Requiem for the Thunderbolt Display

Every nerd I know can name a component of their workstation that they feel is indispensable. That one thing that, should everything else in their workflow be switched out, they’d fight to keep. Many would probably fight for their computer, while others feel an affinity towards a specific keyboard or headphones.

For me, that one special thing is my Apple Thunderbolt Display. I know: it’s crazy to spend a thousand bucks on a 27-inch display, even back when I bought it in 2012. It has other faults beyond price, too: there’s an air gap between the glass and the panel, so the image isn’t as sharp as it could be, and it’s heavy. Really heavy. I bent the desk I used for three years because of the weight of this display.

Yet, it remains the thing on my desk that I would fight the hardest to keep.¹ There are a lot of reasons why, but I’ll give you just two.

First, a bit of personal history: when I was in my early teens, I saw a 30-inch Cinema Display in a local reseller’s store, and I coveted it immediately. I wanted to work on a display that large, with enough room in virtually any application for any kind of task. Its horizontal resolution was great enough that you could fit full HD video onscreen with some room left over for a clip bin. Its vertical resolution was enough to keep webpages and documents open in a more comfortable portrait orientation. My Thunderbolt Display is missing 160 pixels of vertical space, but it still feels massive — and it didn’t cost me the nearly $5,000 Apple was asking for the 30 inch Cinema Display when it was introduced in Canada.

Even better, though, is what the Thunderbolt Display does for a laptop. There are a great many complaints I’ve had with Apple’s computers over the years, but one thing I think they get absolutely right is their relentless pursuit of lightness and thinness in their portable products. When you lug a laptop around all day long, the last thing you want is for it to be heavy, or to take up more than its fair share of space in your bag. This is doubly true when travelling with it.²

However, when that laptop stops being a portable and is plopped onto a desk, the priorities of the computer change. Where overall smallness is desirable in a bag, a desk makes it possible to attach something as large and heavy as a gigantic display. Photo and video editing benefits most obviously, of course, but even something like web development is nicer on a big screen: you can have your IDE and two browser windows open at the same time, instead of juggling between windows.

While a computer is at a desk, it should be able to take advantage of a few other things that laptops aren’t very good at, too. A terrestrial gigabit Ethernet connection, for instance, better speakers, and external hard drives can all be connected. And no other product makes this as seamless as the Thunderbolt Display. Indeed, connected to my display are an Ethernet cable, two external hard drives, a Lightning cable, and a USB DAC. That’s a lot, and I have to connect just one cable to get all of those peripherals on board when I get home with my MacBook Air. I think that’s amazing.

Alas, Apple no longer makes the Thunderbolt Display. That’s probably for the best — who wants to pay $1,000 for a 27-inch display that has a density of just 109 pixels per inch? But instead of replacing it with that long-rumoured 5K Thunderbolt Display, they’ve elected to collaborate with LG on a plastic fantastic that accomplishes some of the same goals, and even improves upon Apple’s displays in some ways. It obviously features a much higher resolution — 218 pixels per inch — and a wide P3 colour gamut, and it’s priced competitively with other 4K and 5K displays on the market. It also offers even easier connectivity: because Thunderbolt 3 can provide much more power, just one cable is required to connect a new MacBook Pro to the display for both charging and data.

Unfortunately, the best reason to buy a Thunderbolt Display over its competitors hasn’t been carried over to the UltraFine 5K: it is no longer the amazing docking station that the Thunderbolt Display once was.

Instead of an assortment of ports on its back, LG’s display features just three USB-C ports. And that kind of makes sense: the future, as evidenced by Apple’s new MacBook Pro lineup, belongs to USB-C. Except the new MacBook Pro doesn’t have four USB ports; it has four Thunderbolt ports, with far greater speeds and capabilities than the standard USB spec offers, like daisy chaining.

It’s not just the variety of ports, but the quantity. Three ports is pitiful on a product like this, especially if you’d — logically — like to keep your peripherals permanently connected to it. And, while you can pick up a hub, the ports on the back of the display are apparently throttled, so a hub will be splitting an already-weakened connection. That’s disappointing on a product that’s explicitly designed to connect to Apple’s most professional notebooks.

If I were to swap my setup for a new MacBook Pro and LG’s 5K display, I’d need an Ethernet dongle, and three USB-A adaptors for my hard drives — my carefully-chosen Thunderbolt-connected drive would be getting a serious downgrade there — and DAC. I’d also want to pick up a USB-C Lightning cable, and a hub to have enough ports to run it all, and I’d have to tolerate everything running at a reduced speed.

Don’t let me get you down — LG’s 5K display might work just fine for your setup. But it doesn’t seem like an adequate replacement for the Thunderbolt Display. It doesn’t have the same hardware quality as an Apple product, it doesn’t have comparable functionality, and it has an ugly “forehead” to house the camera. Unfortunately, it seems like Apple won’t make a true successor to the Thunderbolt Display because they’re not making displays any longer. For a niche of Mac users, that’s a big loss.

I recently picked up one hell of a camera, though, so it might be a tough call. ↥︎
While there’s a market for the “portable workstation”, I’d wager that the discontinuation of the 17-inch MacBook Pro several years ago indicates that said market is rather tiny. Then again, perhaps the discontinuation of the Thunderbolt Display indicates that its market is also tiny. ↥︎

Secure and Trusted Phishing ⇥ textslashplain.com

Eric Lawrence:

One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites.

[…]

By December 8, 2016, LetsEncrypt had issued 409 certificates containing “Paypal” in the hostname; that number is up to 709 as of this morning. Other targets include BankOfAmerica (14 certificates), Apple, Amazon, American Express, Chase Bank, Microsoft, Google, and many other major brands. LetsEncrypt validates only that (at one point in time) the certificate applicant can publish on the target domain. The CA also grudgingly checks with the SafeBrowsing service to see if the target domain has already been blocked as malicious, although they “disagree” that this should be their responsibility. LetsEncrypt’s short position paper is worth a read; many reasonable people agree with it.

Josh Aas of Let’s Encrypt writes in that position paper:

Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety. However, many people believe the mere presence of DV certificate ought to connote at least some of these things.

The impression that a site with a DV certificate is, technically speaking, secure is largely the fault of the browser UI. Specifically, it’s the fault of Chrome’s UI, which displays a green lock icon and the word “Secure” in the address bar for sites with DV certificates. A site with an EV certificate — the kind of certificate that “guarantees” that a site is from a specific company — is displayed in the same green, but the “secure” text is replaced with the company name. This treatment is overly generous towards vouching for DV certificates, to a misleading extent. And that’s a problem, because Chrome is the world’s most popular browser.

Other browsers treat the two types of HTTPS certificates with a little more care. Both Safari and Microsoft Edge display a grey lock icon in the address bar when a site has a DV certificate, and a green lock icon with the company name when the site has an EV certificate. Firefox, on the other hand, displays the same green lock icon for sites with DV or EV certificates, but EV certificates also display the company name; DV certificates have no additional wording at all.

I think the approach that Apple and Microsoft are taking here is much clearer than what Google and Mozilla are offering in their browsers. In that sense, Aas’ position is correct. But I think that there’s more that certificate authorities could do as well. For instance, Let’s Encrypt could automatically flag any signing attempt with words like “bank”, “PayPal”, or the names of well-known companies and their products — “Google”, “iCloud”, and so forth. Let’s Encrypt could then revoke that certificate if it is being misused.

However, even with better protections in place to restrict the use of HTTPS certificates on phishing sites, I’m not sure how much difference it will make. Plenty of people who should know better have been convinced by phishing attempts.