Re: website security certificate
Dňa nedeľa, 22. február 2015 22:10 ,Andrea Pescetti pesce...@apache.org napísal: Marcus wrote: now the main and download webpage will be loaded via HTTPS only. Thanks Marcus, I confirm that https://www.openoffice.org now doesn't give either the HTTP components warning or the identity information warning any longer. So everything works for me with HTTPS. hrin Tested in hurry, for me, Google Chrome on Windows gives me notice that not all components on main and download page are secure. (the certificate isn t green, but gray, after click on it, gived me this info, yo know) /hrin Of course, http://www.openoffice.org/ continues to work normally via HTTP. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Am 02/23/2015 11:10 AM, schrieb Michal Hri: Dňa nedeľa, 22. február 2015 22:10 ,Andrea Pescettipesce...@apache.org napísal: Marcus wrote: now the main and download webpage will be loaded via HTTPS only. Thanks Marcus, I confirm that https://www.openoffice.org now doesn't give either the HTTP components warning or the identity information warning any longer. So everything works for me with HTTPS. hrin Tested in hurry, for me, Google Chrome on Windows gives me notice that not all components on main and download page are secure. (the certificate isn t green, but gray, after click on it, gived me this info, yo know) /hrin Of course, http://www.openoffice.org/ continues to work normally via HTTP. good hint. The links outside of the normal content had still HTTP. Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Marcus wrote: now the main and download webpage will be loaded via HTTPS only. Thanks Marcus, I confirm that https://www.openoffice.org now doesn't give either the HTTP components warning or the identity information warning any longer. So everything works for me with HTTPS. Of course, http://www.openoffice.org/ continues to work normally via HTTP. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Am 02/20/2015 08:30 PM, schrieb Marcus: Am 02/20/2015 08:07 PM, schrieb Marcus: I've started with the download webpage as I know it very well. I don't see any errors as it looks like before. But I'll leave it for the moment and go on earliest on Sunday. now the main and download webpage will be loaded via HTTPS only. So, when we see the need to update further things, it should be easier now. Marcus Am 02/19/2015 11:49 PM, schrieb Marcus: Am 02/19/2015 11:14 PM, schrieb Andrea Pescetti: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. then the solution would be to make it unavailable. ;-) Seriously, I agree with Jan. When it's available then it should work. Furthermore, there is also involvement of SEO: Google prefers the availability of HTTPS over HTTP. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). I don't want to stress a new topic. :-P However, wasn't there a discussion to request a SSL certificate from Infra and the point was IMHO the difficulty to get this as a wildcard certificate? Anyway, I volunteer to do fixes where they a re needed (yes, I know we have a big wesite. ;-) ) Thanks for your valuable hints. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
On 20 February 2015 at 00:34, Dave Fisher dave2w...@comcast.net wrote: Hi - We had a reason that we enabled https in the first place. I don't recall it now, but there was a reason. It may have had to do with update servers. The main web server on which we run, have always been enabled for both http: and https: but we have not been able to use it, due to a missing certificate. When we got the openoffice certificate, we had the possibility and at the same time we needed to change other services to https because the had a login facility. This lead to a decision, to do it but not officially support it. Someone (I think Markus or Rob) did a good job of removing http: on most tags, but some was to complicated to be removed automatically, hence we have some leftovers. Now with https: ranging high in google, we are effectively promoting that site, which is why I feel it should work or be removed (which I do not recommend). rgds jan i. Regards, Dave On Feb 19, 2015, at 2:49 PM, Marcus wrote: Am 02/19/2015 11:14 PM, schrieb Andrea Pescetti: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. then the solution would be to make it unavailable. ;-) Seriously, I agree with Jan. When it's available then it should work. Furthermore, there is also involvement of SEO: Google prefers the availability of HTTPS over HTTP. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). I don't want to stress a new topic. :-P However, wasn't there a discussion to request a SSL certificate from Infra and the point was IMHO the difficulty to get this as a wildcard certificate? Anyway, I volunteer to do fixes where they a re needed (yes, I know we have a big wesite. ;-) ) Thanks for your valuable hints. Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
