upgrade - Dave's Blog


Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Considerate MessagePort Usage

2013 Aug 7, 7:14
Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.When writing a JavaScript library that uses postMessage and the message event, I must be considerate of other JS code that will be running along side my library. I shouldn't assume I'm the only sender and receiver on a caller provided MessagePort object. This means obviously I should use addEventListener("message" rather than the onmessage property (see related What if two programs did this?). But considering the actual messages traveling over the message channel I have the issue of accidentally processing another libraries messages and having another library accidentally process my own message. I have a few options for playing nice in this regard:
Require a caller provided unique MessagePort
This solves the problem but puts a lot of work on the caller who may not notice nor follow this requirement.
Uniquely mark my messages
To ensure I'm acting upon my own messages and not messages that happen to have similar properties as my own, I place a 'type' property on my postMessage data with a value of a URN unique to me and my JS library. Usually because its easy I use a UUID URN. There's no way someone will coincidentally produce this same URN. With this I can be sure I'm not processing someone else's messages. Of course there's no way to modify my postMessage data to prevent another library from accidentally processing my messages as their own. I can only hope they take similar steps as this and see that my messages are not their own.
Use caller provided MessagePort only to upgrade to new unique MessagePort
I can also make my own unique MessagePort for which only my library will have the end points. This does still require the caller to provide an initial message channel over which I can communicate my new unique MessagePort which means I still have the problems above. However it clearly reduces the surface area of the problem since I only need once message to communicate the new MessagePort.
The best solution is likely all of the above.
Photo is Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.
PermalinkCommentsDOM html javascript messagechannel postMessage programming technical

With WP7 Mango available for all, Microsoft pushes ahead with new updates

2011 Dec 1, 3:22

“including driver updates to enable Internet sharing on some models such as the HTC HD7” Just upgraded and saw this. Very cool.

PermalinkCommentstechnical cell-phone wifi router wp7

Lifetimes of cryptographic hash functions

2011 Jun 20, 11:25A cautionary tale in chart form: lesson is make sure you can always upgrade your hashing algorithm or don't have security dependencies on hashing algorithms.PermalinkCommentsreference hash encryption security table technical humor

Ajaxian » Getting Users to Upgrade Their Browsers

2010 Apr 11, 3:53Has graphs of browser usage by version over time to show upgrade speed for Chrome, IE, and Firefox. Chrome has a lovely graph.
PermalinkCommentsgraph statistics infographics web browser chrome ie firefox version upgrade technical.

PSFK » Blog Archive » (Pics) Posterchild Finds New Uses for Old Phone Booths

2009 Nov 29, 1:58Phone booths get makeovers: "For Your Convenience Super-Hero Changing Station", "Coming Soon, improvements and upgrades to this public urination facility", and more.
PermalinkCommentshumor phone-booth cultural-disobediance graffiti new-york photo

What Does It All Mean? - Dive Into HTML5

2009 Oct 28, 8:55A walk-through what it takes to upgrade your good HTML4 document into a great HTML5 document. This is part of the stylized Dive Into HTML5 book.PermalinkCommentsreference html html5 technical mark-pilgrim xhtml

Digg the Blog - Blog Archive - Much Ado About IE6

2009 Jul 10, 9:43"This goes directly to why most folks use IE6: they don't have a choice. Three out of four IE6 users on Digg said they can't upgrade due to some technical or workplace reason."PermalinkCommentsie digg ie6 statistics web development browser technical

IE6 denial message for Momentile.com on Flickr - Photo Sharing!

2009 Jun 15, 4:46"This was such a fun project - this is what users of Internet Explorer 6 see when they visit Momentile." Funny image. There's just two things I don't like about this: (a) it makes me feel sorry for IE6 when the only thing anybody should feel in relation to IE6 is the urge to upgrade to IE8 and (b) I hate it when websites get all preachy and try to convert you to another browser.PermalinkCommentshumor webdesign ie6 ie browser comic

Text/Plain Fragment Bookmarklet

2008 Nov 19, 12:58

The text/plain fragment documented in RFC 5147 and described on Erik Wilde's blog struck my interest and, like the XML fragment, I wanted to see if I could implement this in IE. In this case there's no XSLT for me to edit so, like my plain/text word wrap bookmarklet I've implemented it as a bookmarklet. This is only a partial implementation as it doesn't implement the integrity checks.

Check out my text/plain fragment bookmarklet.

PermalinkCommentstext url boring bookmarklet uri plain-text javascript fragment

Xbox Achievements for Everyday Life

2008 Sep 16, 7:54

I just upgraded to the Zune 3.0 software which includes games and purchasing music on the Zune via WiFi and once again I'm thrilled that the new firmware is available for old Zunes like mine. Rooting around looking at the new features I noticed Zune Badges for the first time. They're like Xbox Achievements, for example I have a Pixies Silver Artist Power Listener award for listening to the Pixies over 1000 times. I know its ridiculous but I like it, and now I want achievements for everything.

