Entries tagged as apache

Webmontag Karlsruhe: Talk on data protection

Tuesday, November 20. 2007, 00:36
Yesterday was Webmontag in Karlsruhe again. I gave a talk on data protection and data minimization for web servers, in the context of Wir speichern nicht and the recent ruling against the Ministry of Justice, which prohibited the storage of IP addresses.
The discussion was lively, though it very quickly moved toward legal and political questions, while the talk focused more on the technical side.
Slides on data protection and data minimization as OpenDocument

There was also a talk on OpenSocial, pictures from the Barcamp and the Web 2.0 Expo Berlin, and some grumbling about the new calendar from Karlsruhe's city marketing.

https with multiple certs on one IP

Wednesday, October 24. 2007, 23:25
A big problem with web security in the past was that it was impossible to have https-hosts with more than one certificate per IP. This is due to the protocol design of https, which needs to establish an ssl-connection with the certificate before the hostname is transferred.

There is a solution though, called Server Name Indication (SNI), which is part of TLS. Strangely enough, client compatibility isn't that much of a problem. Firefox, Opera and IE already support it in their current versions, konqueror will with kde4, I've no information when it'll hit safari. Oh, and I haven't tested w3m, lynx, links and wget yet, but if you want, feel free to add your experiences to the comments :-)

The problem was that until some weeks ago, openssl didn't support SNI, apache's mod_ssl didn't, lighttpd didn't. Only GnuTLS did, but mod_gnutls is considered unstable by its authors. With OpenSSL 0.9.8f, TLS Extensions and with them SNI landed in openssl; apache still needs patches.

We've now implemented SNI on schokokeks.org, which you can test:
https://www.schokokeks.org/
https://www.hboeck.de/
https://www.fabian-fingerle.de/

If your browser supports SNI, you should see different certificates, all on the same IP. All certs are cacert-signed; cacert also has a wiki page from the VhostTaskForce on SNI and alternative solutions.

Short Tip: Change Serendipity URLs

Friday, May 11. 2007, 07:05
Up until recently, I had URLs of the form /item/number, because this was the URL naming scheme of bblog, an ancient blogging software I used years back. Now serendipity supports URLs with the title (minus problematic characters), which is much better for search engines, because they often rate words that appear in the URL better. Changing the URLs after years of blogging doesn't seem appropriate (probably hundreds of links, trackbacks, bookmarks), so I needed some migration path. Serendipity doesn't support two URL schemes out of the box, so I hacked some bash to do the trick. After changing the URL scheme, this will generate redirect rules (add them to .htaccess after the s9y-stuff), which send a »moved permanently« answer. This has to be done only once, as there won't be links to new articles with the old scheme.
It's a fast hack and it probably doesn't fit other situations without changes, but it's a nice example of how fast you get somewhere with some bash and sed magic:

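# For each of the 31 archive pages: take the title links, extract the new
# URL, and emit a 301 rule mapping the old /item/<id> to it.
# Uses GNU sed (\w); & in the replacement is the whole matched new URL.
for i in $(seq 1 31); do
  wget --quiet -O - "http://www.hboeck.de/archives/P$i.html" | grep serendipity_title |
    sed -e 's:^.*href="\([^"]*\)">.*$:\1:g' |
    sed -e 's:^/\w*/\(\w*\)-.*:RewriteRule ^item/\1 & [L,R=301]:g'
done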