Commentary and insight on web development and the Internet at large written with a wry smile and a hungry look.
simple HTTP Authentication class - Fri Aug 21, 2009
It is definitely not as commonly used these days, but as a quick and dirty tool for non-critical applications, HTTP-based authentication can still prove useful. The link that follows is for a PHP5-compatible HTTP authentication class I wrote a few years back. Specifics can be found in the source code.
topics: programming, security
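To show the shape of the technique the post refers to, here is an added example of a minimal HTTP Basic authentication gate in PHP. It is not the author's class (that lives at the link in the post) and it targets a current PHP rather than PHP5; the class name `BasicAuthGate`, the user list, realm and all credential values are constructed placeholders.

```php
<?php
// Added example, not the class the post links to.
// A small HTTP Basic authentication gate for a non-critical PHP page.
// Names and credentials are constructed placeholders.

final class BasicAuthGate
{
    /** @var array<string,string> username => password_hash() output */
    private array $users;
    private string $realm;
    /** Hash verified when the username is unknown, so lookups take similar time. */
    private string $dummyHash;

    public function __construct(array $users, string $realm = 'Restricted')
    {
        $this->users = $users;
        // Realm is emitted inside a quoted header value; drop any quotes.
        $this->realm = str_replace('"', '', $realm);
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /**
     * Returns the authenticated username, or null when the request carries
     * no credentials or the credentials do not match a known user.
     */
    public function authenticate(?string $user, ?string $pass): ?string
    {
        if ($user === null || $pass === null) {
            return null;
        }
        $known = isset($this->users[$user]);
        // Always run password_verify, even for unknown users, so the response
        // time does not reveal which usernames exist.
        $hash = $known ? $this->users[$user] : $this->dummyHash;
        $ok = password_verify($pass, $hash);
        return ($ok && $known) ? $user : null;
    }

    /** Sends the 401 challenge that makes the browser prompt for credentials. */
    public function challenge(): void
    {
        http_response_code(401);
        header('WWW-Authenticate: Basic realm="' . $this->realm . '"');
        exit('Authentication required.');
    }
}

// Usage. The user table would normally come from configuration or storage;
// this one is constructed inline for the example.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
$gate = new BasicAuthGate($users, 'Example intranet');

// PHP_AUTH_USER / PHP_AUTH_PW are filled in by the Apache module and FPM
// SAPIs; under plain CGI the Authorization header is not passed through
// unless the web server is configured to forward it.
$who = $gate->authenticate(
    $_SERVER['PHP_AUTH_USER'] ?? null,
    $_SERVER['PHP_AUTH_PW'] ?? null
);
if ($who === null) {
    $gate->challenge();
}
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Two caveats worth keeping in mind when reaching for this "quick and dirty" approach: Basic authentication sends the username and password base64-encoded (not encrypted) on every request, so it only makes sense over HTTPS, and browsers cache the credentials for the session, so there is no clean server-side logout short of changing the realm or returning another 401.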
I heart full disclosure - Wed Aug 05, 2009
I shudder to think what a world without full disclosure would look like.
For those not familiar with the term, "full disclosure" is security jargon for the practice of fully divulging details about discovered vulnerabilities, often with proof of concept examples proving the existence of the bug. With full disclosure there will normally be no doubt about whether a given issue affects you - the fact you have all of the details allows you to test things out for yourself.
Now the reason why I consider this approach to dealing with security vulnerabilities so important can be summed up by pointing out some facts relating to a pair of recent Microsoft security bulletins:
Now both of these issues are considered critical, and security bulletins were sent out on August 11, 2009. However, in the first case the vendor (Microsoft) was told of the vulnerability privately over two years previously (2007-03-19), and in the second over a year previously (2008-04-07). Microsoft does not believe in full disclosure (nor does the commercial security researcher in this case), which means that for over two years the only people who knew about the first issue outside of the vendor and researcher were blackhats and other ne'er-do-wells. Without full disclosure this is what happens, as there is no pressure on the vendor to deal with critical issues in a timely manner. The vendor often considers the chance of bad publicity to outweigh the dangers posed to their customers.
Now let's compare that with the recent WordPress admin password reset vulnerability posted on August 10, 2009 using full disclosure (all the details, example exploit). A mere day later, WordPress was patched to correct the issue. Not two years, not one year, not even a month - a single day!
In my opinion full disclosure is the most efficient way of minimizing the window of exposure between a vulnerability being discovered and a solution being in place.
Wikipedia has a decent article on full disclosure including links to contrary arguments for those wishing to do further reading on the topic.