#indiewebcamp 2014-09-02

2014-09-02 UTC
mdik and pbeaulieu joined the channel
#
KartikPrabhu
rascul: until about 2 days back I could still use it through pidgin
Nabil and lukebrooker joined the channel
#
techlifeweb.com
edited /WordPress (+201) "/* Other independents using it on their primary site */"
lukebrooker and lukebrooker_ joined the channel
#
techlifeweb.com
edited /User:Techlifeweb.com (+138) "/* Sites */"
techlifeweb joined the channel
#
techlifeweb
KartikPrabhu: I was able to log on to GTalk via Pidgin just now
gRegor`, crossdiver, JonathanNeal and paultibbetts joined the channel
#
mko
!tell kylewm Your site is 502'ing.
#
Loqi
Ok, I'll tell them that when I see them next
fmarier, KartikPrabhu, j12t and KartikPrabhu1 joined the channel
#
kylewm
thx mko, seeking wifi
#
Loqi
kylewm: mko left you a message 1 hour ago: Your site is 502'ing.
#
mko
kylewm: No worries. Was starting my Like implementation and noticed your site was down while perusing Like examples.
#
kylewm
KartikPrabhu: I'm still able to connect to google talk through pidgin
#
mko
KartikPrabhu: And I'm on Google Talk (or "Hangouts") via Jabber on Adium.
wolftune, colintedford, crossdiver, KartikPrabhu, ScruffyDan, snarfed, irdan and tantek joined the channel
#
tantek
Loqi, any messages?
#
tantek
s/any/any !tell
#
Loqi
tantek meant to say: Loqi, any !tell messages?
#
tantek
apparently not.
tecgirl and friedcell joined the channel
#
tantek
good night!
#
Loqi
goodnight!
glennjones, crossdiver, ShaneHudson, plieuse and alanpearce joined the channel
#
neuro`
Good morning #indiewebcamp
petermolnar, carlo_au, krendil and friedcell joined the channel
Sebastien-L and fofr joined the channel
#
petermolnar
hi all, question about the upcoming UK event: I've over calculated my spare time a bit and it seems I could only join for Saturday. Would it be an issue if I cannot join on Sunday?
#
Loqi
petermolnar: GWG left you a message on 8/15 at 12:25pm: I have a question for you about your full page cache plugin
#
petermolnar
!tell GWG I was out for vacation, please poke me about wp-ffpc any time
#
Loqi
Ok, I'll tell them that when I see them next
#
petermolnar.eu
edited /2014/UK/Guest_List (-59) "/* Volunteers */"
alanpear_, wagle, friedcell and pbeaulieu joined the channel
#
tommorris
petermolnar: nope, turning up for Saturday only is fine. ;-)
#
tommorris
is excited about IWCUK
#
tommorris
Hotel booked. And not only that, I also defrosted my freezer. I am beginning to suck less at life. ;-)
#
petermolnar
ok, thank you :)
alanpearce, adactio, Sebastien-L, friedcell, squeakytoy, tantek, glennjones, scor and Nadreck joined the channel
#
tantek.com
edited /https (+731) "/* Level 2 security */ added instructions for https-only just for your admin UI (e.g. with self-signed cert), which I first tested by deploying to my own site"
alanpearce and wolftune joined the channel
#
sammachin.com
edited /2014/UK/Guest_List (+168) "/* Participants */"
#
@sammachin
Thankfully have arranged a few days off to sort out aftermath of @emfcamp and prepare for @dconstruct and @indiewebcampuk this weekend.
(twitter.com/_/status/506802430399750145)
friedcell, ScruffyDan, Sebastien-L, barnabywalters, brianloveswords, adactio, mdik, eschnou and gRegor` joined the channel
#
@Uebyn
@techlifeweb Yeah but with Tumblr I still dun own my own content. #indieweb is gr8 but still takes quite a bit of work compared to silos.
