Portfolio hosting

Say you're looking for a job, and you want a portfolio you can show to prospective employers who "don’t interview anyone who hasn’t accomplished anything."^[1] If your portfolio involves web development, you'll need hosting for your projects.

The consensus among Slashdot users as of the fourth quarter of 2012 is that WebFaction is the way to go. It supports Python and PostgreSQL in addition to PHP and MySQL, and it even supports SNI so that you can secure user credentials for users of non-obsolete web browsers.

Contents 1 Tradeoffs 1.1 HTTPS 1.2 Languages and databases 2 Approaches 2.1 Home hosting 2.2 Shared hosting 2.3 VPS 2.4 No user accounts 2.5 Warn the user 3 References

Tradeoffs

HTTPS

If your one of your projects involves user accounts, you'll need HTTPS support on this hosting so that users don't use something like Firesheep to intercept and forge session cookies of other users on the same subnet. Since the Firesheep tool began to raise awareness of cookie theft, the Electronic Frontier Foundation has been distributing an extension for the Firefox web browser called HTTPS Everywhere that automatically rewrites HTTP URLs to the corresponding HTTPS URLs on sites known to support HTTPS.

Web developers may consider implementing HTTPS if they want to show support for HTTPS Everywhere or just care about their users' credentials not getting stolen. The EFF has answered some common objections to implementing HTTPS by giving tips on how to reduce connection overhead^[2] but has not yet given guidance to implement HTTPS on small sites such as blogs, forums, and wikis. The expensive part of implementing HTTPS used to be the SSL certificate, but that's no longer much of an obstacle since StartCom started offering free certificates for a domain, making some people wonder^[3] why web sites use unencrypted HTTP at all nowadays. But even with free certificates for personal sites, implementing HTTPS on a site that doesn't make money is not without its tradeoffs.

The first tradeoff is that as of the fourth quarter of 2012, user agents responsible for roughly one out of every seven page views^[4] still don't support SNI, which allows name-based virtual hosting for SSL sites. The most common SNI-ignorant web browsers are Internet Explorer on Windows XP^[5] (11.6%)^[6] and Android Browser on Android 2.x (2.8%). Because these browsers can't see any certificate on port 443 of a given IP address other than the primary one, each certificate needs a dedicated IPv4 address. Entry-level shared web hosting uses name-based virtual hosting and is thus incompatible with SSL without SNI, and most shared hosts don't offer SNI, partly out of laziness or conservatism on the host's part and partly to avoid having to field expensive technical support calls about lack of support for IE on XP.^[7] This barrier was noticed soon after the release of HTTPS Everywhere.^[8]

Some people may write off viewers using this specific combination as collateral damage. For example, conventional wisdom is that users of IE on Windows XP are either on company time or less technologically inclined than users of Chrome, Firefox, or Opera, and Android users are less willing, for example, to buy paid applications than iOS users. But if you do want to offer SSL to these viewers, you need some way to get your site onto a dedicated IPv4 address so that your site's certificate becomes the primary one on the IP. By 2006, the annual cost of a dedicated IPv4 address from a web hosting company had already exceeded the annual cost of a certificate,^[9] and these addresses have become even more scarce since then. And if you're looking for a job, you probably don't have the money for expensive hosting.

The other tradeoff is that as of December 2012, Google AdSense does not support HTTPS.^[10] Placing an ad unit on a page may result in warnings about "mixed content", or insecurely delivered objects that may be able to change the behavior of securely delivered objects, on a page, and some browsers present this warning as a modal alert box, disrupting the user's experience in much the same way that a pop-up does. People who depend on AdSense income may have to redirect anonymous visitors from HTTPS to HTTP in order to show advertisements to these viewers without the pop-up.

Languages and databases

While you're at it, try to find a hosting provider that offers PostgreSQL if you can. Some people have reported problems with the fundamental design of PHP and MySQL or with the default settings that a lot of popular web applications rely on. And a disturbing number of shared web hosts don't offer any language but PHP on their cheapest plans, and they don't offer PostgreSQL on anything below a virtual private server (VPS). Even what they do offer may be a years-old outdated version because an upgrade could break other customers' existing sites hosted on the same server that depend on deprecated features, and shared hosts don't always make it easy to move an account to a new server with new versions of the language and database.

Approaches

Home hosting

Some Internet service providers in some countries allow running a server at home. This gives control comparable to a virtual private server but requires you to leave a PC turned on at all times, and it may need to send periodic messages to the DNS provider to update your home computer's IP address.

There are three drawbacks. First, it doesn't work in all countries. ISPs in some countries without a large allocation of IPv4 addresses put all customers behind a transparent HTTP proxy or a big NAT, where one public IP address represents hundreds or thousands of customers. Second, check your acceptable use policy: some ISPs consider running a server on a home SLA as grounds for disconnection, and some enforce it by blocking inbound ports or the HTTP or TLS handshake. Third, leaving a computer powered on takes electric power and causes heat and noise unless you host it on a cheap, passively cooled device like this $25 USB stick or a Raspberry Pi board.

