This is the support team you're looking for

A great support team

Doing a postmortem analysis of the crisis you’ve faced is not only a great way to understand what happened so it never happens again. It’s also the best way I know to improve crisis response management for the next time.

Because there’s always a next time.

Looking back at all the crises I’ve faced in the past 10 years, what I missed most to solve them efficiently was an awesome support team.

An awesome support team is not (only) the one that answers you on a Saturday at 9:00 PM and replaces your son’s Kindle within 18 hours so he can read during his vacation. It is also the front line that manages the client side of the crisis while you’re working on it.

The awesome support team is product and tech savvy, half people with great empathy and half engineers. It removes pressure from the crisis-solving team both from the inside and the outside by filtering new tickets and working out whether they relate to the problem you’re facing or to something completely unrelated.

The awesome support team comes with the awesome product, not after it’s released. And as a front-line team, it deserves its share of the honors when the medals are handed out after the battle.


This article was published by Frédéric de Villamil on Le Rayon UX | If you read it elsewhere without a link to the original article, it was reproduced illegally.

The GPG Suite for Mac is not free anymore (and the sick sad future of personal cryptography)

Padlock

In An Open Letter About Our Future, the GPG Tools team announces that future versions of their software won’t be free anymore. The GPG Suite is the best personal PGP graphical interface on Mac OS X, and the only one that integrates well with Mail.

I understand the GPG Tools team’s position and I’ll even pay the price for a good personal cryptography experience. Since I started using the Mac OS X 10.10 beta a few months ago, I’ve been using nerdy workarounds to keep using PGP with Mail. This is not the experience I want.

15 years ago, I had that "no software but free software" state of mind. I spent nights and days compiling and configuring poorly integrated software to make it work together and ensure a decent user experience. A young know-it-all, I considered that code had to be free, both as in freedom and as in free beer, before anything else.

At 36, I’ve switched to a "no software but good software (better if free)" state of mind. I want to do things with my computer instead of doing things for my computer. I’ve been working in the software world for too long not to understand the value of code and the value of a good user experience, and not to pay for it or donate to my favorite projects.

I understand the move of the GPG Suite team, but I strongly disagree with it.

I’m concerned it sets a precedent and becomes a major step back for the use of personal cryptography outside the computer science sphere.

For a few years, personal data protection has been a major concern. The Wikileaks and Edward Snowden revelations have raised awareness of the data privacy situation outside the nerdy and global-conspiracy spheres. They raised an interest in what corporations and governments actually do with our communications and data, far beyond the usual security scene. If it did not really change anything, at least people can no longer say they didn’t know.

However, I don’t feel like the use of personal cryptography has improved in any way among the general public, either for personal or for professional use.

Despite some user experience improvements, using personal cryptography is still a pain in the ass. You need to understand the basics of applied cryptography: public / private keys, key exchange, signatures, expiry dates… Signing or encrypting an email or connecting to a VPN still requires you to add extra steps to your usual, simple workflow.

And no one wants you to use personal cryptography anyway. Your government doesn’t. Your ISP doesn’t. Your employer doesn’t.

A strong example is the man-in-the-middle attack (MITM). In a MITM, an attacker sits between two parties and relays their traffic, impersonating the legitimate receiver to the sender and the legitimate sender to the receiver, so that both sides believe they are talking directly to each other. In a corporate environment, MITM works even on encrypted traffic: the company installs its own CA certificate on the machines it manages, and an interception proxy terminates TLS, inspects the plaintext and re-encrypts it towards the real destination, without any browser warning.

15 years ago, man in the middle was a strong, little-known attack. Today, it has turned into a corporate security measure. That’s why no one wants you to use encryption, and that’s why Google giving a better ranking to sites served over SSL drives corporate IT departments crazy.

Personal cryptography is a pain, so no one wants to use it. Having to pay for it won’t improve anything. If we want strong adoption, personal cryptography must be free, and being free is part of a good overall user experience: it removes adoption friction.

12 years ago, I was doing lots of CSS. Internet Explorer 6 had 90% of the global market, people used table-based layouts and Web standards were a geek thing.

Fortunately, Firefox came and spread. Web standards started to spread too, and most people quickly stopped using table-based layouts. It was a hard time for evangelization, and even in 2006 I still had to develop for IE6, tables and inline styles.

Geeks started to install Firefox on their friends’, parents’ and school computers. They were able to do it because it was free, both as in free beer and as in free speech. What would have happened if they had had to pay a small fee to use Firefox? It would have met the same fate as the advertisement-powered Opera.

This was made possible because, despite many people working full time on Firefox, they found another way (i.e. Google) of funding it. Now that TrueCrypt is dead, we need more general-public-level cryptographic projects, and we need them to be free. It’s a question of freedom.



Teaching and acquisition

Easier to ask for forgiveness than permission. This common Python coding style assumes the existence of valid keys or attributes and catches exceptions if the assumption proves false. This clean and fast style is characterized by the presence of many try and except statements. The technique contrasts with the LBYL style common to many other languages such as C.

EAFP

I learned that there had been a follow-up at ParisWeb to the SudWeb talk on teaching front-end integration (thanks Boris!). One could say the timing is right. All this leads me to draw a parallel between programming language paradigms (EAFP vs. LBYL) and the practice vs. theory opposition one necessarily runs into when wanting to pass on one’s knowledge. To what extent should one prevent rather than cure? What is more formative?

For now I have taken the very experimental option: produce, and I correct you. And I hope to reach a point where it becomes: produce, and correct yourselves! That "yourselves" meaning the group and the knowledge accessible online. But I am torn. These students are lucky to have a course, and I am proposing that they become self-taught. Am I not thereby depriving them of the theory I lacked in order to progress faster 10 years ago? Are the thirty-somethings of the Web (huhuhu) not hiding behind this hands-on practice because it is all they have known?

And then I cling to the permissiveness of the Web, to that inconsistency written into its DNA, to those packets wandering between two continents in the hope of arriving somewhere. I imagine these students who want at all costs to be autonomous while they are going to have to learn to work together. Who want to apply good practice without necessarily understanding its meaning and the need for it. I watch them, lost but willing, and I keep hope. They still have time to make mistakes and the energy to get back up.

It’s a book about a corporate family kid who starts his own company

Jonathan Livingston Seagull

It took me 20 years to understand why I was offered Jonathan Livingston Seagull for Xmas 1991. My parents had been giving me one book every year ever since before I could read, but it was the first time my mother wrote something on the first page.

Xmas 1991. This book and Jonathan look like you.

If I wanted to completely ruin the plot, I’d say Jonathan is a book about a seagull who wants to fly.

It’s much more than this.

It was my first book about entrepreneurship and startups. It’s a book about someone who decides to follow his dreams despite everybody around him saying he’s a fool. He focuses on his dream and eventually makes it a reality, inspiring people around him to do the same.

It’s the book every teenager should read if they don’t feel like being like everyone else around them. If you’re a non-conformist, it will help you through those difficult years even though you won’t realize it.

Last week, something happened in my boy’s class. He had just gotten a 17/20 and was given a chance to change his mark for better or for worse. His friends told him 17/20 was good enough and he should stop. He didn’t, and scored 20/20. After that, his best friend told him:

You were right not to listen to what everybody said. If you do what everybody tells you to do, you’ll become like everybody. Don’t.

Telling me that story, afraid I was about to yell at him for endangering a good mark, he didn’t realize how proud of him I was. He knew it was something important, and I can’t wait for him to grow up and read that book.

This book is not only about a corporate family kid who starts his own company.

It’s a book about freedom.



IUT course: the basics

The plan is a lie.

Feedback on my first class at the IUT in Arles. The day started rather badly with the impossibility of finding my DVI-to-mini-DVI adapters… which added a slight extra constraint. So after a quick round of the class, where I was able to confirm that the levels really were uneven AND that the previous class on the basics of HTML/CSS had not been absorbed, we set off on a small project that served as a common thread throughout the morning. I noted two strong wishes on the students’ part: to become more autonomous and to improve the quality of their output. Yay!

In groups of 4 or 5, the students created a page according to the brief described earlier, with the instruction to split into groups of homogeneous level. After 45 minutes, one of the students (not the one at the keyboard) presents the group’s work to the whole class. We then move on to the next iteration with additional constraints (including the permanent one of rotating the person who codes). We managed 4 iterations over the morning with the following constraints:

  • free start;
  • start again from a sound base like HTML5Boilerplate with the associated pros/cons, reminders about resets (already known) and centering elements;
  • do not use the id/class attributes to style the page (thanks Vincent!) and therefore make better use of HTML5 tags and selectors, with an introduction to the + and > selectors in particular;
  • reorganize the CSS to get something clean that can be handed over, with an introduction to CSS frameworks.

The iterations became more fluid over the morning, with reminders and advice from me along the way. The results were in the end quite different depending on the group’s priority: passing on and evening out knowledge (collaboration) or reaching a result by splitting up the tasks (cooperation). Both approaches were interesting because they are representative of what they will encounter later on.

Some thoughts, in no particular order:

  • every group started by making a menu even though only one page was requested, quite funny;
  • no group paid any attention to the content in the first iteration, attention was entirely on the images and the CSS;
  • there was no exchange between groups, not even a glance to notice they had picked the same image from Google to illustrate the site;
  • I should have swapped out the student who initially took the keyboard (the most skilled) to let someone less experienced lay down the basics;
  • students now have their own machines (mostly MacBooks) and resort to hacks based on USB sticks and 3G connections to work while there are networked Windows machines right next to them; I will try to bring my own local network next time because the situation is quite staggering.

Overall the students seemed fairly satisfied. The mini-retrospective at the end of the class brought out two proposals for the next one:

  • work in smaller groups (2/3);
  • work on a topic closer to their interests.

So that will be adopted, starting from the basics acquired and moving towards a bit more dynamism since they are fond of JavaScript/jQuery effects; I also need to tell them about Flexbox, and we need to take the time for an introduction to the various ways of starting a site. I received 3 emails from students wanting to show me what they had already produced (at my initiative); that is not many out of 24, but it is a start :-).

SimCity that I used to know

Simcity 2000

If I fell in love with a computer in 1984, meeting Maxis’ SimCity at a friend’s place in September 1991 was my second honeymoon. I wasn’t into video games at all, except for a form of jealousy towards my friends who owned a NES, but SimCity changed the deal deeply. I’m still not sure whether it ruined my social life for half a decade or saved me from killing myself out of loneliness.

My relationship with SimCity quickly became passionate. Reading Will Wright’s 25th anniversary interview pretty much sums up why, pointing at many things I had never thought about before that day.

In 1992, my uncle gave me an antique Thomson TO16 XPDD on the condition that it would stay at my grandmother’s place. Its 4.77 MHz 8088 CPU, 512 KB of RAM, 4-color 320x200 CGA graphics card and two 5.25-inch floppy drives had been out of date for a while, but they meant more than a treasure to me.

Thomson TO16

Take a 14-year-old nerdy urban teenager and make him spend every weekend gardening in a cold country house, and you’ll turn his life into a nightmare. Promise him a computer, a book about BASIC and some ultimately geeky games, and he’ll follow you into hell. That’s what happened to me.

I spent my weekends building cities I named after the girl I was about to get a refusal from – or already had, as far as I remember – on a black and white screen. The color version of the game required buying a new screen and an expensive 16-color EGA card that was way beyond what I could afford, but I was OK with it anyway.

My towns were all variations on a perfectly aligned version of a dystopian nightmare that would make Epcot Center look like a messy fantasy. Elodie / Oriane / Aurélie City were the combination of a perfect lack of soul and freedom, standardized places for perfectly normal people that were meant to end in an ecological nightmare after all my nuclear power plant meltdowns.

It’s also the time I first switched from GW-BASIC to the hexadecimal representation of binary code. Resources on that topic were extraordinarily hard to find, and you could only rely on word of mouth to learn anything about it or, if you were lucky, on a passionate teacher eager to give you extra lessons outside school time. I can’t remember who taught me about PC Tools and how I was able to modify my SimCity save files to get more cash, but I still remember the excitement that paved the path for many unexpected, untold things.

The release of SimCity 2000 in 1994 was even more of a blast for me.

For the first time my old 8088 was not enough. I spent the whole summer working in a factory to earn enough cash for an 80386 DX 33 with a 120 MB hard drive, a 3.5-inch floppy drive and 2 MB of RAM. I remember paying 3500 francs for it (717 € after converting from its 1994 value). It was not enough, and I had to spend another 500 francs (102 €) on a 1 MB VESA Local Bus graphics adapter and 600 francs (122 €) on 2 MB of RAM. It’s still less than 1000 €, but it was more than the 16-year-old teenager I was had ever earned.

My SimCity 2000 towns were even more the image of a perfect dystopia than ever. The game was richer, adding a level of complexity my perfectly regular cities could not support anymore. They looked much more like what you would expect in the real world, except it was clear they were the fruit of the mind of a twisted, powerful divinity. I had just read Gibson’s Sprawl trilogy, and arcologies mixed with a drop of Huxley’s Brave New World were no secret to me.

I stopped naming my cities after girls I’d never have. I actually didn’t need a girl anymore, spending too much time playing. Instead most of them were called « Paradise City » after Guns N’ Roses’ Appetite for Destruction. My cities had nothing of paradise, and they were so perfectly balanced most human beings would have killed themselves out of depression.

I played until 1996, the year I discovered Frontier: Elite II, a game I still play from time to time today.



Would you recommend your company to your best friend?

Working nightmare

Years ago, I asked a friend who was working in a trendy Parisian restaurant if it was a good place to take my wife for her birthday.

Don’t go there, it’s terrible.

He was strikingly honest, and it left me with lots to think about. If asked, would I recommend my own company to my best friend?

Even though our product may fit their needs, there’s nothing like a disastrous experience involving money to ruin a long-established friendship.

I’ve thought about that a couple of times since then. I had many opportunities to hire good friends or to sell them our product or services. It happened when I was working for a Web agency, at blueKiwi, and at Botify. Many times I had to balance my loyalty between my company and my friends.

It had an interesting outcome. I realized my work / life ethics were more balanced than I thought. When you join a new company, trying to please everyone is a common mistake, and improving the overall sales or hiring new people, whatever the way, is an easy way to achieve it.

I started to ask myself many questions. Was our product good enough to be sold to my mum? Did I really want my best friends to deal with our salespeople? Did I really want my wife to experience our support, then complain about me all day? Was the pricing fair and adapted to the needs we wanted to fulfill?

Answering these questions led to 2 unexpected things. I became a better, more loyal friend, and the quality of what I was delivering improved drastically.

Answering these questions went far beyond the « will we still be friends after that? » question. They dealt with my core values and what (who) I really am.

I remember the first time I refused to recommend my company to someone I knew. It was an easy sell, but both the product and the customer experience were terrible. To be honest, the whole company was terrible, and the only way to fix it was to replace everybody – including me – and rewrite the product from scratch.

I realized the company did not fit my core values. I liked lots of my coworkers, but I didn’t belong in this place. I was working for a company I despised and refused to identify with, up to the point where I stopped mentioning where I was working when asked.

I think I would have been more comfortable admitting I was working for an animal porn company than telling the truth to people who had experienced us.

I didn’t leave immediately though. I have kids to feed, and starting over meant leaving a very comfortable, familiar zone. There are lots of reasons why you keep working at a place you don’t like: comfort zone, job scarcity, lack of time. But in the end, it’s about defining who you are.



IUT Arles course

In any case, whoever gives advice is first seeking to educate himself. Speaking to someone is a roundabout way of speaking to oneself. Do not think I have a sad view of human relationships. Certainly, I believe the other gives us access to our own intimacy. But understanding oneself is the best service one can render to those one loves.

Manuel d’écriture et de survie, Martin Page

Starting Monday, I will be teaching bachelor’s students at the IUT in Arles. Officially, I have to pass on knowledge of advanced CSS, JavaScript, jQuery and PHP in 6 half-days. I read Romy’s and Rémi’s accounts on the subject with great interest, and I still have far too many questions. The participants will have a fairly heterogeneous technical background and, from what I have been told, more of a design culture than a coding one.

I plan to use the first morning to take the temperature and adapt afterwards. I would like the following sequence:

  1. It is 20 December 2014 and this course has run to its end; imagine 2 scenarios (one positive, one negative) of what you will tell the next cohort about this course.
  2. Personal background and transferable skills.
  3. Email me a URL you are proud of / happy with.
  4. You will be assessed (unfortunately required) on your cooperation, your curiosity, your kindness and your energy.
  5. Form groups of 4/5 people. You have just joined an agency and are given the following brief: We are a triathlon/other club that wants to show its results and its friendly atmosphere online. You have 45 minutes and all the resources you want to produce something together.
  6. Presentation and debriefing group by group. Discussion and corrections for the next time.
  7. Who knows ParisWeb? Who took part in the OpenData hackathon held this weekend on the IUT premises?
  8. Web culture and learning.
  9. What improvements for next time?
  10. Links to read/understand/discuss before the next class: The End of Design As We Know It, High-level advice and guidelines for writing sane, manageable, scalable CSS, Designer’s guide to DPI, Responsive Web Design Tips, La méthode Daisy, Solved by Flexbox, jQuery, c’est bien, le DOM moderne, c’est mieux !, yours?

I will try to be rigorous about my feedback on this new experience and publish it here throughout the process. Comments are of course welcome.

A POODLE-proof, bulletproof Nginx SSL configuration

My little Poney

2014 has been an annus horribilis (yes, with 2 « n ») for SSL. Both the protocols and their implementations have suffered several critical vulnerabilities, from Heartbleed to POODLE. The good news is that SSLv3 is finally dead, so it’s time to move on to something else.

I’ve recently added HTTPS support to my blog, and I thought it would be a good idea to share my SSL Labs A+ (with a SHA-256 signed certificate), POODLE-proof, BEAST-proof, Heartbleed-proof configuration for Nginx. It was implemented on FreeBSD, which means you’ll have to change a few things here and there if you’re running Linux, but most things are exactly the same.

Remember the pon.ey domain we recently added DNSSEC to? We’re now going to give it some HTTPS love.

Generate a strong SSL private key

First, you need to generate a strong private key for your SSL certificate. The key itself has no hash algorithm: SHA-256 only comes into play when the CSR and the certificate get signed. We won’t use the -des3 option to protect the key with a passphrase (you would need to type it every time Nginx starts, like after an unplanned reboot), but we’ll use -rand /var/log/messages to feed some extra randomness into OpenSSL’s generator. Note the space between -rand and its file name, and that genrsa expects its options before the key size.

Don’t waste CPU cycles generating an 8192-bit key: most SSL certificate resellers won’t accept it, and every handshake would pay for it.

  # cd /usr/local/etc/ssl
  # openssl genrsa -rand /var/log/messages -out pon.ey.key 4096
  # chmod 400 pon.ey.key

Create a CSR with a SHA256 signature algorithm

You’re now going to generate the Certificate Signing Request you’ll send to your SSL reseller. Before choosing one, carefully check that it supports SHA-256 CSRs.

SHA-1 has been considered weak since the first collision attacks against it were published in 2005, and browser vendors have announced they will stop accepting SHA-1 certificates after 2016. If like me you’re choosing StartSSL, you’ll have to renew your certificate when they implement SHA-256.

# openssl req -new -nodes -sha256 -key pon.ey.key -out pon.ey.csr

Answer the few questions and send your CSR to your SSL reseller. The -key option matters: without it, openssl req -new silently generates a brand new key instead of using pon.ey.key, and the certificate you get back won’t match the key Nginx serves with.
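The whole key-and-CSR step as one script, added here as an example (it is not code from the original post): it generates the key, builds the CSR from it, and checks the two things a reseller and Nginx will care about before the CSR leaves the machine, namely that the CSR is SHA-256 signed and that it was really built from the key on disk. It assumes OpenSSL on the PATH and writes into the current directory; the subject passed to -subj is a placeholder.

```shell
#!/bin/sh
# Added example: generate the RSA key and SHA-256 CSR for pon.ey, then verify
# them. Not from the original post. Assumes OpenSSL on the PATH; the subject
# below is a placeholder. Run it in the directory where the key should live.
set -eu

DOMAIN=${1:-pon.ey}
KEY="$DOMAIN.key"
CSR="$DOMAIN.csr"

# 4096-bit RSA key, created with owner-only permissions from the start so it
# is never world-readable, not even between genrsa and chmod. genrsa takes
# its options first and the key size last. The key has no hash algorithm of
# its own: SHA-256 only enters when the CSR and the certificate are signed.
gen_key() {
  [ -e "$KEY" ] && { echo "$KEY already exists, refusing to overwrite" >&2; exit 1; }
  umask 077
  openssl genrsa -out "$KEY" 4096 2>/dev/null
  chmod 400 "$KEY"
}

# CSR signed with SHA-256 over the key above. -key is essential: without it,
# "openssl req -new" silently generates another key. -subj replaces the
# interactive questions.
gen_csr() {
  openssl req -new -nodes -sha256 -key "$KEY" \
    -subj "/C=FR/O=Example/CN=$DOMAIN" -out "$CSR"
}

# Signature algorithm the CA will see on the CSR, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
  openssl req -in "$CSR" -noout -text | grep 'Signature Algorithm' | head -n1 | awk '{print $3}'
}

# The CSR really was built from this key when both carry the same RSA modulus.
key_matches_csr() {
  k=$(openssl rsa -in "$KEY" -noout -modulus)
  c=$(openssl req -in "$CSR" -noout -modulus)
  [ "$k" = "$c" ]
}

gen_key
gen_csr
[ "$(csr_sig_alg)" = sha256WithRSAEncryption ] || { echo "CSR is not SHA-256 signed" >&2; exit 1; }
key_matches_csr || { echo "$CSR does not match $KEY" >&2; exit 1; }
echo "$CSR is ready to send ($(csr_sig_alg))"
```

The two checks at the end are the ones worth keeping around: a CSR signed with SHA-1 is what a reseller rejects, and a CSR whose modulus differs from the key’s is exactly what the missing -key option produces.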

Nginx basic SSL configuration

Now it’s time to add some SSL love to your vhost. Here’s a basic Nginx vhost configuration. The first server block is not SSL-related but makes sure your pon.ey lovers end up on a secure connection.

server {
  listen  62.210.113.68:80;
  listen [::]:80;

  server_name  pon.ey;

  # Plain HTTP only ever answers with a permanent redirect to HTTPS.
  return 301 https://pon.ey$request_uri;
}

server {
  # "ssl" on the listen directive replaces the older "ssl on;" switch.
  listen  62.210.113.68:443 ssl;
  listen [::]:443 ssl;

  server_name  pon.ey;

  # pon.ey.pem should hold the server certificate followed by the CA intermediates.
  ssl_certificate  /usr/local/etc/ssl/pon.ey.pem;
  ssl_certificate_key  /usr/local/etc/ssl/pon.ey.key;
  ssl_session_timeout  10m;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'AES256+EECDH:AES256+EDH';
  ssl_session_cache shared:SSL:10m;

  location / {
    root   /data/t37.net/public;

    access_log /data/t37.net/log/access.log;
    error_log 
  }
}

Note how we use return 301 in the HTTP-only vhost instead of the classic rewrite rule and its often confusing regular expression (trick courtesy of Les Aker).

Let’s have a look at a few options there.

ssl_ciphers enables only AES-256 with ephemeral Diffie-Hellman (EDH) and ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. Each session gets freshly generated key material that only the two parties ever hold; it never travels on the wire, so someone who records the traffic and later obtains the server’s private key still cannot derive it. Once the session is over and its keys are destroyed, the only way to decrypt a recorded communication is to break the session keys themselves. This property is called forward secrecy.

ssl_protocols disables the broken SSLv2 and SSLv3 and enables TLS only. This means your site breaks for Internet Explorer 6 on Windows XP, where TLS 1.0 is disabled by default, which may cause trouble in some corporate environments.

ssl_session_cache sets the type and size of the cache that stores session parameters. We’re using a shared cache named SSL with a size of 10 megabytes. One megabyte can hold about 4000 sessions, which should be plenty for our pon.ey Web site.

ssl_session_timeout specifies how long a client is allowed to reuse the session parameters stored in the cache.

Hardening EDH and EECDH

When using ephemeral Diffie-Hellman ciphers, the server sends the client the group parameters (a large prime and a generator) used for the key exchange. Nginx lets you specify the group you want the server to send; the bigger the prime, the better, at the cost of a slower handshake (very old Java clients also choke on groups larger than 1024 bits). Note that this only affects EDH: EECDH uses named curves, selected with ssl_ecdh_curve, not these parameters.

# openssl dhparam -out dh4096.pem -outform PEM -2 4096

Once you’re done (it can take a long time), add the following to your vhost:

ssl_dhparam /usr/local/etc/ssl/dh4096.pem;

HTTP Strict Transport Security

The next thing is to enable HTTP Strict Transport Security (HSTS). It makes Nginx tell browsers that this site must only ever be reached over HTTPS.

The HSTS policy is communicated to the client through an HTTP response header named Strict-Transport-Security. The policy specifies a period of time during which the user agent must access the server over HTTPS only, rewriting plain http:// links itself and treating any certificate error as fatal, with no click-through option.

Edit your vhost file and add the following line just under the SSL configuration, in the HTTPS server block only (browsers ignore the header when it arrives over plain HTTP):

add_header Strict-Transport-Security max-age=535680000;  

Be careful with a long max-age: for the whole period, returning visitors will refuse to load your site over plain HTTP or with an expired or otherwise invalid certificate, so you have to keep your SSL certificate valid and renewed on time.

Configure SSL stapling

The Online Certificate Status Protocol (OCSP) is a protocol to check whether an SSL certificate has been revoked. It was created as an alternative to the Certificate Revocation List (CRL) to make that check cheaper.

With a CRL, the client downloads the list of every certificate the CA has revoked, which can be huge and slow to process. With OCSP, the client sends a request about one certificate to a URL run by the CA, which answers with that certificate’s status.

OCSP stapling moves the query to the server: Nginx fetches the signed OCSP response from the CA periodically and staples it to the TLS handshake, so the client gets a fresh, CA-signed answer without contacting the CA itself. That saves the client a round trip and stops the CA from learning which sites your visitors browse.

Download your CA’s root and intermediate certificates in PEM format and concatenate them into a single file. Save it as /usr/local/etc/ssl/pon.ey.trusted.pem. Nginx uses it to verify the OCSP response it fetched when ssl_stapling_verify is on.

Add the following to your vhost configuration, following your SSL section.

ssl_trusted_certificate /usr/local/etc/ssl/pon.ey.trusted.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

Here, you’ll use Google’s public DNS resolvers to find your certification authority’s OCSP responder. Any resolver Nginx can reach works; a local one keeps your OCSP lookups out of a third party’s logs.

Conclusion

Here you are. Your perfect Nginx SSL configuration is almost complete. Before I let you go, here’s the full vhost configuration as it should be:

server {
  listen  62.210.113.68:80;
  listen [::]:80;

  server_name  pon.ey;

  return 301 https://pon.ey$request_uri;
}

server {
  listen  62.210.113.68:443 ssl;
  listen [::]:443 ssl;

  server_name  pon.ey;

  ssl_certificate  /usr/local/etc/ssl/pon.ey.pem;
  ssl_certificate_key  /usr/local/etc/ssl/pon.ey.key;
  ssl_dhparam /usr/local/etc/ssl/dh4096.pem;
  ssl_session_timeout  10m;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'AES256+EECDH:AES256+EDH';
  ssl_session_cache shared:SSL:10m;
  ssl_trusted_certificate /usr/local/etc/ssl/pon.ey.trusted.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;
  add_header Strict-Transport-Security max-age=535680000;

  location / {
    root   /data/t37.net/public;

    access_log /data/t37.net/log/access.log;
    error_log 
  }
}
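To check that a deployed vhost actually behaves the way this configuration intends (SSLv3 refused, TLS accepted, an OCSP response stapled, HSTS sent), here is an added example script; it is not part of the original post. Its three parsing functions work on captured openssl s_client and curl output, so they can be exercised without a server; probe_host runs them against a live host and assumes openssl and curl are installed. The strings it looks for are the ones OpenSSL 1.0.x s_client prints.

```shell
#!/bin/sh
# Added example, not from the original post: verify a deployed HTTPS vhost
# against the properties the configuration above is meant to provide.
# Assumes openssl s_client and curl for the live probe; the parsers below
# only need a transcript, which is how they can be tested offline.
set -u

# "ok" if the transcript shows a negotiated cipher, "refused" otherwise.
# s_client reports a failed handshake with "Cipher    : 0000" (or no session
# block at all), so the cipher line is the reliable signal, not the
# "Protocol" line, which is printed even when the handshake failed.
handshake_result() {   # $1: openssl s_client transcript
  cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n1)
  case "$cipher" in
    ''|0000*) echo refused ;;
    *)        echo ok ;;
  esac
}

# "stapled" when the server attached an OCSP response to the handshake
# (s_client -status prints "OCSP Response Status: successful"), else "missing".
stapling_result() {    # $1: openssl s_client -status transcript
  if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  else
    echo missing
  fi
}

# max-age in seconds from the Strict-Transport-Security header of a response
# header dump, or 0 when the header is absent. Header names are
# case-insensitive, and curl keeps the CRLF line endings, hence tr.
hsts_max_age() {       # $1: HTTP response headers
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ &&
    match(tolower($0), /max-age=[0-9]+/) { print substr($0, RSTART + 8, RLENGTH - 8); found = 1 }
    END { if (!found) print 0 }'
}

# Live probe: each protocol version on its own, then stapling, then HSTS.
# An OpenSSL built without SSLv3 rejects "-ssl3" as an unknown option; that
# still yields "refused", which is the answer we want to see.
probe_host() {         # $1: host, $2: port (443 by default)
  host=$1; port=${2:-443}
  for proto in ssl3 tls1 tls1_1 tls1_2; do
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" "-$proto" 2>&1)
    echo "$proto: $(handshake_result "$out")"
  done
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>&1)
  echo "ocsp stapling: $(stapling_result "$out")"
  echo "hsts max-age: $(hsts_max_age "$(curl -sI "https://$host:$port/")")"
}

# Usage: sh tls-check.sh pon.ey
if [ $# -gt 0 ]; then
  probe_host "$@"
fi
```

For the vhost above, the expected report is ssl3 refused, tls1 through tls1_2 ok, stapling stapled, and an HSTS max-age of 535680000. Stapling often shows "missing" on the very first connection after a restart, because Nginx only fetches the OCSP response once a client has asked for it; probe twice before trusting that line.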

If you have implemented DNSSEC, you can also publish your certificate’s fingerprint in your zone, so that DANE-aware clients can check the certificate they receive against DNS. The record type designed for this is TLSA (RFC 6698); a TXT record would carry no meaning to clients. The value to publish is the SHA-256 of the DER-encoded certificate:

openssl x509 -in pon.ey.pem -outform DER | openssl dgst -sha256

Don’t forget to re-sign your zone after doing this!
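The TLSA record itself, as an added example (not the original post’s code): the SHA-256 of the DER certificate becomes the record data, and the same digest taken from a live server’s certificate lets you confirm that the zone and the vhost agree. It assumes OpenSSL on the PATH and the certificate path used throughout the post; the "3 0 1" parameters are the DANE-EE usage, full-certificate selector and SHA-256 matching type from RFC 6698.

```shell
#!/bin/sh
# Added example, not from the original post: build the DANE TLSA record
# (RFC 6698) for pon.ey from its certificate and compare it with what a live
# server presents. Assumes OpenSSL on the PATH and the post's certificate path.
set -eu

# SHA-256 of the DER-encoded certificate, lowercase hex. "openssl dgst" is used
# instead of sha256/sha256sum because its output format is the same on FreeBSD
# and Linux; sed strips the "(stdin)= " prefix.
cert_sha256() {        # $1: certificate file (PEM)
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Zone line to add before re-signing. "3 0 1" means: usage 3 (DANE-EE, trust
# exactly this end-entity certificate), selector 0 (the full certificate,
# not only its public key), matching type 1 (SHA-256).
tlsa_record() {        # $1: name, $2: port, $3: certificate file (PEM)
  printf '_%s._tcp.%s. IN TLSA 3 0 1 %s\n' "$2" "$1" "$(cert_sha256 "$3")"
}

# Digest of the certificate a live server sends for this name (needs network).
served_cert_sha256() { # $1: host, $2: port
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Succeeds when the live server matches the certificate the record was built from.
tlsa_matches() {       # $1: host, $2: port, $3: certificate file (PEM)
  [ "$(served_cert_sha256 "$1" "$2")" = "$(cert_sha256 "$3")" ]
}

# Usage: sh tlsa.sh [/path/to/pon.ey.pem]
PEM=${1:-/usr/local/etc/ssl/pon.ey.pem}
if [ -r "$PEM" ]; then
  tlsa_record pon.ey 443 "$PEM"
fi
```

Because selector 0 hashes the whole certificate, the record has to be updated and the zone re-signed at every certificate renewal; selector 1 (the SubjectPublicKeyInfo only) survives renewals as long as you keep the same key, which is worth considering if you renew often.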



3 quick tips to improve low self-confidence

As you wish

Daria is one of my favorite cartoons ever. It’s been 17 years since it was first broadcast on MTV, but everything in it is still relevant and incredibly funny.

If you don’t know Daria, you’re really missing something. Daria is a cartoon about a smart, acerbic and somewhat misanthropic teenage girl who observes the world around her. S1E1 Esteemsters sets the tone with a quote I used as an email signature for years.

I don’t have low self-esteem. It’s a mistake. I have low esteem for everyone else

I know what low self-esteem and low self-confidence are about. I worked on both topics a lot a few years ago, and it helped me a lot, both in my family and work life.

I also know how hard it is to choose where to start. If you’ve ever read a productivity book, you already know that aiming at the stars gets you nowhere when you’re in the gutter.

Talking or smiling to random people in the street is classic advice, but it was too much for me. I had to focus on small achievements that would kick me out of my comfort zone and that I could easily turn into habits.

1. When in a group, make suggestions that concern everyone

At work, I used to follow my colleagues wherever they wanted to go. Not having to take a single decision was easy, as there was always someone deciding for me.

When someone asked where we wanted to eat, I started suggesting some popular places. I didn’t take any risk as I knew most of us liked to eat there, but I was expressing my point of view in front of the group.

Taking this kind of small decision is important. It doesn’t turn you into a leader, far from it, but you stop being a simple follower. The first times are hard and you barely hear your own voice, then you gain self-confidence and suggest more and more, sometimes controversial, things.

2. Stop saying « up to you »

Unless you’re the Dread Pirate Roberts or Boba Fett, « as you wish » is something you should ban from your vocabulary.

Just like the « where shall we eat » question, it’s very easy to let someone else decide for you. It’s incredibly comfortable, as you’re sure you’ll never fail. If something goes wrong, it’s someone else’s fault.

Unfortunately, it brings you nowhere. Or, more exactly, it will bring you to many places you don’t want to go.

3. Start saying no to things that matter

Speaking of going to places I didn’t want to go, I found myself in many uncomfortable situations because I did not say « no » in time.

I used to hate confrontation, and saying no to someone, even for a very small thing, was hard for me. Accepting everything was a way to stay in my comfort zone and avoid a fight that rarely happened anyway.

As I started to say « no » more often, I realized there was little or no confrontation. Most of the time, people would simply say « ok » and move on to something else.

It’s critical to say « no » to things that really matter to you, or your « no » will have little to no value. It’s exactly like saying « yes » too often: your « yes » no longer has any value.

There’s something so simple it’s stupid that it took me years to understand. People don’t expect you to always rely on them, and they don’t even expect you to please them. Don’t expect to turn into the next Captain Kirk type of leader with this, but these small exercises are a good start.

