Knowing how the cookie crumbles

Screenshot of the privacy policy page

I’ve made two minor changes to the site today:

  1. There is now a privacy policy available to view
  2. The first time you visit this site from today, you will be asked for permission to store cookies on your computer

These come about because of my participation with Google AdSense – all EU sites must obtain user consent for cookies with effect from the end of September. This is the so-called ‘EU Cookie Directive’.

As you may guess from my tone, I’m not particularly happy about this. I accept the need for a privacy policy and I should have probably had one already, but I hate the popup cookie consent messages that sites use. There’s a lack of consistency, they offer a particularly poor user experience to mobile users (obstructing a large part of the page) and I bet almost nobody actually reads the privacy policies anyway.

The privacy policy is adapted from this example, and I’m using the Cookie Law Info WordPress plugin to generate the messages. The plugin is really simple and you can set it up in a few minutes. There’s no need to edit any templates, but you can still customise it.

P3P

I really wish that, following the EU Directive that mandated consent for cookies, there had been some collaboration between web site owners and web browser vendors to come up with a more graceful solution. Whilst I accept that it’s best if users are able to consent to cookies being stored on individual web sites, this could have been done in a standardised way as a function of the user’s web browser.

Years ago, the W3C proposed P3P, which used HTTP headers and machine-readable privacy policies to allow users to select a level of privacy that they were comfortable with. Anything else, such as third-party cookies, would be blocked if desired. Ironically for a web standard, the only current web browser that supports P3P is Microsoft’s Internet Explorer, which has done since version 6. It remains an opt-in and rarely-used standard and the W3C paused all work on it ages ago.

I haven’t researched P3P enough to know whether it could be developed further, so that web sites can use it for EU Cookie Directive compliance. If it could, and if Google, Mozilla, Apple, Opera and others all agreed to implement it, then the web could become a less annoying place. Especially if there was an option to implicitly accept all cookies from all first-party web sites, for example.

SSL-secured

A screenshot of Firefox showing that the connection to neilturner.me.uk is secured with a certificate.

One of my first projects after moving to the new server was to sort out an SSL certificate. Until now, any secure connections to this site have been using a ‘self-signed’ certificate, which brings up big red warnings in most web browsers. That is fine for me, as I know I can ignore the warnings, but not ideal.

However, Google is (rightly) making HTTPS sites rank slightly higher in its results pages. So having a proper SSL certificate verified by a third party is now more important, and not just because it offers better security to your users.

Two things were holding me back from getting a certificate in the past: the need to have an extra IP address, and the cost.

Extra IP address

Traditionally, if you wanted an SSL certificate for a particular domain, that domain would need to have its own, unique IP address. This was something that my host offered, but only by raising a support ticket and having it added manually. On the new BigV platform, I can easily add up to four IP addresses, allocate each to a domain name and set the reverse DNS. More IP addresses are available if needed, but on a request basis – after all, there aren’t many spare IPv4 addresses left.

Cost

I also had it in my head that SSL certificates were expensive – I was expecting at least £10 per month. As I’m saving £6 per month on my new hosting package, I decided to spend some of that saved money on an SSL certificate. Richy recommended Xilo to me via Twitter, and they offer SSL certificates for £16 per year – which is much cheaper than I expected. Xilo are a Comodo re-seller.

Setting up the certificate was really simple – it took me around 10 minutes, following Bytemark’s user manual. It’s been in place for a week now and works fine. I can’t get an Extended Validation (EV) certificate which shows the green bar in web browsers, as I’m not a company – individuals have to go for the more bog standard certificates.

Right now SSL is there as an option if you want to use it, but it isn’t the default. I may change my mind and make the site HTTPS-only, but this would require me to fix every link to every embedded image over 13 years of blog posts, and I’m not sure of the effect on my server’s load. That’s a project for another time.
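The link clean-up mentioned above can be scoped before committing to HTTPS-only. The following is an added example, not code from this blog or from any plugin it uses: it scans a post body for subresources hard-coded to `http://` and separates active mixed content (scripts, frames, stylesheets, which browsers block on an HTTPS page) from passive content such as images. The host `example.org`, the sample HTML and the `action` labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is navigation only, so plain links never cause mixed content.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"),
          ("object", "data"), ("link", "href")}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # this example only considers stylesheet <link> tags
        for name, value in attrs.items():
            kind = ("active" if (tag, name) in ACTIVE else
                    "passive" if (tag, name) in PASSIVE else None)
            if kind is None or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "http":
                continue  # https, relative and //host URLs follow the page
            own = parts.hostname == self.site_host
            self.findings.append({
                "line": self.getpos()[0], "tag": tag, "kind": kind,
                "url": value.strip(),
                "action": "rewrite-to-https" if own else "check-host-supports-https",
            })

def scan(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample post body; example.org stands in for the blog's own host.
SAMPLE_POST = """
<p>Photo: <img src="http://example.org/wp-content/uploads/2004/06/cat.jpg" alt="cat"></p>
<p><a href="http://example.org/2004/06/old-post/">older post</a></p>
<script async src="http://widgets.example.net/badge.js"></script>
<img src="/images/logo.png"><img src="//cdn.example.net/a.png">
<link rel="stylesheet" href="https://example.org/style.css">
<iframe src="HTTP://video.example.com/embed/1"></iframe>
"""
```

Calling `scan(SAMPLE_POST, "example.org")` returns one finding per hard-coded `http://` subresource; entries marked `rewrite-to-https` are safe to rewrite in bulk, while third-party hosts need checking first because not all of them serve the same resource over HTTPS.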

Hello from the new server!

A screenshot of the web site for Bytemark's BigV platform

I apologise for not posting anything for the past few days, but I’ve been waiting for the DNS on the domain to switch over to a new IP address. It should have happened on Saturday but it was actually the early hours of yesterday morning before it took effect, and in the meantime the new server was running an image taken from the old server on Saturday. So that the old server and new server were not out of sync, I decided to wait a little while – and besides, this week has been very busy for me at work.

So that’s the apology out of the way, now on to good things!

I’m still hosting my site with Bytemark, but I’ve moved to their new BigV platform. Mainly because they’re phasing out their older Virtual Machine platform but also because BigV offers more for less.

I was paying £15 per month (plus VAT) for the old virtual machine, which got me 500 MB RAM and 10 GB of storage on standard magnetic disks (plus 50 GB backup space). The new BigV virtual machine has double the RAM (1 GB) and 25 GB of storage on a solid state drive, although no extra backup space. But it’s only £10 per month plus VAT, so it’s a third cheaper. And because there’s more RAM and it’s running on solid state drives, it should be much faster.

Of course, I should really have left the upgrade until Monday, rather than doing it on a Saturday night when there was no-one at Bytemark to help me when it went wrong, but we’ve sorted the issues out now. And Bytemark did provide detailed instructions for moving across.

Next, I’m looking to install a proper SSL certificate on here. But for now, back to your erratically scheduled blogging.