Why I Chose NewsBlur

Not all that long ago Google Reader closed its doors, pushing millions of users off the platform. Many users were frustrated to lose their longtime place to get their news, not all that different from someone in yesteryear losing their favorite newspaper. The whole thing was far from ideal but did go to teach users that you can’t expect cloud services to last forever (which is a good wake-up call). But in the fall of Google Reader came many possible replacements which added their own spins on how one reads news. Feedly, The Old Reader and NetVibes were a few of the popular replacements. But I settled on NewsBlur and eventually became a paid user.

NewsBlur is mainly written by Samuel Clay (more on why I say mainly later). He seems like a friendly, hard-working fellow. He responds to bug reports and is active in his product’s community. While this may seem like common sense, just take a few minutes to look at random SaaS products on the Internet. You’ll find many of the developers are hidden behind customer service groups who, at worst, are outsourced and are more of a dead end than a way to get things fixed. Long story short, it seems like Samuel really cares about his product.

It is possible to have a Free account on NewsBlur. While you are limited to a specific number of feeds, many people will find the limits are higher than the feed counts they had in Google Reader. At the time of writing the limit is 64 sites.

There are some social features provided by NewsBlur yet these features are not required nor forced into general workflow. For instance, there is a concept of the BlurBlog which looks like it could be fun. But I tend to read the news and share elsewhere. If I ever decide to use the BlurBlog functionality it’s there. Otherwise I can just use NewsBlur as a fantastic reader.

NewsBlur is Open Source under the MIT license (also known as the Expat License). This gives me peace of mind knowing if Samuel ever decided that he was done with NewsBlur I could export my feeds, set up my own instance, and continue using the product on my own infrastructure. Yeah, it’s not trivial but it’s possible, which is a huge advantage given the last reader I used shut down.

No software is without its bugs but Samuel does a good job bug squashing. And if you are a developer who wants to give a hand you can patch the issue yourself and submit the fix (another win for Open Source). At the time of writing there are 43 development contributors to NewsBlur. This is a much better solution than waiting for a customer service representative to reinterpret your bug submission to a developer so that the fix may be done someday in the future.

If you are still looking for a replacement for Google Reader, give NewsBlur a chance, even if it’s a second chance, as the application seems to be enhanced weekly. If you like it, consider becoming a paid user. You can’t say no to Shiloh:

RSS Isn’t Dead

Google announced that they are discontinuing their popular Google Reader service. For those unaware, Google Reader is a convenient way to read RSS feeds. For anyone who doesn’t know what RSS is, it stands for Really Simple Syndication: a convenient way to bring customized web content to you all in one place. Google Reader was a very popular way to read RSS feeds which, upon its notification of closing, had large numbers of users searching the Internet for a replacement.

Apparently RSS is dead. Well, if you listen to some writers. Their thought is that “everyone” uses Twitter, G+ or Facebook to read or be notified of new content. This probably comes as a big shock to the large number of people who use RSS readers and services every day. The truth is that not everyone uses social media as a way to keep tabs on news and information outside of their own social life. I’d hazard to say most people use social media for social purposes with an added small amount of news/information usage. For instance, if someone is really into Lenovo products they will probably follow or friend Lenovo to get updates from them. But following posts directly from a company or organization is not the same thing as reading feeds from multiple sources. Even those social platforms that do offer the ability to mix general life with corporate/news generally lack the ability to separate the two well. Maybe I’m odd but I don’t like seeing pictures of everyone’s kids and family updates mixed with not-so-happy hard news.

Saying RSS is dead reminds me of how email is dead. It isn’t at all but people do like to state it. Maybe people should also say going to CNN.com to read CNN news is dead? News organizations have social media presence and if social media is where everyone reads content then shouldn’t these organizations post directly to the social applications and skip the overhead of running their own systems? Using social media as the location for news sounds like trading custom news and data for digital water cooler conversations with company PR women.

RSS is not dead. RSS services are evolving into different platforms where focused data is king. At least the smart ones are. As a prime example look at NewsBlur. It’s a web-based RSS reader with options to train the system on the kind of news you like from your subscriptions. Granted, it does add some social functions for those who want that, but the reader alone is what makes the service great. When it comes to hanging out and sharing random bits of life the social media outlets are still, and will likely always be, the most attractive players.

In the end social media and RSS are not the same thing. Yes, there can be crossover but that does not mean RSS is dead or that social applications and RSS are truly competing. RSS services are just evolving.

Adding SSL to MyFitnessPal with HTTPS Everywhere

MyFitnessPal is a simple, social site which helps track food, water and exercise. The web application touts over 1 million foods and, if what you are eating is not listed, you can enter your own nutritional facts. Like many popular social applications, MyFitnessPal uses SSL and, like many popular apps, it moves the user AWAY from SSL after logging in. This means everything after login is being sent over the Internet in the clear.

Why?

There are a few reasons this is the case. The simplest answer is that they don’t realize that sending information over the Internet without any encryption is a problem. After all, it’s just food data, right? But it’s not. It’s also the authentication token (in this case a cookie) which goes over the wire unencrypted.

They may turn it off to decrease load. I’ve heard this argument used before by people. It is true that SSL is ‘more expensive’ on the servers than plain HTTP, but in the age of cloud computing, agile development and devops, SSL should be an easy default.

No matter what the actual reason is, please don’t take this as a slight to MyFitnessPal. Many sites have this issue. If they didn’t, tools like HTTPS Everywhere wouldn’t exist to try and protect user data in transit.
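
The check below is an added example, not part of the original post: it audits a recorded login exchange for the two problems described above, a redirect from HTTPS to HTTP and a cookie set without the Secure attribute. The host example.test, the paths and the cookie names are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data: (request URL, response headers) for a login flow.
# Host, paths and cookie names are hypothetical.
SAMPLE_EXCHANGE = [
    ("https://www.example.test/account/login",
     [("Location", "http://www.example.test/home"),
      ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("http://www.example.test/home",
     [("Set-Cookie", "prefs=metric; Path=/")]),
]

def cookie_attrs(header_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit(exchange):
    """Return (kind, url, detail) findings for data that can travel in the clear."""
    findings = []
    for url, headers in exchange:
        scheme = urlsplit(url).scheme
        if scheme == "http":
            findings.append(("cleartext-request", url, ""))
        for key, value in headers:
            key = key.lower()
            if key == "location":
                # A relative Location has no scheme and keeps the current one.
                if scheme == "https" and urlsplit(value).scheme == "http":
                    findings.append(("downgrade", url, value))
            elif key == "set-cookie":
                name, attrs = cookie_attrs(value)
                # Without Secure the browser also sends the cookie over HTTP.
                if "secure" not in attrs:
                    findings.append(("cookie-without-secure", url, name))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCHANGE):
        print(finding)
```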

Fix

OWASP explains what can happen as well as how to verify your safety. As far as I know the best fix is to install a rule in HTTPS Everywhere to handle this site. Unfortunately most non-technical people may not be able to easily import the following, but this is the rule that I came up with after noticing the lack of SSL post login:

<ruleset name="MyFitnessPal">
  <!-- Hosts this ruleset applies to -->
  <target host="myfitnesspal.com"/>
  <target host="www.myfitnesspal.com"/>
  <target host="api.myfitnesspal.com"/>
  <!-- Flag every cookie set by www.myfitnesspal.com as Secure -->
  <securecookie host="^www\.myfitnesspal\.com$" name=".*"/>
  <!-- Rewrite plain HTTP requests to HTTPS on the same host -->
  <rule from="^http://myfitnesspal\.com/" to="https://myfitnesspal.com/"/>
  <rule from="^http://(www|api)\.myfitnesspal\.com/" to="https://$1.myfitnesspal.com/"/>
</ruleset>

Be aware though that this will NOT protect any data being transferred by the mobile applications. The real fix has to come from MyFitnessPal themselves. It looks like at least a few users have asked for the enhancement.
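
To see what the rule does and does not cover, the following added example (not part of the original post or of HTTPS Everywhere) loads the ruleset above and applies it to a few constructed URLs and cookie names. It assumes the first matching rule wins; the host other.myfitnesspal.com and the cookie name session are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The ruleset from this post, embedded so the example runs offline.
RULESET_XML = r'''<ruleset name="MyFitnessPal">
<target host="myfitnesspal.com"/>
<target host="www.myfitnesspal.com"/>
<target host="api.myfitnesspal.com"/>
<securecookie host="^www\.myfitnesspal\.com$" name=".*"/>
<rule from="^http://myfitnesspal\.com/" to="https://myfitnesspal.com/"/>
<rule from="^http://(www|api)\.myfitnesspal\.com/" to="https://$1.myfitnesspal.com/"/>
</ruleset>'''

def load_ruleset(xml_text):
    """Parse a ruleset into (target hosts, rewrite rules, securecookie patterns)."""
    root = ET.fromstring(xml_text)
    targets = {t.get("host") for t in root.findall("target")}
    # Rulesets write back-references as $1; Python's re expects \g<1>.
    rules = [(re.compile(r.get("from")),
              re.sub(r"\$(\d)", r"\\g<\1>", r.get("to")))
             for r in root.findall("rule")]
    cookies = [(re.compile(c.get("host")), re.compile(c.get("name")))
               for c in root.findall("securecookie")]
    return targets, rules, cookies

def rewrite(url, ruleset):
    """Return the URL after applying the ruleset, or unchanged if nothing matches."""
    targets, rules, _ = ruleset
    if urlsplit(url).hostname not in targets:
        return url  # host is not a target, so the ruleset is never consulted
    for pattern, repl in rules:
        new_url, count = pattern.subn(repl, url, count=1)
        if count:
            return new_url  # assumption: first matching rule wins
    return url

def cookie_secured(host, name, ruleset):
    """True if a securecookie entry covers this cookie host and name."""
    return any(h.search(host) and n.search(name) for h, n in ruleset[2])

if __name__ == "__main__":
    rs = load_ruleset(RULESET_XML)
    for host in ("myfitnesspal.com", "api.myfitnesspal.com", "other.myfitnesspal.com"):
        url = "http://%s/food/diary" % host  # constructed sample path
        print(url, "->", rewrite(url, rs))
    for host in ("www.myfitnesspal.com", "api.myfitnesspal.com"):
        print(host, "session cookie secured:", cookie_secured(host, "session", rs))
```

Running it shows that a host outside the target list stays on HTTP, and that the securecookie line only covers cookies whose host is www.myfitnesspal.com.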

But Remember

Many sites have this issue. This issue should not stop you from using an application but do make an informed decision as to what data to pass along and what applications to link with. When possible use things such as HTTPS Everywhere. At the very least pay attention to your browser’s URL bar and know when your data is being sent in the clear.