so the encrypted connection must be set up, with the correct certificate, before the name can be determined by the server. It’s a classic chicken and egg problem.

There are two ways around this, neither of which scales very well:

1) Use a different IP address for each domain.
2) Use a single certificate that is valid for multiple domain names.

Number 1 doesn’t scale because IPv4 addresses are a finite resource. ISPs and cloud providers are already getting antsy about handing them out.

And number 2 doesn’t scale because certificate authorities limit the number of alternate names you can add to any one certificate. 20 is a common limit. There is also an administrative burden of matching websites to certificates to configurations as customers sign up and leave, which is a bit like playing Tetris.
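The bookkeeping described above, as an added example that is not from the original post: a small Python audit that compares hosted sites with the names on each multi-domain certificate and plans which certificates must be reissued as customers sign up and leave. The `Cert` inventory, its labels, the domain names and the limit of 3 used in the sample are constructed for illustration.

```python
from dataclasses import dataclass, field

SAN_LIMIT = 20  # the "common limit" quoted in the post; actual CA limits vary

def norm(name):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.strip().lower().rstrip(".")

@dataclass
class Cert:
    label: str                                # hypothetical inventory label
    names: set = field(default_factory=set)   # alternate names on the certificate

def audit(sites, certs, limit=SAN_LIMIT):
    """Report sites with no certificate, names of departed sites, and oversize certs."""
    live = {norm(s) for s in sites}
    covered, stale, over = set(), {}, []
    for c in certs:
        names = {norm(n) for n in c.names}
        covered |= names
        if names - live:
            stale[c.label] = sorted(names - live)
        if len(names) > limit:
            over.append(c.label)
    return {"uncovered": sorted(live - covered), "stale": stale, "over_limit": over}

def plan_reissue(sites, certs, limit=SAN_LIMIT):
    """Drop stale names, fill free slots, return (layout, certs needing reissue)."""
    live = {norm(s) for s in sites}
    old = {c.label: {norm(n) for n in c.names} for c in certs}
    layout = {label: names & live for label, names in old.items()}
    changed = {label for label in old if layout[label] != old[label]}
    placed = set().union(*layout.values())
    for site in sorted(live - placed):
        # First certificate with a free slot; otherwise start a new one.
        label = next((l for l, n in layout.items() if len(n) < limit), None)
        if label is None:
            label = f"new-cert-{len(layout) + 1}"
            layout[label] = set()
        layout[label].add(site)
        changed.add(label)
    return layout, sorted(changed)

# Constructed sample: one customer has left, two have signed up.
SITES = ["alpha.example", "Bravo.example", "charlie.example", "delta.example", "echo.example"]
CERTS = [Cert("cert-1", {"alpha.example", "bravo.example", "gone.example"}),
         Cert("cert-2", {"charlie.example"})]

if __name__ == "__main__":
    print(audit(SITES, CERTS, limit=3), plan_reissue(SITES, CERTS, limit=3))
```

In the sample, one departure and two sign-ups force both existing certificates to be reissued, which is the churn the Tetris comparison describes.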

Switching (finally!) to IPv6 would solve the scarcity problem and allow us to assign a unique IP address to each website, which in turn allows each customer to bring their own TLS certificate to the table. 

I hope that our evolving common understanding of Internet security and the need for HTTPS connections everywhere (which is constantly being reinforced!) will give end-user ISPs the push they finally need to implement end-to-end IPv6.

Posted
Author: Chris Snyder

The good news is that until mid-March, we were using a version of OpenSSL that was not vulnerable to the Heartbleed bug.

However, in March we started migrating sites to a newer server OS that included the affected version. So for about 20 days, until our OpenSSL was updated on April 9, our sites were vulnerable.

As of April 11, we have re-keyed all of our SSL Certificates, and changed important passwords related to our domains and infrastructure.

Should you change your password?

Given the relatively small window of opportunity for attackers to exploit the bug on our servers, and the availability of much more prominent sites to attack, we are not requiring you to change your password.

If you logged in to your website in the last 3 weeks, there is a chance that attackers may have been able to capture your password or other private information during that time. You should go ahead and change your password.

If your website password is the same as one you use on other vulnerable sites, such as GMail, Dropbox, Yahoo, or GoDaddy, then you should change your password. Attackers have almost certainly used this bug against prominent web services in the last 2-3 years.

If you have any questions or concerns about this issue, please contact me.

Posted
Author: Chris Snyder

Chxo.com started in 1999, as a developer of open source website software. We built the Berylium content management system, and Fotola.com, and a few long-gone websites for commercial clients such as Lifetime Television and Lightswitch. But I wanted to do more than just create websites.

For the last 10 years, I had the honor of being Director of the Center for Internet Innovation at the Fund for the City of New York. There, my colleagues and I built some really amazing things, and I got to work with a lot of really great people who are doing their best to improve the quality of our lives — all of us, not just people with lots of money or access to the latest, greatest technology. 

But the world changes, and organizations change, and it’s time for me to re-start Chxo.com as a software development company. I want to provide friendly web services to individuals, families, and small organizations. It’s what I love to do, and I’m very much looking forward to doing it here.

There will be a new website. And new services. And a bunch of useful web apps. Stay tuned, as we used to say…

Posted
Author: Chris Snyder