It has taken waaaay longer than I wanted, but the site is finally migrated to a new blogging system. The whole backend has been redone, and most of the sites hosted here are now served over SSL. This post is mostly a test to see if it's all working correctly. If it is, it should auto-post to the blog within 30 minutes of my marking it publishable.

New blogging software

I liked Darby Lines' description of the Pelican blogging platform, so I selected it as my blogging platform as well. As Darby did, I use Dropbox to get content to my server, where Pelican processes it into this web site.

Most blogging systems store the content to be displayed in a database. When somebody opens a page, the content for that page is retrieved from the database and rendered. With Pelican, on the other hand, the files that make up a site live in a content directory, mostly as Markdown or other supported formats, plus images. Pelican takes these files and processes them into a website of purely static HTML, creating RSS/Atom feeds, index pages, archive pages, etc. as required.

There were several reasons for going with a static site: primarily security, but also performance. While I've not suffered large loads on the site, database-backed dynamic sites can be overwhelmed by a large traffic spike. Web servers perform at their best serving static content, so a static site plays to that strength.

A dynamic site typically requires a scripting language such as PHP, Ruby or Perl, plus a database like MySQL, SQLite or PostgreSQL. Including the web server, this means you have to keep all of those components patched for security reasons, and each patch update can cause conflicts with the other installed components. Reducing a site to just the web server reduces the number of things that can be attacked.

New virtual machine

Instead of using a hosted web service I have a virtual server from Host Virtual. I prefer running a virtual machine; it gives me the flexibility to run the services and software I want. I can host multiple domains and sub-domains without paying extra. I get to pick and maintain the Linux distribution I want (Gentoo) and my choice of web server. Keeping up to date with security patches and new versions is my responsibility, but I prefer it this way, and Gentoo's package management makes it pretty easy.

SSL

I used SSL on my old server, mainly for the mail server and a sub-domain site I had set up. I decided to expand my use of SSL because I think there should be more encrypted traffic flowing on the net. The NSA gathers as much as possible, and is especially interested in encrypted traffic. Might as well fill their drives with my pointless blog.

I didn't just throw a self-signed SSL certificate on the server and call it good. I wanted a properly signed SSL certificate, but I'm cheap, so I went with a free certificate from StartSSL. They provide a basic domain-validated certificate for free. Although they offer to create a private key for you, if you create the key yourself on your own equipment then they never have to see it, and you don't need to worry about the security of their service.
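The "create the key yourself" step, as an added example (not the post's own commands and not StartSSL's tooling): the private key and the certificate signing request (CSR) are generated locally with OpenSSL, only the CSR is uploaded to the CA, and a second function confirms the CSR really was built from that key before you send it. The domain name is a placeholder, and the script assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: generate a private key and CSR locally so the CA never sees
# the key. Assumes openssl is on PATH; "www.example.com" is a placeholder.
set -e

# make_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (private key, mode 0600) and OUTDIR/DOMAIN.csr,
# then prints both paths.
make_key_and_csr() {
    domain="$1"
    outdir="$2"
    mkdir -p "$outdir"
    key="$outdir/$domain.key"
    csr="$outdir/$domain.csr"

    # umask 077 in a subshell: the key file is created owner-only from the
    # start, so it is never world-readable even for an instant.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null )

    # The CSR carries the public key and the subject name; it is the only
    # thing uploaded to the CA. The private key stays on this machine.
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$domain" 2>/dev/null

    printf '%s\n' "$key" "$csr"
}

# csr_matches_key KEY CSR -> exit 0 if the CSR's public key is KEY's public key.
# Comparing the RSA modulus catches the classic mistake of uploading a CSR
# made from a different (e.g. older) key than the one the server will use.
csr_matches_key() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_subject CSR -> prints the subject line so you can eyeball it before upload.
csr_subject() {
    openssl req -in "$1" -noout -subject 2>/dev/null
}

# Usage (writes into ./tls):
#   make_key_and_csr www.example.com ./tls
#   csr_matches_key ./tls/www.example.com.key ./tls/www.example.com.csr && echo ok
```

Check the key's permissions (`ls -l`) and the CSR's subject before uploading; once the CA returns the signed certificate, the web server is configured with that certificate and the locally generated `.key` file.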

Once I had an officially trusted public/private key pair, I wanted to make sure SSL was set up correctly. I used the SSL Labs server test to verify I was doing it right. After some experimentation I got all the current best practices working. Forward secrecy is supported, so that even if my private key is compromised later, traffic captured earlier can't be decrypted. According to SSL Labs, Internet Explorer really won't like this site, although the IE 9 I use in the office seems to work OK.
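An offline check of the forward-secrecy point, as an added example (not from the post, and not the SSL Labs test itself): it feeds an OpenSSL cipher-list string, the kind that goes into a web server's SSL configuration, through `openssl ciphers -v` and reports any suite whose key exchange is static RSA, because those suites are exactly the ones whose recorded traffic becomes readable if the server's private key leaks. Ephemeral ECDH/DH suites and TLS 1.3 suites (shown by OpenSSL as `Kx=any`) pass. The cipher strings are constructed samples; `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: flag cipher suites without forward secrecy in a cipher-list
# string. Assumes openssl is on PATH. Cipher strings below are constructed.

# non_fs_suites CIPHERLIST
# Prints every suite in CIPHERLIST whose key exchange is plain RSA. In the
# `openssl ciphers -v` output the third column is the key exchange, e.g.
# "Kx=ECDH" (ephemeral, forward secret) or "Kx=RSA" (static, not forward secret).
non_fs_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '$3 == "Kx=RSA" { print $1 }'
}

# forward_secrecy_only CIPHERLIST
# Exit 0 when every suite in CIPHERLIST uses an ephemeral key exchange,
# 1 when at least one static-RSA suite is present, 2 when the string itself
# is invalid (an invalid string must not silently pass as "no bad suites").
forward_secrecy_only() {
    openssl ciphers "$1" >/dev/null 2>&1 || return 2
    [ -z "$(non_fs_suites "$1")" ]
}

# Usage:
#   forward_secrecy_only 'ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384' \
#       || echo "suites without forward secrecy:" $(non_fs_suites 'ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384')
```

The same idea applies to whatever the server actually negotiates: a suite named `ECDHE-…` or `DHE-…` gives forward secrecy, one named `AES…` with nothing in front of it is using the server's RSA key for key transport.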


Copyrighting Stupidity

Sun 23 March 2008 by Kevin van Haaren

The level of stupidity on the internet knows no bounds, but occasionally there are individuals that descend below even the typical train wreck mentality of the average internet user. And they usually start a blog.

Eventually the worst of the stupidity will get called out, usually by holding it up to the light, pointing and laughing in derision. And in typical fashion the derided will shake their little fists and stamp their little feet in anger and claim copyright violation.

Case in point. Global Geek News, a lie in every word as the site has nothing global in scope, the ...


Apple vs. Think Secret

Wed 26 December 2007 by Kevin van Haaren

Mac rumor site Think Secret recently shut down as part of an agreement with Apple. Apple sued Think Secret on January 5, 2005 after they published rumors about Apple’s plans to announce the iPod mini at the 2005 Macworld. Think Secret wasn’t the only rumor site at the time publishing rumors about Apple’s announcements, but Apple sued them, and no one else, to get the names of those who had leaked the information before Apple actually made its announcements. This of course immediately lent credence to all of Think Secret’s claims, including claims that were wrong (such as ...


Finally, secure e-mail connections

Thu 09 October 2003 by Kevin van Haaren

Took me a few days to figure out what I was doing, but I’ve now got my external server offering POP3 and SMTP over SSL connections. Since I don’t use FTP (hmmm, need to look into SFTP next), I’ve eliminated all cleartext password passing from my server (well, except for the password for this web site; guess I’ll work on that in a couple of months).

My SMTP server has always used CRAM-MD5 authentication, so that password was never sent in cleartext, but my POP server’s has been.

An added advantage of moving to SSL connections is that ...