(twitter.com/_/status/506819382522032128)
#
GWG
Oh, petermolnar is back
#
Loqi
GWG: petermolnar left you a message 5 hours, 33 minutes ago: I was out for vacation, please poke me about wp-ffpc any time
#
GWG
petermolnar: I did.
#
GWG
pokes petermolnar
#
petermolnar
yep, I'm here, just working meanwhile :)
#
GWG
petermolnar: Nice to have you back.
#
petermolnar
thanks, how can I help with wp-ffpc?
#
petermolnar
ah, ok, the mail
#
petermolnar
I remember now
#
@ShaneHudson
@johnoxtonking Absolutely agree. You should pop down to @IndieWebCampUK this weekend :)
(twitter.com/_/status/506827047776583680)
#
petermolnar
I have no idea so far what's causing it, I'll definitely take a closer look
#
barnabywalters
okay, who thought it was a good idea to subscribe to http://shrewdness.waterpigs.co.uk/test/?url=https://kartikprabhu.com/notes/ *in shrewdness*? :P
#
kylewm
hahaha
#
Loqi
hehe
#
aaronpk
good morning!
#
barnabywalters
morning kylewm, aaronpk!
#
petermolnar
good morning
#
kylewm
although that gives me an idea...
#
kylewm
good morning barnaby :)
ShaneHudson joined the channel
#
barnabywalters
just been improving the way shrewdness (and taproot/subscriptions) subscribes to non-PuSH-enabled content, to reduce server load (and load on my wallet)
#
barnabywalters
kylewm: you’re not going to try to create a recursive subscription now are you?
#
petermolnar
GWG so far I was not able to reproduce the draft saving issue with wp-ffpc, could you please give me a few more details about your wordpress setup & the backend?
#
GWG
petermolnar: I also found it wasn't necessarily beating fastcgi_cache on a tmpfs in page serving
#
kylewm
barnabywalters: nooo not that devious! i subscribed to http://indiewebcamp.com/irc/today to see if it would show up in search results
#
GWG
petermolnar: But that is unrelated.
#
barnabywalters
oh wow ha ha okay
#
barnabywalters
this could have entertaining results
#
aaronpk
I'm gonna have to set up the PuSH thing for the IRC logs again aren't i
#
petermolnar
GWG: fastcgi_cache on a tmpfs is an insanely fast thing, as it is in-memory and nginx built-in thing, no network connection to anywhere, I do not expect a mere WP plugin to be faster than a C code :)
#
barnabywalters
aaronpk: well by default I just fall back to superfeedr subscriptions, but I also encourage you to set up PuSH 0.4 (the new, good variety) and will help if I can
#
barnabywalters
basically: add two link elements to the page, then send a HTTP request whenever the content updates
#
@benwerd
Visions of Known: an awesome convergence of thought between #edtech and #indieweb http://bavatuesdays.com/visions-of-known/
(twitter.com/_/status/506830799375593472)
#
aaronpk
barnabywalters: is there a hub we can use? or should I set one up
#
GWG
petermolnar: I did want to test it though. I thought maybe direct nginx memcache serving could beat fastcgi serving
#
barnabywalters
I’d like to write a PHP one though, in the same style as taproot/authentication or taproot/subscriptions so it can either be set up on its own or bolted onto an existing application
#
aaronpk
yeah totally
#
aaronpk
i'd be up for that
#
barnabywalters
actually maybe I’ll just add it to taproot/subscriptions
#
barnabywalters
as taproot/authentication already serves double duty as indieauth client/resource provider
#
aaronpk
I think a hub should be its own thing
#
kylewm
I was getting SSL errors from Superfeedr recently and disabled PuSH, need to try turning it back on...
