I've been batting this around for a few days now. Recently, Mary Jo Sminkey of CF Webstore fame posted a note to an email list about the recent requirement by Authorize.net that incoming requests to their API use SSL 3.0. I confess to being unaware of the differences between SSL 2.0 and 3.0. So I set out to discover for myself. To start with, SSL 2.0 uses weaker handshaking. A requesting client can, it seems, edit the list of cipher preferences, leaving the server no choice but to handshake with the "lowest common denominator" cipher. There are some other issues as well dealing with how the packets are constructed, etc. So the consensus is that SSL 2.0 is the weak sister and should be deprecated. For its part, SSL 3.0 has been around for a decade or so and is widely supported.
The question is, will my CFHTTP calls from ColdFusion 6 or ColdFusion 7 still work when Authorize.net disables SSL 2.0? To answer this question I got some great help from Scott Krebs over at Edge Web. He dug out three or four URLs that were really helpful. I've included them at the bottom of this post. I also got some guidance from the Stephen Hawking of cryptography, Mr. Dean H. Saxe (the H is for Holy Cow he knows a lot). The answer is a qualified yes. Anyway, here's what I did to test while I wait for Authorize.net to get their act together and set up a test bed.
Last night I was sitting at home and using my VPN to dial into one of our servers (a Win2k3 server). I noticed that there were a couple of patches pending installation. Now as a rule I do not run every patch, nor do I ever let Windows "manage" patching for me. Instead, I let Windows download the patches and I choose when and what to install. Still, a couple of these patches were important security fixes (usually a good idea), so I installed them. Now Windows does not always require a reboot after patching, but sometimes it does, and yes it is one of the annoying things about Windows, so please don't use this post to comment on how much better Linux is than Windows or cheese or Santa Claus or sex or whatever. Anyway, this time it did ask, and when I chose to restart things went "a bit wonky," as some of my UK readers might say.
If you ever send out a few tens of thousands of messages using CF you know the spool directory can get pretty crowded. If you are like me you sometimes want to keep an eye on it as those messages clear out, to make sure there is nothing funky going on. If you use Windows Explorer this can be a maddening experience. Windows doesn't just retrieve a count of files. It retrieves the entire file list and metadata and it redraws the Explorer window. When you have 50k messages in the spool folder it can take 10 to 30 seconds just for Windows to refresh the count so you can know how many were added to or deleted from the folder.
Instead, I use a little tool called "t4edirsize" from Tools4Ever. I have a "show spool" batch file on my servers that looks like this:
Some web developers never bother to learn the nitty-gritty stuff that makes up the Internet. I've seen very bright programmers who don't know the difference between a GET request and a POST request (or why they should care). In your journey through the IT landscape it would behoove you to pick up a few tips on how the web actually works. In my view you should know the basics of how a web server and browser work together to deliver content. You should know how to set up a web site in IIS or Apache, and you should know when to use a GET and when to use a POST. It also wouldn't hurt to learn about IP addressing, routing, classless subnets, ARP caching, application pools, JVM garbage collection, the theory of relativity and the meaning of life.... but I digress.
Among the items I find myself explaining over and over is the concept of a "Host header" and how it's used on a web server. Like many of my blog posts, this one is intended to help me so I can point to it and not have to repeat myself. Now to be fair, this topic is one I sometimes have to cover with customers and site owners who need to know the difference between a dedicated IP address and a "virtual site". Either way, here's a rundown of "virtual sites" and "host headers".
This topic crops up frequently in our line of work. Among the items that are often listed as important to search engines are "search engine safe" (SES) URLs. It has been pointed out that Google will index just about anything, including obscure-looking URLs with cryptic parameters on them. Although this is true, we shall see that it does not exempt the developer from paying attention to the URL when he or she is thinking about search engine optimization. Let me explain.
Fighting spam is a lot like those movies where blood-sucking zombies just keep coming at you in a never-ending supply of nondescript humanoids who want to eat your brain or take out your daughter. I can live with having to keep filters up to date. I know how to use SPF, SpamAssassin and client-side filters like SpamBayes (check it out if you are an Outlook user). I can even live with the bots constantly attacking my web forms and trying to hack them to send their own mail. But I think I have stumbled onto a technique that smacks of desperation.
