re: Secure Logins (fun with Greasemonkey)

January 28, 2006 1:35pm 8 Comments

[url=http://shiflett.org/archive/186]Chris[/url] posted about [i]Secure Logins[/i], last week. In it, he describes the confusion that exists when users cross from HTTP to HTTPS via forms.

Chris isn't alone in noticing this problem. A few weeks ago, on the [url=http://www.grc.com/securitynow.htm]Security Now![/url] podcast, Steve Gibson answered a user question about the same problem.

On Chris' blog, I mentioned that this would be a good use for [url=http://greasemonkey.mozdev.org/]Greasemonkey[/url]. (If you don't know about Greasemonkey, you should definitely check it out.)

Since then, I've had two flights, and took a little time to work out [url=http://www.phpdoc.info/greasemonkey/ssl-indicator.user.js]a solution to the problem[/url].

When hovering a form button, image or submit input, you'll see a description of the form's action, and various potential problems (onsubmit, onclick, etc).

It doesn't solve all "hijacking" problems, but it's not supposed to.. it's just a quick indicator of where your form [i]probably[/i] posts.

Even if you're not interested, take a look at the source for a cool little embedded image trick.

Enjoy.

S

+1 for Shalosh Nekudotayim

November 27, 2005 10:25am 3 Comments

If you don't read the [url=http://beeblex.com/search.php?s=l:php.internals&o=1]PHP Internals[/url] mailing list, you've probably missed most of the recent discussion on namespaces.

Since you're reading this entry, there's a good chance you've read one of the other posts about the [url=http://www.php.net/~derick/meeting-notes.html]results of the 2005 PDM[/url], though.

Of particular interest (especially given the recent Date class [url=http://beeblex.com/lists/index.php/php.internals/20324?s=l:php.internals]debacle[/url]) is the point on [url=http://www.php.net/~derick/meeting-notes.html#name-spaces]namespaces[/url].

At the meeting, the core developers decided that "\" is a logical choice for the namespace operator as it is the only single non-alpha-numeric character on (US) keyboards that isn't yet an operator.

This has been met with [url=http://beeblex.com/lists/index.php/php.internals/20447?s=l:php.internals]some[/url] [url=http://beeblex.com/lists/index.php/php.internals/20586?s=l:php.internals]resistance[/url].

For some reason, people don't seem to think that "\" is a good choice for the namespace operator. I'm not sure why this is... \ seems logical to me.

[b]UPDATE[/b]: As you see, the title was changed from Shaloshayim Nekudotayim to Shalosh Nekudotayim. Check the comments--thanks Hebrew speakers.
Jessie Hernandez (the author of one of the [url=http://www.zend.com/zend/week/pat/pat44.txt]existing namespace patches[/url]) originally proposed the use of ":" (as in "namespace:class::var").

This was rejected by the core developers because : is already an operator: it is used in the [url=http://php.net/ternary]ternary operator[/url]. It would make things like the following break:
[php]
$foo = $bar?moo:oink:meow;
[/php]

So, if $bar is true, does $foo become moo:oink? or oink:meow? So, no good.

One solution is to enforce whitespace around the ternary colon:
[php]
$foo = $bar?moo:oink : meow;
[/php]

I hope this never makes it into PHP. Fortunately, Rasmus has already [url=http://beeblex.com/lists/index.php/php.internals/20458]denied it[/url].

So, there have been a number of other ideas. Most of them are simply impossible ("." ? Seriously... it's the concatenation operator!).

I have absolutely no problem with "\". Some people have argued that "\" looks too much like "/". This is simply bogus. The same people think that ":" vs ";" is OK, but it's essentially the same comparison.

Barring \ (for whatever reason), I would like to see ":::". Yes, it's a little longer than the other operators, but who really cares? It's ONE extra keypress (you've already got shift held down from the previous colon.) Even Ilia [url=http://beeblex.com/lists/index.php/php.internals/20579]agrees[/url].

Why ::: ? Well, it makes sense. :: resolves scope, ::: should resolve the scope's scope. Right?

So, what's with the title of this entry, you ask? I had to do a little research to come up with it, and it might be completely wrong as I don't speak/write Hebrew, but, since :: is called "Paamayim Nekudotayim" (or "double colon" in English), I propose "Shaloshayim Nekudotayim" which (hopefully) means "triple colon." Feel free to correct me (-:

S

Updates on me (if anyone actually cares)

November 26, 2005 9:35pm 1 Comment

It's been a long time since I blogged. You might remember that I was looking for [url=http://blog.phpdoc.info/archives/24-Search-for-the-Perfect-Laptop.html]the perfect laptop[/url]. The search was due to imminent changes in my work-life (imminent at the time, but have been in place since the middle of September).

