OWASP; simply because I had trouble finding it the last couple of times I looked.
Normally when I go there, it is because I want to review their recommendations for Automated Password Resets.
Piro and Kimiko worked out fairly quickly that he was her coffee target of choice.
But have Largo and Erika realized that she broke his arm way back when?
Is Firefox compliant with RFC 2616, section 8.1.4?
Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy. A proxy SHOULD use up to 2*N connections to another server or proxy, where N is the number of simultaneously active users. These guidelines are intended to improve HTTP response times and avoid congestion.
Microsoft says that they comply by default, but give a registry setting to modify the behavior. This is consistent with the data that I saw in a recent test.
When I run a similar test using Firefox, it appears that there are more than two connections running concurrently (that is, I've got three different ports receiving "Continuation or non-HTTP traffic", where the time ranges of the packets overlap).
Answer: Firefox knows that I'm talking to a proxy, and so is throttled by network.http.max-persistent-connections-per-proxy instead of network.http.max-persistent-connections-per-server (see about:config). Since I'm only just discovering this setting today, it seems likely that the current value (4) is the default setting... strangely non-compliant.
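The check I was doing by eye above, written out as an added example (my own script, not anything from Mozilla or the RFC): given connection records pulled from a capture, count the peak number of simultaneously open connections to each destination and compare it to the section 8.1.4 "SHOULD NOT maintain more than 2" guideline. The connection records below are constructed sample data, not a real capture; the host names and port numbers are made up.

```python
"""Peak concurrent connections per destination versus RFC 2616 section 8.1.4.

Added example, not code from the original post. The sample records are
constructed: (client_port, dest_host, dest_port, open_time, close_time),
times in seconds relative to the start of the capture.
"""
from collections import defaultdict

RFC2616_SINGLE_USER_LIMIT = 2   # "SHOULD NOT maintain more than 2 connections"

SAMPLE_CONNECTIONS = [
    (3101, "proxy.example", 8080, 0.00, 1.40),
    (3102, "proxy.example", 8080, 0.05, 1.35),
    (3103, "proxy.example", 8080, 0.10, 1.50),
    (3104, "proxy.example", 8080, 0.90, 1.45),   # fourth overlapping connection
    (3105, "www.example", 80, 2.00, 2.40),
    (3106, "www.example", 80, 2.50, 2.90),      # opened only after 3105 closed
]


def peak_concurrency(connections):
    """Return {(host, port): peak number of simultaneously open connections}."""
    events = defaultdict(list)
    for _client_port, host, port, opened, closed in connections:
        # +1 when a connection opens, -1 when it closes
        events[(host, port)].append((opened, 1))
        events[(host, port)].append((closed, -1))
    peaks = {}
    for dest, evs in events.items():
        current = peak = 0
        # sorting (time, delta) processes a close before an open at equal times,
        # so a connection reused back-to-back is not counted twice
        for _time, delta in sorted(evs):
            current += delta
            peak = max(peak, current)
        peaks[dest] = peak
    return peaks


def compliance_report(connections, limit=RFC2616_SINGLE_USER_LIMIT):
    """Return [(dest, peak, within_limit)], sorted by destination."""
    return [(dest, peak, peak <= limit)
            for dest, peak in sorted(peak_concurrency(connections).items())]


if __name__ == "__main__":
    for (host, port), peak, ok in compliance_report(SAMPLE_CONNECTIONS):
        verdict = "ok" if ok else "exceeds the SHOULD NOT limit"
        print(f"{host}:{port} peak={peak} {verdict}")
```

The proxy destination peaks at four simultaneous connections, which is what the Firefox default of 4 for network.http.max-persistent-connections-per-proxy would produce; the origin server peaks at one because the second connection only opens after the first has closed.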
Future reading: Open Web Application Security Project guidelines to building a secure web application.
[Other mirrors available.]
Often, when googling, I feel that I have trouble choosing search terms (see whale mating).
What I want is, along with my search results, to get a list of search terms, which would improve my search results if I added one. Ideally, the terms would neatly divide the search space, but the user impact I'm really after is "oh, yeah! That's what I meant to search for".
It's really the sort of thing I would expect to be hiding at www.cloogle.com [warning: link to nowhere].
Yeah, yeah - I should just go to google and look for this thing. That's a bit recursive for a Saturday morning.
A translation for much of the Chinese which appears in Firefly. Isn't that convenient.
You guys are so unhip it's a wonder your bums don't fall off.
So I jump from another list of worst songs to Fark's almost anonymous music confessions thread. And I find myself thinking "people are supposed to feel guilty for liking that? Wow, am I unhip."
Well, ok - except for Culture Club. I understand why people should be embarrassed by that one.
"they listened too closely to their largest customers and not enough to their fastest-growing ones." - Management by Baseball
Amy reminds me that the web runs both ways. A quick ego surf suggests that people who can spell my name will have no trouble finding me.
On my search list:
Beckett Hood - Arthur Murray, Austin, 1993
Paul Smith - Arthur Murray, Austin, 1994 ("Want some rye? 'course you do.")
Sierra Vine - Boston, 2003
"Superficially, this site looks like a set of FAQs about a novel that I wrote entitled QUICKSILVER. As time goes on, we hope that it will develop into something a little more than that. We don't know how it will come out. It's an experiment."
I'm not sure the Metaweb bit will pan out - why here rather than at Wikipedia or Wolfram Research?
But I love the idea of using a wiki to support annotations.
Go read Mark Pilgrim before you join the spam wars.
Point the first: ok, we've got an immovable object. What we need is an irresistible force. And, as Mark points out, the resource cost of the war is exorbitant - we need a spare irresistible force. The SETI approach might be an interesting one to try, but I doubt that it is vicious enough. Is there any way we can sic the Scientologists on the spammers? - I really think the Baby Cooper Dollar Bill solution is the most likely to be effective.
Point the second: why on earth are the spammers going after the Internet, when most of the consumer eyeballs are watching television?
In the interest of robustness, servers SHOULD ignore any empty line(s) received where a Request-Line is expected. In other words, if the server is reading the protocol stream at the beginning of a message and receives a CRLF first, it should ignore the CRLF.

Certain buggy HTTP/1.0 client implementations generate extra CRLF's after a POST request. To restate what is explicitly forbidden by the BNF, an HTTP/1.1 client MUST NOT preface or follow a request with an extra CRLF.
Mind you, SHOULD and MUST NOT are defined such that the passage isn't completely hopeless.
Thou shalt be liberal in what thou accepts... Thou shalt be liberal in what thou accepts... Thou shalt be liberal in what thou accepts...
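Both halves of that passage, as an added example (my own code, not from the RFC or any server): a server-side reader that tolerates the empty line(s) a buggy client sends before its Request-Line, and a client-side check that rejects a request padded with the extra CRLF the RFC forbids. The sample requests are constructed. MAX_LEADING_EMPTY_LINES is my own assumed cap; the RFC states no number, but "liberal" should not mean "unbounded", so the reader gives up rather than skipping blank lines forever.

```python
"""Tolerant Request-Line reading per RFC 2616 section 4.1.

Added example, not code from the original post. Sample requests below are
constructed; MAX_LEADING_EMPTY_LINES is an assumed bound, not an RFC value.
"""
import io
import re

MAX_LEADING_EMPTY_LINES = 4
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

# Constructed sample requests
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
LEADING_CRLF = b"\r\n\r\n" + GOOD                       # prefaced with empty lines
BUGGY_POST = (b"POST /form HTTP/1.0\r\nHost: www.example\r\n"
              b"Content-Length: 3\r\n\r\nabc\r\n")        # extra CRLF after the body


def read_request_line(stream, max_empty=MAX_LEADING_EMPTY_LINES):
    """Server side: skip leading empty lines, then parse the Request-Line.

    Returns (method, request_target, http_version); raises ValueError on a
    malformed line, a closed stream, or more than max_empty empty lines.
    """
    skipped = 0
    while True:
        line = stream.readline()
        if not line:
            raise ValueError("connection closed before a Request-Line")
        if line in (b"\r\n", b"\n"):
            skipped += 1
            if skipped > max_empty:
                raise ValueError("too many empty lines before Request-Line")
            continue
        break
    match = REQUEST_LINE.match(line.rstrip(b"\r\n"))
    if not match:
        raise ValueError(f"malformed Request-Line: {line!r}")
    method, target, major, minor = match.groups()
    return method.decode(), target.decode(), f"{int(major)}.{int(minor)}"


def client_request_is_clean(raw):
    """Client side: True only if the request is neither prefaced nor followed
    by an extra CRLF (the HTTP/1.1 MUST NOT of section 4.1).

    The request ends at the blank line plus any Content-Length body; any bytes
    past that point are an extra CRLF or worse.
    """
    if raw.startswith(b"\r\n"):
        return False
    head, separator, body = raw.partition(b"\r\n\r\n")
    if not separator:
        return False                         # header section never terminated
    declared_length = 0
    for header in head.split(b"\r\n")[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"content-length":
            declared_length = int(value.strip())
    return len(body) == declared_length


if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("leading CRLF", LEADING_CRLF),
                       ("buggy POST", BUGGY_POST)):
        print(label, read_request_line(io.BytesIO(raw)),
              "clean" if client_request_is_clean(raw) else "extra CRLF")
```

The reader accepts all three samples, which is the SHOULD; the client-side check rejects two of them, which is the MUST NOT. Keeping the two rules in separate functions is the point: a server that is liberal about what it reads gets no license to be sloppy about what it sends.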
Your Sky, which I discovered last night when trying to tell a friend where to look in the sky to find Mars.
Thanks to Amish Tech Support, I've spent more than a few hours playing Bounce Out
I can finally stop, as I have
It appears that 18 is the limit on the initial bounce. The pattern is a hollow hexapus, with a three armed shadow. I don't think that one is going to turn up any time soon, though I am mildly curious what it scores.
"And groups often gravitate towards members who are the most paranoid and make them leaders, because those are the people who are best at identifying external enemies." -- Clay Shirky, reporting the results of W.R. Bion.
I can see the spam now: "Best programming tutorial on the web! Sign up now!"
But Lar is certainly right. How much of the current economic slowdown can be attributed to the evolution of WWW to XXX?
ColdForged challenged readers to find an image, on the internet, which describes the location of the solar plexus without references to Chakras.
It seems that they are incognito: it wouldn't normally have occurred to me to search for celiac plexus, but there you go.
Last year, TouchGraph launched a demonstration of their information network tool leveraging the Google API.
After playing with it a bit, I got terribly confused. What does this thing think my home page is about, anyway? Why am I related to Ania Mitros? Is this some soulmate I've yet to meet, or worse yet maybe we were supposed to meet yesterday on the bus.
Then I discovered that one of the other people related to her is my college roommate. OK, that's spooky.
Wait, another clue - his current page isn't related; it's his old UNC page. Aha! It considers us to be related because we are all alums of Margarett Root Brown College at Rice University.
Now I'm less impressed. Good to know that Bill made it back to Texas, though.
Q: What happens when you ask IE to apply XSL to a XML document, while also issuing redirects between HTTP and HTTPS?
A: Not much.
UPDATE: IE 6 results added
Spent the day fighting with an application that wants to use both HTTP and HTTPS. Sometimes.
It's not a horrid idea - a clear channel for normal traffic, a secure channel for sensitive traffic. But it gets more complicated...
The automation team noticed the curious incident of the dog in the night time today. C & G, you go, sisters.
But the big surprise is that I can't find an obvious link on the Microsoft website for those that think they've found yet another security issue. Given their track record, I'm disappointed it's not their splash page.
In any case, it doesn't appear that the "Display Mixed Content" prompt appears when it should, if a secure page retrieves a stylesheet via http.
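Since the browser prompt can't be relied on, here is the check done offline, as an added example (my own script, not from Microsoft or the application in question): given the URL a page was served from and its source, list every stylesheet it would fetch over plain HTTP. It covers the three ways a stylesheet gets pulled in that matter here: a <link rel="stylesheet">, an @import inside a <style> block, and the <?xml-stylesheet?> processing instruction that tells IE to apply XSL. The page URL and document below are constructed sample input; the host names are made up.

```python
"""Flag stylesheets an HTTPS page would fetch over plain HTTP (mixed content).

Added example, not code from the original post. SAMPLE_PAGE_URL and
SAMPLE_DOC are constructed input.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# <?xml-stylesheet type="text/xsl" href="..."?> processing instruction
XML_STYLESHEET_PI = re.compile(
    r'<\?xml-stylesheet\s+[^>]*href\s*=\s*["\']([^"\']+)["\']', re.I)
# @import "..."; or @import url(...); inside a <style> block
CSS_IMPORT = re.compile(r'@import\s+(?:url\(\s*)?["\']?([^"\')\s;]+)', re.I)

SAMPLE_PAGE_URL = "https://www.example/report"
SAMPLE_DOC = """<?xml-stylesheet type="text/xsl" href="http://www.example/report.xsl"?>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<style>@import url("https://cdn.example/fonts.css");</style>
</head><body>report body</body></html>"""


class _StylesheetCollector(HTMLParser):
    """Collects href values of <link rel=stylesheet> and @import targets."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "link" and "stylesheet" in rel and a.get("href"):
            self.refs.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.refs.extend(CSS_IMPORT.findall(data))


def stylesheet_refs(doc):
    """Every stylesheet reference in the document, as written (may be relative)."""
    refs = XML_STYLESHEET_PI.findall(doc)
    parser = _StylesheetCollector()
    parser.feed(doc)
    parser.close()
    return refs + parser.refs


def insecure_stylesheets(page_url, doc):
    """Absolute URLs of stylesheets that an https page would fetch over http.

    Returns [] for a page that is not itself https, since mixed content is
    only a concern on a secure page.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    found = []
    for ref in stylesheet_refs(doc):
        absolute = urljoin(page_url, ref)       # relative refs inherit https
        if urlsplit(absolute).scheme == "http":
            found.append(absolute)
    return found


if __name__ == "__main__":
    for url in insecure_stylesheets(SAMPLE_PAGE_URL, SAMPLE_DOC):
        print("mixed content:", url)
```

The relative /css/site.css and the https @import pass; the XSL processing instruction and the CDN theme are the two the prompt should have caught. A redirect from https back to http for one of those fetches would produce the same result from the browser's point of view, which is why the check is worth running on the response the server actually sent rather than on the source as authored.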
Another day, another web browser. Maybe I should subcontract to Ratbert.
This time, the exercise is development of some tools for testing a protocol that, in production, will be carried via HTTPS. Sure, we could just test it all on the HTTP channel, but where's the sport in that, and we'd rather find out now, rather than later, if there is a surprise.
Of course, the web servers I'm working with don't have valid certificates - the cert authority is no longer recognized. I think that reflects the fact that we generated the certs with a server that is no longer in operation.
Not an insurmountable problem, after a bit of digging. The answer was
MKB 182888
The other day, I found myself wishing for an easy way to mock a web service.
Which is to say, that I wanted to hardcode the answer, without interfering with the actual service that was running. It turns out that you can accomplish this with IIS.