#foswiki 2013-05-09,Thu


***ChanServ sets mode: +o MichaelDaum
ChanServ sets mode: +o CDot
[04:56]
........... (idle for 53mn)
ChanServ sets mode: +o MichaelDaum
ChanServ sets mode: +o MichaelDaum
[05:50]
..................... (idle for 1h41mn)
ChanServ sets mode: +o MichaelDaum [07:35]
<GithubBot> [foswiki] FoswikiBot pushed 1 new commit to Release01x01: http://git.io/3wND7A
foswiki/Release01x01 5e38aaa WikiTranslationGnome: Item9526: Uncommitted translations in the last 4 hours...
[07:41]
***GithubBot has left [07:41]
<FoswikiBot> http://foswiki.org/Tasks/Item9526 [ Item9526: Translation work (needed for Pootle auto-checkin - please don't close) ] [07:41]
............... (idle for 1h14mn)
<jast> MichaelDaum: actually I believe there are different restrictions to the HTTP header. one source claims that header can only be used to *upgrade* the rendering engine, not to *downgrade* it (fine with me... I don't want these broken compatibility modes anyway). the META tag works for me now, though. [08:55]
<MichaelDaum> those compatibility modes are very bad
jquery-2.x doesn't support newer IEs in compat mode
so upgrade always upgrade
the only true setting is ie=edge,chrome=1
there's one gotcha however using http vs html headers
an IE8 still reports as IE7 even though it is *not* in compatibility mode
[08:59]
<jast> fortunately I don't care what it reports, only what rendering engine it uses :) [09:01]
<MichaelDaum> that's because it switches to edge mode too late for the transport layer as it has to receive the content and parse it first [09:01]
<jast> and, almost more importantly, what script engine [09:01]
<MichaelDaum> not so when there's a http header [09:01]
<jast> jquery-1.8.x fails for me in IE10 in IE7 compat mode, in the IE6/7 workaround code for $.attr(), called via ui::autocomplete's livequery stuff [09:02]
<MichaelDaum> so the very same xua header still behaves differently when it is in html or http ... for obvious reasons. [09:02]
<jast> all I care about is that that doesn't happen
(of course, IE7 compat mode in all older browsers doesn't exhibit the same problem)
[09:02]
<MichaelDaum> IE10 in compat mode is an IE7 ... which is awful. no surprise you get errors. using ie=edge makes this go away [09:03]
<jast> no, it works in IE7 proper
just not in IE10's compat mode
[09:03]
<MichaelDaum> oh f*
anyway ie=edge will fix it
[09:03]
<jast> (IE7 proper doesn't even work on windows 7, so IE10's compat mode must be different *somehow*)
yeah, it does
[09:04]
<MichaelDaum> yea well [09:04]
<jast> I was just very surprised that the META tag must be very early in the document, otherwise IE completely ignores it
craziness
[09:04]
<MichaelDaum> your webserver stats will be reporting IE7 usage still [09:04]
<jast> I really don't care :) [09:05]
<MichaelDaum> I do [09:05]
<jast> pretty much all our wikis are in corporate networks... installed browsers are already known there [09:05]
<MichaelDaum> ... and they explicitly roll out compatibility mode set for the intranet zone [09:05]
<jast> generally provided via mass deployment
well, corporate networks are rarely sane :}
[09:05]
<MichaelDaum> they get there...slowly. [09:06]
<jast> we've had several cases in which corporate IT restructured the LDAP hierarchy without telling anyone [09:06]
<MichaelDaum> it only takes another half a dozen zero-day exploits til one makes it to the higher regions.
seen the news about the recent one?
[09:06]
<FoswikiBot> Sorry, I haven't seen the news about the recent one. [09:07]
<jast> so far we've had two customers do an actual audit of our wiki
nah
[09:07]
<MichaelDaum> it said there was malware already circulating using the latest 0day exploit specifically targeted at US power plants [09:07]
<jast> neat [09:08]
<MichaelDaum> could you imagine this: a bored maintenance personnel surfing the internet ... and boom. [09:08]
<jast> (btw, the upshot of one of those audits was that the customer sponsored our new and improved SafeWikiPlugin)
yeah, fun times
said customer has all employees' PCs firewalled off from the internet
[09:08]
<MichaelDaum> that's a very good outcome of the audit
is it possible for you to blog about this success story?