I've started with the download webpage as I know it very well. I don't see any errors as it looks like before. But I'll leave it for the moment and go on earliest on Sunday. Marcus Am 02/19/2015 11:49 PM, schrieb Marcus: Am 02/19/2015 11:14 PM, schrieb Andrea Pescetti: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. then the solution would be to make it unavailable. ;-) Seriously, I agree with Jan. When it's available then it should work. Furthermore, there is also involvement of SEO: Google prefers the availability of HTTPS over HTTP. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). I don't want to stress a new topic. :-P However, wasn't there a discussion to request a SSL certificate from Infra and the point was IMHO the difficulty to get this as a wildcard certificate? Anyway, I volunteer to do fixes where they a re needed (yes, I know we have a big wesite. ;-) ) Thanks for your valuable hints. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Am 02/20/2015 08:07 PM, schrieb Marcus: I've started with the download webpage as I know it very well. I don't see any errors as it looks like before. But I'll leave it for the moment and go on earliest on Sunday. grrr, some change was too much. So, I've reverted the changes for now and will investigate later on the weekend. Marcus Am 02/19/2015 11:49 PM, schrieb Marcus: Am 02/19/2015 11:14 PM, schrieb Andrea Pescetti: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. then the solution would be to make it unavailable. ;-) Seriously, I agree with Jan. When it's available then it should work. Furthermore, there is also involvement of SEO: Google prefers the availability of HTTPS over HTTP. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). I don't want to stress a new topic. :-P However, wasn't there a discussion to request a SSL certificate from Infra and the point was IMHO the difficulty to get this as a wildcard certificate? Anyway, I volunteer to do fixes where they a re needed (yes, I know we have a big wesite. ;-) ) Thanks for your valuable hints. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Am 02/19/2015 08:08 PM, schrieb Keith N. McKenna: Marcus wrote: Am 02/19/2015 02:36 PM, schrieb jan i: On 19 February 2015 at 14:14, Simon Phippssi...@webmink.com wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan ij...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. I've changed all links for the grey box from HTTP to HTTPS. Let's see if this will help to solve the problem. @Brenda: Please delete your browser cache and reload the webpage. What do oyu see now? Thanks Marcus Marcus; When I delete the SeaMonkey cache and reload the page I still get the warning for a partially encrypted page. I think the content publish got stuck. Now I've also the graphic and links as HTTPS. Please try again. Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Marcus wrote: Am 02/19/2015 08:08 PM, schrieb Keith N. McKenna: Marcus wrote: Am 02/19/2015 02:36 PM, schrieb jan i: On 19 February 2015 at 14:14, Simon Phippssi...@webmink.com wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan ij...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. I've changed all links for the grey box from HTTP to HTTPS. Let's see if this will help to solve the problem. @Brenda: Please delete your browser cache and reload the webpage. What do oyu see now? Thanks Marcus Marcus; When I delete the SeaMonkey cache and reload the page I still get the warning for a partially encrypted page. I think the content publish got stuck. Now I've also the graphic and links as HTTPS. Please try again. Marcus Still getting the warning from SeaMonkey. Keith signature.asc Description: OpenPGP digital signature
Re: website security certificate
On Thu, Feb 19, 2015 at 07:10:56PM +0100, Marcus wrote: I've changed all links for the grey box from HTTP to HTTPS. Let's see if this will help to solve the problem. The correct solution is to use src=/path/to/image, not forcing the protocol on the url. Regards -- Ariel Constenla-Haile La Plata, Argentina signature.asc Description: Digital signature
Re: website security certificate
Am 02/19/2015 09:09 PM, schrieb Keith N. McKenna: Marcus wrote: Am 02/19/2015 08:08 PM, schrieb Keith N. McKenna: Marcus wrote: Am 02/19/2015 02:36 PM, schrieb jan i: On 19 February 2015 at 14:14, Simon Phippssi...@webmink.comwrote: On Thu, Feb 19, 2015 at 6:26 AM, jan ij...@apache.orgwrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. I've changed all links for the grey box from HTTP to HTTPS. Let's see if this will help to solve the problem. @Brenda: Please delete your browser cache and reload the webpage. What do oyu see now? Thanks Marcus Marcus; When I delete the SeaMonkey cache and reload the page I still get the warning for a partially encrypted page. I think the content publish got stuck. Now I've also the graphic and links as HTTPS. Please try again. Marcus Still getting the warning from SeaMonkey. just to be sure. Do you see/get a HTTPS URL for the graphic and link in thegrey box? What do others get when they reload the webpage? Thanks Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
On Thu, Feb 19, 2015 at 6:26 AM, jan i j...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? S.
Re: website security certificate
On 19 February 2015 at 14:14, Simon Phipps si...@webmink.com wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan i j...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. rgds jan I. S.
