Monday, May 25, 2009

Flashcards, UTF8 and XSS

I know, I know! I've been bad about updating. But as usual, there's way more going on behind the scenes here than meets the eye.

I've been a busy beaver since the semester ended. I've got two main things going on in my life right now: my reading list and this web site. I read Lombardo's translation of the Aeneid and now I'm reading Ferry's Georgics. I'm also working through Discourse, Consciousness and Time by Wallace Chafe.

But I've also been working on this site! If you've tried to visit in the last week, you might have noticed that the site was a bit flaky from time to time. It's true, and I apologize, but it was all temporary and for a good cause.

First, I rewrote the flashcards feature entirely using AJAX technology. Check them out! They're completely awesome. They should work at the very least in IE8, Firefox 3, Chrome and Safari 3. That should cover 98% of the people out there. Maybe I'll test them in Opera later. There is one major feature missing: printing. But I added two super-awesome features: custom flashcard decks and practicing those decks online! Two other minor features are missing: timed slideshows when practicing and searching by tags. Those are minor additions that I'll get to later.

I also made the site more uniformly UTF8 compatible. This is a technical, backend feature that won't affect you at all, most likely. I used to send all the Latin characters to your browser in HTML entities, but now I'm sending them directly in UTF8 encodings. Surprisingly, that was a really easy feature to enable.

Another big improvement is the site security. I've been looking for holes and security breach-points. I discovered a big one: XSS (Cross Site Scripting). It's kind of an ugly loophole on websites, one which has been around for ages. Essentially I fixed my back-end library code to disallow these so-called XSS attacks. With a bit of luck and some salt thrown over the shoulder, I've hopefully closed all the loopholes.
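As an added illustration (not the site's own library code), here is what the two back-end changes above look like together: HTML output escaping that neutralises the characters XSS depends on while letting UTF-8 Latin text such as macrons through untouched, next to the old entity-for-everything approach. The flashcard template, the `render_card` helper and the probe string are constructed for the example; it assumes the page is served with a UTF-8 charset and that user text lands only in element content or a double-quoted attribute.

```python
import html

# Old approach the post describes: every non-ASCII character became an HTML entity.
def escape_as_entities(text: str) -> str:
    escaped = html.escape(text, quote=True)
    return escaped.encode("ascii", "xmlcharrefreplace").decode("ascii")

# New approach: escape only the HTML metacharacters (& < > " ') and pass UTF-8 through.
# This is safe for element content and quoted attributes; JavaScript or URL contexts
# need their own encoding and are not covered here.
def escape_html(text: str) -> str:
    return html.escape(text, quote=True)

def render_card(front: str, back: str) -> str:
    # Constructed flashcard template: user-supplied text goes into a title
    # attribute and into two paragraphs, escaped at the point of output.
    return ('<div class="card" title="%s"><p>%s</p><p>%s</p></div>'
            % (escape_html(front), escape_html(front), escape_html(back)))

LATIN = "arma virumque canō"             # constructed sample with a macron (U+014D)
PROBE = "<script>alert(1)</script>"       # constructed test input for the escaper

if __name__ == "__main__":
    print(escape_as_entities(LATIN))   # arma virumque can&#333;
    print(escape_html(LATIN))          # arma virumque canō
    print(render_card(PROBE, "x"))     # no <script> tag survives in the output
```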

As usual, I'll add a promise to try and update the news regularly. But if I don't, just remember that this site is continually improving behind the scenes.



Sunday, August 3, 2008

Official OpenID Support

It's official! I've just completed the first phase of OpenID support. You no longer have to remember a username and password for this site.

How does it work? When you sign in, simply type in your OpenID and you'll be taken to your provider, which will validate your username and password. Depending on your provider, you might have to pass some tests (like captchas) or set an expiration date for your login.

OpenID is a fairly new and big concept for the Internet. Version 2.0 has just recently been ratified, so it's starting to get big exposure. In fact, Yahoo! now officially supports OpenID. For Yahoo! it's easy: just type in "yahoo.com" as your OpenID and they do the rest. Others who are known to offer support with a "special" URL are Blogger, AIM/AOL, LiveJournal, Verisign and WordPress. For instance, my LiveJournal OpenID would be the same as my LiveJournal user page (efesar.livejournal.com). Others are jumping on the bandwagon as we speak. Myspace has officially announced support for OpenID, but when it will launch is unknown. In some cases, mine for instance, you can even "centralize" an OpenID on your own domain, a feature which works with many sites, but unfortunately not with Yahoo. But it does work with Verisign. For example, I set up my site efesar.com as a "relying party" for my Verisign OpenID. I have a Verisign OpenID, but I can also use "efesar.com" as my OpenID, which then takes me to Verisign.com, which then validates my identification (username, password, fingerprints, security devices, pictures, captchas, etc). Once I'm signed in, it sends me back to the site where I was trying to login, and -- presto-change-o -- I'm logged in.

I'm excited about OpenID and I'm happy to offer it on this site. Personally, I hate having a username and password for every single site I visit. Sometimes my username is not available. Sometimes they have weird password rules. Some are longer, some are shorter, some want more numerals, more symbols and more uppercase letters. It gets to be a real hassle. Someday I hope to narrow my "password" list down to three logins total: a "throwaway" login, a "normal security level" login, and a "high security level" login. We should all be so lucky.

OpenID is very secure (using a lot of back-and-forth encryption and verification) but the "mental process" or "social engineering aspect" does present some security risks for you, but only if you're not careful. Always make sure that any site which accepts OpenID sends you to the real site. Don't type in your password unless you're positive you're on the right site! Any hack can mock up a "fake" (but real-looking) Verisign or Yahoo! login page. It's up to you to make sure it's the real deal. Look at the address bar in your browser -- if it's real, it'll be at yahoo.com or verisign.com. If it's fake, you'll see something stupid like loginsite.partner.yahoo.fakerussianpasswordstealingsite.cc. Never ever ever trust an OpenID in a "new window" or in a "new tab" or in a "popup." Those are almost surely fakes.
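The address-bar check above, written out as an added example (not code from this site or from any OpenID library) of how a relying party or a browser helper should decide which provider a login URL really belongs to: compare whole DNS labels from the right, never search for "yahoo" as a substring. The trusted-provider list is assumed to be exactly the two providers the post names, and requiring HTTPS is an added assumption of the example.

```python
from urllib.parse import urlsplit

# Assumed for this example: the providers the post says to look for in the address bar.
TRUSTED_PROVIDERS = ("yahoo.com", "verisign.com")

def provider_for(url: str):
    """Return the trusted provider a login URL actually belongs to, or None.

    Matches whole DNS labels from the right, so login.yahoo.com is yahoo.com,
    while loginsite.partner.yahoo.fakerussianpasswordstealingsite.cc is not.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":          # a password form belongs on TLS (added assumption)
        return None
    host = (parts.hostname or "").rstrip(".").lower()   # hostname drops any user@ prefix
    labels = host.split(".")
    for provider in TRUSTED_PROVIDERS:
        plabels = provider.split(".")
        if len(labels) >= len(plabels) and labels[-len(plabels):] == plabels:
            return provider
    return None

def naive_substring_check(url: str) -> bool:
    # The mistake the fake URL in the post is built to exploit: "yahoo" appears
    # somewhere in the string, so a substring test says it looks genuine.
    return any(p.split(".")[0] in url.lower() for p in TRUSTED_PROVIDERS)

if __name__ == "__main__":
    FAKE = "https://loginsite.partner.yahoo.fakerussianpasswordstealingsite.cc/login"
    print(provider_for("https://login.yahoo.com/"))   # yahoo.com
    print(provider_for(FAKE))                          # None
    print(naive_substring_check(FAKE))                 # True (why substring checks fail)
```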

Sorry about the rant, but since OpenID is such a new technology, there are going to be a lot of losers out there trying to take advantage of this great technology. Now, back to our regularly scheduled update...

There are a few features that I still have to implement to make this site's OpenID implementation perfectly complete: allowing you to change your OpenID once you've started an account, remembering your OpenID between sessions, and merging multiple accounts. But those aren't big show stoppers, and anyway these features should be up and running shortly. Enjoy!



Tuesday, July 29, 2008

Back End Improvements

So now that the site is "live" Google has been indexing it like mad. There are approximately 18,000 pages on this site (because every word gets its own page), and Google decided to hit every single one of them. Today.

So, the good news is, we survived. The better news is that I was able to see some "holes" in the security and indexing. So, I patched up a few holes and verified and tested the registration and sign-on system. I also added a robots.txt, updated the blog archives so they work and programmatically titled every page so when you see them in a search engine, you'll know exactly what you're looking at.

Well, I'm exhausted. I've been working on this site for 3 days straight, in between sleeping and doing my regular 40-hour-per-week summer job. So maybe I'll just leave it be for a few days and see how it fares.