[09:09]
<jast> there are "internal terminals" in all departments which allow surfing but can't reach the corp network
I could, I suppose... but I think the customer doesn't want to be mentioned by name
[09:09]
<MichaelDaum> they are damn right
... to restrict internet access
[09:09]
<jast> similarly, we don't have remote access to the wiki server, and the wiki server is not connected to the internet either
makes upgrades fun :)
[09:10]
<MichaelDaum> a friend of mine just hacked chrome using 3 new exploits and earned $30k . [09:10]
<jast> cool [09:10]
<MichaelDaum> it was the highest reward paid by google so far [09:11]
<jast> reminds me... I'm gonna raise the issue of wrapping up the SafeWikiPlugin release in our next meeting
gotta spend a couple hours going through its docs and code comments and such
[09:11]
<MichaelDaum> please also mention writing up some open source success story
it really would be nice to get some more coverage of foswiki of that kind
[09:11]
<jast> will do. I suppose it would be okay to mention modell aachen...? :) [09:12]
<MichaelDaum> of course
the only thing I beg for is that it is mentioning Foswiki in the headline
not q.wiki
[09:12]
<jast> of course [09:12]
<MichaelDaum> :/ [09:12]
<jast> the interest in Q.Wiki is rather restricted to a specific domain... the foswiki blog would be the wrong place for focusing on that aspect
and, well, it's just basic common sense to talk about foswiki on the foswiki blog :)
[09:13]
<MichaelDaum> modell aachen not mentioning q.wiki is built on foswiki is a pity. [09:14]
<jast> we do mention that, I'm fairly sure [09:15]
<MichaelDaum> nope [09:15]
<jast> in all of our presentations, definitely
hang on
[09:15]
<MichaelDaum> it once was mentioned on http://www.modell-aachen.de/open-source according to google's cache [09:16]
<jast> right, the website rewrite apparently lost that piece of information
I'm going to bring that up, too
[09:16]
<MichaelDaum> the only notion is in one pdf on the site [09:17]
<jast> ack, our internal wiki is down
I'll have to write it down on _paper_. crazy!
apparently one of the host servers for our VMs has gone away
[09:17]
<MichaelDaum> and then modell aachen should publish q.wiki sources ... as a consequence of being based on gpl'ed software.
just to put my fingers into the wounds
[09:19]
<CDot> software based on GPL software doesn't have to be published. That's up to the authors. [09:21]
<jast> yeah, legally we're in the clear, of course
it's just that our code is often fairly specific and fairly messy, too
[09:21]
<CDot> CDot had noticed >:-) [09:21]
<jast> we do try to contribute back reasonably general code [09:21]
<CDot> sure, and the most important thing - bugfixes [09:22]
<jast> CKEditorPlugin, for instance, would be great to contribute back [09:22]
<CDot> everyone benefits from those [09:22]
<jast> but we have added a lot of dialogs tailored towards Q.Wiki
and there is no equivalent in the vanilla CKEditor
we do contribute back bugfixes whenever possible
I don't think we're sitting on any right now
definitely nothing in foswiki core, because we don't deploy a patched core anywhere
except for a few things that have been in trunk for a long time already
[09:22]
<MichaelDaum> you should patch TablePlugin memory-leaking [09:25]
<jast> I've heard TablePlugin is... interesting to debug [09:26]
<MichaelDaum> CDot, oh gpl'ed software has indeed to be published if somebody asks for the code. [09:26]
<jast> nope [09:27]
<CDot> no. If someone asks for the code you have to supply it. You do *not* have to publish it. [09:27]
<jast> preface for explanation: I'm not a lawyer and this is not legal advice :)
when I distribute a non-source version, I have to give that same person the source version upon request
when I'm not giving you *anything* in the first place, I don't have to give you the source either
OTOH, if our customers wanted to, *they* could publish our source code
[09:27]
<CDot> correct. And when you supply the source to them, you can make a reasonable charge for doing so. [09:33]
<jast> if you want a license that forces people to publish their changes, check out the MPL
personally I find that a bit extreme
[09:35]
........ (idle for 39mn)
<MichaelDaum> CDot, do you know of any pgp key management browser plugin accessible via javascript?
