It has taken waaaay longer than I wanted but the site is finally migrated to a new blogging system. The whole backend has been redone, and most of the sites hosted here are now served over SSL. This post is mostly a test to see if it's all working correctly. If it is, this post should appear on the blog within 30 minutes of my marking it publishable.

New blogging software

I liked Darby Lines' description of the Pelican blogging platform, so I selected it as my blogging platform as well. As Darby did, I use Dropbox to get content to my server, where Pelican processes it into this web site.

Most blogging systems store the content to be displayed in a database. When somebody opens a page, the content for that page is retrieved from the database and rendered. Pelican, on the other hand, keeps the files that make up a site in a content directory, mostly as Markdown or another supported text format, plus images. Pelican processes these files into a website of entirely static HTML, creating RSS/Atom feeds, index pages, archive pages, etc. as required.

There were several reasons for going with a static site: primarily security, but also performance. While I've not suffered large loads on the site, database-backed dynamic sites can be overwhelmed by a large traffic spike. Web servers perform at their best serving static content, so a static site plays to their strength.

A dynamic site typically requires a scripting language such as PHP, Ruby or Perl, plus a database such as MySQL, SQLite or PostgreSQL. Including the web server, that means every one of those components has to be kept patched for security reasons, and each update can conflict with the other installed components. Reducing a site to just the web server reduces the number of things that can be attacked.

New virtual machine

Instead of using a hosted web service I have a virtual server from Host Virtual. I prefer running a virtual machine: it gives me the flexibility to run the services and software I want. I can host multiple domains and sub-domains without paying extra. I get to pick, and maintain, the Linux distribution I want (Gentoo) and my choice of web server. Keeping up to date with security patches and new versions is my responsibility, but I prefer it this way and Gentoo's package management makes it pretty easy.

SSL

I used SSL on my old server, mainly for the mail server and a sub-domain site I had set up. I decided to expand my use of SSL because I think there should be more encrypted traffic flowing on the net. The NSA gathers as much as possible, and is especially interested in encrypted traffic. Might as well fill their drives with my pointless blog.

I didn't just throw a self-signed SSL certificate on the server and call it good. I wanted a properly signed SSL certificate, but I'm cheap, so I went with a free certificate from StartSSL. They provide a basic domain-validated certificate for free. Although they offer to create a private key for you, if you generate the key yourself on your own equipment and send them only a certificate signing request, they never see the private key and you don't have to trust the security of their service with it.
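The "generate the key yourself" step from the paragraph above, as an added example that is not part of the original post. It produces the private key locally with the openssl command-line tool and builds a certificate signing request (CSR), which is all a CA needs to issue a certificate. The domain name and output directory are placeholders supplied by the caller, and the second function is the check I would run before uploading the CSR: that the public key inside it really belongs to the key I intend to deploy.

```shell
#!/bin/sh
# Added example (not from the post): generate the private key locally and
# produce a certificate signing request (CSR) for the CA. Only the CSR, which
# carries the public key, is sent to the CA; the private key never leaves
# this machine. The domain name and output directory are placeholders.

# make_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (readable only by the owner) and OUTDIR/DOMAIN.csr.
# Returns 0 when both are written and the CSR's self-signature verifies.
make_csr() {
    domain="$1"
    outdir="$2"
    mkdir -p "$outdir" || return 1
    # Subshell so the restrictive umask applies only to the key file.
    ( umask 077 && openssl genpkey -algorithm RSA \
          -pkeyopt rsa_keygen_bits:2048 \
          -out "$outdir/$domain.key" 2>/dev/null ) || return 1
    # The CSR is signed with the private key; the CA verifies that signature
    # to confirm the requester holds the key matching the public key inside.
    openssl req -new -key "$outdir/$domain.key" \
        -subj "/CN=$domain" -out "$outdir/$domain.csr" 2>/dev/null || return 1
    openssl req -in "$outdir/$domain.csr" -noout -verify >/dev/null 2>&1
}

# csr_matches_key KEYFILE CSRFILE
# Returns 0 if the public key embedded in the CSR is the one derived from
# KEYFILE, i.e. the CSR you are about to upload belongs to the key you keep.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}
```

Run it as `make_csr www.example.org /etc/ssl/private` (placeholder values), then hand the `.csr` file to the CA and keep the `.key` file where only the web server's user can read it. The CA's signed certificate goes next to the key; nothing about the CA's own key-generation service is needed.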

Once I had an officially trusted public/private key pair I wanted to make sure SSL was set up correctly. I used the SSL Labs server test to verify I was doing it right. After some experimentation I got all the current best practices working. Forward secrecy is supported, so that even if my private key is compromised later, previously recorded encrypted traffic can't be decrypted with it. According to SSL Labs, Internet Explorer really won't like this site, although the IE 9 I use in the office seems to work OK.
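Forward secrecy comes down to which ciphers the server is willing to negotiate, so here is an added example (not from the original post, and independent of whatever web server this site uses) that inspects an OpenSSL cipher string of the kind that goes into a TLS configuration. It flags any cipher whose key exchange is static RSA, where the session key is encrypted to the server's long-term key and a later key compromise exposes recorded sessions; ephemeral exchanges (ECDHE, DHE, and every TLS 1.3 suite) pass. The cipher strings in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post): check whether an OpenSSL cipher string
# offers forward secrecy for every cipher it enables. "openssl ciphers -v"
# reports the key exchange as Kx=ECDH or Kx=DH for ephemeral exchanges and
# Kx=any for TLS 1.3 suites (always ephemeral); Kx=RSA means the session key
# is wrapped with the server's long-term key, so recorded traffic can be
# decrypted if that key ever leaks.

# fs_only CIPHER_STRING
# Prints each non-forward-secret cipher found. Returns 0 if every cipher is
# forward secret, 1 if at least one is not, 2 if openssl rejects the string.
fs_only() {
    list=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
    [ -n "$list" ] || return 2
    printf '%s\n' "$list" | awk '
        {
            kx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Kx=/) kx = substr($i, 4)
            if (kx != "ECDH" && kx != "DH" && kx != "any") {
                bad = 1
                print "no forward secrecy:", $1, "Kx=" kx
            }
        }
        END { exit bad ? 1 : 0 }'
}
```

Feed it the exact string from the server configuration, e.g. `fs_only 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA'`, and it names `AES128-SHA` as the one that gives the SSL Labs "no forward secrecy" warning for clients that end up on it; a string that passes still needs the server set to prefer its own cipher order so a client cannot steer the handshake to a weaker choice.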


In-App Web Viewers vs. Safari

Fri 15 April 2011 by Kevin van Haaren

I recently got into a bit of a Twitter argument with Dan Frakes of Macworld about apps that have links to web pages and open those pages in their own web viewer within the app, instead of handing the link to mobile Safari (hereafter just called Safari, as this is an all-iOS discussion) and letting it handle it.

Most apps do this because it became the norm when there was no multitasking on iOS. Switching away from an app meant shutting it down. Reopening it sent you back to the beginning. Apps avoided this 'return to the beginning' by ...

The New AppleTV and Ping

Thu 02 September 2010 by Kevin van Haaren

Apple's iPod event was yesterday. As usual, rumors abounded beforehand and failed to come true. The funniest was that Apple didn't rename Apple TV to iTV, as every-freaking person in the world predicted. Apple TV also didn't become a touch-driven interface (touch provided via the Magic Trackpad Apple introduced). This is a good thing, mostly. I don't recall hearing much that Apple might roll out a social networking deal (Ping), so I guess most people missed that too.

I'm going to confine my comments to just 2 things: Apple TV and Ping. Most of ...

Finally, secure e-mail connections

Thu 09 October 2003 by Kevin van Haaren

Took me a few days to figure out what I was doing, but I've now got my external server offering POP3 and SMTP over SSL connections. Since I don't use FTP (hmmm, need to look into SFTP next), I've eliminated all cleartext password passing from my server (well, except for the password for this web site. Guess I'll work on that in a couple of months).

My SMTP server has always used CRAM-MD5 authentication, so that password was never sent in cleartext, but my POP server's was.

An added advantage of moving to SSL connections is that ...