Occasionally I view a stats report for my blog. I use SmarterStats from SmarterTools. It's quite good and it gives me some excellent reporting options (I also love their SmarterMail server). One of the reports I like to view is "referring sites". Mostly I'm just snooping to see if any CF bigwigs like Ben Forta, Sean Corfield or Ray Camden have linked to my blog (we keep a bottle of champagne on ice for those occasions). It is interesting to see all of the sites that are listed. All of our CF Webtools blogs are cross-linked, so I see them listed as I would expect. Google, MSN and Yahoo are all represented, as are blog aggregators like fullasagoog and the old Macromedia weblog aggregator. Interestingly, I see some international sites like soso.com and orkut.com.
All of these I can explain, and I understand how they arrived in my log files. But here are a couple I can't explain. There is a link to a site called "blogdim.com", which I took to be another blog portal. When I went to the site, it is actually a personal loan information site. A closer look turned up sites like "topsecuredloan", "onlineapoker", "insurede" and others less benign. How are these particular referring sites getting into my log files? I have a couple of guesses.
My first guess has to do with email. If you are using a web-based email client like Yahoo, and someone sends you an email with a link in it, when you click on the link the "referring site" is actually something like "mail.yahoo.com". So perhaps these sites are showing up because someone is clicking on a link in a web-based email client that uses that domain. I find this explanation unlikely. Would anyone really be checking their mail at a domain like onlinepoker.com? I suppose if they were using a web host where it was set up that way it could happen.
My second guess is that someone clicked on a Google ad for ColdFusion Muse. I quickly went to my AdWords account and verified that I am not set up to serve Google ads for my blog. We only serve ads for our main web site, CF Webtools.
There may be other explanations, but at least one that I can think of is that it is a new form of spam. It would be trivial to create a bot that issues web requests with a specific Referer header. After all, adding your site as a referring site causes your link to show up in reports, and sometimes someone (like myself) will click on it. Of course it would only target folks who are looking at web log reports. Can any Muse readers provide any alternate theories? It certainly seems like an act of desperation, or perhaps just too easy to pass up. In any case, I'm off to apply for a 22% loan. Ta-ta.
You probably know that CF Webtools hosts a fair number of sites in our own burgeoning data center. We are not a commodity host (e.g. GoDaddy or HostMySite). Instead, we host a large group of FarCry sites, several dedicated servers, and a large group of very complicated ColdFusion sites with special requirements (data feeds, point-to-point encryption, data aggregation, third-party secure services, etc.). Our hosting has grown substantially in the last year and has become an excellent revenue center for us.
One type of project we find ourselves doing with some regularity is a "site re-host". Usually a company has an application that clearly requires more help and attention than can be gained using a commodity host and self-service control panels. Furthermore, such sites have often "evolved" from widgety little intranet-type sites with B2B tools, special custom ecommerce applications or homegrown CMS capabilities into monsters of maintenance with hundreds of pages (many of them titled stuff like "order_bak.cfm" or "index.old"). Incidentally, never leave a file like "index.old" on your web site. Because the ".old" extension is not mapped to the ColdFusion engine, a web server in its default configuration will serve that file to your user as plain text without running it through ColdFusion. That exposes your source code and makes you easier to attack.
In any case, re-hosting a site seems like a simple enterprise. If your site consists of a database and codebase then it can be simple, but the devil is in the details (and in the cat, as my Dad used to say). Here is a rundown that you might find useful.
In this post, part 2 "b" in our search engine series, we will discuss how the content and structure of your page might influence how your site is viewed by search engines. In part 1 we talked about having useful and valuable content. That lesson is the foundation on which all other legitimate techniques must be based. If your content is not useful, you are part of the problem we are trying to solve. In part 2 "a" we talked about stuff that goes into the header. Now it's time to talk about things that go into the actual page.