August 2004 Archives

Some exciting and disturbing news surfaced this week. Computer Scientists from France and China have uncovered flaws in the MD5 and SHA-0 hashing algorithms. Though still preliminary, these findings suggest that an attacker could produce a hash collision in a short timeframe on a household PC. The security implications are quite serious. Apache, for example, signs its releases on mirror sites with MD5 checksums. An attacker could, in theory, incorporate malicious code in such a way that the compromised Apache distribution would yield the same MD5 signature.

The discovery of a similar flaw in SHA-1, which is widely used in PGP and SSL, may have been announced last Tuesday at Crypto 2004 in Santa Barbara. I could not find any related articles, however.

I ran into this nytimes.com article this afternoon. Marisa L. Dudiak uses blogs as a form of expression in her second-grade class.

"It allowed them to interact with their peers more quickly than a journal," she said, "and it evened the playing field." Mrs. Dudiak said she found that those who were quiet in class usually came alive online.

The article mentions that blogs are easier to maintain than complex course web sites.

"School Web sites are labor-intensive and are left up to administrators and teachers," said Mr. Grunwald, whose consulting firm in Washington focuses on the technology link between home and school. "With blogging intended to be a vehicle for students, the labor is built in. The work that is required to refresh and maintain an interesting blog is being provided by students."

Instructors have discovered that children often put more thought and time into a blog than they would otherwise put into a journal, because their parents and peers may also read their work.

IPP, which stands for Internet Print Protocol, is a standard protocol for printing, configuring print options, and managing print jobs. It's the native protocol understood by CUPS, the Common UNIX Printing System. It's also widely supported by Windows, Macintosh, and Linux clients. The server accepts local print jobs or, when so configured, jobs from other computers on the LAN or Internet.

WebDAV is a protocol for distributed authoring of web content on web servers. Think of it like FTP, but without FTP.

So what's so interesting about these two seemingly unrelated protocols? They both extend HTTP. Yes, that's right. Normal web servers, like Apache and IIS, may optionally load WebDAV modules. WebDAV clients use the same URL as any web browser, but send special WebDAV HTTP commands like COPY, MOVE, LOCK, UNLOCK, and MKCOL (make directory). (HTTP already includes a PUT command for content uploads.) The outermost layer of CUPS is a normal HTTP server running on port 631. You can administrate CUPS using a regular web browser. When printing a job, a client opens a regular HTTP connection and sends a Print-Job request.

The benefits of extending HTTP are obvious. HTTP already includes extensive, well-tested mechanisms for authentication and security, including SSL. By taking advantage of these features, WebDAV and IPP servers can safely and securely permit remote access by authorized users. In fact, the CUPS configuration file purposefully bears a striking resemblance to Apache's httpd.conf.