Re: website security certificate
Am 02/19/2015 02:36 PM, schrieb jan i: On 19 February 2015 at 14:14, Simon Phippssi...@webmink.com wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan ij...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. I've changed all links for the grey box from HTTP to HTTPS. Let's see if this will help to solve the problem. @Brenda: Please delete your browser cache and reload the webpage. What do oyu see now? Thanks Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Marcus wrote: Am 02/19/2015 02:36 PM, schrieb jan i: On 19 February 2015 at 14:14, Simon Phippssi...@webmink.com wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan ij...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. I've changed all links for the grey box from HTTP to HTTPS. Let's see if this will help to solve the problem. @Brenda: Please delete your browser cache and reload the webpage. What do oyu see now? Thanks Marcus Marcus; When I delete the SeaMonkey cache and reload the page I still get the warning for a partially encrypted page. Regards Keith signature.asc Description: OpenPGP digital signature
Re: website security certificate
On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
On Thursday, February 19, 2015, Andrea Pescetti pesce...@apache.org wrote: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. two things I agree they cannot blame us, but since we have a https: site it should work. A simple alternative is to add a .httpaccess and route https: to a single dummy page saying unsupported. just my 2ct. rgds jan i Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow. png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org -- Sent from My iPad, sorry for any misspellings.
Re: website security certificate
On Thu, Feb 19, 2015 at 5:33 PM, jan i j...@apache.org wrote: On Thursday, February 19, 2015, Andrea Pescetti pesce...@apache.org wrote: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. two things I agree they cannot blame us, but since we have a https: site it should work. A simple alternative is to add a .httpaccess and route https: to a single dummy page saying unsupported. Not sure thats a good idea. I mean we already have https working perfectly for most people. Why should we have everyone get an unsupported message? just my 2ct. rgds jan i Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow. png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org -- Sent from My iPad, sorry for any misspellings. -- Alexandro Colorado Apache OpenOffice Contributor 882C 4389 3C27 E8DF 41B9 5C4C 1DB7 9D1C 7F4C 2614
Re: website security certificate
Andrea Pescetti wrote on 19/02/15 23:14: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. https://www.google.com/search?q=openofficegws_rd=ssl 1st result is: https. Why? Probably because since August 2014 google uses https as a ranking signal: http://googlewebmastercentral.blogspot.it/2014/08/https-as-ranking-signal.html So, even if you do not advertise the URL, google does it for you, and you can't blame users that arrive from google and find the page broken. ;) - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
Am 02/19/2015 11:14 PM, schrieb Andrea Pescetti: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. then the solution would be to make it unavailable. ;-) Seriously, I agree with Jan. When it's available then it should work. Furthermore, there is also involvement of SEO: Google prefers the availability of HTTPS over HTTP. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). I don't want to stress a new topic. :-P However, wasn't there a discussion to request a SSL certificate from Infra and the point was IMHO the difficulty to get this as a wildcard certificate? Anyway, I volunteer to do fixes where they a re needed (yes, I know we have a big wesite. ;-) ) Thanks for your valuable hints. Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
I tried it on 2 different computers and both got the error. Brenda From: jan i Sent: Thursday, February 19, 2015 1:26 AM To: dev@openoffice.apache.org ; dennis.hamil...@acm.org Cc: blissfulh...@live.com Subject: Re: website security certificate On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: With Brenda's permission, I am reporting her direct replies to me back to the list. I also have a jpg screen image that I will need to upload somewhere, such as into a Bugzilla issue. In a follow-up along with the message below I learned that 1. The browser is Firefox 2. The URL is https://www.openoffice.org 3. From the screen capture, the message that arrives most-recently is as follows, with the home page visible and a pop-under beneath the address bar (which has a caution ! sign in front of the URL): 3.1 This website does not supply identity information. 3.2 and beneath that, The connection to this web site is not fully secure because it contains unencrypted elements (such as images). 3.3 There is a help button and a More Information ... button. Now that I think about it, that is all you would see that is relevant in the .jpg, so I won't bother to upload it. .jpg did not make it to the list, which is normal. More or less all attachments get stripped off. however I checked on the vm, the certificate is active. 2 good possibilities: - firefox dns caching does not resolve to our machine -- solution clear the firefox history and try again. - Firefox has the old certificate stored and for some reason did not update it. -- the certificate was changed some 5-6 month ago, due to a security fix. rgds jan i in any way - Dennis -Original Message- From: Brenda [blissfulh...@live.com] Sent: Wednesday, February 18, 2015 13:07 To: dennis.hamil...@acm.org Subject: Re: website security certificate It said something like the security certificate was for another website, I think. I tried it twice and it did it both times but once I decided to go ahead to the website, since I had been on it before, it hasn't done it again (I'm assuming b/c my browser saved my preferences) but it is showing a warning up near the domain address bar. I attached a screen shot of the warning. Normally, I wouldn't go on a website if I got that warning (b/c the warning screen from google recommended NOT continuing to the site) but since I've used Open Office before I did. Brenda -Original Message- From: Dennis E. Hamilton Sent: Wednesday, February 18, 2015 1:12 PM To: dev@openoffice.apache.org Cc: brendaleewilk...@hotmail.com Subject: RE: website security certificate [ ... ] - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org -- Sent from My iPad, sorry for any misspellings.
