A report by Eric Murray was released this week based on the
results of a random sample of over 8000 secure web servers.
Surprisingly, only two thirds of sites surveyed were found to
have adequate ("strong") encryption. Eric defined strong
sites as those that support TLS v1 or SSL v3, support 128 bit
ciphers, and have valid non-expired third-party certificates.
The June 2000 Netcraft
SSL survey (requires paid subscription) found that 78% of
sites they surveyed were capable of strong encryption, and
the trend is up from only 67% one year earlier. There is no
excuse for sites to have weak encryption since full-strength
servers are available world-wide, commercial and free.

ARIN, one of the organisations responsible for administration
and registration of IP addresses, have recently changed
their policy so that they will no longer issue IP
addresses to be used for IP-based virtual hosting. The
HTTP/1.1 protocol added a new feature to enable multiple
sites to be run on a single IP address, since HTTP/1.1
browsers send the name of the host or site they want to
contact as a Host: header. This is called a "name-based"
virtual host. Some older browsers send the Host: header even
though they are not fully HTTP/1.1 compliant.
Name-based virtual hosts work well for most sites, and
modules such as the mass virtual hosting module,
mod_vhost_alias can allow huge numbers of
name-based virtual hosts on a single IP address. The problem
arises when sites try to use SSL for security. Because of
the way the SSL protocol works, each secure site that has
its own name needs its own IP address. If you are running
ten secure sites you will need ten different IP addresses.
Changes have been proposed to allow name-based SSL virtual
hosting, but these are not yet implemented in browsers or
servers. Until this is widely implemented, sites with
multiple SSL virtual hosts will have to argue they are a
special case when requesting IP addresses.
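
A configuration check that follows from the paragraph above, as an added example (not from the original article or the Apache project): it reads httpd.conf-style text and lists each address:port on which more than one SSL site name is configured. The sample configuration, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample configuration; addresses are from a documentation range.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName bank.example.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+(\S+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def ssl_vhosts_by_address(conf):
    """Map each VirtualHost address to the ServerNames that enable SSL on it."""
    by_addr = defaultdict(list)
    for addr, body in VHOST_RE.findall(conf):
        body = re.sub(r"#.*", "", body)  # ignore comments
        ssl_on = re.search(r"^\s*SSLEngine\s+on\s*$", body, re.I | re.M)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
        if ssl_on and name:
            by_addr[addr].append(name.group(1).lower())
    return dict(by_addr)

def shared_ssl_addresses(conf):
    """Addresses carrying more than one SSL site name. The certificate is sent
    before the Host: header can be read, so only one certificate can be chosen
    per address and the other names get one that does not match."""
    grouped = ssl_vhosts_by_address(conf)
    return {a: n for a, n in grouped.items() if len(set(n)) > 1}

if __name__ == "__main__":
    for addr, names in shared_ssl_addresses(SAMPLE_CONF).items():
        print(f"{addr}: {len(names)} SSL names share this address: {names}")
```

The two name-based sites on port 80 are not reported, because the Host: header is available before the server has to choose which site to serve.
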

The New York Times this week
contains a story about open source software, specifically
highlighting Linux and Apache. The article includes a picture
of some of the Apache code and one of the Apache founders,
Brian Behlendorf.

Of the estimated five million software programmers
worldwide, Mr. Behlendorf figures that fewer than 50,000
participate in open-source projects. "The goal is to bring
what works from open source into this other 99 percent of the
programming community," he said.

Apache Velocity is a
clean-room implementation of the Java-based MVC template
engine WebMacro. Velocity is an alternative to other template
technologies such as JSP and is released under the Apache
Software Foundation license.

In this section we highlight some of the latest articles on
the web that are of interest to Apache users.

The Developer Shed continues its PHP series, PHP
101 with a look at form-processing capabilities, and an
introduction to the comparison and logical operators and the
"if-else" and "switch" family of conditional statements.

Continuing with the PHP theme is the Intranet Design Magazine
with their guide to
"What's New in PHP4". The article takes a glance at the
most important and useful additions to the language since
PHP3 and how to integrate Java.

CNET Builder.com looks at
"Setting up CGI with SSI and Apache"; covering the basics
of writing and running CGI scripts and using Server Side
Includes.