#
barnabywalters
Superfeedr’s been having a bunch of load balancer problems recently but they’re sorted now
Sebastien-L joined the channel
#
kylewm
nice, looks like it worked. my favorite kind of bug
friedcell joined the channel
#
barnabywalters
kylewm: the IWC IRC log subscription? cool!
tantek joined the channel
#
kylewm
barnabywalters: oh oops no, I turned push back on for kylewm.superfeedr.com. haven't seen anything come through for irc yet
#
barnabywalters
I just resubscribed to a bunch of stuff with fragment subscriptions and am not sure if they’re working properly
#
kylewm
ah interesting, IRC doesn't work because it sends plain-text when the user-agent is curl
#
aaronpk
haha yeah
#
barnabywalters
oh yeah I remember that now
#
barnabywalters
I’ll set a proper Accept: header
#
aaronpk
hm not sure I'm looking at the accept header. let me check.
npdoty joined the channel
#
barnabywalters
kylewm: what resources on your site are PuSH-supported? ATOM feeds? I’m not seeing rel=self and rel=hub links on your HTML feed pages
#
kylewm
err, what's rel=self?
#
kylewm
thanks for pointing that out, I think rel=hub didn't make it into my new theme
#
kylewm
oh I see rel=hub is in the Atom feeds, yes
#
barnabywalters
so to make an arbitrary resource PuSH 0.4 enabled requires two <link> elements or HTTP headers: rel=self to the canonical URL of the current page, and rel=hub to the hub used for subscriptions
#
kylewm
barnabywalters: and shrewdness will use those if the normal h-feeds have them?
#
tantek
ooh - is someone here actually consuming PuSH updates?
#
barnabywalters
yep, shrewdness will attempt to subscribe at the designated hub, falling back to using superfeedr’s polling service
#
tantek
is there any indicator in the UI that it is seeing PuSH updates directly from the source (rather than superfeedr) ?
#
barnabywalters
tantek: yep, shrewdness has supported it from the beginning, and I open sourced the library for it which takes about 3 lines of code to set up: https://github.com/taproot/subscriptions
#
tantek
i.e. I post PuSH notifications from tantek.com but ever since status.net went down I have no idea if anyone is consuming them
#
kylewm
ok that's awesome, right now I'm only sending PuSH notifications for Atom feeds, but I will add the h-feeds in ASAP
#
barnabywalters
tantek: your homepage doesn’t have link rel=self so doesn’t support PuSH 0.4 — it should be really easy to enable it though! just add the link element/header and send pings for your homepage
scor joined the channel
#
kylewm
btw, an embarrassing thing is when you meet julien51, and ask him a question about PuSH and he asks which hub you are using and you say pubsubhubub.appspot.com
#
barnabywalters
I would have thought he’d be happy about it — he genuinely cares about decentralisation
#
kylewm
I mean he didn't flip over the table or anything
#
kylewm
he just chuckled and said he couldn't help debug it then
#
kylewm
or rather couldn't look at the logs to see why it wasn't pinging IFTTT immediately
#
tantek
it shouldn't matter which hub you use
#
tantek
barnabywalters: why do I need rel=self?
#
barnabywalters
tantek: so that if someone subscribes to (for example) http://tantek.com/notes but you send pings to https://tantek.com/notes/ (note s and /), they’ll still get notified
#
barnabywalters
it makes sure that the subscribed-to URL and the pinged URL are the same
#
tantek
barnabywalters: that makes no sense as neither of those URLs are for real on my site
#
barnabywalters
it was an example
#
aaronpk
maybe the IRC logs are a better example?
#
tantek
I don't understand why tantek.com in particular needs a rel=self to *anything*
#
aaronpk
since there is no actual fixed URL for a feed
#
tantek
what's the use-case?
#
tantek
aaronpk - you mean someone's home page?
#
aaronpk
no I mean if you wanted to get PuSH updates from the IRC logs
#
aaronpk
http://indiewebcamp.com/irc/today is the URL you could subscribe to, but it's just a 301 redirect
#
tantek
I'm still trying to work out why barnabywalters is asking for a rel=self, and to where
#
barnabywalters
okay, how about this scenario:
#
tantek
(from the publisher)
#
aaronpk
that's what I mean, is the rel=self useful for the IRC log use case?
