Many sites do mix HTTP and HTTPS content. Sites that do this are no-longer considered secure (Larry goes away, the lock has a warning symbol over it) for good reason, the insecure content cannot be trusted. It may have been tampered with. If the content was a javascript file for instance, it could be very bad news.

But if we know that data from a secure source can’t be tampered with, could it vouch for content that isn’t secure? Let’s take an example of a fictitious webpage :


<script type="text/javascript" src="http://media.cesaroliveira.net/badass-javascript.js"></script>
<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" />
Credit card number : <input type="text" ...


Even though the site is served securely, some important information is sent insecurely. I am proposing that the secure content is able to pass along a hash (sha1, not md5) of the content that it expects. If the content in the insecure channel meets the has the same hash value, then we can be reasonably assured that the data has not been tampered with during transport. Let’s see the code again :


<script type="text/javascript" src="http://media.cesaroliveira.net/badass-javascript.js" data-hash="sha1:12b36be3076d357b2d390b2df3f9b65cd55b93e1" ></script>
<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" data-hash="sha1:bcf31e777fa69753f8ecf9701fc9b6f1518b51b3" />
Credit card number : <input type="text" ...


Starts with data- because I doubt something like this would be implemented outside of my head. But it seems to solve the problem of tampering with the data. If the hashes don’t match, the website is still broken. If they do match then we should be able to breathe easily.

Of course, in time people will figure out vulnerabilities. Hash collisions is a problem. But this is something that web had to deal with before. Maybe a nice edition would be allowing multiple hash values, like :

<img src=”http://media.cesaroliveira.net/panda.jpg” alt=”look out!” data-hash=”sha1:bcf31e777fa69753f8ecf9701fc9b6f1518b51b3;md5:953c78ac57ca68bfe532eb50120c8aa1″ />

Yeah. I know I said no md5

The reason maps doesn’t support Minefield is because of *drumrolls* … browser sniffing. Developers… no wait… GOOGLE web developers, I thought we moved on?

The actual bit of code is here unminimized and tidied up ;

function isBrowserGeolocationSupported(){
    if (window.navigator &&
        navigator.userAgent.search("Firefox") != -1 &&
        navigator.geolocation)
        return true;
    if (window.navigator &&
        navigator.userAgent.search("Chrome") != -1)
        return Number(String(/Chrome\/[0-9]+/.exec(navigator.userAgent)).substr(7))>=2;
    var gearsFactory=null;

The hell? Ok, so I understand they do a bit of browser sniffing because it looks like Chrome had a old/broken implementation of geolocation. But I wish there was a more graceful way of doing this (maybe something like navigator.geolocation.version < 1). One that didn't break every application that may implement geolocation that isn't named Firefox. Because, those exist too.

While going about my day, I wondering if self-signed certs can be used in a way that wouldn’t get you ostracized from a security conscious community. Johnathon has warned the blogosphere at large why self-signed certs are bad and why Firefox makes you jump through hoops to allow a self-signed cert to get through. But I thought of a good use case for why you may want to use it :

1. Self-signed certs provide little value for your users (fe. blog comments are public anyways)
2. You may not have the means (eg. credit card, unique ip if your with Dreamhost) to buy one
3. You only really need them for some basic stuff that users shouldn’t interact with at all. Like logging in to wordpress.

In which case, you can generate a self-signed cert and configure a web server to serve you it on some uncommon port such as port 43034. The benefit is that its transparent to users. It will not interfere with their browsing. And you get the benefit of encryption and authorization, and knowing for certain that the certificate is yours (you have access to the certificate’s fingerprints).

I tried this on Dreamhost and I failed. Or, rather, Apache doesn’t you set up a <VirtualHost> in a .htaccess file. Dreamhost didn’t have anything in their web panel that would fix this. You can enable SSL for a site, but they force you into port 443 and don’t let you have both HTTP and HTTPS.

Another excellent educational learning opportunity ruined by over-zealous security zealots.

The first project I started doing for fun was working on canvas. This was different then some canvas stuff I have done in the past, The interesting people at nihilogic did a sepia filter using canvas. I wondered if it was possible to do filter so you can see an image with a red-green colour blindness. After some substandard research, I finally managed to do it. Though the quality is poor because it tends to be inaccurate. YMMV.

I wondered if you can do something like this for an entire webpage. So I moved the Javascript to an extension so I can use canvas’ drawWindow() method and take a picture of the entire website. Though I noticed that doing this on large image was computationally expensive and locking up the UI for an unreasonable amount of time.

I then tried to move all the calculations out of the main thread into a DOM worker thread. It was an interesting experience. I noticed though that while the main thread (and therefore, the UI) did not lock up, it was still sluggish and impractical to use. So I decided not to develop the extension further.

You can see the full demo here.

I then thought about what this would look like on other browsers. I didn’t expect anything requiring DOM worker threads to work on Safari/Opera. And sure enough, it didn’t. But I found out that DOM worker threads was based off of Google gears! So I looked into that and made a separate webpage that uses gears. Unfortunately, I found out that my efforts were largely wasted, as it only increased support to Firefox 2 and Mac Safari (Gears isn’t compatible with Windows Safari or Opera, and IE doesn’t have canvas support).

Either way, I made the Gears version available here.

Going away from canvas, I spent most of another day working on Google Maps API. The problem I was trying to solve was to see if I can highlight a 1 square kilometre radius from a pinpoint. This was difficult, as points on a map had a latitude, longitude co-ordinate, and I had to blindly figure out how much to reposition for a half-kilometre. Finding the distance between two points was also helpful, but hard getting a good formula for.

Of course, I am highlighting all the accomplishments and not mentioning the frustrating obstacles. There were several lessons learn on the way. Including a lot about incompatibility and how much I still don’t know how to do the kind of algorithmic research that you sometimes need. I’m starting to wonder if the BSD course taught me more than just to be a code monkey with a business touch, and made me wonder whether the theoretical/mathematical part will ever stop me doing something because “I just won’t get it”. Though, at the same time, I wasn’t willing to put the time and effort of research into pet projects. So this will probably be a problem for almost everyone, and not just me (honestly, mapping out longitude and latitude to distance is not something you learn anywhere).