Paul E. Jones' Blog

Secure HTTP Cookies

March 2, 2010

Some people love them and some people hate them, but HTTP cookies are really darn useful. Cookies are the way web sites remember who you are, avoiding the need to enter and re-enter your password from day to day. Cookies can also store information, such as user preferences on a given computer.

Facebook, blogs, and many other public web sites use cookies. They can be misused, of course, such as by advertisers who track your movement around the Internet. However, most uses of cookies are not so invasive. But, there is a big problem with cookies: they’re entirely insecure.

Cookies might be encrypted by the server, so certain information in the cookie might be secure. However, when cookies are used to maintain a user’s logged in state, the user is at risk of having his or her session stolen. This happened recently with Facebook, in fact. Worse, what if a hacker is able to grab a user’s session and post malicious content or delete photos or do other destructive acts in the name of the user? This is scary.

What solutions exist? Presently, the only solution is to use HTTPS. HTTPS will encrypt all traffic to and from the client. Unfortunately, HTTPS comes with a high price: encrypting and decrypting every single bit of data between the browser and server is expensive.

So, a colleague and I thought about a better approach and we came up with a proposal for just encrypting a part of the cookie information passed between the client and server. Have a look and tell me what you think. The draft can be found here.

H.323 and SIP Debates Rage On

February 19, 2010

You know, back in 1999 there were rather heated debates over H.323 vs. SIP. Then, there were claims that H.323 was dead. (Jeff Pulver said that: I heard it with my own ears.)

Roll the clock forward to 2010 and we still hear the same things. OK, perhaps it is not being declared dead, but some view H.323 less favorably for whatever reason. Is it because SIP does something H.323 cannot do? Nope. H.323 does everything SIP can do and more.

Perhaps one day SIP might be a major success. After all, if 5,000 people start charging through a concrete block wall thinking they can run through it, they will likely succeed. There might be a few casualties on the front line, but they'll knock it down. And so it is with SIP.

The reality is, though, that H.323 continues to be deployed and it dominates the videoconferencing market. As chair of the H.323 standards committee, I'm still actively engaged in the development of H.323 and spending some time looking forward now to H.325.

I will not try to sell you on the concept of H.323, since it is a well-established protocol. But, the new XML-based H.325 is really exciting. If you wish to know more about it, by all means, ping me.

In the meantime, let the debates continue! This is quite the spectacle! I'm eager to see what things will look like in another 10 years. :-)

Credit Card Companies Are Really Greedy and Stupid

February 15, 2010

OK, we’ve all known that credit card companies are greedy. Perhaps that isn’t even a fair description, I’ll admit. Financial institutions are in business to make money and so they will do things in order to ensure profitability. Shareholders expect that.

Still, the logic of these companies escapes me a little. The other day, I logged into my account to pay my credit card bill when I was presented with this message that said “Late Payment Warning”. It scared me, because I thought that perhaps I had missed my payment due date. I clicked on the link and it said that if I failed to make my payment by the due date that I would be charged $40 and my account would be subject to a Penalty APR of 29.99%.

Wow, those are strong threats for a person who has never been late making a payment. So, I called the credit card company and told them I wanted to cancel my credit card. They asked why and I told them. They then proceeded to tell me that that message is on every person’s account due to new federal laws. I replied explaining to them that there were no federal laws that required them to charge $40 or increase my interest rate to some astronomical rate. Further, any such notices to that effect could be done more tactfully. This went on for at least 10 or 15 minutes and between two different people who were begging me not to cancel my credit card.

Perhaps this is a petty reason to cancel a credit card, but we all know that it takes loss of customers for a company to change and I don’t mind being the first person to “speak with his wallet.”

What followed was absolutely hilarious. Apparently while my credit card company was on the phone with me pleading to keep my business, the same company was mailing a letter to my step-daughter to inform her that if she didn’t spend more money on her credit card each year, she would have to pay a $60 annual fee. In fact, they planned to charge her $60 in a month or two and would then return that to her after a year if she charged at least $2,400. Let’s review: they will charge her $60, but then credit her account in one year, at which time they will charge her $60 again? They did say this was an annual fee.

Clearly, she has no desire to pay $60/year and will call (if she hasn’t already) to cancel her credit card. Even if she would charge $2,400 over the next year, she does not want to give the credit card company a $60 loan or whatever you call this charge/refund/charge/refund every year.

As far as I can tell, the credit card company is greedy for not wanting to deal with low-volume customers and wasting time arguing with higher-volume customers, and stupid for throwing away current and potential business from responsible people like my step-daughter.

Really Stupid Software Error

February 15, 2010

I have often seen some really stupid software errors. Today, I received one that I think ought to be right up there at the top. Here it is:

Perhaps there is a logical explanation for how accessing my local hard drive is a "network error", but it escapes me.

It's Official: XMPP is the Winner for Instant Messaging and Presence

February 12, 2010

Perhaps this is hardly news, but it has been a very slow time coming. Back in 1999 or 2000, there was a push to try to integrate H.323 with XMPP. The challenge with doing that, as you can imagine, was that H.323 is focused on voice and video, while XMPP is focused on instant messaging and presence. Trying to glue these two technologies together is challenging at best. So, the H.323 experts group elected to let the protocols go their independent directions.

Then, in the early 2000s there was an effort in the SIP-related working groups in the IETF to, dare I say, clobber XMPP with the introduction of presence and instant messaging functionality in SIP. Like H.323, SIP was not designed to do that and, while it could be done, did it make sense? Apparently, some people felt that it did and so they forged ahead with the creation of SIMPLE, which are hardly trivial extensions to SIP that enable instant messaging and presence. The problem is that it never took off.

Meanwhile, Jabber (the company behind XMPP) was making significant inroads in the enterprise market with XMPP. It was great: it was secure, scalable, and worked seamlessly between enterprise domains.

Google recognized the strength of XMPP and decided to adopt that protocol for its IM client rather than introduce yet another proprietary IM protocol in the market. That was a smart move.

Over the past couple of years, virtually every instant messaging provider and enterprise product manufacturer working in this space has announced support for XMPP and many have already delivered.

Cisco acquired Jabber and the service is already available from its WebEx division. Microsoft announced support in OCS. Of course, Google was already deploying XMPP with GoogleTalk. AOL adopted XMPP. Yahoo! seems to be moving in that direction. IBM Lotus Sametime supports XMPP. Most recently, Facebook announced support for XMPP.

So, with support from virtually every major network in the world, coupled with the fact that any domain owner can operate an XMPP server much like one can an email server, the winner is clear: XMPP is the standard for instant messaging and presence.

Avaya to the Power of N?

January 21, 2010

As many of you probably know, Avaya acquired Nortel's enterprise assets a few months ago. Now, they're out making noise about how Avaya is more powerful and stronger than ever before. They are Avaya to the power of N!

Here's an ad Avaya is running:

I laughed when I saw that. So, Nortel has been and still is a sinking ship, meaning its value is approaching 0. So what do we get from this equation? At least it isn't zero, I suppose.

Internet Explorer Market Share Shrinks, Safari Takes Flight

December 27, 2009

While the fact that Internet Explorer's market share is shrinking is not news, what I found interesting is that November 2009 was the first time that Internet Explorer was used by fewer than 50% of the visitors to Packetizer.

Really, I'm amazed. Well, perhaps I'm not. I commented earlier that I had gotten fed up with Internet Explorer and I switched to Firefox. Still, it is amazing to watch the percentages shift like they have over the past two years. If I had time, I'd provide a graph.

So where are users going? Interestingly, users seem to be moving in two directions: Firefox and Apple's Safari. While Firefox is not a huge surprise, what was a surprise to me was that 8.3% of the visitors in November 2009 used Safari versus just 0.6% in November 2007.

Is it time I bought a Mac?

The Never-Ending Fight Against Spam

December 26, 2009

It has been a couple of years since we started implementing new spam prevention measures on Packetizer. Spam had reached such levels that it was almost impossible to read legitimate email, because individuals (including me) were receiving in excess of 600 spam messages every day. To say the least, it was insane.

We now have spam volumes reduced to a level that is manageable, perhaps allowing 10 to 20 spam messages through per day per user on the system. Of that, virtually all of it is effectively detected and filtered out as spam.

While the situation today is significantly better than where we were a couple of years ago, what concerns me is the fact that so much spam originates from "trusted networks". We operate a blacklist on Packetizer so that "repeat offenders" get blocked, but some networks are known repeat offenders that we simply cannot block. Examples include Yahoo! and Hotmail. For Packetizer, those are the top two spam transmitters, with Google often right behind them (though not lately, interestingly). More troubling, though, is that they are not just a little more problematic, but significantly more problematic. But what can they do? They are web sites where anybody without an email address can quickly and easily create one: they provide a great service. Even so, there is no way to imagine how many "disposable" spam accounts get created daily on those networks.

As noted in the Packetizer News section, organizations that are supposed to be helping to fight spam are actually becoming a problem themselves. Organizations like Spamhaus, MAPS, SORBS, and UCE PROTECT have proven to be a disservice to the public to some degree this year. The reason is simply that they just block mail based on IP addresses. Packetizer does that too, but it's because there are no alternatives.

What the industry needs to do is to start implementing DKIM. Do it immediately. DKIM is not intended to be a spam prevention tool, but it can be a valuable tool nonetheless in fighting spam. If every domain owner signed messages with DKIM and required all mail transmitted from their domain to be signed, then it would be relatively easy to establish a certain level of trust in those domains. Rather than blacklisting IP addresses, we can blacklist domains. I believe this would be a better solution, because domain owners can usually be tracked down. If registrars follow the rules as required by ICANN and insist on having accurate domain registration information, it would most definitely be easier.
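To make the domain-based policy concrete, here is an added example (not Packetizer's code) of the decision step a mail server could run after an upstream DKIM verifier has recorded its result in an Authentication-Results header (RFC 8601): signed mail is judged by the signing domain, and the IP blacklist is used only as a fallback for unsigned mail. The authserv-id, blocklists and sample messages are all constructed for the example.

```python
import re
from email import message_from_string

# Assumed authserv-id of our own DKIM verifier (RFC 8601). Authentication-Results
# headers claiming any other id are ignored, since a sender could forge them.
OUR_AUTHSERV_ID = "mx.packetizer.example"
BLOCKED_DOMAINS = {"spam.example"}   # constructed domain blacklist
BLOCKED_IPS = {"192.0.2.10"}         # constructed fallback IP blacklist

AR_DKIM = re.compile(r"\bdkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", re.I)


def signing_domain(raw):
    """Return the DKIM signing domain our own verifier reported as passing, else None."""
    msg = message_from_string(raw)
    for ar in msg.get_all("Authentication-Results", []):
        authserv = ar.split(";", 1)[0].strip()
        if authserv.lower() != OUR_AUTHSERV_ID:
            continue  # not produced by us: untrusted, skip it
        m = AR_DKIM.search(ar)
        if m:
            return m.group(1).lower()
    return None


def decide(raw, client_ip):
    """Accept or reject with a reason: block by signing domain when the mail is
    signed, and fall back to the connecting IP only when no trusted signature exists."""
    domain = signing_domain(raw)
    if domain is None:
        if client_ip in BLOCKED_IPS:
            return ("reject", "ip-blacklist:" + client_ip)
        return ("accept", "unsigned")
    if domain in BLOCKED_DOMAINS:
        return ("reject", "domain-blacklist:" + domain)
    return ("accept", "dkim:" + domain)


# Constructed sample messages, not real mail.
SIGNED = ("Authentication-Results: mx.packetizer.example; dkim=pass header.d=good.example\n"
          "From: alice@good.example\nSubject: hi\n\nhello\n")
SIGNED_BAD = ("Authentication-Results: mx.packetizer.example; dkim=pass header.d=spam.example\n"
              "From: offer@spam.example\nSubject: buy\n\nspam\n")
FORGED = ("Authentication-Results: mx.elsewhere.example; dkim=pass header.d=good.example\n"
          "From: x@good.example\nSubject: hi\n\nresult header not written by our verifier\n")
```

The FORGED case shows why the authserv-id check matters: without it, anyone could claim a passing signature for a trusted domain simply by adding the header themselves.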

I am tired of receiving spam and I think it's time that we -- all of us on the Internet -- encourage changes that help address the problem.

Google and SIP vs. XMPP

December 7, 2009

In the wake of Google's acquisition of Gizmo5, Tsahi Levent-Levi raised some good questions and made some excellent points in his blog posting on protocol interworking and the pain it introduces. Like many others, I have an opinion on this.

Google needs a way to interwork with the SIP-enabled gateways and SBCs, but SIP really isn't in line with its web strategy. XMPP, on the other hand, is since it utilizes XML and has interfaces like BOSH that allow one to get presence information and even do IM via the web browser.

Most people who know me are well-aware of my opinion of SIP: it is a nice client-server protocol for voice and video, but it falls significantly short trying to do anything more than that. SIP was initially intended to be a light-weight protocol that breaks away from the traditional telephony model, but has in fact fallen into the trap of replicating the PSTN over IP, implementing much of what was in the PSTN world and behaving like a traditional telephony protocol. It is not the web-centric, simple, light-weight protocol it was supposed to be: it is quite the opposite.

XMPP is web-centric in many ways and is very flexible. Heck, they are building things like Google Wave on top of that infrastructure! So, it makes a lot of sense trying to use XMPP in the core and pushing SIP to the edges for interworking with the rest of the world.

That said, perhaps Google has come to the realization that few have implemented Jingle and their plans are to marry SIP + XMPP into a single client. I can imagine IM and presence functions being handled by the XMPP side and SIP used for voice/video.

That makes sense for GoogleTalk, but what about Google's Chrome OS? What kind of voice/video support will be available there? The only way to do that is via some plug-in to get voice/video capabilities from JavaScript, but perhaps that's exactly what they'll do.

Long-term, I agree they would be best-served by having a single protocol, but SIP cannot be it: it lacks the web-centric capabilities that Google needs to enable richer forms of communication available via XMPP.

Enough is Enough: Internet Explorer is Out

October 6, 2009

I've been a long-time fan of Internet Explorer. Really, I have. While people have been praising Firefox, Opera, and other browsers for years, touting how they are more standards-compliant than IE, I continued to use Internet Explorer. I actually liked the browser. While it has its deficiencies, most of those deficiencies are not visible to the end-user: they are just painful issues that developers have to deal with.

As a developer, I have a certain appreciation for the cool, geeky features in Firefox. As an end-user, I like what Internet Explorer has to offer: a simple browser that works on most all web sites, because it's the dominant browser and everybody has to make their sites work with IE. When Internet Explorer 8 came out, I really felt like it was a great step forward. It was more standards-compliant than before and there were a number of good features added. I particularly appreciated the strong support for RSS and Atom feeds: it is significantly better than what Firefox has to offer.

Alas, though, I've decided to dump Internet Explorer. I do not know what Microsoft did with IE8, but the browser seems to freeze a lot. I do not mean that it crashes. Rather, it freezes for a while thinking deep thoughts, I suppose, and then resumes after a while. Sometimes, I would just open a different IE instance and visit a different web site while I waited on IE to wake up. The pages that caused the biggest problems were those that were extremely long or had a significant number of hyperlinks.

So, I dumped Internet Explorer. It is still on my machine, but I have now converted to Firefox. Firefox 3.5 has thus far proven to be extremely stable and has absolutely no problem with the web pages that present Internet Explorer with so many challenges. I do wish Firefox had better integrated RSS/Atom support, but I'll gladly trade that for the stability and robustness I do not get with Internet Explorer.