#
barnabywalters
* I publish updates to a URL at https://waterpigs.co.uk/
#
barnabywalters
* Someone visits http://waterpigs.co.uk/# (they got to the # URL by clicking my mobile nav-to-top button)
#
barnabywalters
* They copy+paste that URL into their feed reader to subscribe to it
#
tantek
so I have no such # links on my home page ok
#
barnabywalters
* If their feed reader subscribed to http://waterpigs.co.uk/# it doesn’t match the pinged URLs so they won’t get updates
#
barnabywalters
tantek: well, take it up with the PuSH developers or make a better version
#
tantek
servers by default are supposed to ignore #fragment part of URLs
#
barnabywalters
I have no particular interest in arguing about it right now
#
tantek
so that's a server error if it is treating http://waterpigs.co.uk/# differently
#
aaronpk
goes and reads the 0.4 spec
#
tantek
still waits for a use-case that justifies rel=self in the specific example of tantek.com
#
tantek
who are the PuSH developers?
#
tantek
what is the PuSH developers?
#
Loqi
It looks like we don't have a page for "the PuSH developers" yet. Would you like to create it? http://indiewebcamp.com/wiki/index.php?action=edit&title=the+PuSH+developers
#
aaronpk
looks like Brad Fitzpatrick, Brett Slatkin, Julien, and I don't know M. Atkins
tecgirl joined the channel
#
aaronpk
there's nothing in the spec indicating the motivations for the rel=self value
#
aaronpk
"The most common issue is that subscriber tend to subscribe to a url
#
aaronpk
that is not the "self" when feedburner only 'pings' the hub for the self
#
aaronpk
still not sure why that would be the case
#
tantek
isn't feedburner dead?
dysfun joined the channel
#
aaronpk
this was a post from Jan 2013
#
tantek
M. Atkins is Martin Atkins
#
tantek
who also worked on ActivityStreams
Sebastien-L joined the channel
#
tantek
anyway I can see a need for rel=canonical if someone gets a fudged version of a URL with ?wtm_blah whatever track crap on the end
#
tantek
but my point was if a subscriber subscribes to "tantek.com" then why does it need a rel=self to anywhere?
#
tantek
hopes barnabywalters can help simplify PuSH 0.4 from the publisher perspective.
#
tantek.com
edited /https (+122) "/* Level 2 security */ cite derivation of htaccess rules"
#
tantek
yeah this seems like dumb spec think. if there's no rel=self, why not just use the URL that is given? what am I missing?
#
tantek
why the extra work for no reason in the simple / default / obvious case that your home page is your feed?
#
aaronpk
I'm trying to figure that out because at first glance it seems unneeded
#
aaronpk
doesn't even need to be your home page, should just work with any URL
#
aaronpk
like if you wanted to subscribe to http://example.com/stuff/here?and=here why wouldn't that just work?
#
tantek
sure. I mean even for that thread. on your home page there is no case-sensitivity issue because the domain name is case-insensitive!
#
aaronpk
I bet it's legacy from atom
#
tantek
seriously tired of legacy spec over-engineering by architecture astronauts.
#
bear
use of rel="self" is used in Atom only within the feed's xml - to help identify which of the many links are for the feed itself
#
bear
it really doesn't have any atom specific use in html land
#
tantek
bear my point is that it should be *optional* in PuSH
#
bear
yep, just answering the atom piece :)
#
bear
PuSH may have it for the same reason it was added as a warning within Atom's validator - described here http://feedvalidator.org/docs/warning/MissingAtomSelfLink.html
#
bear
"According to the RSS Advisory Board's Best Practices Profile, identifying a feed's URL within the feed makes it more portable, self-contained, and easier to cache. For these reasons, a feed should contain an atom:link used for this purpose."
ShaneHudson and KartikPrabhu joined the channel
#
tantek
should != must. thus implementations must NOT require rel=self from a publisher.
paulcp and paulcp_ joined the channel
#
bear
I'm in complete agreement with you about rel=self being over-engineered cruft that we should actively disabuse folks from using
#
bear
it's just process noise and needs to be hacked out of daily use IMO
#
KartikPrabhu
morning people
paulcp and paulcp_ joined the channel
#
ben_thatmustbeme
morning KartikPrabhu
#
KartikPrabhu
hi ben_thatmustbeme how goes the fragmention experiments?
