XML News from Sunday, October 10, 2004

I was just getting ready to upgrade to Apache httpd 2.5.2 when I noticed an apparent security issue on their web server. This won't allow anybody to crack into www.apache.org, so let me just describe it here, and see what people think. I wanted to check the PGP signature of the file I downloaded from a mirror, so I grabbed the signature from Apache's web site at http://www.apache.org/dist/httpd/httpd-2.0.52.tar.gz.asc. Notice anything funny about that URL? The scheme is http, not https. That means the connection is unauthenticated, which means it's vulnerable to a man in the middle attack. Shouldn't these signatures only be served over an authenticated connection? Am I out to sea, or is this a real problem? Let me know what you think. Before commenting, please take note of two things:

  1. The encryption or lack thereof doesn't matter here. It's authentication I care about.
  2. I'm not really interested in hearing how unlikely man-in-the-middle attacks are. Many, many people and organizations depend on Apache HTTPD and some of them do need to defend against attacks from governments that can subvert the ISPs.

Possibly the verification of the KEYS file from the root certificates might cover this. But if that's the case, then why are we warned to "Make sure you get these files from the main distribution directory, rather than from a mirror." If we really do need to get them from the main site, and not some other site, then we really do need to prevent man-in-the-middle attacks.

Indeed, when I tried to verify the file, a problem showed up:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 33 16 9B 46 FC 12 D4 01  CA 6D DB D7 DE EA 4F D7

This looks like a classic case of good algorithms compromised by bad protocol implementation. This is exactly how codes are broken and security subverted in the real world.
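What a careful download procedure looks like, written out as an added example (this is not code from the original post or from the Apache project): the tarball may come from any mirror, but the detached signature and the KEYS file are fetched only over https, and the signature is accepted only if the signing key's fingerprint matches one pinned out of band. Pinning the fingerprint is what resolves the gpg warning quoted above: gpg's "not certified with a trusted signature" means the web of trust does not vouch for the key, so the script consults gpg's machine-readable status lines and does its own comparison instead. The KEYS URL, the pinned fingerprint and the status-line sample are assumptions or constructed values, not values from the page.

```python
"""Download a release, verify its detached PGP signature, and accept it only
when the signing key's fingerprint equals a fingerprint pinned out of band.
Added example; not the original post's or the Apache project's code."""
import os
import re
import shutil
import subprocess
import urllib.request
from urllib.parse import urlsplit

# gpg --status-fd prints "[GNUPG:] VALIDSIG <fingerprint> <date> ..." only
# for a signature that cryptographically verifies.
STATUS_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]+) ")


def require_https(url: str) -> str:
    """Refuse to fetch signatures or keys over an unauthenticated scheme."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing unauthenticated URL: {url}")
    return url


def normalize_fingerprint(fpr: str) -> str:
    """Strip the spacing gpg prints and upper-case, so strings compare."""
    return re.sub(r"\s+", "", fpr).upper()


def signing_fingerprint(status_output: str):
    """Fingerprint from gpg's VALIDSIG line, or None if the signature is bad."""
    for line in status_output.splitlines():
        m = STATUS_VALIDSIG.match(line)
        if m:
            return m.group(1).upper()
    return None


def signature_is_trusted(status_output: str, pinned_fingerprint: str) -> bool:
    """Accept only a valid signature made by the pinned key. gpg's own
    TRUST_* lines (web of trust) are deliberately ignored; the pin replaces them."""
    fpr = signing_fingerprint(status_output)
    return fpr is not None and fpr == normalize_fingerprint(pinned_fingerprint)


def fetch(url: str, dest: str, authenticated: bool = True) -> str:
    """Download url to dest. Signatures and keys must be authenticated (https);
    the tarball itself may come from any mirror, since the signature covers it."""
    if authenticated:
        require_https(url)
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def verify_release(tarball_url: str, keys_url: str, pinned_fingerprint: str,
                   workdir: str = ".") -> str:
    """Fetch tarball, .asc and KEYS, verify, and return the signing fingerprint.
    Raises if the signature is bad or was made by a key other than the pinned one."""
    tarball = fetch(tarball_url, os.path.join(workdir, os.path.basename(tarball_url)),
                    authenticated=False)
    sig = fetch(tarball_url + ".asc", tarball + ".asc")
    keys = fetch(keys_url, os.path.join(workdir, "KEYS"))
    subprocess.run(["gpg", "--batch", "--import", keys], check=True, capture_output=True)
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
                          capture_output=True, text=True)
    if not signature_is_trusted(proc.stdout, pinned_fingerprint):
        raise RuntimeError(f"signature on {tarball} rejected: "
                           f"signer {signing_fingerprint(proc.stdout)} is not the pinned key")
    return signing_fingerprint(proc.stdout)


# Constructed sample of gpg status output (placeholder key ids and fingerprint),
# used to exercise the parsing without running gpg.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEF00000000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-09-28 1096329600 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    # Assumed URLs and a placeholder fingerprint; substitute the real pinned value.
    print(verify_release("https://www.apache.org/dist/httpd/httpd-2.0.52.tar.gz",
                         "https://www.apache.org/dist/httpd/KEYS",
                         "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"))
```

Note that the sample status output carries `TRUST_UNDEFINED`, which is the machine-readable form of the warning in the post; `signature_is_trusted` still returns true for it when the fingerprint matches the pin, and false for a VALIDSIG from any other key, which is the check that an unauthenticated download of the .asc or KEYS file cannot defeat.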


The IETF has posted another last call working draft of Internationalized Resource Identifiers (IRIs). "An IRI is a sequence of characters from the Universal Character Set (Unicode/ISO 10646). A mapping from IRIs to URIs is defined, which means that IRIs can be used instead of URIs where appropriate to identify resources." In other words this lets you write URLs that use non-ASCII characters such as http://www.libération.fr/. The non-ASCII characters would be converted to a genuine URI using hexadecimally escaped UTF-8. For instance, http://www.libération.fr/ becomes http://www.lib%C3%A9ration.fr/. There's also an alternative, more complicated syntax to be used when the DNS doesn't allow percent escaped domain names. However, the other parts of the IRI (fragment ID, path, scheme, etc.) always use percent escaping. The changes in this draft appear to be editorial in nature.
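The mapping described above, as an added example that is not part of the original post or of the IETF draft: non-ASCII characters in the path, query and fragment become percent-escaped UTF-8, exactly as in the lib%C3%A9ration example, while the host name takes the separate route the draft reserves for DNS names, because a DNS label cannot carry percent escapes. For the host this example uses Python's standard `idna` codec (the ASCII-compatible "xn--" encoding), which is an assumption about what the draft's "more complicated syntax" is in practice rather than something the paragraph states.

```python
"""Map an IRI to the equivalent URI: percent-escaped UTF-8 for path, query
and fragment; IDNA (ASCII-compatible encoding) for the host name.
Added example, not code from the original page."""
import unicodedata
from urllib.parse import quote, urlsplit, urlunsplit

# Characters that may stay unescaped inside a path, query or fragment:
# RFC 3986 unreserved and sub-delims plus the component delimiters, and
# '%' so that escapes already present in the IRI are not double-encoded.
_SAFE = "-._~!$&'()*+,;=:@/?%"
# Inside userinfo ':' '@' and '/' are delimiters, so they must be escaped.
_SAFE_USERINFO = "-._~!$&'()*+,;=%"


def encode_component(text: str, safe: str = _SAFE) -> str:
    """Percent-escape every non-ASCII (and otherwise disallowed) character
    as UTF-8, e.g. 'é' -> '%C3%A9'."""
    return quote(text, safe=safe)


def encode_host(host: str) -> str:
    """Convert a Unicode host name to its ASCII-compatible (IDNA) form;
    a plain ASCII host comes back unchanged."""
    return host.encode("idna").decode("ascii")


def decode_host(ascii_host: str) -> str:
    """Inverse of encode_host, for checking that the mapping round-trips."""
    return ascii_host.encode("ascii").decode("idna")


def host_of(uri: str) -> str:
    return urlsplit(uri).hostname or ""


def iri_to_uri(iri: str) -> str:
    # Normalise first so that composed/decomposed forms of the same
    # character yield the same escapes.
    parts = urlsplit(unicodedata.normalize("NFC", iri))
    netloc = ""
    if parts.username is not None:
        netloc += encode_component(parts.username, _SAFE_USERINFO)
        if parts.password is not None:
            netloc += ":" + encode_component(parts.password, _SAFE_USERINFO)
        netloc += "@"
    if parts.hostname:
        netloc += encode_host(parts.hostname)
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((
        parts.scheme,
        netloc,
        encode_component(parts.path),
        encode_component(parts.query),
        encode_component(parts.fragment),
    ))


if __name__ == "__main__":
    for iri in ("http://www.libération.fr/",
                "http://example.com/résumé?q=é#§"):
        print(iri, "->", iri_to_uri(iri))
```

The first sample shows why the host needs its own treatment: the path form of the page's example, http://www.lib%C3%A9ration.fr/, is a syntactically valid URI but names nothing a resolver can look up, whereas the IDNA host produced here is plain ASCII and decodes back to the original name.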


Aaron Swartz has registered application/rdf+xml as the MIME media type for the Extensible Markup Language (XML) serialization of the Resource Description Framework (RDF). Mark Baker and Mark Nottingham have registered application/soap+xml as the MIME media type for SOAP 1.2 messages serialized as XML 1.0. Time to update your mime.types files.


James Kass has updated Code2001, a freeware TrueType font covering some of the scripts in the new Plane 1, including Deseret, Old Italic, Gothic, Aegean Numbers, Cypriot Syllabary, Pollard Script, and Ugaritic. It also provides experimental support for Old Persian Cuneiform, Tengwar, and Cirth, though the code points here will change in the future. According to Kass, "Code2001 works on Windows 2000, but may not work on other operating systems. Mac OS X supports Unicode's higher planes and Code2001 will work with certain applications." This release adds "rough glyphs for many of the scripts which were added in Unicode 4.0 are now found in the font. These rough, filler glyphs were added quickly in order to enable testing of these additions. These rough glyphs will be improved for the next release, meanwhile they should be better than those little squares."


Sonic Software has released Stylus Studio 6.0, a $495 payware XML editor for Windows. Features include:

New features in 6.0 include:


Steve Ball has released version 1.2.1 of the XSLT Standard Library. This is a collection of commonly-used templates written purely in XSLT. Besides bug fixes, version 1.2.1 adds new SVG and comparison modules and new templates in the string, date-time and math modules. I used the date templates from this library in the stylesheets for Processing XML with Java. xsltsl is open source published under the LGPL.


Engage Interactive has released DOMIT! 0.9.9, a free-as-in-speech (LGPL) DOM implementation for PHP. Version 0.9.9 is a bug fix release.