On Wed, 30 Aug 2023 03:38:02 +0100, musika <mUs1Ka@NOSPAMexcite.com>
wrote:

>On 29/08/2023 23:00, TonyCooper wrote:
>> On Tue, 29 Aug 2023 23:31:38 +0200, "Anders D. Nygaard"
>> <news2012adn@gmail.com> wrote:
>>
>>> Den 28-08-2023 kl. 17:39 skrev Ken Blake:
>>>> On Mon, 28 Aug 2023 00:13:31 -0400, TonyCooper
>>>> <tonycooper214@gmail.com> wrote:
>>>>
>>>>> Interesting contribution, but - as I mentioned - I cannot open http:
>>>>> sites with Chrome as my browser.
>>>>
>>>> I wanted to try that with Chrome, but I don't have Chrome installed
>>>> and didn't want to install it (I greatly dislike it), So I'm curious
>>>> as whether the same is true of other Chrome users here.
>>>
>>> I mostly use Chrome, and do not have that problem.
>>> Specifically, I tried just clicking on the link in PMoylans .sig,
>>> and got the expected result.
>>
>> I am not sure why the http: URLs will not open for me. It could be a
>> setting within Chrome that I'm unaware of or something entirely
>> different.
>>
>Hamburger menu <Settings> <Security> <Advanced> Turn off "Always use
>secure connections"
>
>Even with it turned on the warning page should give you the option to
>"Continue to Site"

I checked. Settings>Advanced>Always use secure connections

It was turned off. Actually, that's the default. It's not turned on,
though.

I figured out how to find this, but using "Hamburger menu" is using
jargon. Not good practice when you are providing instructions and
don't know the other person's familiarity with the terms. None, in my
case.

The menu is accessible when clicking three stacked dots. Where
"hamburger" comes from is beyond me.

--

Tony Cooper - Orlando,Florida

* Sam Plusnet <%RqHM.667312$TCKc.351821 @fx13.iad> :
Wrote on Tue, 29 Aug 2023 19:33:31 +0100:

> So far, every change I have found has been a downgrade in
> functionality and anything introduced is stuff I neither need nor
> want.

This is the same experience for all users on all browsers, on all OS.

The consolidation of technology[1] ownership enables the owners to
impose this user identical experience on all users, regardless of the
product the user chooses, while respecting the freedom of choice of the
user.

[1] part of the global endtimes kingdom of the antichrist.

Sam Plusnet wrote:

> I have used Opera for many years.
> Unfortunately it has been stricken by the
> "We must do a 'refresh'
> syndrome.

I tried it out a coupe of weeks ago. I have chosen to log in
automatically on my Linux system, but Opera insists on maximum security,
and that means that I have to use my login to activate Opera. So I
dropped it.

--
Bertel, Denmark

TonyCooper wrote:

> I checked. Settings>Advanced>Always use secure connections
>
> It was turned off. Actually, that's the default. It's not turned on,
> though.
>
> I figured out how to find this, but using "Hamburger menu" is using
> jargon. Not good practice when you are providing instructions and
> don't know the other person's familiarity with the terms. None, in my
> case.

I Think that I have met it once before, but I had to think a while until
I realised what it was.

> The menu is accessible when clicking three stacked dots. Where
> "hamburger" comes from is beyond me.

Other systems have three small lines stacked, and those could look like
a hamburger.

Introducing the term will have a long term effect since it replaces a
long explanation.

--
Bertel, Denmark

On Tue, 29 Aug 2023 19:33:31 +0100
Sam Plusnet <not@home.com> wrote:

> On 28-Aug-23 22:22, Bertel Lund Hansen wrote:
> >  Ken Blake wrote:
> >
> >> We're all different, but to me, Chrome and Edge are the two worst
> >> browsers. I greatly prefer FireFox, primarily because of its interface
> >> and the extensions available for it.
> >
> > I started with Netscape Navigator (like most people here I presume), but
> > when Opera appeared I tried it for 20 seconds and then I was hooked.
> > Opera 3.6 is the best browser I have ever tried, but it can't handle
> > modern pages and security protocols - not by far.
> >
> > I have installed the modern Opera on my mobile for one specific reason.
> > No matter which page or text you're looking at, you can zoom, and the
> > text will be reflown so you don't have to scroll sideways.
> >
> > I don't understand that the rest of the browsers haven't implemented
> > that feature as fast as possible.
>
> I have used Opera for many years.
> Unfortunately it has been stricken by the
> "We must do a 'refresh'
> syndrome.
>
> They auto-updated me to "Opera One" I knew that because instead of just
> starting up, it insisted on showing a shiny splash screen with "ONE" on it.
>
> So far, every change I have found has been a downgrade in functionality
> and anything introduced is stuff I neither need nor want.
>
I was a fan of Opera back when it was version 9.5? - it had a usenet client
'builtin'.