#
ben_thatmustbeme
i had some issues getting it worked out, i put it aside for now
#
ben_thatmustbeme
This is where i had been playing with it http://students.cs.uri.edu/~ben/break.html
#
ben_thatmustbeme
i was trying to do #id#start+of+text#end+of+text
#
KartikPrabhu
ben_thatmustbeme: the start end bit seems complicated
#
KartikPrabhu
and I'm not sure there is a use-case
#
KartikPrabhu
but the id examples are interesting
#
ben_thatmustbeme
yeah, i tried to force weird situations. the original idea for start and end was that you could cite exact phrases rather than it assuming the whole paragraph.
#
ben_thatmustbeme
The ability to get an exact sentence
#
ben_thatmustbeme
plus I figured with that format it falls back to ##something as a fragmention as previously defined
#
ben_thatmustbeme
it's just a blank ID (so search body tag) and no end text (so assume the entire parent entity)
npdoty, colintedford and jonathanfrei1 joined the channel
#
KartikPrabhu
I am quite concerned about Firefox accepting the + symbol in the id without encoding. Can't seem to find a definitive spec for URL fragments
#
bear
could the fragment be implied by what element the anchor is relative to?
#
bear
hmm, thinking about it - probably not because fragments could be pulled from inside of a long <p> item
#
KartikPrabhu
bear: as in?
#
bear
goes back to lurking
#
bear
I was thinking like how folks use <span/> to isolate items within <p/>
#
KartikPrabhu
bear: yes :) and that would be the most useful case.... linking to deep inside a <p>
#
bear
to avoid having to encode the start/stop in the url
tilgovi and hober joined the channel
#
KevinMarks
Why not just put the whole quote in the fragmention?
#
KevinMarks
I can see a desire to abbreviate the quote with ellipses
pauloppenheim joined the channel
#
KevinMarks
But I really can't see any case for combining with an id at all
bear and crossdiver joined the channel
#
tantek
KevinMarks: because shorter URLs work better
#
KevinMarks
Simpler urls work better too
#
tantek
simpler is arguable (what is simple?) whereas shorter is an objective metric
paulcp joined the channel
#
ShaneHudson
There may be a potential problem with the entire quote, especially if using a CMS. Not only do shorter work better but URLs do have a max char limit, which may be reached by accident with the entire quote
barnabywalters and gRegor` joined the channel
#
KevinMarks
Ok, so that gives a case for ellipses of some kind
#
ShaneHudson
As in wherefore..capulet to quote shakespeare? That would certainly make it shorter
mcepl, glennjones and smcgregor joined the channel
#
KevinMarks
I'm thinking about quoting practice. I use ellipses in tweeted quotes all the time
dysfun joined the channel
#
KevinMarks
And often in blog ones too
#
KevinMarks
There are conventions for this [] around rephrased words (usually replacing a pronoun with a noun), ellipses… for omitted words
#
ShaneHudson
Ah yeah, I do that quite often too now I think about it!
verdi, ShaneHudson, caseorganic, eschnou, TimAbraldes and fmarier joined the channel
#
@kevinmarks
The underlying truth of Norton's law of data seems very relevant today: https://twitter.com/kevinmarks/status/332556089310732291 #indieweb
(twitter.com/_/status/506887665946353664)
#
@rbonini
RT @kevinmarks: The underlying truth of Norton's law of data seems very relevant today: https://twitter.com/kevinmarks/status/332556089310732291 #indieweb
(twitter.com/_/status/506887722003603456)
#
@confusedgeek
RT @kevinmarks: The underlying truth of Norton's law of data seems very relevant today: https://twitter.com/kevinmarks/status/332556089310732291 #indieweb
(twitter.com/_/status/506887749220433920)
paulcp joined the channel
#
@bear
RT @kevinmarks: The underlying truth of Norton's law of data seems very relevant today: https://twitter.com/kevinmarks/status/332556089310732291 #indieweb
(twitter.com/_/status/506888020705169408)
glennjones joined the channel
#
ben_thatmustbeme
KevinMarks, I moved on from the ellipses in the fragmention because it could easily be in the text. i figure better to use something that should be encoded in the URL, thus the #start#stop
#
ben_thatmustbeme
the biggest issue i saw with using this type of fragmention is what happens if the start and stop are actually in different elements
#
barnabywalters
aaronpk: did you get anywhere with your turn-any-resource-into-an-image thing?
