Scott Hanselman

When did iTunes start sucking?

I rarely Blog Bile™ but I've been an iTunes fan since day one, and suddenly iTunes 7 is the only application that can utterly suck the life out of Windows. It's ridiculously slow. Literally simple things like moving or resizing the window are "Click...wait 2 seconds...drag" operations. I've got a lousy 7034 songs and I can't even scroll or search without pain. It's bad under Windows XP, but it's unusable under Vista. I'm also totally unable to play my protected songs under Vista RC2. I've googled, but I'm not getting a sense that this is a pervasive problem.

Is anyone else seeing this problem? What happened to cause iTunes to fall from grace?

Please, discuss.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Hosting By

Here's an excerpt from a "mid-level" educational/nutshell whitepaper I'm doing on the new shiny SSL certificates that are coming soon. If you want information from someone who REALLY knows what they are talking about, subscribe to Tim Callan's SSL Blog. Also, watch the IEBlog. If you're running IE7, you can download and install a sample testing certificate then visit the fictional https://www.woodgrovebank.com and see the new certificates it in action. 

ASIDE: On a totally different (but, eh, slightly related) note (and I'll blog or Hanselminutes.com about this later), if you're running IE7 and .NET Framework 3.0, check this out.

SSL - Secure Sockets Layer

What is changing?

Every online banking site protects their user’s data while it is in transit on the wire using Secure Sockets Layer or SSL, running one layer below protocols like HTTP and FTP. Many end users are informed enough to look for the “s” in HTTPS in their browser’s address bar and most look for a lock in the browser status bar before sending private data across the Internet.

Early versions of SSL used comparatively weak 40-bit encryption but most sites now use at the very least 128-bit and in some cases, 256-bit AES encryption. Many impose this important restriction by default by allowing only SSL3.0/TLS1.0 over HTTPS.

This screenshot from the Mozilla Firefox browsers shows that the encryption strength of two different banking sites. This dialog is reached by the user clicking on the lock icon within their browser.

In these examples, both sites are using high-grade encryption.

Recently more and more phishers have been successful in fooling the public into giving up personal information with the use of so-called “domain-authenticated SSL Certificates.” These SSL Certificates go through virtually no background check to prove the site is who they say they are. They prove only the domain name, but as the general public rarely clicks on the lock icon to view more information about the company or organization behind a SSL connection, they assume that a secure connection equals a trusted connection. This, of course, is not the case. Unfortunately these SSL Certificates look essentially the same to the browser as one issued by a highly trusted certification authority, thereby causing a phisher’s site to look “as secure” as your bank’s site.

High Assurance or Extended Validation SSL Certificates are a new kind of SSL certificate that will be treated very differently by newer browsers. Internet Explorer 7 will be the first browser to take advantage of this new technology with others like Firefox and Opera very close behind. This standard is being actively developed by the CA/Browser Forum as of this writing and will be referred to commonly as EV SSL Certificates.

To quote from Tim Callan’s SSL Blog at http://blogs.verisign.com/ssl-blog/2006/03/a_new_kind_of_ssl_certificate_1.html:

If every Internet user in the world had a browser that recognized the difference between High Assurance SSL Certificates and traditional ones and if every legitimate site used a High Assurance certificate, then phishing as we know it today would essentially be eliminated.

A lofty goal indeed, but one worth striving for.

How will an EV SSL Certificate change the end-user experience?

When visiting a test Banking Site that has an EV SSL Certificate using IE7, the address bar turns green and a new active lock icon appears showing the name of the organization this site claims to be.

The lock icon toggles back and forth also showing the Certificate Authority that issued the certificate.

If the user clicks anywhere in the secured area of the address bar, the identifying EV SSL Certificate popup is green and shows the user information they can use to make the decision to trust this site or not.

What is required to get an EV SSL Certificate?

