Secure Your Site

Back in the dark ages of 2012, I posted about the benefits of encrypted web traffic, but https was a pain to implement for small websites and frankly, there was no incentive to be ahead of the curve when only 5% of websites were secure.

Times have changed, and a majority of websites are now using https. Google’s 2016 announcement that its popular Chrome browser would start marking http pages as “Not secure” had its intended effect. What started with pages containing password forms and credit-card fields has now become the status quo.

So what about small websites? You can get a free SSL/TLS certificate from Let’s Encrypt, and many hosts now install and renew them automatically. From there it’s a matter of enforcing https throughout the site: redirect every http request to its https equivalent, and fix legacy references to http resources (e.g., my old theme pointed to its CSS file using an http link), because a page served over https that still pulls scripts or stylesheets over http is mixed content, which browsers block or flag. Once every page loads cleanly over https, an HSTS header tells browsers to stop trying http at all. On WordPress, if you don’t want to touch your config files, a plugin can do this for you.
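As an added example (not code from the original post, and not any WordPress plugin’s code), here is a small standard-library Python scanner for the legacy-link problem: it finds subresource references that still use http:// in a page, which browsers treat as mixed content once the page itself is served over https, and rewrites them. The sample page and the example.com / example.org hosts are constructed for the demo.

```python
"""Find and fix mixed content in an HTML page before enforcing https.

Added example, not from the original post. Standard library only. The sample
page and hosts below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that load a subresource into the page. An http:// value here is
# mixed content once the page is served over https. Plain <a href> links are
# navigations, not loads, so they are deliberately not listed.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # stylesheets, icons, preloads
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
}

# Constructed sample page: one http stylesheet, one https script, one http
# image, and one ordinary http navigation link (not mixed content).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/theme/style.css">
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<img src="http://example.com/img/logo.png" alt="logo">
<a href="http://example.com/about">About</a>
</body></html>"""


def _split_srcset(value):
    """srcset looks like 'url1 1x, url2 2x'; return just the URLs."""
    return [c.strip().split()[0] for c in value.split(",") if c.strip()]


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in SUBRESOURCE_ATTRS.get(tag, ()) and value:
                urls = _split_srcset(value) if name == "srcset" else [value]
                for url in urls:
                    # Protocol-relative (//host/x) and https URLs are fine.
                    if urlsplit(url).scheme == "http":
                        self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return the list of http:// subresource references in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def to_https(url):
    """Rewrite an http:// URL to https://, leaving everything else untouched."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return parts._replace(scheme="https").geturl()


def fix_mixed_content(html):
    """Rewrite every http:// subresource reference the scanner finds.

    Caveat: this only changes the scheme. The host still has to serve that
    resource over https; check it (curl -I https://host/path) before deploying,
    or the rewrite trades a mixed-content warning for a broken asset.
    """
    fixed = html
    for _tag, _attr, url in find_mixed_content(html):
        fixed = fixed.replace(url, to_https(url))
    return fixed


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}={url!r}>")
    print(fix_mixed_content(SAMPLE_PAGE))
```

Run it against a saved copy of a page (or feed it the HTML of every page in a site crawl) before flipping the redirect on; a theme’s http stylesheet link is exactly the kind of thing that only shows up as a broken padlock after the switch.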

There’s now no excuse to put your site’s visitors at risk. But some of the biggest sites in the world still do. If you use one of the 100 insecure sites listed at, you can first be appalled, then move your traffic elsewhere.


Marketing with Integrity

One of the legit joys of working in nonprofit is the ease with which you can write compelling, honest promotional copy: just connect the current appeal to the mission and you’re basically done.

Over in the profit sector, things aren’t so simple. For one thing, most businesses are built to make money for their owners and investors, at best a morally neutral endeavor. You’ll need to convince customers that you’re in fact incentivized to take their interests to heart when designing (and supporting) your new feature or product.

You also have a meta-issue to contend with: it’s entirely possible to sell the mere perception of value. People are even glad to pay for it! Are you in that line of business?

Of course not! But you can’t just claim that and be done. Here are some tips for your approach:

  • Get in their head. Answer the reader’s first question first. This is often “why should I read this copy?”
  • Reveal values with origins. Why did you build this product? Why did you get into this business? This primes readers to consider their own journey.
  • Don’t waste my time. Be clear about what the offer is and isn’t. Willingness to lose business you don’t want is a costly signal.
  • Start substantive, then revise catchy. Avoid depending on buzzwords and jargon. This is especially vital when getting approval from stakeholders: you want to make a big claim you can stand by. And when you make that claim…
  • Use dream logic. Your product isn’t just a thing, it’s a representation of the type of person or organization you want to be. It vanquishes fears and overcomes obstacles. It resolves tension. Know and embrace these dynamics for maximum effect.


Productive Ambiguity

In general, specificity in writing makes things clearer… but not always. I was recently working on some UI text for a set of filters over a list of software update notices. Based on your selected user profile, we show you just the notices about the software we think you’d use. So how should we label the ‘select all’ checkbox that activates all user profiles?

The specific and accurate option would be something like ‘Select All User Types’, but that makes the user think about our system for showing content, rather than what content they want to see, interrupting their process.

‘Select All Updates’ is closer to what the user wants, but now we have to make sure that the noun ‘updates’ matches what they expect to see… and we never called the content ‘updates’ or anything else, we just showed it to them. So being specific is actually introducing a problem where one didn’t exist.

After talking this through, I suggested ‘Show All’. No mention of selecting filters or what the system does with those filters. Just get right to it. In cases where user expectations may be vague, consider matching that with ambiguous language.


Fix Your Copyright Line

You’ve got a nice looking website with fresh content.  But the footer says 2011.  Here’s how to fix that – and keep it fixed.


Responsive Design

What happens to your site’s cool layout when it’s viewed on a small screen like a phone or tablet?  In the old days (a few years ago) we used to code two different versions of a site – you’d do a bit of detection and then send mobile users to something like instead of the main view.  The downside is obvious:  every time you redesign your site’s look, you have to do twice the work.  And now that mobile accounts for 10% of all web traffic, this problem is not going away, it’s getting worse.

Enter Responsive design.  The idea is to build a site from the ground up with different screen sizes in mind.  This usually goes hand in hand with a Mobile-first approach, where the basic common elements of the site – headers, colors, fonts, etc., are coded first in the smallest view.  Then if the screen size is larger, elements can expand, take up multiple columns, and generally unfold into a spacious layout.  When we build a site this way, it takes much less time and effort than doing a separate mobile view and also takes into account newer sizes in between, like tablets.  I’m glad to know my site looks good on a laptop, phone, and the recently revealed screen size of the new iPad!


Auto-Posting to Facebook and Twitter

Once you add a blog post, you have to go publicize it on Facebook, Twitter, and other social media. This little routine can get tiresome, especially if you’re on several different networks. has a nifty little feature called Publicize that makes all of that automatic. Just hook up your site to your Facebook & Twitter accounts and when you post to the site, it alerts your friends & followers.

This is such a good time-saving idea that other platforms are picking it up. If you have a self-hosted WordPress site, check out plugins like Twitter Tools. If you’re on Drupal, a module like Drupal for Facebook will take care of it. Set it up once and cross an item off your daily to-do list.


How to Choose a CMS

Content management systems are the foundation of the modern web. Instead of manually organizing your pages, menus, and images, install a CMS to handle that part of the job.   The following options are great for personal or business sites, blogs, and portfolios – all free and open-source:

WordPress – The overwhelming choice for basic personal or business sites.  Includes built-in blog functionality, a super easy administrative interface, and a thriving community of developers.

Drupal – More flexible but also a steeper learning curve.  As they put it, “Drupal is like a Lego kit.”  If you want to do something non-standard (outside the realm of normal pages & blogs) look here.

Joomla – Particularly well-suited for membership sites, with user management, profiles, and members-only areas.  More flexible with modular content & menus than WordPress, but arguably easier to manage than Drupal.

All of these systems can be ‘skinned’ to look how you want.  Choose the one that has the functions, plugins, and flexibility you need.  Bear in mind that if you need to write an app from scratch, you might be better off with a framework like Django.  Knowing the scope of your project will allow you to make the nuts & bolts decisions down the road, so do this groundwork before setting up hosting!



When you go to pay for something online, or put in your password, it’s a good idea to make sure you’re using encryption.  Most of us know to look for https at the beginning of a web address when entering sensitive information – regular unencrypted http connections are like a postcard that anyone can read.  But for most web surfing, it doesn’t matter… right?

We are already being profiled – mostly by advertisers, but increasingly by anyone who is interested – based on our participation on Facebook and our searches on Google.  Even if your name is hidden, you can be identified by your surfing behavior.  In this environment, even if you have nothing to hide, you might want to make your web traffic less easily accessible to prying eyes, and one way is using encryption.  (This article is about encrypting your traffic, not completely hiding it, which requires stronger measures like Tor.)

As Cory Doctorow so vividly illustrated in his novel Little Brother, if the only people using encryption are ‘troublemakers,’ then, even if the content of their traffic is unreadable, authorities can identify them by focusing scrutiny on those users who pass large amounts of encrypted data.  In some parts of the world, having your communications monitored can not only lose you a job prospect or a loan, but can land you in jail.  The more people use https, the less obvious it is who is a political dissident and who is just a reasonably cautious web surfer.

The EFF, the internet civil-liberties group, promotes a browser extension called HTTPS Everywhere that rewrites requests to the https version of sites known to support it, which makes encrypted browsing easy.  If you use Chrome, try HTTPS Enforcer.   It’s as simple and sensible as sealing the envelope on a letter you’re mailing.  And the increased demand for fully encrypted versions of your favorite sites will drive them to support safer browsing for everyone.

The only current downside of using the https version of a site is that it will tend to load slightly slower than otherwise.  Part of the delay is the encryption handshake itself, and part is that your browser checks whether the SSL certificate – the guarantee that an encrypted site is who it claims to be – has been revoked, which means a separate round trip to the certificate authority’s responder.  All the encryption in the world won’t keep your traffic safe if it is being directed to the wrong destination.  Unfortunately, the way browsers perform that revocation check (the Online Certificate Status Protocol, OCSP) can be defeated by exactly the attacker it is meant to stop.

SSL critics have long complained that the revocation checks are mostly useless. Attackers who have the ability to spoof the websites and certificates of Gmail and other trusted websites typically have the ability to replace warnings that the credential is no longer valid with a response that says the server is temporarily down.

So when the check is necessary, it’s useless, and when it’s unnecessary, it wastes time:  “The median time for a successful OCSP check is ~300ms and the mean is nearly a second.” [Imperial Violet]

As Ars reports, the Google Chrome team is removing this online check and instead pushing its own list of revoked certificates (the CRLSet) to the browser, so no per-connection lookup is needed.  This will go a long way to making https as convenient as http, and I hope other browser makers will follow suit.  Until then, you can consider the slightly longer loading times of secure sites your contribution to making the web more private for everyone.
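To make the soft-fail problem concrete, here is an added Python model (not Chrome’s code, and not from the original post) of a client’s revocation decision under three policies: soft-fail OCSP, hard-fail OCSP, and a locally pushed blocklist of the CRLSet kind. The certificate identifiers, the blocklist contents and the attacker’s behaviour are constructed for the demo; real OCSP responses are signed ASN.1 structures and the real CRLSet is a signed list Google pushes to Chrome.

```python
"""Model of a browser's certificate-revocation decision under three policies.

Added example, not the original post's and not Chrome's code. Certificates are
identified by a constructed (issuer, serial) pair; the blocklist and the
on-path attacker are constructed for the demo.
"""
from enum import Enum


class OcspResult(Enum):
    GOOD = "good"                # responder says the certificate is not revoked
    REVOKED = "revoked"          # responder says it is revoked
    UNAVAILABLE = "unavailable"  # timeout, connection error, or a 'tryLater' reply


class Policy(Enum):
    SOFT_FAIL = "soft-fail"      # what browsers did: proceed when OCSP is UNAVAILABLE
    HARD_FAIL = "hard-fail"      # refuse when OCSP is UNAVAILABLE (breaks on flaky networks)
    LOCAL_LIST = "local-list"    # CRLSet-style: consult a pushed blocklist, no round trip


# Constructed local blocklist keyed by (issuer, serial), as a CRLSet entry would be.
LOCAL_BLOCKLIST = {("Example CA", 0x1234)}


def should_trust(cert, ocsp, policy, blocklist=LOCAL_BLOCKLIST):
    """True if the connection proceeds for this cert, given what the OCSP
    check returned (if the policy even makes one) and the client's policy."""
    if policy is Policy.LOCAL_LIST:
        # No network involved: an attacker on the path cannot alter this answer,
        # but it only covers certificates the list's publisher chose to include.
        return cert not in blocklist
    if ocsp is OcspResult.REVOKED:
        return False
    if ocsp is OcspResult.UNAVAILABLE:
        return policy is Policy.SOFT_FAIL
    return True


def mitm_responder(honest_result):
    """An attacker who can already spoof the site can also block or spoof the
    OCSP responder. The cheapest move is to turn 'revoked' into 'temporarily
    down'; a soft-failing client then proceeds as if the answer were 'good'."""
    if honest_result is OcspResult.REVOKED:
        return OcspResult.UNAVAILABLE
    return honest_result


def outcomes(cert, honest_result):
    """What each policy decides when the attacker sits between client and responder."""
    seen = mitm_responder(honest_result)
    return {p.value: should_trust(cert, seen, p) for p in Policy}


if __name__ == "__main__":
    cases = [
        (("Example CA", 0x1234), OcspResult.REVOKED),      # revoked, attacker on path
        (("Example CA", 0x9999), OcspResult.GOOD),         # healthy certificate
        (("Example CA", 0x9999), OcspResult.UNAVAILABLE),  # good cert, flaky network
    ]
    for cert, honest in cases:
        print(f"{cert!r:30} honest={honest.value:12} -> {outcomes(cert, honest)}")
```

The soft-fail column is the one the Ars quote describes: the attacker turns ‘revoked’ into ‘unavailable’ and the client connects anyway. Hard-fail closes that hole but fails on every flaky network, which is why browsers chose soft-fail in the first place; a pushed list removes the round trip and the attacker’s leverage at once, at the cost of covering only the entries its publisher includes. OCSP stapling, where the server attaches a recent signed OCSP response to the handshake, is the other way to remove the round trip, and with the must-staple certificate extension a missing staple can be treated as a failure rather than silently accepted.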


Why You Need an Assessment Protocol

Possibly the least sexy aspect of your practice, but the most decisive.

I’m a tech consultant and a yoga teacher. In both fields, I consider myself successful when I’ve helped my client address and improve a problematic situation. It’s very tempting when sorting out a problem to rest on expertise and do what you ‘know’ needs to be done.  Because of this temptation, it requires extra diligence to make sure you’re not just seeing what you already know, but treating each situation as fresh.

Because of the underlying tendency to automatize – which we all have – we need a routine to consistently counter our habits.  We also know that the placebo effect will make any intervention look more like it’s working.  That’s why the assessment protocol was invented. Here’s a great example:  a body reading protocol from James Earls and Tom Myers (in Fascial Release for Structural Balance):

1. Describe the skeletal relationships.

2. Assess the soft tissue pattern that creates or holds the pattern in place.

3. Strategise – develop a story about how and why these elements are interrelated, and create a strategy for the order in which those elements will be worked.

4. Intervene – do your work. …

5. Evaluate – when any given intervention is complete, reassess and re-evaluate.

Although the specifics are about the body, a similar protocol works great for tech issues. Before jumping ahead to solving the problem, first clearly describe it and work out its underlying structure. Too often, what’s addressed is superficial or temporary – the underlying pattern hasn’t been changed, and all the new work will quickly get washed away like a sand castle on the beach. Working out the dependencies and order of operations is key – and clarity here will allow your client to trust your work even if it involves things getting messier before they resolve.

I hope the people I work with pick up not just short-term fixes or even long-term solutions, but also inspiration to assess and re-evaluate what they’re doing on an ongoing basis. It’s so tempting to take the course that sounds like a good idea, or is just the way it’s done. The only way to counteract that is to check that each measure is actually tuned to address what you intend to address. Establishing a diligent evaluation routine is the difference between claiming objectivity and actually practicing it.


Mishka NYC

Infrastructure consultation for Brooklyn clothing designer.  Network installation & traffic shaping, hardware & software support, IT strategy & planning for a global brand with a small-business staff.