Hardly any web browsers support XP these days. </sad old geek>

--
Bah, and indeed Humbug.

On Monday or thereabouts, Peter Moylan declared ...
> On 29/08/23 04:20, Pierre Jelenc wrote:
>
>> If you go HTTPS only, what happens when the certificate gets messed
>> up, or you forget to renew it, or there's a problem with the clock
>> at either the server or the client end? Nobody can get access to the
>> site, and since typically getting in touch with the administrator
>> involves filling a form on that very same, inaccessible site....
>
> Ah, yes, the certificate. Some companies are making big money selling
> those certificates, and that's a major part of the plan by some to make
> HTTPS the default and drive out HTTP sites. And the certificates have
> limited expiry dates, so the web server owners have to keep paying, and
> are trapped if the price goes up each year.
>
> On the other hand, small operators with HTTP web servers don't have to
> pay up, because there is no certificate needed. The original world-wide
> web was anarchist by design, with no overall controller standing behind
> a cash register.
>
> The certificate is supposed to verify that the certificate issue has
> checked the credentials of the web site owner and confirms that they are
> genuine. In practice, all it confirms is that someone has paid over the
> money. And the web browser makers support the standover tactic, by
> refusing to connect to any site whose payments are not up to date.

Free certificates are available, such as by a subsidary of the EFF.
They may be used on commercial sites as well as on small-holder sites,
and the updates can be automated, since there is already a trust
relationship between the CA and site.

The Firefox team strongly supports all-sites-use-https, and they don't
generally try to make people feed the wallets of big multinational
corporations. IIRC, Opera (the browser) is also supporting the same
policy.

/dps

--
You could try being nicer and politer
> instead, and see how that works out.
-- Katy Jennison

On 02/09/23 13:19, Snidely wrote:

> Free certificates are available, such as by a subsidary of the EFF.
> They may be used on commercial sites as well as on small-holder
> sites, and the updates can be automated, since there is already a
> trust relationship between the CA and site.
>
> The Firefox team strongly supports all-sites-use-https, and they
> don't generally try to make people feed the wallets of big
> multinational corporations. IIRC, Opera (the browser) is also
> supporting the same policy.

Thanks. So far I'd only gotten as far as self-signed certificates, and I
suspect that they are not good enough. I had started looking into free
certificates, but didn't know whether browsers would accept them.

--
Peter Moylan http://www.pmoylan.org
Newcastle, NSW

On Saturday, Peter Moylan exclaimed wildly:
> On 02/09/23 13:19, Snidely wrote:
>
>> Free certificates are available, such as by a subsidary of the EFF.
>> They may be used on commercial sites as well as on small-holder
>> sites, and the updates can be automated, since there is already a
>> trust relationship between the CA and site.
>>
>> The Firefox team strongly supports all-sites-use-https, and they
>> don't generally try to make people feed the wallets of big
>> multinational corporations. IIRC, Opera (the browser) is also
>> supporting the same policy.
>
> Thanks. So far I'd only gotten as far as self-signed certificates, and I
> suspect that they are not good enough. I had started looking into free
> certificates, but didn't know whether browsers would accept them.

I've had no trouble from the Big 3 browsers using Let's Encrypt.

/dps

--
There's nothing inherently wrong with Big Data. What matters, as it
does for Arnold Lund in California or Richard Rothman in Baltimore, are
the questions -- old and new, good and bad -- this newest tool lets us
ask. (R. Lerhman, CSMonitor.com)

On Monday or thereabouts, Peter Moylan asked ...
> On 28/08/23 17:17, Bertel Lund Hansen wrote:
>> Peter Moylan wrote:
>>
>>> .htaccess is a feature of the Apache web server, and I don't want
>>> to run Apache because it's a huge resource hog. Instead, I run a
>>> web server that I wrote myself.
>>
>> Respect.
>>
>> Which programming language did you use?
>
> Modula-2. Nearly everyone else uses C or C++, but I only touch those
> when I'm getting paid for it.
>
> I don't yet have TLS working. I know how to do the encryption; I had the
> encryption algorithms working years ago, for other reasons. The hard
> part is that complicated and messy initial negotiation, with a whole
> collection of messages flying backwards and forward.
>
> Tony asked about overheads. For SSH, which I do have working (it uses
> less baroque but more secure negotiation), a Diffie-Hellmann key
> exchange is taking 2 to 4 seconds. That's a lot. Admittedly my server
> hardware is old, but that sort of thing can make an https connection
> noticeably slower than an http one. And I do notice that lots of web
> sites are slow.