Achievements everywhere would require more developments in self-tracking. Self-trackers, folks who keep statistics on exactly when and what they eat, when and how much they exercise, anything one may track about one's self, were the topic of a Kevin Kelly Quantified Self blog post (also check out Cory Doctorow's SF short story The Things that Make Me Weak and Strange Get Engineered Away featuring a colony of self-trackers). For someone like me with a medium length attention span the data collection needs to be completely automatic or I will lose interest and stop collecting within a week. For instance, Nike iPod shoes that keep track of how many steps the wearer takes. I'll also need software to analyze, display, and share this data on a website like Mycrocosm. I don't want to have to spend extreme amounts of time to create something as wonderful as the Feltron Report (check out his statistic on how many daily measurements he takes for the report). Once we have the data we can give out achievements for everything!

Achievements for Everyday Life
Eat at least ten different kinds of animals.
Make Friends
Meet at least 10% of the residents in your home town.
Visit a city in every country.
You're Old
Survive at least 80 years of life.

Of course none of the above is practical yet, but how about Delicious achievements based on the public Delicious feeds? That should be doable...

PermalinkCommentsself-tracking data achievements

URI Fragment Info Roundup

2008 Apr 21, 11:53

['Neverending story' by Alexandre Duret-Lutz. A framed photo of books with the droste effect applied. Licensed under creative commons.]Information about URI Fragments, the portion of URIs that follow the '#' at the end and that are used to navigate within a document, is scattered throughout various documents which I usually have to hunt down. Instead I'll link to them all here.

Definitions. Fragments are defined in the URI RFC which states that they're used to identify a secondary resource that is related to the primary resource identified by the URI as a subset of the primary, a view of the primary, or some other resource described by the primary. The interpretation of a fragment is based on the mime type of the primary resource. Tim Berners-Lee notes that determining fragment meaning from mime type is a problem because a single URI may contain a single fragment, however over HTTP a single URI can result in the same logical resource represented in different mime types. So there's one fragment but multiple mime types and so multiple interpretations of the one fragment. The URI RFC says that if an author has a single resource available in multiple mime types then the author must ensure that the various representations of a single resource must all resolve fragments to the same logical secondary resource. Depending on which mime types you're dealing with this is either not easy or not possible.

HTTP. In HTTP when URIs are used, the fragment is not included. The General Syntax section of the HTTP standard says it uses the definitions of 'URI-reference' (which includes the fragment), 'absoluteURI', and 'relativeURI' (which don't include the fragment) from the URI RFC. However, the 'URI-reference' term doesn't actually appear in the BNF for the protocol. Accordingly the headers like 'Request-URI', 'Content-Location', 'Location', and 'Referer' which include URIs are defined with 'absoluteURI' or 'relativeURI' and don't include the fragment. This is in keeping with the original fragment definition which says that the fragment is used as a view of the original resource and consequently only needed for resolution on the client. Additionally, the URI RFC explicitly notes that not including the fragment is a privacy feature such that page authors won't be able to stop clients from viewing whatever fragments the client chooses. This seems like an odd claim given that if the author wanted to selectively restrict access to portions of documents there are other options for them like breaking out the parts of a single resource to which the author wishes to restrict access into separate resources.

HTML. In HTML, the HTML mime type RFC defines HTML's fragment use which consists of fragments referring to elements with a corresponding 'id' attribute or one of a particular set of elements with a corresponding 'name' attribute. The HTML spec discusses fragment use additionally noting that the names and ids must be unique in the document and that they must consist of only US-ASCII characters. The ID and NAME attributes are further restricted in section 6 to only consist of alphanumerics, the hyphen, period, colon, and underscore. This is a subset of the characters allowed in the URI fragment so no encoding is discussed since technically its not needed. However, practically speaking, browsers like FireFox and Internet Explorer allow for names and ids containing characters outside of the defined set including characters that must be percent-encoded to appear in a URI fragment. The interpretation of percent-encoded characters in fragments for HTML documents is not consistent across browsers (or in some cases within the same browser) especially for the percent-encoded percent.

Text. Text/plain recently got a fragment definition that allows fragments to refer to particular lines or characters within a text document. The scheme no longer includes regular expressions, which disappointed me at first, but in retrospect is probably good idea for increasing the adoption of this fragment scheme and for avoiding the potential for ubiquitous DoS via regex. One of the authors also notes this on his blog. I look forward to the day when this scheme is widely implemented.