#
barnabywalters
I just raised https://github.com/barnabywalters/shrewdness/issues/28 and am wondering if there’s an existing solution I can plug and play
#
@ayirpelle
RT @kevinmarks: The underlying truth of Norton's law of data seems very relevant today: https://twitter.com/kevinmarks/status/332556089310732291 #indieweb
(twitter.com/_/status/506889251326136320)
KartikPrabhu and paulcp_ joined the channel
#
voxpelli
@barnabywalters Perhaps Embed.ly if you don't want code to host yourself?
petermolnar, glennjones_ and scor joined the channel
#
tantek
any https / apache / .htaccess experts in the house? looking for a quick review of: https://indiewebcamp.com/https#Level_2_security in particular that grey code block
#
ShaneHudson
I wouldn't call myself an expert, but it looks good to me
#
bear
it looks sane to me
#
bear
i'm curious if it would be better to point to /apache
#
bear
otherwise it will be crowded when the nginx bits are added
#
jonnybarnes
is aaronpk around?
#
jonnybarnes
wondering if he got my msg
#
ShaneHudson
I need to sort out SSL on my site, I bought the cert for the wrong domain (my primary .co.uk instead of my website's .net)
#
jonnybarnes
ooh, also, guys about https, check out https://shaaaaaaaaaaaaa.com/
krendil joined the channel
#
jonnybarnes
maybe we should add it to the wiki
#
bear
jonnybarnes - yes, that would be a great mention for https page
#
ShaneHudson
Not sure I trust that... "Nice. shanehudson.net is using a certificate signed with SHA-256, a form of SHA-2.", shanehudson.net doesn't have a cert at all
#
bear
ShaneHudson - your site is returning a cert for .co.uk
#
jonnybarnes
i'll open an issue on the github repo for that ShaneHudson
#
bear
I don't think it's an error
#
ShaneHudson
bear, that's correct. Or do you mean it is returning .co.uk for .net?
#
ShaneHudson
It shouldn't do that, since it isn't a wildcard (they cost a fortune)
#
bear
I typed in https://shanehudson.net and it returned a cert for *.co.uk
#
bear
the * part is me being lazy
#
ShaneHudson
It returns but the URL is not valid (due to not using a wildcard), so chrome moans
#
ShaneHudson
Explains why that site shows it as working though :) I think that can be classed as my fault! Cheers
#
bear
yea, I checked on safari - it shows bad CN's cleaner
#
bear
np - always glad to help debug ssl/site problems
snarfed joined the channel
#
snarfed.org
edited /https (+225) "/* Level 2 security */ tweak redirect details. redirecting alone still leaks cookies"
#
snarfed
tantek: yay https! made a minor tweak to the redirect language
#
bear.im
edited /https (+127) "add reference to https://shaaaaaaaaaaaaa.com"
#
tantek
snarfed, I don't understand the "MAY" part
#
tantek
nor how to do it for just the admin page/path
#
tantek
(shouldn't that be a SHOULD instead of a MAY?)
#
snarfed
HSTS is just an HTTP response header, you can definitely set it on a per path basis
#
snarfed
oh i see what you mean, since it applies to the domain…?
#
jonnybarnes.uk
edited /https (+18) "/* Production */ change jb.net to .uk, make sha... link more visible"
#
tantek
snarfed, right
#
tantek
this was specifically just for achieving Level 2
#
tantek
I'm both unsure what setting HSTS *does* for your admin page, nor how to.