They should only be slow on the first hit, if key exchange is the
reason.

/dps

--
But happiness cannot be pursued; it must ensue. One must have a reason
to 'be happy.'"
Viktor Frankl

Snidely explained :
> On Saturday, Peter Moylan exclaimed wildly:
>> On 02/09/23 13:19, Snidely wrote:
>>
>>> Free certificates are available, such as by a subsidary of the EFF.
>>> They may be used on commercial sites as well as on small-holder
>>> sites, and the updates can be automated, since there is already a
>>> trust relationship between the CA and site.
>>>
>>> The Firefox team strongly supports all-sites-use-https, and they
>>> don't generally try to make people feed the wallets of big
>>> multinational corporations. IIRC, Opera (the browser) is also
>>> supporting the same policy.
>>
>> Thanks. So far I'd only gotten as far as self-signed certificates, and I
>> suspect that they are not good enough. I had started looking into free
>> certificates, but didn't know whether browsers would accept them.
>
> I've had no trouble from the Big 3 browsers using Let's Encrypt.

3/4, because I've not tried Edge. I mainly use Edge for reading about
the photographs the idle and login screens show me.

> /dps

^^^

--
Rule #0: Don't be on fire.
In case of fire, exit the building before tweeting about it.
(Sighting reported by Adam F)

On 2023-09-02 03:54, Snidely wrote:
> On Saturday, Peter Moylan exclaimed wildly:
>> On 02/09/23 13:19, Snidely wrote:
>>
>>> Free certificates are available, such as by a subsidary of the EFF.
>>> They may be used on commercial sites as well as on small-holder
>>> sites, and the updates can be automated, since there is already a
>>> trust relationship between the CA and site.
>>>
>>> The Firefox team strongly supports all-sites-use-https, and they
>>> don't generally try to make people feed the wallets of big
>>> multinational corporations.  IIRC, Opera (the browser) is also
>>> supporting the same policy.
>>
>> Thanks. So far I'd only gotten as far as self-signed certificates, and I
>> suspect that they are not good enough. I had started looking into free
>> certificates, but didn't know whether browsers would accept them.
>
> I've had no trouble from the Big 3 browsers using Let's Encrypt.
>

I've been thinking about setting up a web server for family use, but I
am not very conversant with network protocols.

Let's Encrypt sounds like a good way to protect it, but I am wondering
if there is any way to securely limit the access.

Is there a way, for instance, to not send a key on first login, but to
send keys prior to first login, to family members manually? Or perhaps
to limit it to particular IP addresses?

--
Osteopornosis: A degenerate disease.

On 02/09/2023 17:36, lar3ryca wrote:
> On 2023-09-02 03:54, Snidely wrote:
>> On Saturday, Peter Moylan exclaimed wildly:
>>> On 02/09/23 13:19, Snidely wrote:
>>>
>>>> Free certificates are available, such as by a subsidary of the EFF.
>>>> They may be used on commercial sites as well as on small-holder
>>>> sites, and the updates can be automated, since there is already a
>>>> trust relationship between the CA and site.
>>>>
>>>> The Firefox team strongly supports all-sites-use-https, and they
>>>> don't generally try to make people feed the wallets of big
>>>> multinational corporations. IIRC, Opera (the browser) is also
>>>> supporting the same policy.
>>>
>>> Thanks. So far I'd only gotten as far as self-signed certificates, and I
>>> suspect that they are not good enough. I had started looking into free
>>> certificates, but didn't know whether browsers would accept them.
>>
>> I've had no trouble from the Big 3 browsers using Let's Encrypt.
>>
>
> I've been thinking about setting up a web server for family use, but I
> am not very conversant with network protocols.
>
> Let's Encrypt sounds like a good way to protect it, but I am wondering
> if there is any way to securely limit the access.
>
> Is there a way, for instance, to not send a key on first login, but to
> send keys prior to first login, to family members manually? Or perhaps
> to limit it to particular IP addresses?
>

If you're using lighttpd you can restrict access to your website by
username/password.
Add something like this to end of lighttpd.conf
(Simple setup; could be better, perhaps.)

