How a Secure Web Application Might Work Without SSL

876 days ago

I’m writing some software that makes it easy to make basic changes to web pages. The software is designed to be very easy to install and use. If I do it right, it will be just one file that you install on your server. Even though I love Ruby and am not too fond of Perl, I have considered writing this program in Perl simply because of Perl’s ubiquity. I want there to be very few barriers to entry.

So my dilemma is this: SSL is a barrier to entry. A program like the one I am writing—with access to the source files of a website, with the ability to overwrite those files—needs to be secure. It needs SSL.

But setting up SSL on a server is difficult for those who haven’t done it before, or who are using less sophisticated servers. Also, if you want a real certificate, and not a self-signed one, then you have to pay for it.

I’ve been wracking my brain for an alternative to SSL. Something that runs in the browser and can communicate securely with the server. Something that could be built into the software, so you can use it if you don’t have SSL set up on your server.

The pages themselves should be publicly viewable anyway, so it’s just the commands to the server and the resulting responses that need to be protected. This would be handled by javascript in the background anyhow (AJAX), so these transmissions just need to be encrypted properly.

And that, it turns out, is not really that hard. Imagine the following scenario: the server makes its public key available. The client encrypts the login credentials from the user using that public key. Now only the trusted server can read them, right? And then we can continue the communications that way, or, to save computing resources, we can safely send a symmetric key using this method and encrypt further communications with that? Right? Wrong. Sure, this is encryption, but it’s not very secure.

The server we are communicating with might not be the real one. How can we trust that the public key we are using is actually the right one? And it gets worse. A lot worse. All this JavaScript that’s running in the browser? Where, exactly, did that come from? Well, from the server that we don’t trust. If you were fooled into visiting a spoof of your own website, or if the pages sent by your website had been altered by a third party, it might look like it was doing lots of fancy crypto when it is in fact just stealing your password.

So, after lots of thought I’ve come up with a theoretical method to get around these problems. It’s not perfect and certainly requires a fair level of user-awareness and intervention for it to work, but I think it would provide pretty good security if it could be implemented.

Here’s how it goes:

  1. The server side program is installed on the server with an asymmetric key pair embedded in it; the private key never leaves the server.
  2. A bookmarklet is installed in the user’s browser with the public key embedded in it.
  3. All pages sent by the server are signed with the private key.
  4. The user runs the bookmarklet, which verifies the signature with its embedded public key and so confirms that the page sent by the server has not been altered.
  5. The user now trusts the JavaScript code contained in the received page, which encrypts and decrypts any messages to the server, as described above.

This approach requires that each page received by the client must be checked for a signature before it is used. Unlike with SSL, at any time a third party could be tampering with the pages in transit, inserting arbitrary code (a man-in-the-middle attack) or simply stripping the signature, so an unsigned page has to be treated exactly like one with a bad signature. So the onus would be on the user to verify each page before trusting it.

The basic principle at work here is that because JavaScript bookmarklets are installed by the user instead of presented by the server, they can be trusted to verify a signed web page. If a page has been digitally signed by a trusted source, then we can trust any further security measures implemented by code on the page.

Whether this method actually works will depend on how well such a signature-checking bookmarklet can be implemented. The hard part is that a bookmarklet runs inside the page it is checking, after that page’s own scripts have already run, so it cannot simply trust the live DOM or any function the page could have overridden.

Actiontastic

The best GTD application I’ve seen yet. Strengths are interface design and simplicity. Favorite features: filters true next actions by hiding actions in your context lists that are not at the top of a project list. Also: iPod syncing. It’s still in Beta and will remain free until 1.0.

This takes some wind out of my sails, but since I haven’t had time to work on my own GTD app lately Actiontastic is a welcome sight. It’s almost exactly the app I would have designed if I were doing it in Cocoa.

You Know You've Been Watching Too Much "Battlestar Galactica" When...

1176 days ago

Evil PUR water filter

You think a PUR water filter looks like a Cylon.

Ruby and Cocoa Together at Last?

Ruby Cocoa is “a framework for Mac OS X that allows Cocoa programming in the object-oriented scripting language Ruby.” RubyCocoa’s author, Fujimoto Hisa, claims Apple contacted him in early 2006 stating they would like to include the framework in a future release of Mac OS X. (Via Roustem Karimov.)

HP Printer Documentation Sucks

1193 days ago

I recently had to turn to HP’s online help documentation while setting up a networked color inkjet printer for a faculty member at work. I always dread visiting HP’s website, but on this particular day my experience was unusually heinous.

