Weblog entry #192 for Steve
The SSL certificate for this site had expired, so I've generated a new one which should be valid for the next 365 days.
If you wish to validate the new certificate please follow the SSL certification validation instructions.
Anybody who wishes to donate a real SSL certificate is welcome to offer ;)
The only other thing I've done today is write a small tool to allow people to run SQL queries against Apache logfiles.
If that sounds useful take a look at the asql page.
I'm hungry now, but all is well I've got some bacon ... Mmmm bacon.
Comments on this Entry
goes great with redsauce!
sno
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Brown Sauce!
[ Parent | Reply to this comment ]
[ Send Message | View dkg's Scratchpad | View Weblogs ]
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Unfortunately right now it uses a simple and pretty fragile regular expression... I would like to make it more generic in that regard, perhaps with Apache::LogRegex, but I've not yet done so.
[ Parent | Reply to this comment ]
while (<LOGFILE>) {
    # Common Log Format fields. The pattern is not compiled with /x, so it must stay on one line.
    my ($client, $identuser, $authuser, $date, $time, $tz, $method,
        $url, $protocol, $status, $bytes) =
        /^(\S+) (\S+) (\S+) \[([^:]+):(\d+:\d+:\d+) ([^\]]+)\] "(\S+) (.*?) (\S+)" (\S+) (\S+)$/;
    # ...
}
it works great.
[ Parent | Reply to this comment ]
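An added example, not part of the comments above and not asql's own code: a Python sketch of the idea discussed here, parsing Common Log Format lines with the same field layout as the Perl pattern, loading them into SQLite, and querying them with SQL. The function names, table layout and sample lines are assumptions made for illustration. Lines the pattern rejects (such as Apache's `"-"` request on a timeout) are collected rather than dropped, which is where a fragile pattern hides data from an investigation.

```python
import re
import sqlite3

# Same field layout as the Perl pattern in the comment above, with named groups.
# Status and bytes are tightened to digits (or "-" for bytes) so int() is safe.
CLF = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^:]+):(?P<time>\d+:\d+:\d+) (?P<tz>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>.*?) (?P<protocol>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2008:10:01:05 +0000] "GET /admin.php HTTP/1.1" 404 312',
    '198.51.100.7 - - [12/Mar/2008:10:02:11 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 312',
    '198.51.100.7 - - [12/Mar/2008:10:02:12 +0000] "GET /a b.html HTTP/1.0" 404 312',
    '198.51.100.7 - - [12/Mar/2008:10:02:40 +0000] "-" 408 -',
]

def load(lines):
    """Parse lines into an in-memory SQLite table; return (db, rejected_lines)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (client TEXT, date TEXT, time TEXT,"
               " method TEXT, url TEXT, status INTEGER, bytes INTEGER)")
    rejected = []
    for line in lines:
        m = CLF.match(line.rstrip("\n"))
        if m is None:
            rejected.append(line)  # keep unparsed lines visible, never drop silently
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        db.execute("INSERT INTO logs VALUES (?,?,?,?,?,?,?)",
                   (m["client"], m["date"], m["time"], m["method"],
                    m["url"], int(m["status"]), size))
    return db, rejected

def not_found_by_client(db):
    """Clients ranked by number of 404 responses, a common probe-scanning signal."""
    return db.execute("SELECT client, COUNT(*) FROM logs WHERE status = 404"
                      " GROUP BY client ORDER BY COUNT(*) DESC, client").fetchall()

if __name__ == "__main__":
    db, rejected = load(SAMPLE)
    print(not_found_by_client(db))
    print("unparsed:", rejected)
```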
Have you considered using a free certificate signing service, such as CAcert?
The CAcert root certificate is included in Debian's ca-certificates package, but people have to install it manually in Firefox, Windows and MacOSX. Nevertheless, once they have installed this root certificate you can update your site certificate without disrupting them.
CAcert has a web-of-trust system to verify your identity, but you can get certificates for a webserver or e-mail address if you can respond to a ping e-mail.
Regards!
Bruno
[ Parent | Reply to this comment ]
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
To get a certificate that mentions your name, you have to join the web of trust and have your identity verified by physically meeting with other members. How easy this is depends on your region and the available members there. I did not get round to it yet.
[ Parent | Reply to this comment ]
[ Send Message | View dkg's Scratchpad | View Weblogs ]
> CAcert has a web-of-trust system to verify your identity, but you can get certificates for a webserver or e-mail address if you can respond to a ping e-mail.
This doesn't add up, as far as i can tell. How is it a web of trust, if certificates are issued simply by responding to a ping e-mail? It sounds like it's still a centralized authority, granting certificates according to its particular policy. A web of trust would allow clients to verify the certificates via a number of channels, something that's not possible with the X.509 certificates used in standard TLS. (I wrote an article about this as part of a book about political implications of internet tech if you want to read the argument in more detail)
I'm happy that CACert is out there, but i'm not convinced that their model is better or more trustworthy than the commercial CAs. It's cheaper for the server owner, granted, but it uses the same broken underlying assumptions as the rest of the industry.
I trust a d-a.org certificate signed by Steve's GPG key more than i'd trust any certificate signed by a big international CA.
[ Parent | Reply to this comment ]
I agree that X509 certificates have some broken assumptions, but verifying a server certificate through GPG is not exactly convenient.
[ Parent | Reply to this comment ]
[ Send Message | View dkg's Scratchpad | View Weblogs ]
- Most users don't see any difference between a certificate with "less guarantees" and a "high-guarantee" certificate. If the "weaker", non-web-of-trust certificate is treated as functionally equivalent to the stronger one, the web of trust verifications don't gain anything. Is there anything i can conveniently do with a popular, modern browser that will let me know what kind of certificate i'm looking at?
- the web of trust for CACert is still routed through CACert's own authority. That is, a CACert web-of-trust-validated certificate claims that CACert claims that there are multiple channels through which the identity has been validated. But there's still a single point of failure in that chain: the CACert authority itself. If the CACert authority is compromised (technically or socially), it could be used to issue "web-of-trust-validated" certificates without an actual web of trust behind them. And given their choice of X.509 infrastructure, there is no convenient way for users to verify the multiple channels of trust directly.
[ Parent | Reply to this comment ]