## authorisation bits
server.modules += ( "mod_auth", "mod_authn_file", )

auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/.htpasswd/user_list"
auth.require = ( "/MyFamilySite =>
(
"method" => "digest",
"realm" => "My Family",
"require" => "valid-user"
),
)

Then you can make .htpasswd/user_list with
#!/bin/sh
[ -z "$1" -o -z "$2" -o -z "$3" ] && {
echo "Please supply user, realm and password"
exit
} user=$1
realm=$2
pass=$3
hash=$(echo -n "$user:$realm:$pass" | md5sum | cut -b -32)
printf '%s\n' "$user:$realm:$hash"

Distribute username/password pairs to your users by whatever means at
your disposal.

Web site will ask for username and password before allowing entry.

It's really up to you to how you set it up.
See: https://redmine.lighttpd.net/projects/lighttpd/wiki/Mod_auth

--

Chris Elvidge, England
A BELCH IS NOT AN ORAL REPORT

On 03/09/23 05:44, Chris Elvidge wrote:
> On 02/09/2023 17:36, lar3ryca wrote:
>> On 2023-09-02 03:54, Snidely wrote:
>>> On Saturday, Peter Moylan exclaimed wildly:
>>>> On 02/09/23 13:19, Snidely wrote:
>>>>
>>>>> Free certificates are available, such as by a subsidary of
>>>>> the EFF. They may be used on commercial sites as well as on
>>>>> small-holder sites, and the updates can be automated, since
>>>>> there is already a trust relationship between the CA and
>>>>> site.
>>>>>
>>>>> The Firefox team strongly supports all-sites-use-https, and
>>>>> they don't generally try to make people feed the wallets of
>>>>> big multinational corporations. IIRC, Opera (the browser) is
>>>>> also supporting the same policy.
>>>>
>>>> Thanks. So far I'd only gotten as far as self-signed
>>>> certificates, and I suspect that they are not good enough. I
>>>> had started looking into free certificates, but didn't know
>>>> whether browsers would accept them.
>>>
>>> I've had no trouble from the Big 3 browsers using Let's Encrypt.
>>>
>>
>> I've been thinking about setting up a web server for family use,
>> but I am not very conversant with network protocols.
>>
>> Let's Encrypt sounds like a good way to protect it, but I am
>> wondering if there is any way to securely limit the access.
>>
>> Is there a way, for instance, to not send a key on first login, but
>> to send keys prior to first login, to family members manually? Or
>> perhaps to limit it to particular IP addresses?
>>
>
> If you're using lighttpd you can restrict access to your website by
> username/password.

[details snipped]

It's also possible to have password-only access to a particular set of
pages. That's how I hide the confidential parts of my web site. See RFC
7235, 7616, 7617.

(It's also how I mapped my FTP site to HTTP, after the browser-makers
dropped support for the ftp:// protocol but decided not to add sftp://
and similar options.)

--
Peter Moylan http://www.pmoylan.org
Newcastle, NSW

On 2023-09-02 18:39, Peter Moylan wrote:
> On 03/09/23 05:44, Chris Elvidge wrote:
>> On 02/09/2023 17:36, lar3ryca wrote:
>>> On 2023-09-02 03:54, Snidely wrote:
>>>> On Saturday, Peter Moylan exclaimed wildly:
>>>>> On 02/09/23 13:19, Snidely wrote:
>>>>>
>>>>>> Free certificates are available, such as by a subsidary of
>>>>>> the EFF. They may be used on commercial sites as well as on
>>>>>> small-holder sites, and the updates can be automated, since
>>>>>> there is already a trust relationship between the CA and
>>>>>> site.
>>>>>>
>>>>>> The Firefox team strongly supports all-sites-use-https, and
>>>>>> they don't generally try to make people feed the wallets of
>>>>>> big multinational corporations.  IIRC, Opera (the browser) is
>>>>>> also supporting the same policy.
>>>>>
>>>>> Thanks. So far I'd only gotten as far as self-signed
>>>>> certificates, and I suspect that they are not good enough. I
>>>>> had started looking into free certificates, but didn't know
>>>>> whether browsers would accept them.
>>>>
>>>> I've had no trouble from the Big 3 browsers using Let's Encrypt.
>>>>
>>>
>>> I've been thinking about setting up a web server for family use,
>>> but I am not very conversant with network protocols.
>>>
>>> Let's Encrypt sounds like a good way to protect it, but I am
>>> wondering if there is any way to securely limit the access.
>>>
>>> Is there a way, for instance, to not send a key on first login, but
>>> to send keys prior to first login, to family members manually? Or
>>> perhaps to limit it to particular IP addresses?
>>>
>>
>> If you're using lighttpd you can restrict access to your website by
>> username/password.
>
> [details snipped]
>
> It's also possible to have password-only access to a particular set of
> pages. That's how I hide the confidential parts of my web site. See RFC
> 7235, 7616, 7617.
>
> (It's also how I mapped my FTP site to HTTP, after the browser-makers
> dropped support for the ftp:// protocol but decided not to add sftp://
> and similar options.)