or any other client certificate
[10:14]
<CDot> commercial or free? [10:14]
<MichaelDaum> so things can be de/encrypted clientside
for a password formfield or so
free preferably
there are two or three but all bound to web mailers
[10:14]
<CDot> I did find and tried several, but never found one that actually worked :-( [10:15]
<MichaelDaum> ya [10:15]
<CDot> this is some time ago (years) so they may be better now [10:15]
<MichaelDaum> so the easier way would be to encrypt before storing on the serverside using a private server key
just a formfield or so
[10:16]
<CDot> y, it's an obvious thing to do
question you have to ask is "why bother". if the communication is over SSL, then encryption buys you nothing
[10:17]
<MichaelDaum> I was pondering the wallet idea
store a bunch of passwords to be used by the server on behalf of the user
[10:18]
<CDot> hmmmm [10:18]
<MichaelDaum> for instance to solr-index an imap folder [10:18]
<CDot> so you want the PW's on the *server* to be stored encrypted? Using a key that the *server* doesn't know? [10:19]
<MichaelDaum> or to just keep my passwords docu'ed securely
using a private server key
there are two use cases:
(1) save a password only the server can unlock ever
(2) save a password that the user can unlock whenever he has got edit rights on the topic storing them
[10:19]
<CDot> ok. So case (1) is trivial - and possibly pointless, as if the server is compromised then so is the password store [10:21]
<jast> if the server can unlock, there's no need to store it in encrypted form on the server (given a database not directly accessible from the internet)
and I'd generally be wary of making sensitive data public, *even if* it's encrypted
[10:22]
<CDot> case (2) is more interesting. The key becomes part of their session. [10:22]
<MichaelDaum> when the server can't unlock a password as required in (1), then it won't be able to use it to access an imap folder [10:23]
<jast> I think the point is that it's not useful to require unlocking in the first place if the server can do the unlocking itself [10:24]
<CDot> but as jast says, why bother encrypting the passwords? [10:24]
<MichaelDaum> it is more about the user to store a passwd once and never be able to get it back in cleartext even though stored in a formfield [10:24]
<jast> essentially you're just obfuscating the passwords
and, as I said, I wouldn't put an encrypted password in a place where other people can look at the encrypted form
at least not if I can help it
[10:24]
<MichaelDaum> they'd only see the crypt text...what would they do with it [10:25]
<jast> collect a bunch and use crypto weaknesses to derive the crypto key, for instance
or get information about places that use the same password
no matter what you do, you leak some bits of information
that's what makes crypto Hard(tm) :)
[10:25]
<MichaelDaum> how could that be when the server uses an unknown private key to lock them [10:26]
<CDot> I'm not sure why the browser needs to do any crypt. If a user enters a PW in a formfield, it is only communicated to the server in plain once. After that, some abstract token identifies the password to the browser.
when combined with the user id/authenticated session, the server can open the PW store and get the PW for that token.
[10:26]
<jast> browser-side encryption is only useful if the server never gets the private key
(TLS is useful, too, of course)
[10:27]
<MichaelDaum> browser-side encryption makes a hell of a sense [10:27]
<jast> yes, but not if the server can decrypt anyway [10:27]
<CDot> not sure how, if you have TLS. [10:28]
<MichaelDaum> however nobody but the same user could decrypt ever [10:28]
<jast> then it's only end-to-end security, and TLS already does that [10:28]
<MichaelDaum> okay so instead of storing the crypt text into a password formfield, it would only be an index into a crypt-text collection [10:29]
<CDot> right [10:29]
<MichaelDaum> makes sense [10:29]
<jast> generally, storing decryptable passwords anywhere that can be compromised is risky
this is why oauth (at least v1) is really a pretty good idea
[10:29]
<MichaelDaum> ssl keys being passphrased help [10:30]
<jast> it's based on revokable access tokens [10:30]
<CDot> the bit that troubles me is the initial "password in plain" transaction [10:30]
<jast> that's what TLS is for [10:30]
<MichaelDaum> ... was going to say [10:30]
<CDot> it's a small attack surface, but highly vulnerable to phishing. [10:31]
<jast> relies on non-broken CAs, of course
(which is utopic)
*utopian
[10:31]
<CDot> there are non-broken CAs? Where? I want one! (Free, of course ;-) [10:31]
<jast> curse you, foreign languages [10:31]
<MichaelDaum> cus people click away certificate warnings all the time [10:32]
<CDot> yup [10:32]
<jast> CDot: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
oh wait, you want free
[10:32]
<MichaelDaum> they are fighting back these kinds of modal dialogs all of the time [10:32]
<jast> for free ones, check out https://bugzilla.mozilla.org/show_bug.cgi?id=233458
(also startssl gives out actual free certs)
[10:33]
<MichaelDaum> http://www.cacert.org/ [10:33]
<jast> cacert is still not included in many browsers
but startssl is
the IE cert error page is kind of cool in that
[10:33]
<MichaelDaum> I had lots of problems with startssl [10:34]
<jast> there's a green check mark next to "go away" and a red cross next to "load this insecure page anyway"
nice trick
startssl works fine for me
what issues did you have?