#
snarfed
sure. i'm happy to drop the HSTS part. my main goal was to revise the language about leaking cookies, since the first request will often still leak credential cookies
#
snarfed
we can instead say explicitly to mark the login cookies with the secure flag, to achieve the same goal
#
snarfed
(should be obvious, but too many servers still don't)
#
tantek
ooh - how do we do that?
#
tantek
mark cookies with a secure flag?
#
snarfed
iirc ";secure" at the end of the set-cookie header
#
snarfed
i'll revise
#
bear
+1 to having SHOULD for secure cookies
brianloveswords joined the channel
#
bear
snarfed++ for the cookie-leak catch
#
Loqi
snarfed has 41 karma
#
snarfed.org
edited /https (-94) "/* Level 2 security */ drop hsts, add secure flag"
#
tantek
interesting. now I'm curious how to do that in PHP
#
snarfed
some frameworks/libs do it automatically if they can tell they're currently serving over https
#
tantek
it's like I got the first two, and now the bar's been raised (to achieve the objective of preventing someone from sniffing / signing-in as me.)
#
snarfed
sorry :/
#
bear
i'm doing some session cookie tightening myself - making sure they are cleared for any bad calls, errors or mismatched anything really
#
snarfed
bear++
#
Loqi
bear has 19 karma
#
tantek.com
edited /https (+187) "/* Level 2 security */ numbered list, has a logical order of implementation, expand/explain why for #2 and #3"
#
@JosephRooks
It's going to be fun following @benwerd's journey with this. Can't wait to see how it affects the way I use the web. http://werd.io/2014/known-taking-a-big-bet-on-the-indieweb
(twitter.com/_/status/506909529540673539)
#
tantek
snarfed++ for the nicer language used in Bridgy Publish POSSE to FB posts! "(Originally published at: PERMALINK)" e.g. https://www.facebook.com/tantek.celik/posts/10101258438830293
#
tantek
what no karma loqi?
#
Loqi
snarfed has 42 karma
#
Loqi
woot!
#
snarfed
thanks!
friedcell, Aeyoun and KartikPrabhu joined the channel
barnabywalters and tilgovi joined the channel
#
pdurbin
"our dedicated apps and API for third-party apps will be going away. Apps are great, but The Verge is a website"
#
pdurbin
yes, very interesting
#
KartikPrabhu
just wait till readership drops
#
gregorlove.com
edited /MySQL (-2) "/* Lack of timezone in date columns */ heading level"
barnabywalters joined the channel
#
tantek.com
edited /blogroll (+23) "/* Related */ see also nicknames cache"
#
tantek.com
edited /nicknames-cache (+15) "/* See Also */ blogroll"
#
tantek.com
edited /2014/indie-contacts (+74) "see also blogroll, nicknames cache etc."
#
gregorlove.com
edited /MySQL (+295) "/* Criticism */ Stopwords"
KevinMarks joined the channel
#
tantek.com
edited /autosuggest (+826) "dfn, clean-up/cluster examples by platform, silo web, note no IndieWeb examples (yet?), add FB silo example"
#
tantek.com
edited /indie (+24) "indie autosuggest as used in the 2012 sessions"
lukebrooker, grantmacken, KevinMarks and verdi joined the channel
#
GWG
Was someone talking SSL?
#
tantek
GWG yes
#
tantek
is still figuring out how to secure his cookies (not a euphemism).
#
tantek
thinks it's too bad that Firesheep wasn't named "CookieMonster"
#
GWG
I had a SPDY problem with my site when I tried turning it on
#
tantek
GWG, in particular I did some updates here: https://indiewebcamp.com/https#Level_2_security and snarfed fixed my text, and then gave me another task :)
#
GWG
tantek: Interesting
#
tantek
hence, working on #3, securing my cookies
#
GWG
I need to look into that
#
GWG
snarfed would know how, as he runs Wordpress
#
aaronpk
here this might help http://pin13.net/HRC
#
tantek
hmm that chain looks loose enough for someone to still sniff the cookies
#
aaronpk
bahaha
#
aaronpk
tantek++
#
Loqi
tantek has 74 karma
sparverius joined the channel
#
tantek.com
edited /Events (+64) "reword summary to read better, and disambig indie events"
#
tantek.com
edited /Events (+11) "strong"
#
tantek.com
edited /Events (+1) "sp"
#
tantek.com
edited /Events (-11) "'"
#
aaronpk
IWC UK is this weekend!!