Thanks!

And thanks to Peter as well.

I'll look into it.

--
The other day I... no wait, that wasn't me.
~ Steven Wright

On Tuesday, August 29, 2023 at 11:58:15 PM UTC-7, Bertel Lund Hansen wrote:
> Sam Plusnet wrote:
>
> > I have used Opera for many years.
> > Unfortunately it has been stricken by the
> > "We must do a 'refresh'
> > syndrome.
> I tried it out a coupe of weeks ago. I have chosen to log in
> automatically on my Linux system, but Opera insists on maximum security,
> and that means that I have to use my login to activate Opera. So I
> dropped it.

You can create a user that does not do automatic login, and try installing from there. I hope it isn't your root user that is logging in automatically, and that to su you still need a password.

/dps

On Monday, August 28, 2023 at 5:43:50 PM UTC-7, Peter Moylan wrote:
> On 29/08/23 04:20, Pierre Jelenc wrote:
>
> > If you go HTTPS only, what happens when the certificate gets messed
> > up, or you forget to renew it, or there's a problem with the clock
> > at either the server or the client end? Nobody can get access to the
> > site, and since typically getting in touch with the administrator
> > involves filling a form on that very same, inaccessible site....
> Ah, yes, the certificate. Some companies are making big money selling
> those certificates, and that's a major part of the plan by some to make
> HTTPS the default and drive out HTTP sites. And the certificates have
> limited expiry dates, so the web server owners have to keep paying, and
> are trapped if the price goes up each year.
>
> On the other hand, small operators with HTTP web servers don't have to
> pay up, because there is no certificate needed. The original world-wide
> web was anarchist by design, with no overall controller standing behind
> a cash register.
>
> The certificate is supposed to verify that the certificate issue has
> checked the credentials of the web site owner and confirms that they are
> genuine. In practice, all it confirms is that someone has paid over the
> money. And the web browser makers support the standover tactic, by
> refusing to connect to any site whose payments are not up to date.

This bogus money argument is already addressed in this thread, but here's a reason to prefer HTTPS:

an exploit that makes visiting *ANY* HTTP site, even Peter Moylan's, dangerous:
<URL:https://arstechnica.com/security/2023/09/how-the-iphone-of-a-presidential-candidate-in-egypt-got-hacked-for-the-2nd-time/>

/dps

Just this Sunday, Dave S puzzled about:
> On Monday, August 28, 2023 at 5:43:50 PM UTC-7, Peter Moylan wrote:
>> On 29/08/23 04:20, Pierre Jelenc wrote:
>>
>>> If you go HTTPS only, what happens when the certificate gets messed
>>> up, or you forget to renew it, or there's a problem with the clock
>>> at either the server or the client end? Nobody can get access to the
>>> site, and since typically getting in touch with the administrator
>>> involves filling a form on that very same, inaccessible site....
>> Ah, yes, the certificate. Some companies are making big money selling
>> those certificates, and that's a major part of the plan by some to make
>> HTTPS the default and drive out HTTP sites. And the certificates have
>> limited expiry dates, so the web server owners have to keep paying, and
>> are trapped if the price goes up each year.
>>
>> On the other hand, small operators with HTTP web servers don't have to
>> pay up, because there is no certificate needed. The original world-wide
>> web was anarchist by design, with no overall controller standing behind
>> a cash register.
>>
>> The certificate is supposed to verify that the certificate issue has
>> checked the credentials of the web site owner and confirms that they are
>> genuine. In practice, all it confirms is that someone has paid over the
>> money. And the web browser makers support the standover tactic, by
>> refusing to connect to any site whose payments are not up to date.
>
> This bogus money argument is already addressed in this thread, but here's a
> reason to prefer HTTPS:
>
> an exploit that makes visiting *ANY* HTTP site, even Peter Moylan's,
> dangerous:
> <URL:https://arstechnica.com/security/2023/09/how-the-iphone-of-a-presidential-candidate-in-egypt-got-hacked-for-the-2nd-time/>
>
> /dps

Admittedly, an exploit that isn't quite easy for angry ex's to use, but
I'm sure someone will find a cheaper way eventually.

/dps

--
Rule #0: Don't be on fire.
In case of fire, exit the building before tweeting about it.
(Sighting reported by Adam F)