The page in question is titled HP Printers – Mac OS: Print only HP Drivers (non-Postscript) built into Mac OS X v10.4, but let’s start at the top, shall we? The first heading on the page tells me that I am reading an “HP Support document.” I like that. It’s brief and to the point. As with many first-headings-on-the-page I didn’t even notice it until I decided to write this article and re-visited the site. It was a wonder I even found the page again, as you will know if you’ve ever had to navigate HP’s website. I’m not saying that other sites where you tend to go for documentation and driver downloads are any better. Definitely not saying that.

But HP.com is pretty bad. For example the list of Mac drivers for the DeskJet 6127 goes something like this: After choosing your operating system, you have the following wonderful headings to guide you:

  • “Driver”
  • “Driver – Printer”
  • “CD-ROM order page”

I know I can safely ignore the last one, because I want to download a driver, not order a CD. But what’s the difference between “Driver” and “Driver – Printer.” Well, either one sounds good, so let’s look at what links are listed under both these categories. We have:

  • “DeskJet Software for Mac OS X”
  • “Tiger – Mac OS X v10.4 update information”
  • “hp deskjet 6127 driver for Mac OS X 10.1.5 and OS X 10.2”
  • “HP Inkjet Driver (Universal Binary)”

How is one to choose? I leave out the third option because it appears to only apply to older versions of Mac OS X (the machine is running Tiger). I’m on an Intel Mac, so the Universal Binary option might be a good choice, but the other two choices also sound good, although they don’t specifically mention anything related to Intel-based Macs. I should point out that although you must specify one of seven versions of Windows before getting to the equivalent place for Windows help, there are only two Mac choices: Mac OS 9 and Mac OS X. So I guess for Mac-using HP customers, you just have to live with everything getting thrown in together. But, I digress. I ultimately chose to go with the second, Tiger-mentioning, link since I was not given a finer-grained choice regarding operating systems earlier on. And because I had already installed one of the other drivers and that hadn’t changed anything except my mood.

This is where things get really ugly. Recall, the document is titled “HP Printers – Mac OS: Print only HP Drivers (non-Postscript) built into Mac OS X v10.4 (Tiger).” This seems to be referring to how Mac OS X 10.4 (Tiger) has a bunch of printer drivers built in, and you don’t have to install anything. That sounds familiar. It also alludes to the fact that some printers don’t speak Postscript (PS). That also sounds familiar. I tried setting up the networked printer with the generic PS printer driver but that didn’t work and that’s why I’m reading this document in the first place. So we seem to be off to a good albeit rather wordy start.

Lucky me, there’s a secondary heading just below the first one. It reads “Mac OS X v10.4 Tiger and HP Drivers.” Okay, this document has to do with Tiger and printer drivers. Got it. Let’s move on.

The latest HP printer driver for this device is built into Tiger for print only functionality and does not require a download or reinstallation of any HP software to print.

“Print only” is emphasized, so I’m beginning to wonder what else this printer is capable of. Perhaps receiving print jobs over the network from a computer? Or is that not considered “print only functionality”? What the heck does “print only functionality” mean? And what function other than printing am I likely to be interested in if I am reading this document?

This document applies to raster (non-Postscript) HP Designjet, Deskjet, Business Inkjet, and LaserJet printers.

Good. Good. That’s why I’m here, baby. Show me some love.

In order to best take advantage of the latest HP driver and new Mac OS X v10.4 Tiger features, it is recommended that you delete original HP printer queues from Printer Setup Utility and create a new HP printer queue.

No thanks, I’ll pass on that recommendation. There are about 6 other printers set up on this Mac, and I really don’t want to have to install all of them again, just to get this one working. Moving on to the instructions now, even though I’m not sure what the goal is yet.

1. Upgrade install from Mac OS X v10.1, 10.2, 10.3 – select “Reset Printing System” option (from the Printer Setup Utility pull down menu) to delete all previous printer queues. The HP printer queue can also be deleted manually from Printer Setup Utility.

What? Come again? What does “upgrade install” mean? Am I supposed to upgrade to 10.4 again, just to get this printer working? Hmm, maybe not since it says there that the “queue can also be deleted manually from Printer Setup Utility.” Right, but again, I’m not interested in that.

2. From Printer Setup Utility, click on Add, select connection type (e.g. All, Bonjour, USB, Appletalk) and create new HP printer queue. The Printer Setup Utility is found in the Applications/Utilities folder.

