I made a mistake in verifying HTTP Message Signatures


A pet cat typing on a computer keyboard.

It's never great to find out you're wrong, but that's how learning and personal growth happens. HTTP Message Signatures are hard1. There are lots of complex parts and getting any aspect wrong means certain death2. In a previous post, I wrote A simple(ish) guide to verifying HTTP Message Signatures in PHP. It turns out that […]

Continue reading →

A simple(ish) guide to verifying HTTP Message Signatures in PHP


Screenshot of JSON. As described in text.

Mastodon makes heavy use of HTTP Message Signatures. They're a newish almost-standard which allows a server to verify that a request made to it came from the person who sent it. This is a quick example to show how to verify these signatures using PHP. I don't claim that it covers every use-case, and it […]

Continue reading →

HTTP Signature Infinite Loop?


A padlock engraved into a circuit board.

I'm trying to get my head round HTTP Signatures as they're used extensively in the Fediverse. Conceptually, they're relatively straightforward. You send me a normal HTTP request. For example, you want to POST something to https://example.com/data You send me these headers: POST /data Host: example.com Date: Sat, 24 Feb 2024 14:43:48 GMT Accept-Encoding: gzip Digest: […]

Continue reading →

Sometimes gzip beats Brotli


Screenshot showing a transfer with the content-encoding as gzip.

Perhaps this was obvious to you, but it wasn't to me. So I'm sharing in the hope that you don't spend an evening trying to trick your webserver into doing something stupid. For years, HTTP content has been served with gzip compression (gz). It's basically the same sort of compression algorithm you get in a […]

Continue reading →

Some new HTTP verbs


Photo of an orange cat chewing on the wires coming out of the back of a computer.

Hyper-Text Transfer Protocol is, by some measure, the most popular way for computers to talk to each other on the Internet0. Generally speaking1, clients (like browsers) talk to servers using a set number of HTTP "verbs". This tells the server what sort of thing the client is trying to do. The two most popular2 verbs […]

Continue reading →

Why Does Twitter Think Facebook is Swedish?


I've nothing against the Swedes. Lovely people. Sweden is the third-largest country in the European Union by area. But I'm not from there. Neither, as far as I am aware, is Facebook. But Twitter seems to think so. When I share a link to Twitter on Facebook, this (sometimes) happens. And sometimes, I get this […]

Continue reading →

Why Are @VirginMedia Hijacking My HTTP Connections?


It is a truth universally acknowledged, that an ISP in possession of a good Internet connection must be in want of a customer. One would think that, in these capitalist times, ISPs would compete over who could provide the fastest speed, the best service, and the lowest price. Sadly, in the UK, our ISPs seem […]

Continue reading →

Path - Privacy & Security Problems


I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling... Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be […]

Continue reading →