26 Nov 2014, 09:30

Around the Web - November 2014

DNS

HTTPS

MySQL

HTML5/CSS/Responsive Web Design

  • 7 CSS units you may not know about: rem, vh, vm, vmin, vmax, ex and ch. I did not know the latter two. Some more examples for vh/vm and vmin/vmax.
  • About rem and em more specifically: if you want to move from a fixed approach (i.e. pixels) to a more fluid/adaptive one (em/rem), you should read this article and then this one, which explain the issue with pixels and the new way to manage it. You can also use em/rem for positioning content; em/rem are not only about text.
  • 5 obsolete features in HTML5: the hgroup tag, the pubdate and scope attributes, the command and center elements. With the right way to implement them and/or some workarounds if you still need them.
  • RWD adoption 2014: the top 100/1,000/10,000 sites are evaluated, from to what extent RWD is implemented to mobile site vs RWD benchmarks in terms of performance.
  • 6 technologies that will change the web platform: asm.js, paralleljs, ECMAScript 6, web components, installable webapps, CSS Grid layout.
  • The state of Web Animation 2014: between the post-Flash era and the Web Animation API to be implemented in all browsers, a review of current challenges and polyfills to bring animations into browsers. The comments are also worth reading for more resources.
  • If you are interested in a book about RWD, the latest book from A Book Apart may interest you: Responsible Responsive Web Design (related review).

Browser

Web Performance

  • The M6 Tech team wrote up their participation in Velocity conf (day 1, day 2, day 3), a web performance oriented conference. Even if their summary is in French, the related slides and videos are in English. You can also find the 2013 write-up (day 1, day 2, day 3).

AngularJS

React (Facebook)

  • React through the ages: an interesting introduction (from its origin to what's coming) to React, a JS library for building user interfaces.

12 Nov 2014, 11:15

HTTPS Certificates : some changes in the coming months

When a certificate is issued, the certification authority signs it, and that signature relies on a hash algorithm. One of these algorithms, "SHA-1", was declared weak some months ago.

As a consequence :

  • Certificates should be signed using SHA-2 instead of SHA-1
  • Major browsers will progressively drop support for SHA-1 certificates, lowering the security indicator step by step until they treat such certificates as untrusted.
  • There are some incompatibility issues, mainly with Windows XP, which does not support SHA-2 ; so as Microsoft no longer supports Windows XP and unless you are in China, you should be safe :-)

You can test your certificate, for example with SSL Labs or Shaaaaaaaaaaaa (a dedicated site on the topic).

So the action plan could be :

  1. Test your site to check whether you use SHA-1 certificates or not
  2. Depending on your audience, define a migration strategy depending on
    1. The expiration date of your certificates ; it may change the behaviour on the browsers' side ; more details in the Chrome/Firefox timeline mentioned above
    2. The browsers' roadmap
  3. Don't forget to update the whole certificate chain, i.e. get your new SHA-2 signed certificate but also the intermediate and root certificates from your certification authority. You can mix both (SHA-2 certificate with SHA-1 authority certificates) but it's better to have a full SHA-2 certificate chain ; note that browsers do not verify the self-signature of a trusted root, so the intermediate certificate is the one that matters most.
  4. Migrate to SHA-2

25 Sep 2014, 21:49

SSL: SHA-2 for more secure certificates

While discussing SSL certificates with @nhoizey, @vr pointed out to me that Gandi and StartSSL (and others) were generating certificates signed with SHA-1 and that this was "bad" because that algorithm is considered "weak".

I then remembered that I had generated my certificate with SHA-2. However, when testing, it turned out that part of the certification chain was still SHA-1 even though my certificate was SHA-2.

Listening only to my post-dinner courage, I went back through the nginx certificate installation procedure provided by StartSSL and then adapted it to use SHA-2 certificates.

Instead of:

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/conf/ssl-unified.crt

you have to run:

wget http://www.startssl.com/certs/ca-sha2.pem
wget http://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
cat ssl.crt sub.class2.server.sha2.ca.pem ca-sha2.pem > /etc/nginx/conf/ssl-unified.crt

Of course this requires that your ssl.crt file already be SHA-2; if it is SHA-1, you need to generate a new one, with any revocation/renewal fees that may apply.

Restart nginx, run the test again and you're done :)

So if you generate certificates, check the options of your certification authority; apparently StartSSL issues SHA-2 by default for new certificates, as indicated on the site providing the test; for Gandi, it is in development.
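As an added example (not the post's own code, nor StartSSL's or nginx's), this Python script audits a concatenated PEM bundle such as the ssl-unified.crt built above and reports the signature algorithm of every certificate in it: the check behind step 1 of the action plan in the 12 Nov post and the chain test described in this one. It reads only the outer AlgorithmIdentifier of each DER certificate, and the bundle it ships with is constructed from stand-in certificates that carry a real AlgorithmIdentifier but nothing else.

```python
import base64, re

SIG_OIDS = {  # RFC 3279 / 4055 / 5758 OIDs, named as openssl prints them
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_str(raw):
    """Decode a DER OBJECT IDENTIFIER payload into dotted form."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of Certificate ::= SEQUENCE {tbs, sigAlg, sigValue}."""
    _, start, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)              # tbsCertificate is skipped entirely
    _, alg_start, _ = _tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = _tlv(der, alg_start)  # its OBJECT IDENTIFIER
    oid = _oid_to_str(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def audit_bundle(pem_text):
    """For each cert in a PEM bundle (e.g. ssl-unified.crt) return (index, algorithm, is_sha1)."""
    results = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        alg = signature_algorithm(base64.b64decode("".join(b64.split())))
        results.append((i, alg, "sha1" in alg.lower()))
    return results

def _der(tag, payload):  # tiny short-form DER encoder, used only to build the constructed sample
    return bytes([tag, len(payload)]) + payload

def fake_cert_pem(oid_hex):
    """Constructed stand-in (NOT a valid X.509 cert): empty TBS, real AlgorithmIdentifier, empty signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    cert = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

# Constructed ssl-unified.crt: a SHA-2 leaf followed by a SHA-1 intermediate and root, the case found in the post.
SAMPLE_BUNDLE = fake_cert_pem("2a864886f70d01010b") + 2 * fake_cert_pem("2a864886f70d010105")
```

Run `audit_bundle(open("/etc/nginx/conf/ssl-unified.crt").read())` on a real bundle; any entry with `is_sha1` set is a certificate to replace.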

25 Sep 2013, 09:30

Once upon a time : Internet (a ConfsFR initiative)

First I apologise to my English readers, but these are French-only resources, which are nonetheless worth mentioning.

So the ConfsFR initiative aims to explain and help people understand how the Internet works ; two sessions have taken place since early September : the first one was about DNS and the second one about SSL/TLS, and each was presented by brilliant people on their subject. I don't know to what extent it is accessible to novices, but if you have some technical background or some knowledge of these topics, you will learn a lot.

On the site, you will find links to the slides, to the video recording of the session, etc. For videos, you can watch them on the dedicated channel (the site is not yet updated).

If you can't attend the next conference, it may be broadcast when the event is held at "La Cantine" (a co-working place in Paris). That's how I managed to watch most of the SSL/TLS session.

[Edit 1] Resources were added for :

19 Jun 2013, 23:13

Firefox 23 to block by default Mixed Active Content

What is the issue ?

A few definitions to start with :

  • Mixed content is when an https page loads some content from an http one. The consequence is that the whole page is no longer protected by encryption and that the http part could be used for a man-in-the-middle attack or to inject malicious code.
  • Mixed passive content (aka Mixed Display Content) : content that cannot alter your page beyond the portion of the page in which it is rendered ; think of images, video, audio and similar content. It is called passive because loading it does not change the behaviour of the page.
  • Mixed active content (aka Mixed Script Content) : this content, on the contrary, has the ability to change the way the page is rendered and thus potentially to get data from the user. It covers Javascript, CSS files, XHR requests (ajax), iframes and fonts.

So from Firefox 23, only Mixed Active Content will be blocked by default and reported to the user, who may then choose to load the blocked content. Mixed passive content will still be allowed.

How can I test it ?

You can test before Firefox 23 is released by going to about:config => accept the warning ("I'll be careful, I promise!") => set "security.mixed_content.block_active_content" to true

You can also see it with the dev tools : you may see some [MIXED CONTENT] warnings in the web console.

How are you impacted, you may ask ?

So if your site uses https urls, you definitely have to run some tests to check whether you have some mixed content and fix it, especially if you have mixed active content.
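As an added example (not from the post or from Mozilla), the Python scanner below applies the definitions above to a page's HTML: it resolves every sub-resource URL against the page URL, reports those that would be fetched over plain http, and splits them into the active content Firefox 23 blocks and the passive content it still loads. The sample page and hostnames are constructed; the tag classification is an assumption drawn from the post's lists.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Classification follows the post's definitions: active content can alter the page or reach user data,
# passive content only fills the box it is rendered in. Maps tag -> attribute carrying the sub-resource URL.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect sub-resources of an HTTPS page that would be fetched over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are active; icons and preloads are not classified here
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        ref = attrs.get(ACTIVE.get(tag) or PASSIVE.get(tag, "")) if kind else None
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # "//cdn/..." and relative paths inherit the page's https scheme
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return every mixed-content sub-resource found in html, tagged active or passive."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings

def blocked_in_firefox23(findings):
    """The subset Firefox 23 blocks by default: active content only; passive content still loads."""
    return [f for f in findings if f[0] == "active"]

# Constructed sample page, assumed to be served from https://www.example.test/page (no real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/img/local.png">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://www.example.test/page", SAMPLE_HTML):
        print("[MIXED CONTENT] %-7s <%s> %s" % (kind, tag, url))
```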

Regarding Firefox Release

  • Current stable release is Firefox 21
  • Firefox 22 is to be released on 24th June
  • No date yet for Firefox 23, but I think it will be in Q3

Source