Simon Willison’s Weblog

The Beauty Of The Diffie-Hellman Protocol. Some useful explanations here. Diffie-Hellman is used by OpenID to establish a shared secret between the provider and the consumer.

# 10:08 pm / openid, diffiehellman, reddit, cryptography

More Django (likely more than is healthy). Jacob’s advanced Django tutorial from PyCon. I really like the template he’s using to present the slides and notes.

# 11:08 pm / jacob-kaplan-moss, django, pycon, tutorial, keynote

Permalink Redirect WordPress Plugin (via) Neat WordPress plugin that forces a redirect to an item’s permalink if the URL has any extra crud in it.

# 12:49 am / wordpress, disambiguated, urls, plugins

Steampunk Star Wars (via) Beautiful illustrations of Star Wars re-imagined in a steampunk context.

# 9:38 am / starwars, steampunk, illustrations

i’m Home. “Every time you start a conversation using i’m, Microsoft shares a portion of the program’s advertising revenue with some of the world’s most effective organisations dedicated to social causes.” Microsoft are now getting their marketing ideas from spam e-mail forwards.

# 10:43 am / funny, im, microsoft, spam

Brian Cox at LIFT07. An accessible 20 minute explanation of particle physics and the Large Hadron Collider.

# 11:39 am / cern, largehadroncollider, brian-cox

Adobe wants to be the Microsoft of the Web. The base platform technology for RIAs is too important to be controlled or designed by any single party.

# 1:01 pm / ted-leung, adobe, flash, flex, rias

Safe JSON (via) Subtle but important point about JSON APIs: you shouldn’t use a callback or variable assignment for JSON incorporating private user data, especially if it’s at a predictable URL.

# 1:11 pm / json, security

Math for the Masses. WordPress.com now supports inline LaTeX. A great example of a feature that will turn a small subset of a user base in to life-long fans.

# 2:44 pm / wordpresscom, latex

WordPress 2.1.1 dangerous, Upgrade to 2.1.2. Helping to spread the word. You’re affected if you’ve downloaded WordPress 2.1.1 in the last three or four days.

# 8:06 am / security, wordpress

Programming Erlang. A book on Erlang from the creator of the language himself, out in July but available to buy now as a beta PDF.

# 8:49 am / erlang, books, joe-armstrong

Rack. “Rack provides an minimal interface between webservers supporting Ruby and Ruby frameworks”. Ruby’s equivalent of WSGI has just hit v0.1.

# 8:49 pm / rack, ruby, wsgi

json-taglib. Because JSON just doesn’t have enough angle brackets.

# 8:52 pm / json, xml, jsp

Scaling Python for High-Load Web Sites. Slides from a talk at PyCon. Be sure to switch to the notes view (Ø in the bottom right)—a really nice overview of scaling up from a CGIs to load balanced, memcached Python application servers.

# 9:14 pm / memcached, python, scaling, pycon

pear 0.8. “A libevent/pyevent-based locking session daemon for the web”. Relational databases aren’t particularly well suited to the access characteristics of session data.

# 9:19 pm / sessions, libevent, python

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server.

# 9:24 pm / php, phpinfo, xss, security

Five things I hate about Python. By Jacob Kaplan-Moss. I didn’t know you could force eggs to install unzipped with an option in ~/.pydistutils.cfg—that’s always been my least favourite thing about them.

# 10:32 pm / eggs, python, jacob-kaplan-moss

Wrong-headed impersonation. Kim Cameron discusses user absent authentication, and emphasises the importance of delegation using delegation coupons.

# 2:38 pm / delegation, delegationcoupons, kimcameron, identity, authentication

Dashcode review. “Dashcode is quite possibly the best non-Firebug Javascript environment I’ve ever used.” High praise indeed.

# 9:06 pm / dashcode, firebug, widgets, javascript

JSON is not as safe as people think it is. Joe Walker reminds us that even authenticated JSON served without a callback or variable assignment is vulnerable to CSRF in Firefox, thanks to that browser letting you redefine the Array constructor.

# 10:51 pm / joe-walker, json, csrf, security

phpbb-openid: Your AIM screen name is your OpenID. Log in to a phpBB board with an AOL OpenID and it will try to associate your OpenID with an account that lists that AIM in the profile. This is the kind of behaviour I talked about in my FOWA talk.

# 7:57 am / phpbb, openid, fowa, aim, aol, phpbbopenid

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway.

# 8:06 am / json, security, xss

OpenID on WordPress.com. My first project launch as a freelancer. You can now use your WordPress.com blog as an OpenID.

# 8:41 pm / openid, wordpress, wordpresscom, freelance

Hacking del.icio.us with Python. Nat introduces snaflr, a Python script for republishing selected links from a number of del.icio.us users to one communal account.

# 11:11 pm / delicious, python, natalie-downe

37 Signals’ next app Highrise will support OpenID. I can’t wait to see how the 37 Signals team deal with the UI challenges involved in supporting OpenID logins.

# 9:23 am / openid, 37-signals, highrise

W3C Relaunches HTML Activity (via) “XHTML has proved valuable in other markets” == XHTML on the public Web has failed. Long live HTML!

# 10:34 pm / html, xhtml, w3c

Relying Party Best Practices. Proposed guidelines for OpenID consumers from Martin Atkins, currently under discussion on the mailing list.

# 11:45 pm / martinatkins, openid, bestpractices

Web Focus Leads Newspapers to Hire Programmers for Editorial Staff. It’s great to see this trend taking off. A newsroom is an excellent place to work as a programmer.

# 12:27 am / newspapers, programmers, jobs, adrian-holovaty, jacob-kaplan-moss