Funny, in my Printer Setup Utility, there’s no “connection type” listed anywhere on the main screen for adding new printers. There is a “protocol” that needs to be set, but the examples given are not options. Also, you may notice that the instructions do not tell me which is the correct option. Basically, they are assuming that I already know the answer to the question I am seeking an answer for: “How do I properly set up a networked non-PostScript HP inkjet in Tiger?” All I know now is that maybe I will have better luck if I delete all the printers that are set up and working just fine. There is one more step:

3. Clean install – If there is a clean install of Tiger, follow step 2 to add a new HP printer queue.

So maybe there is a problem with a Tiger installation that is not “clean.” If there are any printers set up, you cannot add any new HP printers? This makes no sense. But if it really were the problem why couldn’t the documentation just say that? Just say: “There’s this problem in Tiger that can sometimes happen where you have to delete all your printer queues just to set up another printer. We realize that kind of sucks, but at least it will get your printer up and running. Hopefully Apple will fix this sometime soon, or we can find a way to, but for now, here’s what to do…”

But since they didn’t come out and say that, and since the directions they did give are either unacceptable to me (especially since I’m not convinced deleting the other printer queues is going to work) or simply don’t apply to what I see on my screen here in “reality land”, I’m going to give up on this help document. Oh, but there’s one more piece of advice.

NOTE: Please note that Stuffit Expander is no longer included with Tiger, .sit file downloads will require downloading Stuffit at URL http://www.stuffit.com/mac/ . This link will take you outside the Hewlett-Packard web site. HP does not control and is not responsible for information outside the HP web site.

Okay. That might be helpful if there were any driver downloads in .sit format on this page. But there aren’t! There aren’t any downloads on this page. As the last menu so helpfully pointed out, this document didn’t have a version, or a size (i.e. no driver, just some text, I had correctly guessed).

Well, right underneath the very useful Stuffit Expander disclaimer is a “content feedback” form where I can vent my frustration and hopefully someone at HP will take a look and write up some better documentation. So I filled out the form. I tried to be constructive. I pointed out that “upgrade install” didn’t make much sense and that removing all the printers wasn’t the most user friendly approach.

“This is good,” I’m thinking. “I’m making a difference.” I clicked submit. Oops, page not found. I guess I should have read the very bottom of the page before I clicked submit:

Please note this form is for feedback only, so you will not receive a response.

The sad thing is, this little document is just the tip of the iceberg. HP: your printer driver documentation for Mac OS X sucks.


Google Trends

I just discovered Google Trends. This is a tool from Google Labs that charts search terms entered into Google since the beginning of 2004. You can enter multiple terms if you want, separated by commas and Google Trends will graph the results on the same chart.

Some of my favorites:

These should all be taken with a healthy grain of salt. They are only approximations of Google searches. Still, it’s very interesting.

Unified Toolbar/Titlebar for Mac Firefox

By combining GrApple with UNO you can actually have the “unified” look in Firefox on the Mac. GrApple is a skin for Firefox and UNO is a program that makes all of your applications have the unified toolbar/titlebar look. Looks like the UNO version of the GrApple skin takes advantage what UNO does to the titlebar and applies a complementary color scheme to the Firefox toolbar.

I can think of two better ways to do this, neither of which I have seen implemented. (1) Hack only Firefox (or your XUL app) the same way UNO hacks the system as a whole and also provide the complementary skinning for the toolbar. (2) A skin that removes the system chrome and replaces it with “fake” chrome that looks “unified.”

This second method seems the best to me, but it is beset by a few challenges. First, hidechrome=true is not supported on Mac. Also, faking Mac OS chrome would require knowing how to draw the window’s widgets (close, minimize, etc.) the look and feel of which are determined by the Appearance System Preferences.

Penelope

Penelope is the name of the new open source project to “port” the Eudora email client to the Mozilla platform. From the Mozilla Wiki:

It is our goal to build a single development community around Thunderbird and Eudora, so that both mailers advance faster than they previously have.

The team consists of at least six QUALCOMM developers. I wonder if in a few years, we’ll end up with just one major Mozilla-based email client again.

An Overview of Mozilla Platform Technologies

1206 days ago

Or: Mozilla Technologies for Beginners

Even for someone who already knows a lot of the buzzwords, getting started with XUL/Mozilla can be very confusing. Mozilla’s documentation is pretty good, but it can be very hard for beginners. It’s especially difficult to get a handle on what all the technologies are and how they fit together.

Even Before You Start

Before we start, you should probably read the first page of the first chapter of “Creating Applications with Mozilla.”

Warning: The link I just gave you is to an older document and a few things are out of date, so take it with a grain of salt or two. And don’t read more than the first page. Everything else is too old. Also keep in mind that you might not run into the acronym “XPFE” outside of that document very often.

I Have a Whole Bag of Jargon with Your Name on it

What follows is a brief overview of the various technologies and how they relate to one another. I will follow up some of the descriptions with links. For help on the stuff I don’t link to consult the Mozilla Developer Center (MDC) and your favorite search engine.

XUL

XUL stands for XML User Interface Language and is pronounced “zool.” If you want to write a stand-alone application or a Firefox extension, this is the first thing you need to learn. XUL is to Mozilla as HTML is to a web page. XUL defines the structure and meaning of the user interface—what windows there are and what widgets are in each window.