Shared hosting

Type budget ssl hosting into Google and you might be able to find plans under $120 per year. Most of these will be similar to the HTTP-only shared hosting that you may have used in the past, except they're IP-based instead of name-based so that each site can have its own SSL certificate, or they use a certificate owned by the hosting company that lists multiple sites in Subject Alternative Name fields. Past searches have returned results like the following:

• WebFaction, as mentioned above, offers SNI and claims to offer a dedicated IP through trouble tickets for those customers who require Android 2 or IE/XP compatibility.
• Domain Ledger: "Economy Plan" for $5.95 per month plus $29.95 per year for SSL (which includes their certificate), but use of Perl, Python, or Ruby costs extra.
• HostGator offers web hosting with "shared SSL" for under $8 per month.

VPS

Some hosts offer a virtual private server (VPS), also called a virtual dedicated server (VDS), for $120 per year or less. A VPS is a virtual machine, run on a server in a datacenter. The customer has privileges equivalent to those of the administrator of a dedicated server, including the ability to customize the operating system. A VPS is far more likely to have its own public IP address than a shared hosting account, allowing it to run several HTTPS sites on separate ports, or even several HTTPS sites on the standard port 443 for those visitors whose browser supports SNI.

• Directspace ^[11]
• prgmr.com^[12]
• Inception Hosting^[13]
• Not yet sorted [1]

No user accounts

You might try designing your web application to use OpenID so that your site never sees passwords. Users would log in with their AOL, Google, LiveJournal, Ubuntu One, WordPress.com, or Yahoo! account, and these well-known identity providers would take care of all the SSL. But then you'd have the same problem as web sites that run only their login page through HTTPS and immediately drop back to HTTP: though the password is encrypted, the session cookie is not, and that can still be sniffed and cloned.

So design your application to be completely stateless or otherwise anonymous. All information submitted to the site is either immediately visible to the public, without any form of authentication or authorization, or deleted after the page finishes loading. This can work for applications where you are demonstrating only the client side, such as graphic design of CSS, or a game written in JavaScript or Flash.

One Slashdot user suggests^[14] that anyone seeking a web development position ought to have developed a bank interest/mortgage/retirement calculator written in PHP, Perl, Python, Java, Ruby, etc. that calculates on the server, one written in JavaScript that calculates on the client, a video game written in JavaScript or Flash, a news aggregator that combines a fixed set of Atom feeds, and an anonymous imageboard with a spam filter. Another recommends a regex tester or a currency converter.^[15] They appear to claim that web applications can be made sticky even without storing preferences in a user account or session cookie.

Another option is to provide a stand-alone program designed for PCs running Windows (.msi), PCs running GNU/Linux (.deb), or Android-powered devices (.apk). Since 2011, Android phones have been available on prepaid carriers, and both the Nexus 7 by ASUS and the Kindle Fire by Amazon are affordable Android tablets.

Warn the user

Stick with HTTP-only shared hosting at any entry-level provider that doesn't completely suck,^[16] but put prominent warnings on the site that the connection is not secure because this is a demonstration site, and that users should not submit any valuable information or use the same password as on other sites. This will provide evidence of web application programming ability,^[17] even if it is not as valuable to an interviewer as the experience of having run a production web site.

Pin Eight has chosen to combine shared hosting with SNI with this approach. Users logging in insecurely are presented with a warning and given an option to switch to HTTPS, followed by a disclaimer about IE on XP.

References

1. ↑ Jon Evans. "Why The New Guy Can't Code". TechCrunch, May 7, 2011.
2. ↑ Chris Palmer. "How to Deploy HTTPS Correctly". Electronic Frontier Foundation. 2010-11-15. Accessed 2012-06-25.
3. ↑ Slashdot comment by adolf
4. ↑ "Can I use" usage table Accessed December 8, 2012.
5. ↑ Eric Law. "Understanding Certificate Name Mismatches". IEInternals, 2009-12-07. Accessed 2012-11-25.
6. ↑ IE uses the built-in SSL stack of Windows, which didn't support SNI until Windows Vista. IE 6-8 is used as a proxy for IE on Windows XP. The small number of Windows Vista users who have not yet upgraded to IE 9 is probably negligible.
7. ↑ unrtst
8. ↑ Lennie. "EFF Tool Offers New Protection Against 'Firesheep'". LWN, 2010-11-24. Accessed 2012-10-21.
9. ↑ Ali Ebrahim. "Server Name Indication (SNI)". inside aebrahim's head, 2006-02-21. Accessed 2012-11-25.
10. ↑ SSL version of AdSense ad code Accessed 2012-12-08.
11. ↑ thanks Compaqt
12. ↑ thanks Short Circuit
13. ↑ thanks icebraining
14. ↑ zeroshade
15. ↑ Fjandr
16. ↑ Alternatives to Go Daddy recommended by Slashdot users
17. ↑ thanks Compaqt