
The First Few Milliseconds of an HTTPS Connection

Convinced from spending hours reading rave reviews, Bob eagerly clicked “Proceed to Checkout” for his gallon of Tuscan Whole Milk and… Whoa! What just happened? In the 220 milliseconds that flew by, a lot of interesting stuff happened to make Firefox change the address bar color and put a lock in the lower right corner. With the help of Wireshark, my favorite network tool, and a slightly modified debug build of Firefox, we can see exactly what’s going on. By agreement of RFC 2818, Firefox knew that “https” meant it should connect to port 443 at

Most people associate HTTPS with SSL (Secure Sockets Layer), which was created by Netscape in the mid '90s.

Client Hello
TLS wraps all traffic in “records” of different types. The next two bytes are 0x0301, which indicate that this is a version 3.1 record; this shows that TLS 1.0 is essentially SSL 3.1. The handshake record is broken out into several messages.

Server Hello

Checking out the Certificate
Why should we trust this certificate?

Related: fundamentals

How Non-Member Functions Improve Encapsulation

I'll start with the punchline: If you're writing a function that can be implemented as either a member or as a non-friend non-member, you should prefer to implement it as a non-member function. That decision increases class encapsulation. When you think encapsulation, you should think non-member functions. Surprised? Read on.

Background
When I wrote the first edition of Effective C++ in 1991, I examined the problem of determining where to declare a function that was related to a class. This algorithm served me well through the years, and when I revised Effective C++ for its second edition in 1997, I made no changes to this part of the book. In 1998, however, I gave a presentation at Actel, where Arun Kundu observed that my algorithm dictated that functions should be member functions even when they could be implemented as non-members that used only C's public interface. They are mistaken.

Encapsulation
Encapsulation is a means, not an end.

Degrees of Encapsulation
It's easily done.

Main Page - APIDesign

The Rhetoric of the Hyperlink

The hyperlink is the most elemental of the bundle of ideas that we call the Web. If the bit is the quark of information, the hyperlink is the hydrogen molecule. It shapes the microstructure of information today. Surprisingly though, it is nearly as mysterious now as it was back in July 1945, when Vannevar Bush first proposed the idea in his Atlantic Monthly article, As We May Think.

(Image from Wikipedia, free license)

Hyper-Grammar and Hyper-Style
The hyperlink is not a glorified electronic citation-and-library-retrieval mechanism. This is the default mental model most people have of hyperlinks, a model borrowed from academic citation, and made more informal:

Implicit inline: Nick Carr believes that Google is making us stupid.
Explicit inline: Nick Carr believes that Google is making us stupid (see this article in the Atlantic).

Both are simple ports of constructs like “Nick Carr believes [Carr, 2008] that Google is making us stupid.”

Hyperlinking as Form-Content Mixing
That’s not all.

Numbers Everyone Should Know

Google AppEngine Numbers
This group of numbers is from Brett Slatkin in Building Scalable Web Apps with Google App Engine.

Writes are expensive!
* Datastore is transactional: writes require disk access
* Disk access means disk seeks
* Rule of thumb: 10ms for a disk seek
* Simple math: 1s / 10ms = 100 seeks/sec maximum
* Depends on:
  * The size and shape of your data
  * Doing work in batches (batch puts and gets)
Reads are cheap!

Paging Through Comments
How can comments be stored such that they can be paged through in roughly the order they were entered? Under a high write load situation this is a surprisingly hard question to answer. A sharded counter won't work in this situation either, because summing the sharded counters isn't transactional. Searches in BigTable return data in alphabetical order. A lot of paging algorithms use counts. In the grand old tradition of making unique keys, we just keep appending stuff until it becomes unique. Ordering by date is obvious.

Related Articles

The Real Meaning of Model-Driven Architecture
Leading-Edge Java: The Real Meaning of Model-Driven Architecture. An Interview with No Magic from JavaOne 2007, by Bill Venners with Frank Sommers, June 27, 2007.

