This article includes a good summary of the current state of HTTP authentication (XML.com: httplib2: HTTP Persistence and Authentication), written in the context of developing a Python HTTP client library (httplib2) that supports what should be supported. Here's the main argument extracted:
In the past, people have asked me how to protect their web services and I've told them to just use HTTP authentication, by which I meant either Basic or Digest as defined in RFC 2617.
For most authentication requirements, using Basic alone isn't really an option since it transmits your name and password unencrypted. Yes, it encodes them as base64, but that's not encryption.
The other option is Digest, which tries to protect your password by not transferring it directly, but uses challenges and hashes to let the client prove to the server that it knows a shared secret.
Here's the "executive summary" of HTTP Digest authentication:
- The server rejects an unauthenticated request with a challenge. That challenge contains a nonce, a random string generated by the server.
- The client responds with the same request again, but this time with a WWW-Authenticate: header that contains a hash of the supplied nonce, the username, the password, the request URI, and the HTTP method.
The problem with Digest is that it suffers from too many options, which are implemented non-uniformly, and not always correctly. For example, there is an option to include the entity body in the calculation of the hash, called auth-int. There are also two different kinds of hashing, MD5 and MD5-sess. The server can return a fresh challenge nonce with every response, or the client can include a monotonically increasing nonce-count value with each request. The server also has the option of returning a digest of its own, which is a way the server can prove to the client that it also knows the shared secret.
The bad news is that the current state of security with HTTP is bad. The best interoperable solution is Basic over HTTPS. The good news is that everyone agrees the situation stinks and there are multiple efforts afoot to fix the problem. Just be warned that security is not a one-size-fits-all game and that the result of all this heat and smoke may be several new authentication schemes, each targeted at a different user community.
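To make the Digest exchange concrete, here is an added example in Python (the language httplib2 is written in); it is not code from the article or from httplib2. It implements RFC 2617 Digest with MD5 and qop="auth" on both sides: the server's 401 challenge, the client's retried request (the digest travels in the request's Authorization header), the server's verification with a strictly increasing nonce-count check against replay, and the optional rspauth digest by which the server proves it also knows the secret. The realm, nonce and credentials in the demo at the bottom are the sample values from RFC 2617 section 3.5; the function names and the `users` table are assumptions of this example.

```python
"""Worked example of RFC 2617 Digest authentication (MD5, qop="auth"),
showing both the server's and the client's side of the exchange.
Added illustration; not the httplib2 implementation."""
import hashlib
import hmac
import re
import secrets


def h(s: str) -> str:
    """RFC 2617's H(): hex MD5 of a string."""
    return hashlib.md5(s.encode()).hexdigest()


def kd(secret: str, data: str) -> str:
    """RFC 2617's KD(secret, data) = H(secret ":" data)."""
    return h(f"{secret}:{data}")


def parse_params(header_value: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict, dropping the scheme."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest header: {scheme!r}")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^\s,]+)', params)
    return {k: v.strip('"') for k, v in pairs}


def make_challenge(realm: str, nonce: str = "") -> str:
    """Server side: the WWW-Authenticate value sent with the 401."""
    nonce = nonce or secrets.token_hex(16)  # fresh, unpredictable per challenge
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}", algorithm=MD5'


def client_response(challenge, username, password, method, uri, cnonce, nc=1):
    """Client side: the Authorization value for the retried request.
    The hash binds nonce, username, password (via A1), URI and method (via A2)."""
    c = parse_params(challenge)
    a1 = h(f"{username}:{c['realm']}:{password}")
    a2 = h(f"{method}:{uri}")
    resp = kd(a1, f"{c['nonce']}:{nc:08x}:{cnonce}:auth:{a2}")
    return (
        f'Digest username="{username}", realm="{c["realm"]}", '
        f'nonce="{c["nonce"]}", uri="{uri}", qop=auth, nc={nc:08x}, '
        f'cnonce="{cnonce}", response="{resp}"'
    )


def server_verify(authorization, method, realm, users, issued_nonce, seen_nc):
    """Server side: check the Authorization header. Returns the
    Authentication-Info value (carrying rspauth) on success, None on failure.
    `users` maps username -> password (assumed store); `seen_nc` maps
    nonce -> highest nonce-count accepted so far, for replay detection."""
    try:
        p = parse_params(authorization)
        password = users[p["username"]]          # unknown user -> KeyError -> None
        nc = int(p["nc"], 16)
        if p["realm"] != realm or p["nonce"] != issued_nonce or p.get("qop") != "auth":
            return None
        if nc <= seen_nc.get(p["nonce"], 0):     # nonce-count must strictly increase
            return None
        a1 = h(f"{p['username']}:{realm}:{password}")
        a2 = h(f"{method}:{p['uri']}")            # server uses the method it actually saw
        expected = kd(a1, f"{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{a2}")
        if not hmac.compare_digest(expected, p["response"]):
            return None
    except (KeyError, ValueError):
        return None
    seen_nc[p["nonce"]] = nc
    # Mutual auth: rspauth is computed like the response, but A2 has an empty method.
    rspauth = kd(a1, f"{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{h(':' + p['uri'])}")
    return f'qop=auth, rspauth="{rspauth}", cnonce="{p["cnonce"]}", nc={p["nc"]}'


if __name__ == "__main__":
    # Realm, nonce and credentials are the sample values from RFC 2617 section 3.5.
    realm, nonce = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    users = {"Mufasa": "Circle Of Life"}
    challenge = make_challenge(realm, nonce)                        # 401 WWW-Authenticate
    authz = client_response(challenge, "Mufasa", "Circle Of Life",
                            "GET", "/dir/index.html", "0a4f113b")   # retry with Authorization
    seen = {}
    print(server_verify(authz, "GET", realm, users, nonce, seen))  # Authentication-Info
    print(server_verify(authz, "GET", realm, users, nonce, seen))  # None: replayed nc
```

Two points worth noticing in the server code: the password (or a stored HA1 = H(username:realm:password)) never crosses the wire, but the server still has to hold it in a recoverable form, which is one reason Digest does not remove the need for TLS; and without the nonce-count bookkeeping a captured Authorization header can be replayed for as long as the nonce stays valid, so a server that skips the check gets little more than Basic.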
Good to see HEAnet doing some serious machine thrashing: /~colmmacc/ » Blog Archive » Niagara vs ftp.heanet.ie Showdown. Keep up the good work Cormac.
ftp.heanet.ie is one of the single busiest webservers in the world. We handle many millions of downloads per day, but unusually for a high-demand site, we do it all from one machine. This is usually a bad idea, but as a mirror server has built-in resilience (in the form of a world-wide network of mirrors), and as we can't afford 20 terabytes of ultra-scalable, network-available storage, we use a single machine with directly attached storage, and rely on our ability to tune the machine to within an inch of its life. We regularly serve up to 1.2 Gigabit/sec, and have handled over 27,000 concurrent downloads. There's some more detail on our previous set-up (which is mostly identical to the current one) in my paper on Apache Scalability.
Over four years ago, when I started in HEAnet, Solaris and Sparc hardware represented about 50% of our Unix systems. Now it represents less than 2%, so I've had less and less opportunity to tinker on Solaris in the last few years, but have kept up with it enough to know how to use dtrace, and to still understand the Solaris fundamentals. At ApacheCon US 2005, Covalent had a T2000 along as a demonstration machine. I got to play with it a little and was very impressed. Unlike prior experiences, this machine felt very responsive. There was no waiting for the output of commands, no listening to the whirring of hard disks, and the benchmarking numbers it was producing weren't bad either.
When Jonathan Schwartz announced the "Free Niagara box for 60 Days" deal, we jumped at the opportunity to test one of these boxes - which may be ideal for our needs. It took a while for Sun to iron out some administrative problems, but they certainly held up their end of the deal, and a nice shiny T2000 arrived a little over a week ago, for us to try out.
I have been a big proponent of XForms within the TSSG (though I haven't yet convinced our commercial development teams to deploy solutions based on XForms).
2006-03-14: XForms 1.0 Second Edition Is a W3C Recommendation.
The World Wide Web Consortium today released XForms 1.0 Second Edition as a W3C Recommendation. The new generation of Web forms, XForms separate presentation and content, minimize round-trips to the server, offer device independence, and reduce the need for scripting. This second edition adds clarifications and corrects errors as reported in the first edition errata. Second edition publications include the following documents.
This is a good overview article on the subject: Why XForms Matter, Revisited - O'Reilly XML Blog
Just read Sean's post (Sean McGrath, CTO, Propylon).
It describes a new service to rate your blog's influence using a formula:
[(blog posts + web links) + (bloglines subs * 2)] * (1 + Pagerank/10)
Couldn't resist and added a link at the bottom of the list of links in the left pane of my home page :-) - my rating is lower than Sean's at 4176!
Here's a reference to an interesting analysis of the technology used in Skype, and a discussion of "Edge-connectivity" as a concept: SATN.org: Comments from Bob Frankston, David Reed, Dan Bricklin, and others
It is useful to be able to understand how Skype works in detail in order to trust the code. I'm glad to see that the authors noted that it is difficult to block Skype traffic.
The more important result is to understand Skype's Edge-connectivity. It's an example of how communities can stay connected independent of the accidental properties of the Internet and the gatekeepers. Because the relationships are maintained at the edge, mobility is fundamental. You don't need the network to do meshing when the applications maintain their own relationships. Meshing then becomes a low level technique for pooling routers rather than a way to make applications mobile.
Here's an interesting reference to a New York Times article from John Battelle's blog: John Battelle's Searchblog: Abortion, Adoption, Amazon.
The full article is here
Amazon Says Technology, Not Ideology, Skewed Results
By LAURIE J. FLYNN
Published: March 20, 2006
Amazon.com last week modified its search engine after an abortion rights organization complained that search results appeared skewed toward anti-abortion books.
Until a few days ago, a search of Amazon's catalog of books using the word "abortion" turned up pages with the question, "Did you mean adoption?" at the top, followed by a list of books related to abortion.
Amazon removed that question from the search results page after it received a complaint from a member of the Religious Coalition for Reproductive Choice, a national organization based in Washington.
"I thought it was offensive," said the Rev. James Lewis, a retired Episcopalian minister in Charleston, W.Va. "It represented an editorial position on their part."
Patty Smith, an Amazon spokeswoman, said there was no intent by the company to offer biased search results. She said the question "Did you mean adoption?" was an automated response based on past customer behavior combined with the site's spelling correction technology.
She said Amazon's software suggested adoption-related sources because "abortion" and "adoption" have similar spellings, and because many past customers who have searched for "abortion" have also searched for "adoption."
Ms. Smith said the "Did you mean adoption?" prompt had been disabled. (It is not known how often searches on the site turn up any kind of "Did you mean..." prompt.)
Customers, however, are still offered "adoption" as a possibility in the Related Searches line at the top of an "abortion" search results page. But the reverse is not true.
Ms. Smith said that was because many customers who searched for abortion also searched for adoption, but customers who searched for "adoption" did not typically search for topics related to abortion.
Still, the Rev. Jeff Briere, a minister with the Unitarian Universalist Church in Chattanooga, Tenn., and a member of the abortion rights coalition, said he was worried about an anti-abortion slant in the books Amazon recommended and in the "pro-life" and "adoption" related topic links.
"The search engine results I am presented with, their suggestions, seem to be pro-life in orientation," Mr. Briere said. He also said he objected to a Yellow Pages advertisement for an anti-abortion organization in his city that appeared next to the search results, apparently linked by his address.
Web software that tracks customers' purchases and searches makes it possible for online stores to recommend items tailored to a specific shopper's interests. Getting those personalized recommendations right can mean significantly higher sales.
But getting it wrong can cause problems, and Amazon is not the first company to find that automated online recommendations carry risks.
In January, Walmart.com issued a public apology and took down its entire cross-selling recommendation system when Web customers who looked at a boxed set of movies that included "Martin Luther King: I Have a Dream" and "Unforgivable Blackness: The Rise and Fall of Jack Johnson" were told they might also appreciate a "Planet of the Apes" DVD collection, as well as "Ace Ventura: Pet Detective" and other irrelevant titles.
An excellent tutorial on leveraging HTTP authentication in web-based applications: REST based authentication
To recap, the REST elevator pitch is
- Identification Of Resources
- Manipulation Of Resources Through Representations
- Self-Descriptive Messages
- Hypermedia As The Engine Of Application State
This is an excellent article explaining what Ajax is and how to use it from Perl: perl.com: Using Ajax from Perl.