Re: [Lazarus] https website for Lazarus

2017-03-17 Thread Marc Weustink via Lazarus

Graeme Geldenhuys via Lazarus wrote:
> On 2017-03-13 21:50, Marc Weustink via Lazarus wrote:
>> It is one of my plans to enable it for the lazarus sites.
>
> And now with Firefox 52, it gives you an "in your face" warning that you
> are logging into an unsecure website. Not only the crossed out padlock
> in the URL, but also a popup warning below the Username field.

Yep... I noticed for some internal pages here :(

Anyway, I've enabled https for all lazarus sites (served by lazarus-ide.org)


Marc

--
___
Lazarus mailing list
Lazarus@lists.lazarus-ide.org
http://lists.lazarus-ide.org/listinfo/lazarus


Re: [Lazarus] https website for Lazarus

2017-03-16 Thread Graeme Geldenhuys via Lazarus
On 2017-03-13 21:50, Marc Weustink via Lazarus wrote:
> It is one of my plans to enable it for the lazarus sites. 

And now with Firefox 52, it gives you an "in your face" warning that you
are logging into an unsecure website. Not only the crossed out padlock
in the URL, but also a popup warning below the Username field.

See the "Other Firefox 52 changes"


https://www.bleepingcomputer.com/news/software/mozilla-releases-firefox-52-the-first-browser-to-support-webassembly/


So I guess everybody is pushing for HTTPS everywhere.


Regards,
  Graeme




Re: [Lazarus] https website for Lazarus

2017-03-16 Thread Graeme Geldenhuys via Lazarus
On 2017-03-14 12:07, Anthony Walter via Lazarus wrote:
> If you have a subject you want people to explore, you need to
> represent it well. 

Apple does a lot of things wrong (these days), but they also do a lot of
things right when it comes to design. Using good Typography (via CSS
only) can look just as good, without the "heavy images" part. Or at
least, you can reduce the amount of large images you need.

But as Brian mentioned, it's your website (I think), and everybody is
allowed to implement their websites with their own ideas. ;-)

Regards,
  Graeme

-- 
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp


Re: [Lazarus] https website for Lazarus

2017-03-15 Thread brian via Lazarus
On 03/14/2017 08:07 AM, Anthony Walter via Lazarus wrote:
> Graeme,
> 
> By far most of the heavy stuff is images and I don't see that as a bad
> thing. If you have a subject you want people to explore, you need to
> represent it well. Of course a website could just be static text, but
> if you put some screen shots on the front page, maybe a gallery, rotating
> images linking to articles, a page header background, IMO you're more
> likely to get people to stay, look around, and maybe read an article or
> explore further. Of course that's all subjective.
> 

It's also not correct, at least for some folks. You are, of course,
entitled to write your website any way you like it, but the 'heavy
stuff' to which you refer means that people like me won't dare come
and 'explore'. Living where I do, I have precisely two options for
internet access, dial-up and metered satellite access. From the size
given in a previous message, just loading your front page will cost me
almost 0.5% of my total daily bandwidth allowance.

If your sort of attitude prevails, I confidently expect that at some
future point I will have to go back 20+ years and resume using Lynx as
my browser.

Brian.




Re: [Lazarus] https website for Lazarus

2017-03-14 Thread Anthony Walter via Lazarus
Graeme,

By far most of the heavy stuff is images and I don't see that as a bad
thing. If you have a subject you want people to explore, you need to
represent it well. Of course a website could just be static text, but if
you put some screen shots on the front page, maybe a gallery, rotating images
linking to articles, a page header background, IMO you're more likely to
get people to stay, look around, and maybe read an article or explore further.
Of course that's all subjective.


Re: [Lazarus] https website for Lazarus

2017-03-14 Thread Graeme Geldenhuys via Lazarus
On 2017-03-14 10:38, Anthony Walter via Lazarus wrote:
> I just thought I'd share my experience with http://www.getlazarus.org
> I added https to it a few months ago using let's encrypt. The experience
> was pretty easy.

Indeed, Let's Encrypt is really easy to use and implement.


> The only hiccup I had/still have is that I serve images/video using S3 with
> a subdomain CNAME to improve performance. I had to use a separate

Unrelated to this really... I hate the way websites are designed these
days (but probably no way of going back to what it was a few years
back). Websites are becoming "fat".

Take "www.getlazarus.org" as an example. Loading the full page from
scratch is a 1.244 MByte download. Of that, only 46KB is actual content
(HTML). That equates to a mere 3% of the whole download being content!

Please note, this is not a direct reflection on getlazarus.org only -
this seems to be the general trend of most websites on the internet
these days.

To verify, use F12 (Firefox) to see the developer window, select
Network, then click "Toggle Performance analysis". See the pie chart on
the right.


"http://www.lazarus-ide.org/" is slightly better, but still not great.
There 11% of the 181.19KB download is actual content.

"http://www.freepascal.org/" is even better still. There 21.9% of the
total 36.69KB download is actual content.

Regards,
  Graeme

-- 
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp


Re: [Lazarus] https website for Lazarus

2017-03-14 Thread Marc Weustink via Lazarus
As a test I used Letsencrypt for my own site. If successful then I 
planned to update Lazarus. My first automated certificate update went 
smooth, so Lazarus is next.


One major issue with Letsencrypt is that all automated update processes 
re-generate the CSR. Since our hoster supports dnssec you don't want 
that. So I spent some time to create my own update scripts using my own 
CSR. Since these proved OK, Lazarus is next.


Marc

BTW, subdomains shouldn't be a problem

Anthony Walter wrote:
> I just thought I'd share my experience with http://www.getlazarus.org
>
> I added https to it a few months ago using let's encrypt. The experience
> was pretty easy.
>
> The only hiccup I had/still have is that I serve images/video using S3
> with a subdomain CNAME to improve performance. I had to use a separate
> certificate from Amazon for that content else I wouldn't get the green
> badge to the left of the URL in every browser. Amazon's tool to get a
> certificate for S3/Cloudfront buckets is straightforward enough.
>
> You can find non secure items on a page like in the scenario I described
> above using any browser's developer tools console window. It will warn
> about your security errors at the top of the console.
>
> Finally, switch to using // in your html and css when specifying website
> links/resources. This causes the client to use the same protocol for
> those items which was used to request the main page. That is to say image:
> url(//images.mysite.org/banner.jpg) vs
> url(https://images.mysite.org/banner.jpg).




Re: [Lazarus] https website for Lazarus

2017-03-14 Thread Anthony Walter via Lazarus
I just thought I'd share my experience with http://www.getlazarus.org

I added https to it a few months ago using let's encrypt. The experience
was pretty easy.

The only hiccup I had/still have is that I serve images/video using S3 with
a subdomain CNAME to improve performance. I had to use a separate
certificate from Amazon for that content else I wouldn't get the green
badge to the left of the URL in every browser. Amazon's tool to get a
certificate for S3/Cloudfront buckets is straightforward enough.

You can find non secure items on a page like in the scenario I described
above using any browser's developer tools console window. It will warn
about your security errors at the top of the console.

Finally, switch to using // in your html and css when specifying website
links/resources. This causes the client to use the same protocol for those
items which was used to request the main page. That is to say image:
url(//images.mysite.org/banner.jpg) vs
url(https://images.mysite.org/banner.jpg).
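Added example (not part of the original post, and not code from any of the sites mentioned): a standard-library Python check for the mixed-content case described in the message above. It resolves each subresource reference the way a browser does, so a protocol-relative `//` URL inherits the page's scheme; the hostnames and the sample markup are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch subresources (plain <a href> links are not).
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("video", "src"), ("source", "src"), ("link", "href")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")

class MixedContentScanner(HTMLParser):
    """Collect subresource references that resolve to plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.insecure, self._in_style = page_url, [], False

    def _check(self, where, ref):
        # urljoin gives "//host/path" the page's own scheme, as a browser does.
        resolved = urljoin(self.page_url, ref)
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((where, resolved))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value and (tag, name) in SUBRESOURCE_ATTRS:
                self._check(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) references inside a <style> block
            for ref in CSS_URL.findall(data):
                self._check("<style>", ref)

def find_insecure(page_url, html):
    """Return (location, resolved URL) pairs that would load over http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

# Constructed sample markup; all hostnames are placeholders.
SAMPLE = """<link rel="stylesheet" href="//cdn.example.org/site.css">
<style>header { background: url(http://images.example.org/banner.jpg); }</style>
<img src="http://images.example.org/shot1.png">
<img src="//images.example.org/shot2.png">
<a href="http://www.example.org/about">About</a>"""
```

Calling `find_insecure("https://www.example.org/", SAMPLE)` reports only the two hard-coded `http://` references, while the same markup served from an `http://` page resolves every `//` reference to http as well.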


Re: [Lazarus] https website for Lazarus

2017-03-13 Thread Marc Weustink via Lazarus
It is one of my plans to enable it for the lazarus sites. 

Mar 

On March 13, 2017 6:08:14 PM GMT+01:00, Tony Whyman via Lazarus wrote:
>Has anyone thought about supporting https on the Lazarus (and Free 
>Pascal) websites? Firefox, for example, is getting increasingly sniffy 
>about unprotected websites and for good reason.
>
>It would also be useful to protect the svn feeds, if only to reduce the
>risk of a man in the middle attack sneaking something nasty into the 
>source code.
>
>Let's encrypt (https://letsencrypt.org/) seems to offer a very good free 
>service for https certificates where the objective is to protect the 
>connection and give reasonable confidence that you are talking to the 
>named website, so there does not seem to be a cost reason why https is 
>not supported.
>
>Tony Whyman
>
>MWA
>


Re: [Lazarus] https website for Lazarus

2017-03-13 Thread Shaun O'Connor via Lazarus
In light of recent disclosures I would not be too optimistic about 
https at this point in time since if an endpoint is compromised https 
will offer no real meaningful protection in some cases. However, having 
said that, at least there is some degree of protection against compromise 
of data.



On 13/03/2017 17:08, Tony Whyman via Lazarus wrote:
> Has anyone thought about supporting https on the Lazarus (and Free 
> Pascal) websites? Firefox, for example, is getting increasingly sniffy 
> about unprotected websites and for good reason.
>
> It would also be useful to protect the svn feeds, if only to reduce 
> the risk of a man in the middle attack sneaking something nasty into 
> the source code.
>
> Let's encrypt (https://letsencrypt.org/) seems to offer a very good 
> free service for https certificates where the objective is to protect 
> the connection and give reasonable confidence that you are talking to 
> the named website, so there does not seem to be a cost reason why 
> https is not supported.
>
> Tony Whyman
>
> MWA





[Lazarus] https website for Lazarus

2017-03-13 Thread Tony Whyman via Lazarus
Has anyone thought about supporting https on the Lazarus (and Free 
Pascal) websites? Firefox, for example, is getting increasingly sniffy 
about unprotected websites and for good reason.


It would also be useful to protect the svn feeds, if only to reduce the 
risk of a man in the middle attack sneaking something nasty into the 
source code.


Let's encrypt (https://letsencrypt.org/) seems to offer a very good free 
service for https certificates where the objective is to protect the 
connection and give reasonable confidence that you are talking to the 
named website, so there does not seem to be a cost reason why https is 
not supported.


Tony Whyman

MWA