As of this writing EV SSL Certificates are not yet available for purchase, but they are expected within very soon as the standard is finalized. Within a year expect all major browsers to support the standard and within another year most e-commerce users will know to watch for the new browser behaviors when making their decisions. I predict some browsers will have settings that will only allow users to visit sites over SSL that use EV SSL certificates.

Educate your organization about the importance of having an EV SSL certificate when they are ready to be issued, and be prepared to meet the much more rigorous standards that will be expected by the Certificate Authority before they issue one. There will likely be a revised Certificate Authority WebTrust auditing standard (usually called CA Web Trust) that CAs will have to pass before they can issue an EV SSL certificate, and CAs will impose much stricter vetting procedures to verify the company or organization requesting the certificate is who they say they are.

Conclusion

Given the concerns on today's Internet around privacy and control over content, every e-commerce or banking site should be prepared to upgrade their SSL Certificates to EV SSL. There's no downside.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Hosting By

My thirty-eighth Podcast is up.  This one is a little off the beaten path, but it's a topic that is near and dear to me as I'm a Type 1 Diabetic on both an Insulin Pump and Continuous Glucose Meter - 24 hours a day. I figure since you're all technologists you'd be interested in some of the discussion around how this problem can be solved, mostly using technology. I hope you enjoy it.

We're listed in the iTunes Podcast Directory, so I encourage you to subscribe with a single click (two in Firefox) with the button below. For those of you on slower connections there are lo-fi and torrent-based versions as well.

Subscribe:

Links from the show are also always on the show site, although this show had no links to speak of. Do also remember the archives are always up and they have PDF Transcripts, a little known feature that show up a few weeks after each show.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Hosting By

Last year this time, I posted my reading list for that month with the grand idea of posting the list monthly, but it's just such a hassle to get the books input into the post. (Should have used Amazoner, I suppose) However, I remembered, belatedly yesterday that the whole point of writing the Windows Live Writer CueCat/Amazon Plugin (I need a better name) was to make this kind of list. So, here's a partial list of what I've just finished reading, or that I'm in the middle of reading.

• I've just finished reading Stardust by Neil Gaiman and what a fine book it is! I noticed on Amazon that folks who read the kinds of books I read also read Gaiman, so on a whim I just went to my local book store and bought every Gaiman book. I was not disappointed. He definitely has a writing style, while his books can only be described as modern fantasy. Truly a great book by a great author.
• I'm about 300 pages into American Gods: A Novel by Neil Gaiman and it's another that did not disappoint. It's a little more obscure in its references and I've had to look up a few mythological things, but it's a book that is hard to put down. It could be a fantastic movie if someone truly cared enough about doing it right. Do check out his blog as well.
• I'm always trying to Learn Zulu but there's not a lot of books published in the last 10 years on the subject. I keep this one around just to stay frosty.

• Travis has been trying to get me into Vurt by Jeff Noon and it's just not happening. I've been 150 pages into this thing for at least 2 months now and I just can't slog through it. It's so abstract as to be obtuse. I'm hoping it picks up soon.
• I enjoyed The Goal by Eli Goldratt so Chris Brooks recommended Critical Chain. I'm only a few chapters in, but it's already got me thinking.
• As a new Dad, I'm loving John Rosemond's New Parent Power! It's huge, but appropriately broad in scope. I particularly like the "Principle of Benign Deprivation: Give your kids 100% of what they need, and 10% of what they want." That's how I was raised and I think it's a great way to manage things in this tricky American metaculture of acquisition we live in.
• Chris Sells recommended On Basilisk Station (Honor Harrington) by David Weber and I'm about 1/4 of the way through but it's just not gripping me. Not sure why, it just reads so old. You have have a paperback read worse than a hardback with bright white paper?
• I finished a re-read of The Forever War by Joe Haldeman and while there's a whole overly weird Free Love section that reeks of the 70s, the message is clear and while it was a thinly veiled Vietnam War protest novel, it could be read as a thinly veiled Iraq War protest novel. The Time Dilation stuff is always fun, with a great ending to get you thinking.
• I'm about done with Abraham: A Journey to the Heart of Three Faiths by Bruce Feiler that explores the relationship that Islam, Judaism and Christianity have with Abraham, and how things seem to hinge on their differing views of him as a biblical and possibly historical figure.
• I'm really enjoying A Short History of Nearly Everything by Bill Bryson. It is clearly a history book more than it's a Popular Science book, but the author's zest of the topic(s) and the huge breadth of the book really put a human face on the discoveries (unfortunately largely Western) of the last few hundred years and how they relate to the fullness of time.
• I've got Mo reading Kindred (Bluestreak Black Women Writers) by Octavia E. Butler. This is an alternate history book, but more a Time Travel book where the time travel itself is both glossed over from a technical point of view, but also fundamental to the point. A modern Black woman is pulled back into the late 19th century Baltimore and is enslaved by her Great-Great-Great-Grandfather. Another alternate-universe book by way of racial allegory is The Intuitionist about the theoretical first Black female Elevator Inspector. Also recommended.
• You can never go wrong with anything Philip K. Dick writes, so I fall asleep with a re-reading of any of his great short stories like those in  The Eye of The Sibyl and Other Classic Stories (The Collected Short Stories of Philip K. Dick, Vol. 5) by Philip K. Dick.
• I thoroughly enjoy Ursula Le Guin's work, and I was particularly pulled into Rocannon's World in this compilation of three novels in one: Worlds of Exile and Illusion: Rocannon's World, Planet of Exile, City of Illusions by Ursula K. Le Guin
• Philip Dick writes a lot of alternative history - what if Hitler won the war?-type stuff. In The Man in the High Castle by Philip K. Dick Americans live under Japanese occupation and explores the relationship between German and Japanese culture.
• I loved Neverwhere: A Novel by Neil Gaiman. I'm only halfway through American Gods, but so far Neverwhere is my favorite Gaiman book. It's set in the world of London Below, a parallel world in the sewers where those we've forgotten go. I won't ruin it for you, just check it out.

Well, the wife and I are off to dinner, it's our 6th wedding anniversary! (We eloped a year before the white-dress-wedding)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Hosting By

The MSDN Docs are very careful not to recommend using impersonation it affects connection pooling when talking to databases downstream. The suggestion that one takes care when using impersonation has been in place since its inception.

Know Your Tradeoffs with Impersonation

Be aware that impersonation prevents the efficient use of connection pooling if you access downstream databases by using the impersonated identity. This impacts the ability of your application to scale. Also, using impersonation can introduce other security vulnerabilities, particularly in multi-threaded applications, such as ASP.NET Web applications.

You might need impersonation if you need to:

· Flow the original caller's security context to the middle tier and/or data tier of your Web application to support fine-grained (per-user) authorization.

· Flow the original caller's security context to the downstream tiers to support operating system level auditing.

· Access a particular network resource by using a specific identity.

(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGGuidelines0001.asp)

ScottGu has a good post on how to use declarative authorization to restrict access without impersonation. This works great with Forms Authentication and Custom Principals like we use at Corillian. Here's one of his examples:

   1:  using System;

   2:  using System.Security.Permissions;

   3:   

   4:  [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]

   5:  public class EmployeeManager

   6:  {

   7:      [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]

   8:      public Employee LookupEmployee(int employeeID)

   9:      {

  10:         // todo

  11:      }

  12:   

  13:      [PrincipalPermission(SecurityAction.Demand, Role = "HR")]

  14:      public void AddEmployee(Employee e)

  15:      {

  16:         // todo

  17:      }

  18:  } 

There's all sorts of wacky things one can do with impersonation, but it you ask yourself WHY you need it, perhaps you'll find a simpler solution.

One of my bosses always says "Guy walks into support, sez he needs a bigger mobile phone antenna. Doe he need a bigger antenna or does he really want better reception? Don't let your users dictate your solution with their statement of the problem."

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Hosting By