Tag Archives: dotnetrocks

String Types

Not quite a year ago, I received a .Net Rocks! mug from Richard Campbell and Carl Franklin after a comment I’d left for a previous episode was read on the show. History repeated itself on Thursday when they used another of my comments, this time one about C++, as the lead-in for the show’s main topic.

Thursday’s show was about a scripting language, ChaiScript, that allows you to write scripts in C++ and use them from other C++ projects. (C++ as a scripting language is a neat trick since it’s normally compiled ahead of time and shipped to the user as a binary executable.) It’s an interesting show and you should absolutely give it a listen. There’s also an interesting bit around the 20 mark, talking about the Commodore 64 (I had no idea those disk drives had CPUs).

The gist of my comment was that some of the features added to C++ since I’d last used it sounded rather compelling (particularly “stack semantics” which sound like there’s a sharply reduced need for new and delete, and that even pointers are largely hidden). I still have reservations though because of “scars from working with a half-dozen different, not-quite compatible string types.”

The first web application I ever worked on was a bit of a brownfield product, sharing code for the business logic with a desktop product that used the Microsoft Foundation Classes library (MFC). The resulting web application started off with char * along with the MFC CString class. (That’s two string types right there.)

Because this application ran on Active Server Pages (so-called “Classic ASP”), we soon added the BSTR and CComBSTR types in order to work with COM. And then, every so often, a new “sheriff” would attempt to unify things under a single “standard” class, which meant the introduction of TCHAR, wchar_t *, std::string and std::wstring. (Of course, as we all know, unifying under a new standard just makes things worse.)

So that’s really eight not-quite-compatible string types.

It was definitely a learning experience (if for no other reason than the anti-patterns), but I very much enjoy the fact that the C#, Java, and JavaScript languages only have one string type apiece.

Three Minutes of Fame

Today I was internet-famous for slightly more than three minutes; just long enough for Richard Campbell and Carl Franklin to read and reply to a comment on an episode of the .Net Rocks Podcast.

Back in January, I left a comment on their website, regarding StartSSL and Let’s Encrypt, two providers of SSL certificates they’d mentioned during the show. Today, show 1287 came out, covering the topic of “InfoSec for Developers” and they used my comment (right about the 5:40 mark) as the segue to the conversation with their guest, security professional Kim Carter. (Interestingly, he turns out to be using security certificates from one of the sources I’d commented on.)

So if you don’t know what that’s all about, an “SSL certificate” is one of the things you need in order to set up a secure website using HTTPS. This is part of what triggers the lock icon to appear when you’re viewing a secure web site. (You do look for that when buying things online, right?)

Richard made a valid point that a paid-for certificate really doesn’t get a whole lot more validation than what the free ones get, so if you’re able to take advantage of the free ones, there’s not really a lot of incentive not to. (It does leave the question of what extra value you get with a paid SSL certificate.)

The self-signed certificates mentioned in my question don’t have anyone vouching for their authenticity, though it’s not clear that the free or even the paid-for certificates have anyone vouching for them either. There is another kind of certificate though, the “Extended Validation” certificate (which is what your bank should be using) which does involve some in-depth checking of identity.

One thing that does distinguish third-party (i.e. “real”) certificates from the self-signed ones is that if something goes wrong (e.g. the private key is stolen), a third-party certificate can be revoked. Since the webmaster is the only one vouching for a self-signed certificate, there’s no way to tell whether the person saying the certificate is valid is who they say they are. The third-party certificates come from a source which has been validated, and there’s a secure chain of connections for verifying that the certificate can be trusted.
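To see the "chain of connections" difference concretely, here is an added example (not from the show or the original post) that uses the `openssl` command line to build a self-signed certificate and a CA-issued one, then checks each against the CA as the trust anchor. The names `demo.example` and `Demo Root CA` are constructed, and the throwaway root CA only stands in for a real third-party CA.

```shell
#!/usr/bin/env bash
# Added example; every name (demo.example, "Demo Root CA") is constructed.
set -eu

# Create three certificates in directory $1.
make_certs() {
  d=$1
  # 1. Self-signed site certificate: the site vouches for itself.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  # 2. A throwaway root CA, standing in for a third-party CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # 3. Site key and signing request, then a certificate issued by the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/site.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to trust anchor $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if issuer and subject are the same name (nobody else signed it).
self_issued() {
  i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  [ "$i" = "$s" ]
}

# Print one line per site certificate: who issued it, and whether it verifies.
report() {
  for c in self.pem site.pem; do
    if self_issued "$1/$c"; then kind="self-issued"; else kind="CA-issued"; fi
    if chains_to "$1/ca.pem" "$1/$c"; then v="chains to CA"; else v="no chain to CA"; fi
    echo "$c: $kind, $v"
  done
}

work=$(mktemp -d)
make_certs "$work"
report "$work"
```

Both site certificates carry the same name, `demo.example`; only the one signed by the CA verifies, which is the check a browser performs against its built-in list of trusted CAs.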