On Mon, Mar 23, 2009 at 12:55 PM, Doug McNutt <douglist@xxxxxxxxxxxxxxx> wrote:
> At 11:46 -0400 3/23/09, Brian Mearns wrote, and I snipped a bit:
>>
>> As long as we're on this topic, I'd like to step up on my soap box for
>> a minute and beseech my fellow web developers to use minification
>> thoughtfully. Reducing network traffic and speeding up load time is
>> definitely a worthwhile goal, but we should always bear in mind that
>> the web should be an open place to exchange ideas and techniques. Few
>> things about web developing are more frustrating than seeing something
>> cool on a person's page, and viewing the source only to find it's been
>> minified to the point of obfuscation. If there are legitimate security
>> concerns, then obviously that's a separate matter, but if the purpose
>> is just minification, I think it'd be a real nice touch to precede the
>> minified content with a brief comment indicating the URL for the
>> original (unminified) source. Okay, I'll stop preaching now.
>
> From another point of view I am really frustrated by the way my banks and
> brokers use JavaScript in their login schemes. It appears that the goal is
> security through obfuscation which is never a good idea.
>
> I like to automate downloads of bank balances and security positions in the
> early morning with a cron job. I typically use curl to access the site using
> my perfectly legal login name and password. With the likes of a perl script
> calling curl it's usually easy to implement.
>
> But when the programmers use JavaScript to create cookies that are modified
> in code before referring to an external - to them - site for some kind of
> pulse checking it does get to be a PITA. If I couldn't read their JavaScript
> I would be hard pressed to emulate what a browser does.
>
> And programmers who use JavaScript to check each letter as it is typed in a
> way that makes it impossible even with a browser to copy and paste login
> information are enough to make me change brokers.
>
> Minified for 2400 baud connections, perhaps. Make it optional but don't make
> my scripts even harder to prepare.
>
> --
> -> Stocks are getting pelloreid <-
>

Agreed, security through obscurity is a good way to /reduce/ the
number of attacks, but it is not a valid defense against them. Thanks
for the input.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/