Re: [Dspace-tech] DS-2220: Always load Google Analytics over SSL
Fair point. As a technologist working in the developing world, this should matter more to me, but alas, my heart always cries deploy hard crypto!. There is a compromise between the two somewhere... In related news, today Google announced that Chrome 39 will disable SSLv3 fallback, and Chrome 40 will disable it entirely: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4 And TLS1.0, which came after SSLv3 (despite the decrement), is 15 years old now! And even Windows XP supports TLS 1.0. Regards, On Tue, Oct 28, 2014 at 9:54 PM, Stuart Yeates stuart.yea...@vuw.ac.nz wrote: I was shooting for always loading over HTTPS, as surely loading ANYTHING we can over HTTPS should increase our users' security, ie jQuery, images, CSS, etc... Yes, but only if you're assuming that only humans connect and all of them use modern browsers with good https support. Many users in the developing world access on an array of kinds of hardware and software that we would consider obsolete. Requiring the latest and greatest web technologies to access our research isn't going to decrease that development gap. Many tools, from plain server monitoring systems to reference checking systems to fancy website thumbnail services just work better and more reliably over http than https. cheers stuart -- Alan Orth alan.o...@gmail.com https://alaninkenya.org https://mjanja.ch In heaven all the interesting people are missing. -Friedrich Nietzsche GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0 -- ___ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] DS-2220: Always load Google Analytics over SSL
Stuart, I was shooting for always loading over HTTPS, as surely loading ANYTHING we can over HTTPS should increase our users' security, ie jQuery, images, CSS, etc... but it seems Google's example code for this traditional ga.js recommends doing exactly what we're already doing: https://developers.google.com/analytics/devguides/collection/gajs/gaTrackingOverview So maybe there's something they're doing with the document.location in their script... I dunno. Alan On 10/27/2014 11:22 PM, Stuart Yeates wrote: Isn't the fix for this to use protocol-independent URIs? i.e. the ones that start with // rather than https:// or http:// ? Or is there an important secondary issue I'm missing? cheers stuart -- I have a new phone number: 04 463 5692 *From:* Alan Orth alan.o...@gmail.com *Sent:* Monday, 27 October 2014 11:51 p.m. *To:* dspace-tech@lists.sourceforge.net *Subject:* [Dspace-tech] DS-2220: Always load Google Analytics over SSL I was just poking around and noticed we conditionally load Google Analytics over SSL. We should *always* load ga.js over SSL. Bug here: https://jira.duraspace.org/browse/DS-2220 Patch and pull request is linked in bug report. Cheers, -- Alan Orth alan.o...@gmail.com mailto:alan.o...@gmail.com https://alaninkenya.org https://mjanja.ch In heaven all the interesting people are missing. -Friedrich Nietzsche GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0 -- Alan Orth alan.o...@gmail.com https://alaninkenya.org https://mjanja.ch I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. -Bjarne Stroustrup, inventor of C++ GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0 -- ___ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] DS-2220: Always load Google Analytics over SSL
I was shooting for always loading over HTTPS, as surely loading ANYTHING we can over HTTPS should increase our users' security, ie jQuery, images, CSS, etc... Yes, but only if you're assuming that only humans connect and all of them use modern browsers with good https support. Many users in the developing world access on an array of kinds of hardware and software that we would consider obsolete. Requiring the latest and greatest web technologies to access our research isn't going to decrease that development gap. Many tools, from plain server monitoring systems to reference checking systems to fancy website thumbnail services just work better and more reliably over http than https. cheers stuart -- ___ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
[Dspace-tech] DS-2220: Always load Google Analytics over SSL
I was just poking around and noticed we conditionally load Google Analytics over SSL. We should *always* load ga.js over SSL. Bug here: https://jira.duraspace.org/browse/DS-2220 Patch and pull request is linked in bug report. Cheers, -- Alan Orth alan.o...@gmail.com https://alaninkenya.org https://mjanja.ch In heaven all the interesting people are missing. -Friedrich Nietzsche GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0 -- ___ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] DS-2220: Always load Google Analytics over SSL
Isn't the fix for this to use protocol-independent URIs? i.e. the ones that start with // rather than https:// or http:// ? Or is there an important secondary issue I'm missing? cheers stuart -- I have a new phone number: 04 463 5692 From: Alan Orth alan.o...@gmail.com Sent: Monday, 27 October 2014 11:51 p.m. To: dspace-tech@lists.sourceforge.net Subject: [Dspace-tech] DS-2220: Always load Google Analytics over SSL I was just poking around and noticed we conditionally load Google Analytics over SSL. We should *always* load ga.js over SSL. Bug here: https://jira.duraspace.org/browse/DS-2220 Patch and pull request is linked in bug report. Cheers, -- Alan Orth alan.o...@gmail.commailto:alan.o...@gmail.com https://alaninkenya.org https://mjanja.ch In heaven all the interesting people are missing. -Friedrich Nietzsche GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0 -- ___ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette