by Eric Murray was released this week based on the
results of a random sample of over 8000 secure web servers.
Surprisingly, only two thirds of sites surveyed were found to
have adequate ("strong") encryption. Eric defined strong
sites as those that support TLS v1 or SSL v3, support 128 bit
ciphers, and have valid non-expired third-party certificates.
The June 2000 Netcraft
SSL survey (requires paid subscription) found that 78% of
sites they surveyed were capable of strong encryption, and
the trend is up from only 67% one year earlier. There is no
excuse for sites to have weak encryption since full-strength
servers are available world-wide, commercial and free.
ARIN, one of the organisations responsible for administration
and registration of IP addresses, have recently changed
their policy so that they will no longer issue IP
addresses to be used for IP-based virtual hosting. The
HTTP/1.1 protocol added a new feature to enable multiple
sites to be run on a single IP address, since HTTP/1.1
browsers send the name of the host or site they want to
contact as a Host: header. This is called a "name-based"
virtual host. Some older browsers send the Host: header even
though they are not fully HTTP/1.1 compliant.
Name-based virtual hosts work well for most sites, and
modules such as the mass virtual hosting module,
mod_vhost_alias can allow huge numbers of
name-based virtual hosts on a single IP address. However the
problem is when sites try to use SSL for security. Because of
the way the SSL protocol works, each secure site that has
it's own name needs it's own IP address. If you are running
ten secure sites you will need ten different IP addresses.
Changes have been proposed to allow name-based SSL virtual
hosting, but these are not yet implemented in browsers or
servers. Until this is widely implemented, sites with
multiple SSL virtual hosts will have to argue they are a
special case when requesting IP addresses.
The New York Times this week
contains a story about open source software, specifically
highlighting Linux and Apache. The article includes a picture
of some of the Apache code and one of the Apache founders,
Of the estimated five million software programmers
worldwide, Mr. Behlendorf figures that fewer than 50,000
participate in open-source projects. "The goal is to bring
what works from open source into this other 99 percent of the
programming community," he said.
Apache Velocity is a
clean room implementation of the Java based MVC template
engine WebMacro. Velocity is an alternative to other template
technologies such as JSP and is released under the Apache
Software Foundation license.
In this section we highlight some of the latest articles on
the web that are of interest to Apache users.
The Developer Shed continues it's PHP series, PHP
101 with a look at form-processing capabilities, and an
introduction to the comparison and logical operators and the
"if-else" and "switch" family of conditional statements.
Continuing with the PHP theme is the Intranet Design Magazine
with their guide to
"What's New in PHP4". The article takes a glance at the
most important and useful additions to the language since
PHP3 and how to integrate Java.
CNET Builder.com looks at
"Setting up CGI with SSI and Apache"; covering the basics
of writing and running CGI scripts and using Server Side