XML. XML has the XPointer framework to define its fragment structure as noted by the XML mime type definition. XPointer consists of a general scheme that contains subschemes that identify a subset of an XML document. Its too bad such a thing wasn't adopted for URI fragments in general to solve the problem of a single resource with multiple mime type representations. I wrote more about XPointer when I worked on hacking XPointer into IE.

SVG and MPEG. Through the Media Fragments Working Group I found a couple more fragment scheme definitions. SVG's fragment scheme is defined in the SVG documentation and looks similar to XML's. MPEG has one defined but I could only find it as an ISO document "Text of ISO/IEC FCD 21000-17 MPEG-12 FID" and not as an RFC which is a little disturbing.

AJAX. AJAX websites have used fragments as an escape hatch for two issues that I've seen. The first is getting a unique URL for versions of a page that are produced on the client by script. The fragment may be changed by script without forcing the page to reload. This goes outside the rules of the standards by using HTML fragments in a fashion not called out by the HTML spec. but it does seem to be inline with the spirit of the fragment in that it is a subview of the original resource and interpretted client side. The other hack-ier use of the fragment in AJAX is for cross domain communication. The basic idea is that different frames or windows may not communicate in normal fashions if they have different domains but they can view each other's URLs and accordingly can change their own fragments in order to send a message out to those who know where to look. IMO this is not inline with the spirit of the fragment but is rather a cool hack.

PermalinkCommentsxml text ajax technical url boring uri fragment rfc

LibraryThing Developers are Responsive

2008 Jan 31, 10:47

[Many books in large bookcase. Photo creator http://flickr.com/people/babblingdweeb/]I use my recently added books feed from LibraryThing, a site I've mentioned before where you track, review, recommend, and share your books, and I put the recently added books on my page. I thought it might be nice to include the book covers so I suggested adding book covers to RSS feeds in LibraryThings 'Recommend Site Improvements' group. The next day I had a response from the founder and lead developer Tim Spalding who had started implementing the feature. I noticed a few bugs, reported them on the same thread, and he fixed them soon after. Fantastic! It makes me want to upgrade to a paying account.

Incidentally, if you notice the Ghost in the Shell book appear multiple times in my RSS feed its due to the previously mentioned iterative bug fixes. The same item appeared multiple times slightly differently with each bug fix and your RSS aggregator may have picked them up as distinct items.

PermalinkCommentstim-spalding librarything rss homepage

First-Gen Zune Getting All The New Features: This is How You Treat Your Customers - Gizmodo

2007 Oct 3, 6:18The new Zune features are available to existing Zune owners via software upgrade. Awesome!PermalinkCommentszune microsoft mp3 news sharing upgrade

Office with a View

2007 Jul 14, 3:12New OfficeI've been at Microsoft three years as of last Thursday. It makes me feel old but on the bright side I've upgraded offices. I now have an office with a window. Its actually a coincidence that I got this office at the time of my Microsoft anniversary but I like to pretend. I've had a single office for only four or five months now so its a nice surprise that I'm moving into a single window office so soon.

Hanging Pen HolderOf course this move means I'll be leaving some things behind. For instance the hanging dry erase pen holder that I created out of office supplies I will leave attached to my old white board. My new office has fancy whiteboards with trays built-in (sooo fancy) so I know the person coming into my old office will make better use of my hanging dry erase pen holder then I would. I explained to him that the rubber bands need to be replaced every eight months or so and not to exceed the maximum weight restrictions.

Diversity in NumbersAdditionally, the office art masterpiece I created I will also leave behind. When Bill Gates was featured on the cover of Diversity Inc. for his amazing philanthropic acts many of us got copies in our mailboxes. I collected mine and some from the recycling bins and put up five of the covers on the wall. Eventually others added to it which was my intent, but I only started this when I eventually checked my mailbox a week or so after the magazine arrived so there weren't as many covers left with which to work. At any rate I ended up with eleven on the wall. I'll leave the interpretation of the artwork up to the viewer.PermalinkCommentsmicrosoft personal office nontechnical

XPointer Framework - IE7 XML Source View Upgrade Part 3

2007 May 17, 5:16Previously I created some resource tools and then I used them to overwrite msxml3's XML source view. In this update I've added support for the XPointer Framework.

This time around I've started to add support for the XPointer Framework to my XML source view and I've added installation instructions. The framework consists of a series of pointer segments each of which has a scheme name followed by data in parenthesis. For example 'scheme1(data1)scheme2(data2)scheme3(data3)'. A pointer segment resolves to a portion of the XML document based on the data and the scheme name. The whole pointer resolves to the first segment that successfully resolves. That is, from the example, if scheme1 resolves to nothing and scheme2 resolves to something then that's used and scheme3 is ignored. In addition to the framework I've added support for the xmlns scheme which binds namespace prefixes to a namespace URI and the element scheme which is a simple way to resolve to particular elements in an XML. I also have limited support for the xpointer scheme the content of which is resolved as an XPath with some extra functions (which I don't support -- hence the limited). I've also thrown in schemes for the two SelectionLanguage values supported by msxml3.

