Sorry, I'm not aware of any companies that do that, but as a slightly off the wall suggestion, you could try talking to some university departments about it. They may take it as a research project, or be able to put you in contact with some agencies who could help. Those sorts of places usually have some industry contacts. Eg. http://selab.netlab.uky.edu/ or similar.

I agree it's easy if you make the assumption that the software behaves consistently, and is not essentially hostile (for example hidden functionality that sends data elsewhere under certain conditions), but I thought the point was that they weren't prepared to take your word for it. I wouldn't know how to check for that without analysing the source - which might still miss the offending code if it were well enough hidden.

Either way, best of luck with it
stevio
Posts
-
Methods to certify a software application -
Methods to certify a software application

Doing a full source code analysis and test would (depending on the software) potentially be a long and expensive process, which may not be cost effective, or even effective at detecting problems.

If your application uses easily identifiable network traffic, you could advise them to set some firewall rules to log and drop the packets. They could then run the software for a while to test it to their own satisfaction. I would have thought that this would be the cheapest and easiest solution. If their data is security critical, they should have a robust firewall ruleset anyway.

Presumably though, they want a certificate so they don't have to take responsibility for it for legal reasons... If so, they should be able to advise you on a suitable certification company / authority. If not, it doesn't really mean anything, and you could just get anyone to glance over the source and say they certify it (in a non legally binding sense of course :) )
-
Is software development getting harder?

Whilst not relevant to the general thread, I have solved the SSL certificate problem, by using the guide available here: http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html which seems to work for generating a CA and signing a key using xp pro sp3, IIS 5.1 and openssl 0.9.8k. Thought I'd link it in case this thread shows up from a search for CA problems or somesuch.

Disclaimer: I have not had time to look into the security implications of this approach, and don't know if there are any problems with following it. Don't use this on a publicly accessible machine unless you know what you are doing. I'm only using it for a test certificate.
-
Logic

Exactly, that explains the answer well. Explaining the question is rather more difficult. Presumably the numerous and horrible problems with it are intended to distract from this single inescapable fact.
-
Logic

At the crossing point they are both at the same distance from Lahore by definition.
-
Is software development getting harder?

I'm trying to develop some new software using the Silverlight 3 beta, as Silverlight is finally starting to acquire the features needed to develop serious non-trivial applications. My application requires duplex web services, and needs authentication of users. The recommended method to achieve this is to use the new in-message soap authentication features supported by Silverlight 3.

The first hurdle was that the aspnet_regsql command that is supposed to generate a membership database didn't. Cue lots of fiddling around for hours trying to work out why. Eventually I gave up and installed MySQL, and fussed around with that for awhile before finding that I would have to implement my own membership providers (some kind soul did develop a set once, and hosted them here, but they don't seem to support any recent versions). I also discover that the entity data model wizard won't do anything with a MySQL backend, which means prototyping my app is going to be a real headache.

I went back to trying to bludgeon SQL Express 2005 into behaving as it should, and eventually discover that it won't run and connect to an APP_DATA file hosted database unless you have administrator privileges. Okay fine. I'll develop software whilst logged in as administrator. Whatever. No idea if this is a documented feature or not, I just want to write some code.

The next hurdle is that the new authentication support requires SSL. Whilst it's good to know that MS realise that sending credentials unencrypted is a bad thing, this is going to somewhat hamper development, because Visual Studio's built-in testing webserver Cassini does not support SSL. Oh well, I'm running XP Pro. Maybe I'll just install the crippled version of IIS that only supports one website, and spend ages moving files around and remapping virtual directories every time I want to run anything else. Perhaps it won't be too painful - MS have certainly saved me the problem of dealing with cross domain access issues :/

So I install IIS. Wow, great. Except that it doesn't work. For some reason, the out of the box settings mean that I can't access the built-in demo page without entering a local machine login and password. All the settings look right, but it just will not serve any dynamic content without a login. Which is odd, as it is happy to send GIFs and HTML files. After yet more fiddling around, it seems that IE requires special settings to allow it to view local websites without prompting for login. So it isn't IIS at all, just some piece of gruesome windows
-
IE8 Rendering problem (my bug or theirs?)

Well I figured out what causes the breaking layout. There's a self closing link tag in there with just an ID. This can be used eg. to link to a certain point within a page. It validates fine. Placing a link like that into the page seems to make all the other links render strangely. Swapping it with an empty tag avoids the problem. I'm pretty sure this is a beta bug - I've sent it to the newsgroup. Shrug.
-
IE8 Rendering problem (my bug or theirs?)

I'm having a problem with IE8 rendering link tags in a way that breaks my layout. It only occurs in standards mode, and doesn't seem to show up in any other browsers. http://www.contractsolutions.co.uk/test.htm (No real content here, just a simple layout test - you need to specifically enable standards mode) Can anyone see why this layout breaks? Been looking at this too long to be able to see what's there... thanks
-
Blend 2, 2.5 etc

Many thanks for your help Jared
-
Blend 2, 2.5 etc

Thanks Jared,

Could you just clarify, are you saying that silverlight 2.x will correspond to Blend 2.x, and therefore Silverlight 2 support will *likely* be added to Blend 2 as a (free) service pack - Or - When Silverlight 2 is finally released, a new release of Blend 3 will fully support it, which is likely to be available at an upgrade cost?

Obviously it's all guesswork to a certain extent until it's announced, but intelligent guesses are usually better than my guesses ;)

Cheers, Steve
-
Blend 2, 2.5 etc

I've just bought an upgrade to Blend 2, which I notice still doesn't appear to be able to target silverlight 2. I see that the 2.5 preview does, but I can't seem to find any info on what the upgrade path (any costs and timescale) will be. Has anyone seen any details of what this will be?
-
IE8 Beta Testers

Oh well, at least we're supposed to be getting a load of new standards compliance :laugh:
-
IE8 Beta Testers

Damn, are they ever going to fix that UI tab slowness issue? It's a small thing but it drives me up the wall - totally unnecessary. Glad they're moving towards separate processes though (even if still flawed).

When you say "Crashes recover cleanly", does this mean that it restarts and reopens the same page? A lot of the crashes I've seen (in earlier versions) have been reproducible most/all of the time on a given page, so I expect to be seeing a lot of infinite loops while it repeatedly finds it's unable to deal with some pages...
-
Make Sub Request ????????

You may find that users will be rather surprised if you start sending their usernames and passwords to another domain (and with good reason). The fact that the other site doesn't give a mechanism to do this also suggests that it may not be a good idea. If you have control over the koko site, you'd probably be better off implementing a robust authentication system (or hosting the application on that domain/machine).

If you do that request from the client, what you'd be doing is handing off authentication control to the client, which means it's very insecure (ie. you trust the client to send the request to the right place, and you trust that the "Yes" answer isn't just made up by modifying the client script). Really don't do this.

To do it on the server side would allow some control over the authentication, but the method to do it would depend on what languages and technologies you use on the server side. Essentially all you'd be doing is a GET request with the parameters as sent from the user, and checking the response for Yes/No.
-
Advertising Business

Well I always figure that 50% of something is better than 100% of nothing, but you're right, they will take a cut. What's worth doing depends on your business model and scale - but either way, knowing how stuff works is a good thing. Good luck with it
-
DownLoad priority ?

In order for the CSS file to load, it must be linked to (by an HTML file). So the answer is no - you can't really do it. The only way you could achieve a similar result is by pre-loading the CSS somehow, but there's not really much to be gained by doing this in most situations. Just put the CSS link toward the top of the page, and let the browser get it when it wants it.

If you're having problems with the speed, try debugging it using firefox with the YSlow plugin. It gives you a lot of information about the structure of your page, and potential bottlenecks.
-
Advertising Business

For a "pay per click" model, you can implement it using a piece of server side script. Create a script which takes a parameter specifying where to redirect to, and adds to a counter, so you know how many times it's been hit. Replace your advert links with links to the appropriate script, and Bob's your uncle. All you need to do is tally up the number of clicks at the end of the month, and send the advertiser a bill for it.

There are additional features that may be desired, such as statistical logging, keywords used, and various data integrity controls that ideally should be added - and your advertisers may want more data than a simple number.

Frankly - using an existing (well known) platform provides trust. If I were an advertiser, I wouldn't trust a custom system to bill me correctly unless I knew the owner well. I'd really advise against reinventing the wheel here, unless it's part of your core business - and if it is, you'll need to do some good research.
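
The redirect-and-count script described in this post, as an added example that is not part of the original post. It assumes a hypothetical `/click?ad=` parameter, constructed advert ids and constructed URLs; the parameter carries an id that is looked up server-side rather than a raw destination URL, so the script only ever redirects to registered adverts.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: advert ids mapped to advertiser landing pages.
# Ids, URLs and the "ad" parameter name are assumptions for illustration.
ADVERTS = {
    "acme-spring": "https://advertiser.example/spring-sale",
    "widgets-01": "https://widgets.example/landing",
}

clicks = Counter()  # per-advert tally used for the end-of-month bill


def handle_click(request_url):
    """Return (status, location) for a request such as /click?ad=acme-spring."""
    params = parse_qs(urlsplit(request_url).query)
    values = params.get("ad", [])
    # Exactly one id, and it must be a registered advert. Anything else
    # (missing, repeated, or a raw URL) is rejected and not counted, so the
    # script cannot be used to bounce visitors to an arbitrary destination
    # and malformed requests never inflate the bill.
    if len(values) != 1 or values[0] not in ADVERTS:
        return 404, None
    ad_id = values[0]
    clicks[ad_id] += 1
    return 302, ADVERTS[ad_id]


def monthly_bill(rate_per_click_pence):
    """Amount owed per advert, in pence, from the tallied clicks."""
    return {ad: n * rate_per_click_pence for ad, n in clicks.items()}
```
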
-
How can I combine this CSS code ?

What you need to be doing is looking at the code, and seeing what you're duplicating. Pull out the common elements, and then see what you have left. Try something like:

    .css_class1 {
        background-color: #988F81;
        color: #000000;
        border: solid 1px #F6F5F2;
        border-right-color: #333333;
        border-bottom-color: #333333;
    }

There's further improvements that can be made, but that's a start. In fact, since you seem to be trying to get a 3d effect on the edges of the border, you could try replacing it with "border-style: inset", or "border-style: outset", which probably won't display identically to your first sample, but is a standard style with shorter markup. eg:

    .css_class1 {
        background-color: #988F81;
        color: #000000;
        border-style: outset;
    }
-
CoralCDN

Ahh, well spotted - thanks. From reading the other sections, it seemed that it was already running on untrusted clients. From the tone of that, it seems that they are at least going to consider the security aspects before doing that.
-
i got sql injection attach from 1 month on my website help me plz.

Oh, and I should just mention - whatever you do - don't post a link to your site after telling the world that it's insecure - it's not likely to help your situation in the short term.