Re: website security certificate
jan i wrote: On 19 February 2015 at 14:14, Simon Phipps si...@webmink.com wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan i j...@apache.org wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. rgds jan I. S. I get the following warning with SeaMonkey 2.32.1. You have requested a page that is only partially encrypted and does not prevent eavesdropping. Keith signature.asc Description: OpenPGP digital signature
Re: website security certificate
On Thursday, February 19, 2015, Keith N. McKenna keith.mcke...@comcast.net wrote: jan i wrote: On 19 February 2015 at 14:14, Simon Phipps si...@webmink.com javascript:; wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan i j...@apache.org javascript:; wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org javascript:; wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. rgds jan I. S. I get the following warning with SeaMonkey 2.32.1. You have requested a page that is only partially encrypted and does not prevent eavesdropping. that is the error I expected due to the img src calling http and not https. rgds jan i Keith -- Sent from My iPad, sorry for any misspellings.
Re: website security certificate
On Thu, Feb 19, 2015 at 6:01 PM, jan i j...@apache.org wrote: On Thursday, February 19, 2015, Keith N. McKenna keith.mcke...@comcast.net wrote: jan i wrote: On 19 February 2015 at 14:14, Simon Phipps si...@webmink.com javascript:; wrote: On Thu, Feb 19, 2015 at 6:26 AM, jan i j...@apache.org javascript:; wrote: On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org javascript:; wrote: The connection to this web site is not fully secure because it contains unencrypted elements (such as images). Perhaps the line: img src=http://www.openoffice.org/images/2014-eu-234x60.png; alt=Logo ApacheCon Europe 2014 / is causing this? A very good idea...since this will cause a jump from HTTPS to HTTP. I had however expected another error for this. Funny thing is, that I do not get an error on that page, even with my Certificate analyzer. rgds jan I. S. I get the following warning with SeaMonkey 2.32.1. You have requested a page that is only partially encrypted and does not prevent eavesdropping. that is the error I expected due to the img src calling http and not https. Is there someone with commit access who could change that IMG tag to use https so Brenda Keith can check if that's the problem? S.
Re: website security certificate
Hi - We had a reason that we enabled https in the first place. I don't recall it now, but there was a reason. It may have had to do with update servers. Regards, Dave On Feb 19, 2015, at 2:49 PM, Marcus wrote: Am 02/19/2015 11:14 PM, schrieb Andrea Pescetti: On 19/02/2015 Marcus wrote: OK, next try. Still an error message? Well... we NOWHERE, and I repeat NOWHERE, advertise the URL https://www.openoffice.org ; as a courtesy to those people who prefer HTTPS, we make it available, but if they use broken extensions or paranoid security settings they cannot blame us too much. then the solution would be to make it unavailable. ;-) Seriously, I agree with Jan. When it's available then it should work. Furthermore, there is also involvement of SEO: Google prefers the availability of HTTPS over HTTP. Then: 1) I also get (Firefox) the warning about This website does not supply identity information; I didn't investigate this one. 2) We still load components from HTTP. Marcus, the Net panel in Firebug will show you the URLs to all components. You will see that starting with a 404 (?) for http://www.openoffice.org/images/formElementDropShadow.png?2011060812 you have a series of action buttons that are all included via HTTP. This is because lines 56- of https://www.openoffice.org/home.css contain explicit HTTP links. You may fix it (but I would need to check the CSS syntax for the url() parameter) by: - Using /path/to links as Ariel suggested - Using // URLs (e.g., //www.openoffice.org will point to https://www.openoffice.org when called in a https page and to http://www.openoffice.org when called in a http page) ; I'm not a big fan of this solution, I would prefer the former one. All of this would anyway fix an undocumented, unpublished URL that we make available just to please people (remember, this is a static HTML site with no interactive server-side functionality or logins). I don't want to stress a new topic. :-P However, wasn't there a discussion to request a SSL certificate from Infra and the point was IMHO the difficulty to get this as a wildcard certificate? Anyway, I volunteer to do fixes where they a re needed (yes, I know we have a big wesite. ;-) ) Thanks for your valuable hints. Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
RE: website security certificate