Normally, one XUL file (with a .xul extension) represents a single window in a project. If you are familiar with HTML and XML, then you can jump right in to the more specific things that you can do only with XUL. I mentioned widgets before—these are things you can click on in a window, such as Listboxes, Toolbars, Menus, Splitters, Progress bars etc. All the basic things you need to design an interface are there, and you can even build your own widgets as well (more on this later).

To get started with XUL, I highly recommend the XUL Tutorial over at XUL Planet. There is also a version of this same tutorial on the MDC, which is probably the next place you should look.

Once you have a fair amount of XUL under your belt, you will probably need to learn more about Templates.

Those interested in developing plugins should read about Overlays and also check out the “plugin documentation” on MDC.

JavaScript

JavaScript is a scripting language that is most commonly used in websites to do things like pop up annoying advertisements and add new content on the fly to a page that has already been loaded. If it’s “web 2.0” and you’re not talking about a business model or a graphical style, then it’s probably done with JavaScript. The language has had a huge come-back on the web recently, thanks to Ajax.

In Mozilla, you use JavaScript to do things like open new windows, load files from the local machine, control widgets in the interface, and save user preferences. There are a bunch of Mozilla-specific things you can do with JavaScript that are not available in a web page. In future versions of the Platform you will even be able to interact with SQL databases using JavaScript.

CSS

CSS stands for Cascading Style Sheets, and is a layout and design language. You use this to style your interface, to give it colors and sizes. You use CSS to specify which fonts to use and even which interface elements are visible by default. Again, CSS is primarily a web design language in the wild. In Mozilla, there are extensions to the language for things that pertain to desktop applications, as well as anything that you can do in a web page in Firefox. Examples include platform specific appearances for buttons and transparency.

RDF/XML

RDF stands for Resource Description Framework. It’s more of an idea or concept and not really a language. RDF is a conceptual framework for representing data. Basically it is a way of defining data by representing or listing the connections among that data.

Combine this conceptual framework with XML and you have a way of actually writing it down so that computers and (theoretically) people can understand it.

In other words, RDF is just an idea and RDF/XML is how you write that idea down. RDF/XML is the preferred choice for saving data like preferences, bookmarks, and history in Firefox and similar data in the Mozilla Platform as a whole.

At least two things make this really confusing. (1) Most people say RDF when they mean RDF/XML, but not always. (2) RDF/XML is about the ugliest markup I’ve ever seen. Namespaces make XML look like crap and RDF/XML uses namespaces a lot.

To get started with RDF read Introduction to RDF. And then move on to the XML end of things, perhaps with RDF in Fifty Words or Less.

XULRunner

XULRunner is the temporary name for the program used to package up a project as a stand-alone application. It is not just for XUL. XULRunner allows you to take what is otherwise just an extension to Firefox and create an application out of it that will run all by itself on Windows, Mac, and Linux. Theoretically you can package up anything that will render in Gecko with XULRunner, so you could even use XULRunner to distribute a web page as a stand-alone application.

As I write this, the current “stable developer release” of XULRunner is 1.8.0.4. That means that it works pretty well for developers, which is a nice way of saying that if you’re a Mozilla geek you can probably get it to work. I expect XULRunner to be much better supported once Firefox 3 is released. That will be the first product out of Mozilla to be based on XULRunner. Firefox 2 and Thunderbird 1.5 are packaged up “by hand.”

On Windows and Linux, you can also use XULRunner to run your code as if it were a stand-alone application straight from the project code. This is great for development, since you can skip some steps and still see your code running as if it had been installed as regular old application.

XPInstall

XPInstall stands for Cross-Platform Install and is a way of putting your files together in such a way that they can be used as an extension to a Mozilla-based product. It involves putting important files in the right places and also adding a few more files that make the installation process nice and smooth. If you are working on a stand-alone application you can usually point XULRunner at the same file structure that makes XPInstall work to test your project out all by itself instead of as an extension to another Mozilla-based application.

Wrap Up

XUL and CSS are where the design takes place. These languages define what the structure of the interface is and how it looks. JavaScript is where the programming happens. It defines how the application or extension behaves.

RDF/XML is a way of storing data as links between data.

Finally, if you organize your code the right way, you can use XPInstall to install it as an extension, or XULRunner to package it up as an application.


IndieHIG

UPDATE: IndieHIG now has its own website. The original link I posted was to the Macsb wiki.

The IndieHIG project is an initiative created out of the necessity to document the new look and feel aspects of the Mac OS X experience, outside of the supervision of Apple itself.

Should be very interesting.

Side note: it took me a little while to find this. My search for “indiehig” on Google didn’t find the site, but MSN Live did. Microsoft seems to be spidering the web faster than Google.
