[ciphershed] Re: Website & publicity

  • From: "Alain Forget" <aforget@xxxxxxx>
  • To: <ciphershed@xxxxxxxxxxxxx>
  • Date: Wed, 18 Jun 2014 12:10:26 -0400

Right, but we wouldn't want our website to introduce any client-side 
vulnerabilities to any users visiting us. However, particularly since we're not 
hosting any third-party content on our website, I admit that I can't think of 
how a basic use of JavaScript could introduce a vulnerability. Still, just 
because I can't think of any vulnerabilities doesn't mean they couldn't exist. 

In any case, perhaps it's such a low-likelihood and low-risk situation that we 
needn't worry too much, unless anyone else is concerned?


-----Original Message-----
From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:ciphershed-bounce@xxxxxxxxxxxxx] 
On Behalf Of Rocki Hack
Sent: Wednesday, June 18, 2014 12:02
To: ciphershed@xxxxxxxxxxxxx
Subject: [ciphershed] Re: Website & publicity

It's javascript not java and it's running in the clients browser.

On server side everything is static html, thus secure as your webserver (apache 
/ lighttpd / nginx).

2014-06-18 17:57 GMT+02:00 Alain Forget <aforget@xxxxxxx>:

        Oooo, neat! I'm happy with the functionality bootstrap.js appears to 
give us, if we're comfortable with its security.
        I'm not sure how easy/hard this would be or if it would be overkill, 
but I wonder if it would be easy to use it with OWASP's Enterprise Security 
API: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API  I 
suspect that if it wasn't inherently build with ESAPI, Bootstrap.js would 
essentially need a fork to use ESAPI, which I think is could be another whole 

        -----Original Message-----
        From: ciphershed-bounce@xxxxxxxxxxxxx 
[mailto:ciphershed-bounce@xxxxxxxxxxxxx] On Behalf Of Rocki Hack
        Sent: Wednesday, June 18, 2014 11:44
        To: ciphershed@xxxxxxxxxxxxx
        Subject: [ciphershed] Re: Website & publicity
        You could use bootstrap.js. It's pure "meta" html and it makes the 
website "responsive" to your viewing device.
        Look at the examples: http://getbootstrap.com/getting-started/#examples
        2014-06-18 17:35 GMT+02:00 Alain Forget <aforget@xxxxxxx>:
                Nice; overall, I like it. Clean, simple, and straightforward. 
We can get fancier/prettier if there's ever someone with the skills, desire, 
and time to do so.
                A few suggestions:
                * Regarding the Home, News, Download, About, Wiki, Forum links:
                ** They should be left-aligned instead of right-aligned
                ** The About link should either be the left-most, second 
left-most (if we keep the Home link), or right-most link.
                * I would change the text to something like:
                CipherShed is completely free data encryption software for 
keeping your data secure and private. Learn how to use CipherShed. [Make the 
aforementioned sentence a link to the Truecrypt User Guide documentation, our 
wiki, or whatever will most quickly and easily/painlessly show users what 
CipherShed is and how to use it. It would be ideal if we could rebrand and 
re-publish the TrueCrypt User Guide from v.7.1a]
                CipherShed is available for Windows, Mac, and Linux. [I 
deliberately ordered them like this because I think (but may be wrong) that 
this is most common, and ordered by overall OS market share]
                The CipherShed project is open-source, which means everyone is 
encouraged to examine how it works and contribute new ideas and improvments. We 
believe greater participation leads to greater security and usability for 
everyone. To get involved, check out our mailing list, forum, source code [link 
to github], or come chat on IRC.
                For more information about the CipherShed project, please visit 
our Wiki.
                Hm, good point, Stephen. Niklas, how hard do you think it would 
be for us to have a nicely-stylised page like your screenshot without WordPress?
                -----Original Message-----
                From: ciphershed-bounce@xxxxxxxxxxxxx 
[mailto:ciphershed-bounce@xxxxxxxxxxxxx] On Behalf Of Stephen R Guglielmo
                Sent: Wednesday, June 18, 2014 11:32
                To: ciphershed@xxxxxxxxxxxxx
                Subject: [ciphershed] Re: Website & publicity
                On Wed, Jun 18, 2014 at 12:23 AM, Niklas Lemcke - 林樂寬
                <compul@xxxxxxxxxxxxxx> wrote:
                > I did a quick "proof of concept" kind of page, which is only 
                > locally so far. here's a screen:
                > https://ciphershed.org/moin_static197/wp_screen_01.png
                > I believe that looks far more professional and inviting. It 
runs on WP,
                > so others can edit, write new status updates, update download 
links etc.
                I think that looks good.
                I'm sort of concerned about security running both a big PHP 
                (WordPress) and a Python app (MoinMoin). Both WordPress [1] and 
                [2] itself have had a history of security issues. I'm not as 
                with MoinMoin/Python, but looking at their site [3], they have a
                history too.
                [1] https://en.wikipedia.org/wiki/WordPress#Vulnerabilities
                [2] https://en.wikipedia.org/wiki/PHP#Security
                [3] http://moinmo.in/SecurityFixes
                I dunno, we're supposed to be sticking with a "KISS" 
philosophy. It
                makes me feel like we should be using plain old .html files 
                with vi. The more complicated things are, the more things that 
can go

Other related posts: