Experience Vault Micro Update: Published Date Added

Summary: Added a new field “Date Published” to Experience Reports and moved all code over to use that instead of “Date Reviewed”. If anyone sees errors in the Experience Vault lists or What’s New, please let me know.

tl;dr

Changes to the Experience Vaults are hard because I wrote the code for almost all of it back in 2000 and then a major update in 2004. All written in ancient Perl that’s extremely fragile and a pain to set up as a development environment. On the plus side, it mostly works.

As a preliminary step towards a couple of other new features for crew and public, yesterday I added the very obvious “date published” field. We’d been skating by using Reviewed Date (the date that the first reviewer edited the report and marked it ready to be live) as the date published. But there are lots of reasons why one doesn’t want to have a single value for editing history and publication date. So, editing history is now properly just editing history and we don’t have to jury-rig and falsify the editing date in order to have the date of publication be correct. woo. :]

Date published is now the primary sort.

It’s a tiny update, but because of the complexity and fragility of the old code, the Perl library I chose to use was failing in weird ways. It took five hours of debugging to reach the point where I realized I could solve the problem by moving the logic out into a separate library (namespace), and then it all magically just started working.

Woohoo! New SSL Cert (4096 key)

Since all of our HTTPD traffic is forced SSL, a valid certificate is required to prevent visitors to Erowid.org and EcstasyData.org from seeing a very nasty error message when trying to access the sites. With an expiration date looming, it was time to renew Erowid.org’s low-end SSL certificate. Why low end? Because we consider the browser certificate authority to be an illegal global racket.

First, the good news. Check out our “A” rating from Qualys SSL Labs:

SSL Labs A Rating of Erowid HTTPD Server Security

We mostly achieved this a couple of years ago when our sysadmin team worked to eliminate all of the basic problems, like removing support for dangerously weak encryption ciphers and forcing more secure handshake methods. If you look at the Qualys report, you’ll see that our server doesn’t allow the known-broken encryption algorithms.

And, as of today, we’re trying out a 4096 bit key. Many of the sites I looked at suggested that the CPU load cost of doing the key negotiation wasn’t worth the extra security, but JL, our main sysadmin, said we should give it a try. We’ll watch the server load over the next week or two, but right now it seems fine.
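The two things this section worries about, a looming expiration date and leftover weak cipher suites, are easy to watch for from the outside. The following is an added example written for this post, not Erowid’s own tooling: it uses only the Python standard library, and the sample certificate dictionary and the list of weak-cipher markers are constructed for illustration.

```python
import socket
import ssl
import time

SECONDS_PER_DAY = 86400.0

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a real Erowid cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "erowid.org"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Mar 15 23:59:59 2016 GMT",
}

# Substrings that identify suites a hardened server should not offer (assumed list):
# RC4, single/triple DES, export grades, NULL encryption, MD5 MACs, anonymous DH.
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH")

def days_until_expiry(cert, now=None):
    """Days left before notAfter (negative once expired); notAfter is parsed as UTC."""
    if now is None:
        now = time.time()
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / SECONDS_PER_DAY

def is_weak_cipher(name):
    """True if an OpenSSL cipher-suite name contains a known-weak component."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)

def assess(cert, cipher_name, protocol, now=None, warn_days=30):
    """Turn one handshake result into a list of findings; an empty list means no complaints."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate expired")
    elif days < warn_days:
        findings.append("certificate expires in %d days" % int(days))
    if is_weak_cipher(cipher_name):
        findings.append("weak cipher negotiated: " + cipher_name)
    if protocol in ("SSLv2", "SSLv3", "TLSv1"):
        findings.append("obsolete protocol negotiated: " + protocol)
    return findings

def check_server(host, port=443):
    """Connect with the default (verifying) context and assess what was actually negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            return assess(tls.getpeercert(), cipher_name, protocol)
```

Calling `check_server("erowid.org")` from a cron job and alerting on a non-empty list is enough to catch the next renewal deadline early; the standard library does not expose the public key size, so the 4096-bit check still needs `openssl x509 -text` or similar.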

As far as the rant about the global criminal conspiracy that is the certificate authority, well, I will leave that to others. To be clear, I think it’s all a money scam, facilitated by the browser folks.

We choose to buy a cheap chained certificate because of the usurious pricing of the better, greener, happier certificates. They punish us by making the URL bar not as pretty and also making the certificate viewing experience worse. Despite the CSR having all the right info, the $50-100 per year wildcard-SSL certs don’t display our organization name or location properly. Pay $200-1000 per year and, with no additional security, we would get a happy-looking green bar and Erowid displayed in the browser URL bars.

Snake oil forever.

As I was searching for an example of an expensive green bar, I discovered that trying to view the front page of CNN via SSL resulted in terrifyingly bad browser behavior. It looks like a hijack (MITM) or just fails.

I'm Glad I'm Not a CNN Sysadmin

In early 2015, Erowid joined EFF’s HTTPS Everywhere campaign, because we believe that, today, virtually no communications should occur online in clear text. It is a sad statement about humanity that most of us, including institutions handling sensitive data about us, still use unencrypted plaintext email that requires no warrant and is, essentially, a public broadcast.

P.S. In an insanely conspiratorial way, I believe that the NSA and other anti-public-crypto agencies have worked to torpedo efforts over the last twenty years to get email more secure. In the United States, a fig leaf of privacy is enough to trigger Fourth Amendment protections.

Experience Vault List Minor Update: Cellar Button

After a phone call with an expert earlier this month where Earth was reminded how few people understand the more technical options in the Experience Vaults, we decided to try adding a button to the bottom of search results and lists to show Cellar reports.

So, now viewing search results lists will tell the reader whether there are matching results in the Cellar:

Search Experiences for 1,4-Butanediol

Before this week, the “Show Cellar” button only showed up if there were no reports matching a given search. There has always* been an Advanced Search option to include Cellar reports in a search, but very few people used this option.

We’re not 100% certain this is a good idea, because we don’t want to highlight Cellared reports too much. We don’t want to shame authors for writing reports our triagers and editors consider below our cutoffs, nor do we want people to have to slog through reading reports that are considered to contain data but have some serious problem that caused them to be relegated to the Cellar.