I just checked https://openoffice.org and https://www.openoffice.org and saw no certificate problems. I also did a Google search on Open Office and saw no suspicious links in the first results. All the ones to Apache OpenOffice locations work just fine. Your search will also produce results for organizations and sites that have nothing to do with Apache OpenOffice. Please redo the google search and tell us the URL that you attempted to access. That is, can you see what the link is in the entry. It is usually right under the heading of the search-result entry. If that doesn't work, tell us what the search term was (what you typed to Google) and what the heading of the result you tried is. Also, what browser are you using? This is usually what determines there is a security certificate discrepancy. -Original Message- From: Brenda Bergman [mailto:brendaleewilk...@hotmail.com] Sent: Wednesday, February 18, 2015 07:28 To: dev@openoffice.apache.org Subject: website security certificate When I was trying to go onto your website from a google search is said their was an issue with your security certificate and recommended not continuing to the site. Thought I'd let you know in case it's killing your traffic. Brenda - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: website security certificate
On Thursday, February 19, 2015, Dennis E. Hamilton dennis.hamil...@acm.org wrote: With Brenda's permission, I am reporting her direct replies to me back to the list. I also have a jpg screen image that I will need to upload somewhere, such as into a Bugzilla issue. In a follow-up along with the message below I learned that 1. The browser is Firefox 2. The URL is https://www.openoffice.org 3. From the screen capture, the message that arrives most-recently is as follows, with the home page visible and a pop-under beneath the address bar (which has a caution ! sign in front of the URL): 3.1 This website does not supply identity information. 3.2 and beneath that, The connection to this web site is not fully secure because it contains unencrypted elements (such as images). 3.3 There is a help button and a More Information ... button. Now that I think about it, that is all you would see that is relevant in the .jpg, so I won't bother to upload it. .jpg did not make it to the list, which is normal. More or less all attachments get stripped off. however I checked on the vm, the certificate is active. 2 good possibilities: - firefox dns caching does not resolve to our machine -- solution clear the firefox history and try again. - Firefox has the old certificate stored and for some reason did not update it. -- the certificate was changed some 5-6 month ago, due to a security fix. rgds jan i in any way - Dennis -Original Message- From: Brenda [blissfulh...@live.com javascript:;] Sent: Wednesday, February 18, 2015 13:07 To: dennis.hamil...@acm.org javascript:; Subject: Re: website security certificate It said something like the security certificate was for another website, I think. I tried it twice and it did it both times but once I decided to go ahead to the website, since I had been on it before, it hasn't done it again (I'm assuming b/c my browser saved my preferences) but it is showing a warning up near the domain address bar. I attached a screen shot of the warning. Normally, I wouldn't go on a website if I got that warning (b/c the warning screen from google recommended NOT continuing to the site) but since I've used Open Office before I did. Brenda -Original Message- From: Dennis E. Hamilton Sent: Wednesday, February 18, 2015 1:12 PM To: dev@openoffice.apache.org javascript:; Cc: brendaleewilk...@hotmail.com javascript:; Subject: RE: website security certificate [ ... ] - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org javascript:; For additional commands, e-mail: dev-h...@openoffice.apache.org javascript:; -- Sent from My iPad, sorry for any misspellings.
RE: website security certificate
With Brenda's permission, I am reporting her direct replies to me back to the list. I also have a jpg screen image that I will need to upload somewhere, such as into a Bugzilla issue. In a follow-up along with the message below I learned that 1. The browser is Firefox 2. The URL is https://www.openoffice.org 3. From the screen capture, the message that arrives most-recently is as follows, with the home page visible and a pop-under beneath the address bar (which has a caution ! sign in front of the URL): 3.1 This website does not supply identity information. 3.2 and beneath that, The connection to this web site is not fully secure because it contains unencrypted elements (such as images). 3.3 There is a help button and a More Information ... button. Now that I think about it, that is all you would see that is relevant in the .jpg, so I won't bother to upload it. - Dennis -Original Message- From: Brenda [blissfulh...@live.com] Sent: Wednesday, February 18, 2015 13:07 To: dennis.hamil...@acm.org Subject: Re: website security certificate It said something like the security certificate was for another website, I think. I tried it twice and it did it both times but once I decided to go ahead to the website, since I had been on it before, it hasn't done it again (I'm assuming b/c my browser saved my preferences) but it is showing a warning up near the domain address bar. I attached a screen shot of the warning. Normally, I wouldn't go on a website if I got that warning (b/c the warning screen from google recommended NOT continuing to the site) but since I've used Open Office before I did. Brenda -Original Message- From: Dennis E. Hamilton Sent: Wednesday, February 18, 2015 1:12 PM To: dev@openoffice.apache.org Cc: brendaleewilk...@hotmail.com Subject: RE: website security certificate [ ... ] - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