Summary
In this interview with Artima, Andrius Strazdauskas, Gary Duncanson, and Daniel Brookshier of No Magic discuss the goals of Model Driven Architecture, or MDA, and explain why they think it can improve programmer productivity and software quality.

In this interview, I discuss Model-Driven Architecture, or MDA, with Andrius Strazdauskas, R&D Manager, Gary Duncanson, President and CEO, and Daniel Brookshier, Chief Architect of No Magic. Prior to this interview my understanding was that MDA was an attempt to program in pictures or diagrams, and I was skeptical. However, as I spoke with No Magic, I kept recognizing in their MDA tool many of the same characteristics that we built into our "little languages" and code generators in Artima's web architecture.

ReverseHttp

html - RegEx match open tags except XHTML self-contained tags

The Programmers’ Stone

Http-https transitions and relative URLs
When building a web site with HTTPS pages, one of the annoying tasks is to ensure that those pages make no references to HTTP resources. If they do, then Internet Explorer will pop up alarming messages about mixing secure and insecure content, asking whether you want to display the insecure content. This confuses users and generally discourages them from continuing to use your site. To fix the problem, all URLs on the page must use HTTPS. Relative URLs are the answer. Either of these images will display without warning on either HTTP or HTTPS pages. But what if you need to pull resources from another site? If this reference appears in an HTTPS page, the mixed content warning will appear. Here, we've left off the protocol scheme, but included a host name. You have to be careful to only use this syntax in pages destined for browsers.

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="//" width="600" height="400"> ...

You aren't gonna need it
"You aren't gonna need it"[1][2] (acronym: YAGNI)[3] is a principle of extreme programming (XP) that states a programmer should not add functionality until deemed necessary.[4] Ron Jeffries writes, "Always implement things when you actually need them, never when you just foresee that you need them."[5] The phrase also appears altered as "You aren't going to need it"[6][7] or sometimes phrased as "You ain't gonna need it". YAGNI is a principle behind the XP practice of "do the simplest thing that could possibly work" (DTSTTCPW).[2][3] It is meant to be used in combination with several other practices, such as continuous refactoring, continuous automated unit testing and continuous integration. YAGNI is not universally accepted as a valid principle, even in combination with the supporting practices.

Rationale
See also
References
[1] Extreme Programming Installed, Ronald E.

Implementing a simple HTTP/Web server in java for handling POST
Note: An updated version of this post can be found in which will handle any kind of file uploads (text and binary files) of large size. In the last section on java, we have seen how to implement a simple/lightweight HTTP/Web Server to handle HTTP GET methods. In this section, we will see how to implement a simple HTTP/Web server in java to handle POST methods, with an example of a file upload server that accepts the POST method from a client form submission. The benefit of implementing our own HTTP Server to handle GET/POST methods is that we can use it for simple/lightweight applications that don't require an Apache Web server or a servlet container to handle HTTP client requests; these simple HTTP servers can also be used as utility classes integrated into small-scale applications. The below HTTP POST Server does the following functions. 1. 2. 3. So here's the code. Working:

Always Multiply Your Estimates by π Project estimation is a black art, nowhere more so than in game development. I once heard of a mysterious cabal of numerologists that multiplied their time estimates by π. The practice allegedly gave them sufficient buffer for new requirements, testing, iteration, and other arcane changes in scope. This struck me as curious and arbitrary, but I was intrigued. I am now delighted to report that I have been able to put their Circular Estimation Conjecture on a firm mathematical footing. Allow me to explain. Someone — a designer, your lead, the exec producer, a friend, your mom — asks you to do something. But things change. And of course it didn’t all go smoothly. So how long did your journey take compared to your original plan? Now some may question my mathematical rigour, and even dispute what I believe to be the incontrovertible conclusion. Oh, and that to-do list you made last weekend?

Top 10 Secure Coding Practices

Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities.

Bonus Secure Coding Practices
Define security requirements.

Bonus Photograph
I found the following photograph on the Web, and I'm still trying to figure out who owns the rights to it. I like this photograph because it illustrates how the easiest way to break system security is often to circumvent it rather than defeat it (as is the case with most software vulnerabilities related to insecure coding practices).