If you've read [url=http://blog.phpdoc.info/archives/12-phpa-April-2005-Released.html]past entries[/url] in my blog, or [url=http://www.phparch.com/issue.php?mid=69]recent issues[/url] of [url=http://www.phparch.com/]php|architect[/url], you might remember that I became the Editor-in-Chief in the spring.

Around 6 weeks ago, I quit my job and started spending my days with [url=http://blogs.phparch.com/mt/]Marco[/url] and the rest of the team at [url=http://tabini.ca/]MTA[/url] (publisher of php|a).

It's been really great, so far, I've got my hands in a lot of projects, and I've been given some pretty serious responsibilities. Good times. (-:

php|works

September 15, 2005 12:25pm 0 Comments and

I've finally found a few minutes to upgrade my s9y install, so I no longer have an excuse to avoid posting here.

I'm currently at php|works (like Marco, Wez, Derick, Ilia, Marcus, Rasmus, George, Chris, Lukas, Davey, and many others whom I'm probably forgetting).

It's been wonderful, so far. Interesting talks, great company, and an excellent venue.

As always, the best part is sharing mind-time with the guys I normally only see on IRC and in mails. Marco has been exceptionally hospitable.

In the same vein (mind-time sharing), I managed to get some work done on Livedocs, yesterday, and I bugged Ilia enough to commit my patches. In short: the search bar is now in the default theme, and the leftbar TOC now has the "current" breakout on the top of the list (suggested by both Wez and Lukas).

S

Suddenly 5.1 Isn't So Exciting

August 12, 2005 11:00pm 10 Comments

Up until today, I was really pumped up about the imminent release of PHP 5.1. Then I read [url=http://beeblex.com/lists/index.php/php.internals/17883]this[/url].

I'm still excited about 5.1, but it now pales in comparison to the potential that exists in 6.0.

The best part, though, is the general concensus of change that's attached to the thread.

Read on for my opinion on the points that have been brought up.
Let's take a look at Rasmus' original ideas:

[quote]1. Remove register_globals completely[/quote]
Yes! Anyone with half a clue agrees that register_globals shouldn't be used. Let's help those with a lower clue-ration.

[quote]2. Remove magic_quotes_*[/quote]
Yes! Same rule as #1. I [i]really[/i] hate cluttering up my (must-be-portable) code with stuff like "$var = get_magic_quotes_gpc() ? stripslashes($_GET['var']) : $_GET['var'];"

[quote]3. Add input filter extension which will include a mechanism for application developers to very easily turn it off which would swap the raw GPC arrays back in case the site had it turned on by default.[/quote]
I was originally [i]against[/i] this idea. Well, more like [url=http://beeblex.com/lists/index.php/php.internals/14669]against automatic filtering[/url]. I've since changed mind.

One of the things that I had the opportunity to chat with Rasmus about at [url=http://blog.phpdoc.info/archives/11-Busy-Conf.-PHP-Quebec.html]Conf. PHP Quebec 2005[/url] was admin-implied input filtering. He told me that input filtering should be an option of the system administrator, and shouldn't always be left in the developer's hands. This makes sense. It's primarily the developer's burden to write good code, but most of us run apps that weren't written by [i]us[/i]. There should be some way to apply blanket filtering.

Obviously, to make this system work, there needs to be some way for the developer to access the raw, unfiltered content (yes, there ARE occasions where it's necessary to grab '<', '="">', and '"' from the request. My retort to Rasmus' theory of admin power was "If the developer can get to the raw data (and he [i]has[/i] to be able to do this), how are we any better off? Yes, a good developer will use this mechanism ONLY when necessary, but what about a Jr. developer who 'learns' from the wrong piece of code?" His answer: it'll be simple to grep for this mechanism. So, I conceded. I'm now all-[i]for[/i] an automatic input filter.

[quote]4. Include an opcode cache by default. A lot of work has gone into pecl/apc recently, but I am not hung up on which one goes in.[/quote]

Zend politics aside, I don't know why this hasn't been pushed harder before. +1

[quote]5. Remove safe_mode and focus on open_basedir[/quote]
I've never had the.. uh.. "pleasure" of working with safe_mode, professionally, but this SEEMS like the best option. Yes, it will upset a LOT of web hosts. Hopefully they'll see the light. I'm not holding my breath, though.

[quote]6. Remove some stuff that has been marked deprecated since PHP 3/4[/quote]
Please, yes. With the exception of dl() (-:

[quote]7. Make identifiers case-sensitive
8. Remove various function aliases[/quote]

These, I don't really care about. Either way is fine by me.

So there's my 2c (Canadian).

What do [i]you[/i] think?

S

← Previous  1 2 3 4 5 Next →

About

Subscribe

User

Clicky Web Analytics