As you also can imagine by the new batch left side down this page: I'm now a WOT notary! So what does WOT mean? Here is a short cite:

"The thawte Web of Trust (WOT) is a Certification system that allows your identity to be validated for use in your Personal Certificate."

By default if you acquire a free e-mail Certificate from thawte, the Certificate is a general one: your name is not included in the Certificate properties nor in the trust chain. By identity validation (task of a WOT notary) you get a fully personalized Certificate including your name!

I like to spread and support e-mail signing/encryption to fight the Spam - so I decided to support (regional) users to get that personal free certificate to keep the e-mail system up and running: just filter for signed mails. I use it now for some years, believe me: if you once have the Cert., it's really easy to use. So if you ever get a mail sent by me but not signed, just move it to your waste basket...

So come on: sign your mails!

Just got this message from my IE 6 this moment:

Yes, indeed!. Short moment after: yesss, I do. Once again: yes!
Did I got a silent "featured" security update last week?

As you may know, .NET 1.1 supports three different Timer classes:

1. Windows timers with the System.Windows.Forms.Timer class
2. Periodical delegate calling with System.Threading.Timer class
3. Exact timing with the System.Timers.Timer class

The timings are more or less accurate (see CodeProject: Multithreading in .NET), but that is not the point I want to highlight today. Two sentences from the mentioned codeproject article are important for this post:

"... Events raised from the windows forms timer go through the message pump (together with all mouse events and UI update messages)..."

and

"...the System.Timers.Timer class. It represents server-based timer ticks for maximum accuracy. Ticks are generated outside of our process..."

To report state and newly retrieved items from requested feeds we used a concept to serialize the asynchronous received results from background threads with the help of a timer. This was introduced in the NightCrawler Alpha Dare Obasanjo posted last week for external tests. Some users reported strange failures, memory hog up and bad UI behavior with this Alpha so I would suggest here to not use it anymore for testing if your subscribed feeds count is higher than 20 or 30 feeds.

The idea was not as bad as it seems to be (if you only look at the issues above). The real issue in our case was to use simply the wrong timer class! The UI state refresh includes an update of the unread counters that is reported to the user within the treeview as number postfixes and (more important here) a font refresh (as user decides, default is to mark the feed caption text bold). Have a look to the constructor of the class we used for background thread result processing:

As you can see in line 10 we used the System.Timers.Timer class. The syncObject parameter is (as you can guess) the main form.

So what happens exactly now if the timer fires? I used the CLR Profiler to get the following exiting results. The event is called in sync. with the SynchronizingObject, means Control::WndProc(m) calls calls into System.Windows.Forms.Control::InvokeMarshaledCallbacks void(), MulticastDelegate::DynamicInvokeImpl()... and then our event method OnProcessResultElapsed(). The allocation graph mentions 101 MB (44.78%) used here! Here is the implementation:

As you can see: no real magic things happen. Interesting is the line 22: if there are no queued results, we just return and do nothing. But there was already a cost calling it in sync with the main UI thread, look at the call chain above! And as such it breaks the UI thread every 250 msecs also if there is just nothing to do.

But lets look what will happen if there is a result to process: let's pick the call into owner.OnUpdatedFeed(). The owner forwards to the UI class and no .InvokeRequired call is needed (the only good thing so far). It calls into FeedTreeNodeBase class to update the unread counter and node text of the treeview that in turn calls the TreeNode::UpdateNode() function. It will call into the treeview:WndProc(m), WmNotify(), CustomDraw()..., FontHandleWrapper::.ctor,... Font::ToHFont(), Font:ToLogFont() and...? You are right: it checks the code access security with CodeAccessPermission::Demand()! Right and secure, but slow. More slow even though the CodeAccessSecurityEngine::Check calls into a AppDomain::MarshalObject(Object) followed by a parameter memory serialization into another AppDomain! I scratched my head: what the f...? Then I remembered the second quote (above): Ticks are generated out of process! So this was the obvious reason for the cross-AppDomain call (memory allocation: 75MB, 33%).

So what to do to fix the problem(s)? Simply use the Windows.Forms.Timer! Think about it: it is driven by the main window message pump and runs always in the right context of the main UI thread (no .InvokeRequired calls). Timing isn't an important point here, we just want to process one result each time we are called. Further: no cross-AppDomain security check should happen anymore! With that timer it is just a simple update control(s) with some fresh data!

So take care of the timer class(es) you may use in your projects! Check their implications! Be careful, there are also other issues with it I did not mentioned here, read the docs!
Now I'm off to close related bugs...

Simple Single Sign-On [Sam Ruby]

A few days ago I googled around for trust centers offering personal e-mail certificates. Giving up after searching a half hour, because all of them (VeriSign, trustcenter.de, ...) require a fee.

Today I found my account information coincidental in my registration documents with Thawte: I already was in the possession of certificates! However these were already run off and only for no longer valid email addresses. So I renewed my certs and I'm really able to send signed mails: Outlook 2003 handles all that nicely while the older versions had some problems there. And best of the story: nothing to pay for! Now I only need some notaries to get my identity trusted.

Double check your mails you get from xyz.com comercial domains! They may have viruses attached with exactly the name of the domain xyz.com
[Clever Virus Attack]

Recently I found a link from the Rss Bandit referrer stats that points to the Microsoft Technet Security Site: there you can read about RSS, but more important you find a link to the security bulletin feed! Subscribed.

As a RSS Bandit user you know we are hosting a IE Control. So we have to consider all the security vulnerability related to Internet Explorer. Don Park pointed to Zap the Dingbat, that provides a exploit to test Url spoofing. We use our own Url toolbar, so my first idea was: we should be aware of this. But the used control is not under our control, so I really had to test it out. Here is the result:

You see: it displays the full address not cutted after the magic character... Doh!