[10:34]
<MichaelDaum> forgotten [10:35]
<jast> right [10:35]
<MichaelDaum> since cacert is on I haven't had any probs [10:35]
<jast> the way they structured CNs and subject alternative names didn't work with what is now debian oldstable
apart from that everything is fine
[10:36]
<MichaelDaum> ah now I remember why startssl didn't work out: wildcard domains [10:36]
<jast> actually I think the issue was in what was called debian oldstable until a week ago :}
yeah, wildcard certs aren't free with startssl
that is, you need to get your identity verified for them... the certs themselves are free
[10:36]
<MichaelDaum> but in cacert they are
free
[10:37]
<jast> and cacert is still not in most root CA stores [10:37]
<MichaelDaum> interesting to read why [10:38]
<jast> the reasons are stupid for the most part [10:38]
<MichaelDaum> yep [10:38]
<jast> I bet CACert has a better verification process than some commercial CAs [10:38]
<MichaelDaum> oh not stupid. just greedy.
CDot, thanks for your input on passwd formfields. will follow your suggestion.
[10:38]
<CDot> yrw [10:40]
............. (idle for 1h1mn)
***Babar sets mode: +v WikiRingBot
Babar sets mode: +oo Colas uebera||
[11:41]
........................................................... (idle for 4h53mn)
ChanServ sets mode: +o CDot [16:34]
.... (idle for 19mn)
<foswiki_irc4> Can anybody tell me what is wrong with this SEARCH? Need to extract the 1st column from a 2-column table
%SEARCH{text="\|[^\|]*\|[^\|]*\|" topic="CountryCode" type="regex" nonoise="on" multiple="on" separator="," format="$pattern(^\|\s*(\w+)\s*\|.*)"}%
[16:53]
.................. (idle for 1h26mn)
<foswiki_irc3> hi guys, in the data forms, is the "select+value" broken or do I only badly understand how it works? In my form I have | Code | select+values | 1 | one=1, two=2, three=3 | Code | | it displays a nice select pulldown with one,two,three but doesn't save the VALUE (not saved 1,2,3 but the one,two,three... PLEASE HELP - I'm trying for nearly two hours to solve this... ;(
basically I need the form to "somewhat" display a select pulldown with one,two,three but want to SAVE the corresponding selected VALUE, so 1,2 or 3...
[18:19]
<jast> what version of foswiki are you using? [18:21]
<foswiki_irc3> 1.1.5 [18:21]
<jast> that's weird, because it works fine for me in 1.1.5 [18:22]
<foswiki_irc3> hm... have no idea what is wrong with my installation. ;( [18:23]
<jast> the only difference I can see to my form definitions is that I leave the 'size' field empty [18:25]
<foswiki_irc3> sec - going to check [18:25]
<jast> shouldn't really make a difference though :) [18:26]
<foswiki_irc3> no, it was my stupidity - but YOU helped me at least with "working for me" ;) - it was enough to check the RAW file - here is really the code, only in the VIEW showing the name and not the value ;) so IT IS WORKING - sorry for the disturbance - only needed to add raw=debug to the url to show the SAVED values ;) [18:29]
<jast> ah, right
phew :)
[18:29]
<foswiki_irc3> sorry - and thank you :) [18:29]
<jast> that's okay... still better than obscure bugs in foswiki ;) [18:29]
<foswiki_irc3> ;) ;) foswiki is great - only sometimes a bit cryptic ;) [18:30]
........... (idle for 53mn)
***ChanServ sets mode: +o gac410 [19:23]
