Portfolio hosting

From Pin Eight

Say you're looking for a job, and you want a portfolio you can show to prospective employers who "don’t interview anyone who hasn’t accomplished anything."[1] If your portfolio involves web development, you'll need hosting for your projects.

The consensus among Slashdot users as of the fourth quarter of 2012 is that WebFaction is the way to go. It supports Python and PostgreSQL in addition to PHP and MySQL, and it even supports SNI so that you can secure user credentials for users of non-obsolete web browsers. But in 2016, with WebFaction's lag in support for the Let's Encrypt CA, DreamHost is gaining on WebFaction.

Tradeoffs

HTTPS

HTTP normally allows any eavesdropper to see the entire transaction. This means that anyone with access to the packets on a network can use something like Firesheep to intercept session cookies of other users on the same subnet and then forge them to impersonate another user. To prevent this, HTTP is commonly tunneled over Transport Layer Security (TLS), formerly called Secure Sockets Layer (SSL), to form HTTPS. If one of your projects involves user accounts, you'll need hosting that includes HTTPS so that users can't intercept each other's cookies. Since the Firesheep tool began to raise awareness of cookie theft, the Electronic Frontier Foundation has been distributing an extension called HTTPS Everywhere for the Firefox and Chrome web browsers that automatically rewrites HTTP URLs to the corresponding HTTPS URLs on sites known to support HTTPS.

Web developers may consider implementing HTTPS if they want to show support for HTTPS Everywhere, want to take advantage of SEO bonuses that Google introduced in mid-2014, want to use new web platform features such as Service Workers that are available only in secure contexts, or just care about their users' credentials not getting stolen. The EFF has answered some common objections to implementing HTTPS by giving tips on how to reduce connection overhead[2] but has not yet given guidance to implement HTTPS on small sites such as blogs, forums, and wikis. The expensive part of implementing HTTPS used to be the TLS certificate from a commercial certificate authority, used to detect the presence of a man in the middle.[3][4] But that's no longer much of an obstacle since StartCom and WoSign started offering free certificates for a domain, and especially in the fourth quarter of 2015 when Let's Encrypt went live. This makes some people wonder[5] why web sites use unencrypted HTTP at all nowadays. But even with free certificates for personal sites, implementing HTTPS on a site that doesn't make money is not without its tradeoffs.

Third-party services

You may discover that your site depends on third-party services unavailable through HTTPS. For example, Google AdSense did not support HTTPS[6] until September 2013,[7] and those ad networks that do support HTTPS may pay noticeably less for each HTTPS impression.[8] The reluctance of ad exchanges to go full HTTPS[9] is one of the things that held up migration of The Guardian to HTTPS until mid-2016.[10] Or a database of browser support for web features may not support HTTPS. Placing such a widget on an HTTPS page may trigger a "mixed content" warning, meaning that insecurely delivered objects may be able to change the behavior of securely delivered objects, and some browsers present this warning as a modal alert box, disrupting the user's experience in much the same way that a pop-up does. Web site operators who depend on income from an ad network that does not support HTTPS may have to redirect anonymous visitors from HTTPS to HTTP in order to show advertisements to these viewers without the pop-up.
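Before deciding whether a page can be served over HTTPS at all, it helps to inventory which of its sub-resources would still load over plain HTTP. The following scanner is an added example in Python (not code from this page or from any of the services it names): it walks the HTML with the standard library parser, resolves each resource URL against the page URL so that relative and scheme-relative (`//host/...`) references are handled, and reports every one whose scheme is `http`, split into "active" content (scripts, stylesheets, frames, plugins, which browsers block because it can alter the page) and "passive" content (images and media, which browsers typically load with a warning). The sample page and its host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that fetch a sub-resource. Script, stylesheet, frame and plugin
# content can change the page ("active" mixed content); images and media cannot ("passive").
URL_ATTRS = {
    "script": "src", "iframe": "src", "embed": "src", "object": "data",
    "link": "href", "img": "src", "audio": "src", "video": "src", "source": "src",
}
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every sub-resource that would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if not url:
            return
        # urljoin resolves "/x.css" and "//cdn/x.js" against the https page URL,
        # so only explicit http:// references remain as findings.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme != "http":
            return
        rel = (attrs.get("rel") or "").lower()
        active = tag in ACTIVE_TAGS or (tag == "link" and "stylesheet" in rel)
        self.findings.append(("active" if active else "passive", tag, absolute))


def scan_mixed_content(page_url, html):
    """Return the list of mixed-content findings for an HTML document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for a page served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: an ad snippet, a widget and a few ordinary resources.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/show_ads.js"></script>
</head><body>
<img src="http://img.example/badge.png">
<img src="https://img.example/logo.png">
<iframe src="http://widget.example/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content("https://portfolio.example/page", SAMPLE_PAGE):
        print(kind, tag, url)
```

Run against the sample page it reports the `http://` stylesheet, ad script and iframe as active and the badge image as passive; the scheme-relative script and the root-relative stylesheet resolve to `https://` and are not reported. Anything in the active list has to be moved to an HTTPS source (or dropped) before the page can be served over HTTPS without a blocked resource.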

Periodic manual effort

The other problem with a small public site is the periodic manual work to keep the site's certificate renewed. Unlike renewing a domain and web hosting, renewing a certificate requires manual steps every year if a site's hosting provider doesn't support Let's Encrypt. Some users have tried to passive-aggressively work around this by creating a Ruby script to automatically open a support ticket to get a renewed cert installed. Or if you don't want to go through the manual dance of renewing every few months, especially on hosting environments that make certificate installation hard to automate, SSLs.com offers a 3-year Comodo certificate for $15.

Server Name Indication

TLS used to need a separate IP address for each certificate. This is no longer true since April 2014 because all supported web browsers can use Server Name Indication. So if you choose shared web hosting, make sure it offers TLS with SNI.

DNS Service Discovery

Another barrier to TLS use that affects only private sites is the lack of PKI for the .local domain used by DNS Service Discovery (DNS-SD), as CAs cannot issue certificates for sites not reachable over the Internet. No PKI means current browsers will show certificate errors for DNS-SD sites. This makes it impossible for a site discovered through DNS-SD to offer a Service Worker or other new web features that work only in secure contexts, unless the browser lets the user import a device's self-signed certificate using NFC, QR codes, or similar, as suggested in the minutes of an October 2015 meeting about TLS on IoT devices. This is a problem for someone whose portfolio includes the source code of an application intended to run on a home server reachable only within the home network.

Languages and databases

While you're at it, try to find a hosting provider that offers PostgreSQL if you can. Some people have reported problems with the fundamental design of PHP and MySQL or with the default settings of PHP and MySQL that a lot of popular web applications rely on. And a disturbing number of shared web hosts don't offer any language but PHP on their cheapest plans, and they don't offer PostgreSQL on anything below a virtual private server (VPS). Even what they do offer may be a years-old outdated version because an upgrade could break other customers' existing sites hosted on the same server that depend on deprecated features, and shared hosts don't always make it easy to move an account to a new server with new versions of the language and database.

Approaches

Home hosting

Some Internet service providers in some countries allow running a server at home. This gives control comparable to a virtual private server but requires you to leave a PC turned on at all times, and it may need to send periodic messages to the DNS provider to update your home computer's IP address.

There are three drawbacks. First, it doesn't work in all countries. ISPs in some countries without a large allocation of IPv4 addresses put all customers behind a transparent HTTP proxy or a big NAT, where one public IP address represents hundreds or thousands of customers. Use of a carrier-grade NAT was reported as early as 2005.[20] Second, check your acceptable use policy: some ISPs consider running a server on a home SLA as grounds for disconnection, and some enforce it by blocking inbound ports or the HTTP or TLS handshake. Third, leaving a computer powered on takes electric power and causes heat and noise unless you host it on a cheap, passively cooled device such as a $25 USB-stick PC or a Raspberry Pi board.
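Here is an added example in Python (not from this page or from any ISP or DNS provider) of the periodic update job described above, which also handles the carrier-grade NAT drawback: `IP_ECHO_URL`, `UPDATE_URL` and the bearer token are hypothetical placeholders for whatever your DNS provider documents. Before publishing, the job classifies the address the echo service reports and refuses to update the record when that address falls in the RFC 6598 shared range (100.64.0.0/10) or a private range, since inbound connections cannot reach such an address anyway; it also refuses to send the token over anything but HTTPS. The network calls are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# Hypothetical endpoints for this example; use the URLs your DNS provider documents.
IP_ECHO_URL = "https://ip-echo.example/"        # replies with the caller's public IP as text
UPDATE_URL = "https://dyndns.example/update"     # updates the A record for a hostname

CGNAT = ipaddress.ip_network("100.64.0.0/10")    # RFC 6598 shared address space (carrier-grade NAT)


def classify_address(text):
    """Return 'public', 'cgnat' or 'private' for the address an echo service reported."""
    addr = ipaddress.ip_address(text.strip())    # ValueError on anything that is not an IP literal
    if addr in CGNAT:                            # checked first: ipaddress does not count it as private
        return "cgnat"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "public"


def fetch_public_ip(fetch=None):
    """Ask the echo service what address our traffic appears to come from."""
    fetch = fetch or (lambda url: urlopen(url, timeout=10).read().decode("ascii"))
    return fetch(IP_ECHO_URL).strip()


def published_ip(hostname, resolve=None):
    """The address currently in DNS, or None if the name does not resolve yet."""
    resolve = resolve or socket.gethostbyname
    try:
        return resolve(hostname)
    except OSError:
        return None


def send_update(hostname, ip, token, post=None):
    """Tell the provider the new address. The token is a credential, so insist on TLS."""
    if urlsplit(UPDATE_URL).scheme != "https":
        raise RuntimeError("refusing to send the update token over plain HTTP")
    post = post or (lambda req: urlopen(req, timeout=10).read().decode("ascii"))
    req = Request(UPDATE_URL + "?" + urlencode({"hostname": hostname, "myip": ip}),
                  headers={"Authorization": "Bearer " + token})
    return post(req)


def sync(hostname, token, fetch=None, resolve=None, post=None):
    """One run of the periodic job. Returns (status, observed_ip)."""
    ip = fetch_public_ip(fetch)
    kind = classify_address(ip)
    if kind != "public":
        # Behind CGNAT or a private network: publishing this address would be useless,
        # because nothing on the Internet can connect inbound to it.
        return ("unreachable:" + kind, ip)
    if published_ip(hostname, resolve) == ip:
        return ("unchanged", ip)
    send_update(hostname, ip, token, post)
    return ("updated", ip)


if __name__ == "__main__":
    # Token and hostname are placeholders; run this from cron every few minutes.
    print(sync("home.example.net", "TOKEN-PLACEHOLDER"))
```

The "unreachable" status is the useful diagnostic: if the echo service reports a 100.64.0.0/10 address, the ISP has put you behind carrier-grade NAT and no amount of port forwarding on your own router will make a home server reachable.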

Shared hosting

Type budget ssl hosting into Google and you might be able to find plans under $120 per year. Most of these will be similar to the HTTP-only shared hosting that you may have used in the past. Most are SNI-based instead of name-based so that each site can have its own SSL certificate. A few use a certificate owned by the hosting company that lists multiple sites in Subject Alternative Name fields. However, shared hosting is less likely to support the Let's Encrypt certificate authority.

Past searches have returned results like the following:

  • WebFaction, as mentioned above, offers SNI and claims to offer a dedicated IP through trouble tickets for those customers who require Android 2 or IE/XP compatibility.
  • DreamHost offers TLS hosting with Let's Encrypt.
  • Domain Ledger: "Economy Plan" for $5.95 per month plus $29.95 per year for SSL (which includes their certificate), but use of Perl, Python, or Ruby costs extra.
  • HostGator offers web hosting with "shared SSL" for under $8 per month.

Virtual private server

Some hosts offer a virtual private server (VPS), also called a virtual dedicated server (VDS), for $120 per year or less. A VPS is a virtual machine, run on a server in a datacenter. The customer has privileges equivalent to those of the administrator of a dedicated server, including the ability to customize the operating system. A VPS is far more likely to have its own public IP address than a shared hosting account, allowing it to run several HTTPS sites on separate ports, or even several HTTPS sites on the standard port 443 for those visitors whose browser supports SNI. The 2010s brought plenty of competition in this so-called "cloud" space.

  • Directspace [21]
  • prgmr.com[22]
  • Inception Hosting[23]
  • Digital Ocean[24][25]
  • A list at LowEndBox[26]
  • Elastic Compute Cloud (EC2) by Amazon Web Services supports LAMP (Amazon Linux, Apache, MySQL, and PHP)[1]
  • Not yet sorted [2]
  • By mid-2014, shared hosting was widely available at the $10 per month price point[3]
  • Atlantic.Net has been advertising a $5/mo plan on Twitter.
  • BitFolk[27]
  • Joe's Datacenter[28]
  • Someone brags about $1/mo but won't say who[29]
  • ChicagoVPS is $1/mo[30]
  • OVH[31]
  • Vultr.com[32][33]
  • VPSDime[34]

No user accounts

You might try designing your web application to use OpenID so that your site never sees passwords. Users would log in with their AOL, Google, LiveJournal, Ubuntu One, WordPress.com, or Yahoo! account, and these well-known identity providers would take care of all the SSL. But then you'd have the same problem as web sites that run only their login page through HTTPS and immediately drop back to HTTP: though the password is encrypted, the session cookie is not, and that can still be sniffed and cloned. And now that OpenID Connect has replaced OpenID 2.0, other practical problems with OpenID Connect complicate this.

So design your application to be completely stateless or otherwise anonymous. All information submitted to the site is either immediately visible to the public, without any form of authentication or authorization, or deleted after the page finishes loading. This can work for applications where you are demonstrating only the client side, such as graphic design of CSS, or a game written in JavaScript that saves its state to the local storage. Such a fully static site can be stored in Simple Storage Service (S3) by Amazon Web Services.

One Slashdot user suggests[35] that anyone seeking a web development position ought to have developed a bank interest/mortgage/retirement calculator written in PHP, Perl, Python, Java, Ruby, etc. that calculates on the server, one written in JavaScript that calculates on the client, a video game written in JavaScript or Flash, a news aggregator that combines a fixed set of Atom feeds, and an anonymous imageboard with a spam filter. Another recommends a regex tester or a currency converter.[36] They appear to claim that web applications can be made sticky even without storing preferences in a user account or session cookie.

Another option is to provide a stand-alone program designed for PCs running Windows (.msi), PCs running GNU/Linux (.deb), or Android-powered devices (.apk). Since 2011, Android phones have been available on prepaid carriers, and both the Nexus 7 by ASUS and the Kindle Fire by Amazon are affordable Android tablets.

Warn the user

Stick with HTTP-only shared hosting at any entry-level provider that doesn't completely suck,[37] but put prominent warnings on the site that the connection is not secure because this is a demonstration site, and that users should not submit any valuable information or use the same password as on other sites. This will provide evidence of web application programming ability,[38] even if it is not as valuable to an interviewer as the experience of having run a production web site.

Pin Eight has chosen to combine shared hosting with SNI with this approach. Users logging in insecurely are presented with a warning and given an option to switch to HTTPS, followed by a disclaimer about IE on XP.
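As an added example (not Pin Eight's own code and not from any hosting provider), here is a minimal WSGI login handler in Python that implements this approach together with the cookie point from the HTTPS section above: over plain HTTP the login page carries the warning and a link to the same URL over HTTPS, while over HTTPS the session cookie is issued with the Secure and HttpOnly attributes and the response carries a Strict-Transport-Security header. The session value is a constructed placeholder and the credential check is left out. Treating an `X-Forwarded-Proto` header as proof of HTTPS is an assumption that holds only when a proxy you control sets it, which on shared hosting you should confirm with the provider.

```python
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000"   # one year; browsers honour it only on HTTPS responses
COOKIE_NAME = "session"


def is_https(environ):
    # wsgi.url_scheme is what this server saw. X-Forwarded-Proto is an assumption:
    # trust it only if a proxy you control sets it (and strips it from client requests).
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO") == "https")


def https_equivalent(environ):
    """The same URL with an https scheme, offered as the 'switch to HTTPS' option."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + (environ.get("PATH_INFO") or "/"))
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


def session_cookie_header(value, secure):
    """Build the Set-Cookie value. Secure is only set when the response itself goes over TLS,
    because a browser will never return a Secure cookie over plain HTTP."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True       # page scripts cannot read it
    morsel["samesite"] = "Lax"
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def login_page(environ):
    warning = ""
    if not is_https(environ):
        warning = ('<p><strong>Warning:</strong> you are using this demonstration site over plain HTTP, '
                   'so anything you submit, including your password and session cookie, can be read '
                   'on the network. Do not reuse a password from another site. '
                   '<a href="%s">Switch to HTTPS</a></p>'
                   % escape(https_equivalent(environ), quote=True))
    form = ('<form method="post"><input name="user"><input name="pw" type="password">'
            '<button>Log in</button></form>')
    return warning + form


def handle(environ):
    """Return (status, headers, body) for a request; separated from app() so it can be tested."""
    secure = is_https(environ)
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if secure:
        headers.append(("Strict-Transport-Security", HSTS_VALUE))
    if environ.get("PATH_INFO") == "/login":
        if environ.get("REQUEST_METHOD") == "POST":
            # Credential check omitted for the example. Over HTTP the user has already
            # seen the warning; the cookie issued here cannot carry Secure.
            headers.append(("Set-Cookie", session_cookie_header("constructed-session-id", secure)))
            return "303 See Other", headers + [("Location", "/")], b""
        return "200 OK", headers, login_page(environ).encode("utf-8")
    return "200 OK", headers, b"<p>Demo site</p>"


def app(environ, start_response):
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The split matters: the warning is rendered from the request's actual scheme, so a user who follows the link and logs in over HTTPS gets a cookie the browser will refuse to send back over HTTP, which is what closes the Firesheep-style cookie theft described in the HTTPS section.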

References

  1. Jon Evans. "Why The New Guy Can't Code". TechCrunch, May 7, 2011.
  2. Chris Palmer. "How to Deploy HTTPS Correctly". Electronic Frontier Foundation. 2010-11-15. Accessed 2012-06-25.
  3. Kayla et al. "Bug 460374 - All certificates show not trusted - get error code (MITM in-the-wild)". Bugzilla@Mozilla, 2008-10-16. Accessed 2015-02-03.
  4. Tarek et al. "I can't access websites that use HTTPS, instead getting the message 'your connection is not private'!". Information Security Stack Exchange, 2015-02-02. Accessed 2015-02-03.
  5. Slashdot comment by adolf
  6. SSL version of AdSense ad code Accessed 2015-10-30. Compare Internet Archive snapshot from 2013-04-12.
  7. HTTPS compatible ad code for AdSense. 2013-09-16. Accessed 2013-09-25.
  8. Michael Cameron. "HTTPS Results in 7% Google AdX Revenue Drop". Rome2Rio Blog, 2016-04-18. Accessed 2016-06-06. Additional comments on Hacker News.
  9. rrees. "Why don’t online publishers use https?" Echo One, 2014-04-27. Accessed 2016-11-29.
  10. Mariot Chauvin and Huma Islam. "The Guardian has moved to HTTPS". The Guardian, 2016-11-29. Accessed 2016-11-29.
  11. 2.37% from Android Browser on Android 2.x and 7.46% from IE 8 or earlier per "Can I use" usage table Accessed 2013-07-28. IE and Safari use SChannel, the built-in TLS stack of Windows, which didn't support SNI until Windows Vista. IE 6-8 is used as a proxy for IE and Safari on Windows XP. The number of Windows Vista users who have not yet upgraded to IE 9 is probably negligible, as is the number of users of Safari on Windows XP.
  12. Eric Law. "Understanding Certificate Name Mismatches". IEInternals, 2009-12-07. Accessed 2012-11-25.
  13. "Can I use" usage table Accessed 2015-07-09.
  14. Unlike UNIX, which uses the shebang line to determine which interpreter to use with a program, Windows determines this by the program's "extension", the part of the name after the final dot. Python 2 and Python 3 programs both use .py extensions. Until Python 3.3 implemented its own shebang line processor per PEP 397, Python had no way to determine whether a double-clicked .py file was written in Python 2 or 3, which held back adoption of Python 3. Python 3.3 was the first to allow coexistence of Python 2 and 3 on Windows.
  15. unrtst
  16. Lennie. "EFF Tool Offers New Protection Against 'Firesheep'". LWN, 2010-11-24. Accessed 2012-10-21.
  17. Adam Langley. "Still not computationally expensive". 2011-02-06. Accessed 2013-07-09.
  18. Ali Ebrahim. "Server Name Indication (SNI)". inside aebrahim's head, 2006-02-21. Accessed 2012-11-25.
  19. "Windows XP End of Support" Accessed 2016-05-06.
  20. Gandorf et al. "ISP allow incoming connections?". Boards.ie, 2005-03-03. Accessed 2015-05-08.
  21. thanks Compaqt
  22. thanks Short Circuit
  23. thanks icebraining
  24. thanks scrote-ma-hote
  25. thanks Anonymous Coward
  26. thanks Anonymous Coward
  27. thanks AC
  28. thanks NormalVisual
  29. what a tease drinkypoo
  30. thanks Bushytail on EFnet
  31. thanks raynet
  32. thanks oddware
  33. thanks koitsu
  34. thanks Anonymous Coward
  35. zeroshade
  36. Fjandr
  37. Alternatives to GoDaddy recommended by Slashdot users
  38. thanks Compaqt