#
tantek.com
edited /Events (+1) "adjust the emojicon"
lukebrooker joined the channel
#
tantek.com
created /ring (+79) "stub"
#
aaronpk
!tell adactio I would like to paypal you ££ to cover coffee and/or other food for IndieWebCamp UK! We should talk!
#
Loqi
Ok, I'll tell them that when I see them next
#
aaronparecki.com
edited /2014/UK (+34) "/* Sponsors */ add Esri as a sponsor"
#
tantek
Esri++
#
Loqi
Esri has 5 karma
#
tantek
so first question about secure cookies, looks like I can inspect whether or not a cookie is secure in the Firefox preferences / Privacy / Cookies… button/dialog
#
tantek
if it says "Send For: Any type of connection" that's not secure
#
tantek
if it says "Send For: Encrypted connections only" presumably that's secure
#
tantek
any cookie / security experts want to verify those assertions?
#
tantek
checks his twitter.com cookies and sees that e.g. _twitter_sess shows "Send For: Encrypted connections only"
#
tantek
looks for calls to setcookies and finds none.
#
tantek
s/setcookies/setcookie
#
Loqi
tantek meant to say: looks for calls to setcookie and finds none.
#
aaronpk
I'm going to guess yes
#
aaronpk
based on the description of "secure" here http://us2.php.net/manual/en/function.setcookie.php
#
aaronpk
"session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off."
#
tantek
I'm going to make the policy decision that relmeauth.php should require secure cookies by default.
#
rascul
that would only secure the transmission of the cookie? i'm not really sure what "secure cookie" means
#
tantek
"only send on https connections"
#
aaronpk
it tells the browser not to send the cookie when making a regular http request, only if the request is https
#
KevinMarks_
what's the easy way of adding images? reference them first then upload?
#
rascul
nothing different about the cookie itself though?
#
tantek
aaronpk - thought it was a server thing
#
tantek
so the server doesn't e.g. send a session cookie
#
tantek
insecurely
#
aaronpk
I think it causes the server to add the ;secure flag to the cookie it sends
#
tantek
"and is only used via HTTPS" - makes me think it's only *sent* back via https
#
aaronpk
hmmm now I may need to test this
#
rascul
tantek right after that "ensuring that the cookie is always encrypted when transmitting from client to server"
#
kevinmarks.com
uploaded /File:gplusfail.png "Google+ profile preview fails when a person has 2 accounts as it doesn't show the email or profile URL to disambiguate"
#
kevinmarks.com
edited /autosuggest (+467) "/* Silo Examples */ add G+"
#
kevinmarks.com
edited /autosuggest (-5) "/* Google+ */"
#
KevinMarks_
is the 2nd Image param in the wiki width?
#
aaronpk
it doesn't matter particularly where the width param is, it just needs to be in the format NNNpx
#
KevinMarks_
OK, just making sure it's width and not height - I have retina screengrabs so need to shrink 'em
#
kevinmarks.com
uploaded /File:circledpeople.png "People from circles"
#
kevinmarks.com
uploaded /File:publicpeople.png "circles plus public"
#
kevinmarks.com
uploaded /File:publicpages.png "Public pages above public people"
#
tantek
is hoping these images are all fair-use ;)
#
kevinmarks.com
edited /autosuggest (+96) "/* Google+ */"
#
KevinMarks_
I think so, I assume g+ profile pix count
#
KevinMarks_
though it does leak 2 of my circle names
#
KevinMarks_
does that look OK?
#
KevinMarks_
just realised that my dead father's domain has link rotted.
#
tantek
wonders what the best way is to set session.cookie_secure = 1 in PHP