Next time I might try to support the xpointer functions that aren't in xpath using msxml script. But I think I'm losing steam on this project... we'll see.PermalinkCommentsresource technical xml xpointer res xpath xslt

New XSLT - IE7 XML Source View Upgrade Part 2

2007 May 11, 8:55Last time, I had written some resource tools to allow me to view and modify Windows module resources in my ultimate and noble quest to implement the XML content-type fragment in IE7. Using the resource tools I found that MSXML3.DLL isn't signed and that I can replace the XSLT embedded resource with my own, which is great news and means I could continue in my endevour. In the following I discuss how I came up with this replacement for IE7's XML source view.

At first I thought I could just modify the existing XSLT but it turns out that it isn't exactly an XSLT, rather its an IE5 XSL. I tried using the XSL to XSLT converter linked to on MSDN, however the resulting document still requires manual modification. But I didn't want to muck about in their weird language and I figured I could write my own XSLT faster than I could figure out how theirs worked.

I began work on the new XSLT and found it relatively easy to produce. First I got indenting working with all the XML nodes represented appropriately and different CSS classes attached to them to make it easy to do syntax highlighting. Next I added in some javascript to allow for closing and opening of elements. At this point my XSLT had the same features as the original XSL.

Next was the XML mimetype fragment which uses XPointer, a framework around various different schemes for naming parts of an XML document. I focused on the XPointer scheme which is an extended version of XPath. So I named my first task as getting XPaths working. Thankfully javascript running in the HTML document produced by running my XSLT on an XML document has access to the original XML document object via the document.XMLDocument property. From this this I can execute XPaths, however there's no builtin way to map from the XML nodes selected by the XPath to the HTML elements that I produced to represent them. So I created a recursive javascript function and XSLT named-template that both produce the same unique strings based on an XML node's position in the document. For instance 'a3-e2-e' is the name produced for the 3rd attribute of the second element of the root element of the XML document. When producing the HTML for an XML node, I add an 'id' attribute to the HTML with the unique string of the XML node. Then in javascript when I execute an XPath I can discover the unique string of each node in the selected set and map each of them to their corresponding positions in the HTML.

With the hard part out of the way I changed the onload to get the fragment of the URI of the current document, interpret it as an XPath and highlight and navigate to the selected nodes. I also added an interactive floating bar from which you can enter your own XPaths and do the same. On a related note, I found that when accessing XML files via the file URI scheme the fragment is stripped off and not available to the javascript.

The next steps are of course to actually implement XPointer framework parsing as well as the limited number of schemes that the XPointer framework specifies.PermalinkCommentsxml xpointer msxml res xpath xslt resource ie7 technical browser ie xsl

Resource Tools - IE7 XML Source View Upgrade Part 1

2007 May 9, 4:15I read about text/xml URI fragment resolution a few months ago. I was interested to find another kind of fragment reference other than the text/html URI fragment but of course I didn't find an implementation in IE, Firefox, or Opera. I decided to see how much work would be required to implement this in IE.

In IE and Firefox when you open an XML file that doesn't have an XML stylesheet the XML source is rendered with syntax highlighting. In IE I also noticed that the gold bar appears when you open an XML file off of your local machine. To me this suggested that the XML source was being rendered as HTML which I assumed was produced by running an XSLT on the source XML file. If so, I figured I could modify the XSLT to implement text/xml URI fragments. I ran FileMon to see if iexplore.exe loaded an XSLT file when opening an XML file. Only the XML file and MSXML3.DLL were opened and no XSLTs were loaded as files. My next hope for modifying the XSLT was if it existed as a resource in MSXML3.DLL. I did a findstr on the DLL for SCRIPT and found an XSLT so I decided to check for resources in MSXML3.DLL. Unfortunately my previous resource viewer didn't work correctly so I decided to write my own.

I created resource tools to view and modify resources in Windows modules. The viewer outputs HTML with links to the individual resources of a module using the res URI scheme that's built into IE. The modifier is a simple command line tool that replaces or adds one resource at a time to a module.

Using these tools I found that the XSLT was stored as a resource in MSXML3.DLL. I'll talk more about the existing XSLT and the one I replaced it with next time.PermalinkCommentsresource technical xml msxml res xslt xsl
Older Entries Creative Commons License Some rights reserved.