Nginx reverse proxy SSL security issue

Until today the example Nginx reverse proxy config for Etherpad allowed for weaker SSL encryption than is acceptable.

You can see if your instance is vulnerable by checking your instance’s SSL cert.

Check your Nginx config to see if this line exists:

ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

If so, replace it with:

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 ECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

Restart Nginx, then check your instance’s SSL cert again.

We updated the wiki to reflect this change.
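
A heuristic check for the two cipher strings above, as an added example that is not part of the original post or the Etherpad project: it parses ssl_ciphers directives, applies the OpenSSL prefix rules ("!" removes permanently, "+X" only reorders) and reports tokens that enable weak suites plus any exclusions from the replacement string that are missing. The sample config is constructed around the page's two strings, and the function names are hypothetical.

```python
import re

# Classes the replacement string on this page removes with "!".
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "LOW", "3DES", "MD5", "EXP", "PSK", "SRP", "DSS"}
# Keywords that pull weak suites in when used without a "!" or "-" prefix.
# RC4 is listed because RFC 7465 prohibits RC4 cipher suites in TLS.
WEAK_KEYWORDS = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                 "SSLv2", "RC4", "3DES", "DES", "MD5", "aNULL", "eNULL", "ADH"}
ALIASES = {"EXPORT": "EXP"}  # exact alias only; EXPORT40/EXPORT56 are subsets of EXP
DIRECTIVE = re.compile(r"""^\s*ssl_ciphers\s+(["']?)(.+?)\1\s*;""", re.M)

def audit_cipher_string(cipher_string):
    """Heuristic check of an OpenSSL cipher string; it does not expand it to suites."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    # "!X" removes X permanently, wherever it appears in the string.
    excluded = {ALIASES.get(t[1:], t[1:]) for t in tokens if t.startswith("!")}
    weak = []
    for tok in tokens:
        if tok[0] in "!-+@":
            continue  # "-" removes, "+X" only reorders, "@" is a control token
        parts = [ALIASES.get(p, p) for p in tok.split("+")]  # "A+B" means A AND B
        if any(p in WEAK_KEYWORDS for p in parts) and not any(p in excluded for p in parts):
            weak.append(tok)
    return {"missing_exclusions": sorted(REQUIRED_EXCLUSIONS - excluded),
            "weak_tokens": weak}

def audit_config(text):
    """Audit every uncommented ssl_ciphers directive in an nginx config."""
    return [audit_cipher_string(m.group(2)) for m in DIRECTIVE.finditer(text)]

# Constructed sample config; the two cipher strings are the ones quoted on this page.
SAMPLE = '''
server {
    listen 443 ssl;
    # ssl_ciphers HIGH;   (commented out, so it is ignored)
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
server {
    listen 443 ssl;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 ECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
}
'''

if __name__ == "__main__":
    for report in audit_config(SAMPLE):
        print(report)
```

For the authoritative expansion into individual suites, pass the string to openssl ciphers -v on the server that runs Nginx.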

Skype and Hangouts alternative

We’re tired of being spied upon and we’re tired of tech companies colluding.

With no sign of an end we think it’s time to take control.

So, we’re introducing an Etherpad instance to serve as an alternative to Microsoft Skype and Google Hangouts. We’re using it internally, but we’re inviting you to try it out too for your own chats and let us know what you think.

Try out Vetherpad at https://v.etherpad.org/

Naturally no plugins or extensions are required, just a good ‘ol modern browser.

Wanna host your own? Just install Etherpad and the webrtc plugin. It takes minutes, then you will have your own secure, private video chat and document editing facilities.

Found a bug and wanna fix it? Awesome! We gots the bug trackers.

Looking to see what else Etherpad can do? Check out our beta instance..

Try out Vetherpad at https://v.etherpad.org/

Etherpad for the masses

Over time Etherpad has grown, it’s become more than we aimed for it to ever be with many large tech and activist organizations deploying their own instances. However, one problem we have is the ability for smaller organizations to easily roll their own Etherpad instance on the web.

Don’t get us wrong, there are some great services such as PrimaryPad that exist and cater for individual markets, but we feel that as a community we can provide a richer, more configurable service that contributes more back to our core open source project.

So we’re considering building an easy way to deploy a private Etherpad instance for your organization on Etherpad.com.

We don’t know exactly what this Etherpad as a Service will look like, but we will probably take inspiration from WordPress.com.

We want everything to be kept open source, not just what we choose to push back to the core project.

We want to provide confidence that activist groups’ anonymity and data will be kept safe.

We want to create an ecosystem that has some finance involved, but we want to keep uptake costs for small organizations to a minimum. We have a small pool of start-up funds available. We’re not sure yet how we will go about assigning stakeholders for this new venture.

Services we have been offered help with so far..

  • Hosting: Rackspace
  • SSL Certificates: GlobalSign
  • Automated Testing: SauceLabs
  • Etherpad Development: Etherpad Foundation (naturally)
  • Ticketing and Support: Primary Technology
  • Security Auditing: Mozilla
  • Translations: Wikimedia Foundation
  • Etherpad.com: Google

Services we’re looking for help with, maybe your organization can help?

  • Pen testing (Security penetration testing, ensuring our overall service is as safe as possible from attackers)
  • Marketing (Press release drafting, branding etc.)
  • Management and business strategy (Deciding the best approach for us to ensure we’re providing the best service)
  • Billing and Invoice handling (Allowing for simple online payments (including crypto-currencies), creating invoices and chasing them when they are unpaid)
  • Sales consultancy (Discussing payment options with potential and existing Etherpad.com users)
  • Data analysis (Looking at our collected stats/data and providing Management with decisions to help them improve their overall strategy)

Our big problem is going to be monetization. We have a few options we want to get your feedback on…

  • Charge per changeset: 1M or so changesets free then 0.001p per changeset after. We think this will confuse too many people and potentially scare people off using the service.
  • Flat fee per month: 1 month free then pay per month. We feel we can do better than this.
  • Free to use with micropayments for plugins: Something along the lines of $0.50 for each plugin you enable. We’re keen on this model as it funds new plugin development.
  • Ad supported: We’re not overly keen on spamming your page with ads, we think it devalues the service.
  • Pay per user: Monthly micropayment for each user account that you add or that uses Etherpad.
  • A choice of any of the above: This may be the most complex model for us to achieve technically but it might be the best for large and small organizations as they will be able to switch between payment options to secure the best deal for them.

So that’s our general goal: to create an ecosystem around Etherpad development to encourage more developers to take up Etherpad as their full time development job and to empower smaller organizations with the ability to quickly throw their own Etherpad instance up on the Web so they are in control.

Please do let us know your thoughts, we appreciate this isn’t ground breaking stuff but if we can build a stronger ecosystem it should lead to a more rapid release cycle and more innovation around Etherpad.

Say hello to Etherpad 1.4

Today we’re proud to announce Etherpad 1.4. Let’s be honest here, there are no killer features in this release; however, this release does contain LOTS of bug-fixes and security patches. All of the killer features exist as plugins. Once you upgrade Etherpad we suggest you check out the available plugins because some really great ones exist.

Why should I upgrade?

  • Various server and client stability patches
  • Various security patches
  • Various new hooks and methods (to support the plugins we talked about earlier)
  • Internal stats and metrics
  • Improved Docs
  • Moar

Anything special worth noting?

The introduction of a more modular toolbar means you might want to upgrade your settings.json, adding the new toolbar objects. To do this, simply copy the toolbar objects from settings.json.template. This is optional and not required.

Why so long?

We have been crazy busy. We have hundreds of organizations that now run Etherpad and our team has mostly been focusing on integrating with their platforms and resolving their issues. Thankfully those companies have allowed us to commit back to the open source project both to core and as plugins, also John got busy with a new startup.

How do I upgrade?

Simple.
git pull && /etc/init.d/etherpad restart

Show me the money!

Grab Etherpad 1.4 now

SSL on beta.etherpad.org

We just implemented SSL / HTTPS by default for all connections to beta.etherpad.org

Thanks to GlobalSign for the free cert.

Thanks to Nginx for making it easy to implement.

Thanks to Jesus for staying holy.

Enjoy and remember beta.etherpad.org is a play-ground, don’t use it for any real science.

1.4 is due soon, feel free to help us push it out, it’s crowning.

Etherpad 1.4 — RC1 available for testing

You can now test the first release candidate of the upcoming 1.4 release!

The most apparent change should be stability. We have tried to take care of lots of bugs that caused frequent crashes and corrupt pads in the past. Still, a few new features have made it in, such as support for recording metrics. Other new features are mostly under the hood to make the lives of admins and plugin developers easier. For details refer to the preliminary list of changes.

If you want to test this release, fetch the latest changes from github and checkout tag “1.4.0-rc1”. A list of things that need testing is available on the following pad. Please report your findings on github (or drop us a note on the pad). Also, if you have successfully tested an item on the list, please add a note there, too.

Things to test: http://beta.etherpad.org/test-release-candidate

Thank you, everyone!

Etherpad One Line Install

I read recently that Etherpad is more difficult than other collaborative editors to install. Before today it took a whole 2 lines. Today it’s one line for Debby/Ubuntu/Linux Mint heroes.

Copy / Paste below to your CLI to install Etherpad:

wget etherpad.org/downloads/etherpad-1.3.deb -O etherpad-1.3.deb && sudo dpkg -i etherpad-1.3.deb

Hopefully we will have an apt package / ppa repo sorted soon but for now this should suffice :)

If this doesn’t work for you please let us know.

Getting started contributing

So you are new to Etherpad or to contributing to open source and you want to know how you can get started helping the Etherpad Foundation spread the goodness that is Etherpad. We’re always looking for new people to join our fellow Etherpadians. We have one motto, “Ask forgiveness not permission”, so get started doing your thing and don’t be scared of doing something wrong.

Here are some things we need help with..

Writing blog posts

Knowledge required: General Etherpad knowledge, good writing skills and experience with publishing content on WordPress
Getting started: Draft a blog post and email it through, if we like it we will publish it on blog.etherpad.org. Alternatively self publish on your own blog and bump us and we will help promote it. If we’re comfortable after a few posts with you we will give you author access on blog.etherpad.org.

Engaging with potential Etherpadians on Social Media

Knowledge required: General Etherpad knowledge and experience with Social Media platform strategies such as Faceache, Reddit and Twitter
Getting started: Scan social networks for people chatting about Etherpad or Etherpad alternatives and engage with them to inform them of what they can/can’t use Etherpad for and how they can leverage Etherpad to improve their life, forever. Create new conversations with the goal of enlightening people as to how awesome Etherpad is.

Answering questions

Knowledge required: General Etherpad knowledge and experience with QA platforms such as Quora & Stack Overflow
Getting started: Hunt down questions people are asking about Etherpad and provide a clear answer to each question. Earn badges, free princesses.

Running Tests and replicating issues

Knowledge required: General Etherpad knowledge, Basic Github user experience and git experience
Getting started: Find open issues and try to replicate them on your own Etherpad instance. If the issue does exist, update it to confirm that. You may be asked by a code contributor to test a fix too; for this you may need basic git experience but it’s not required.

Creating tutorial and demonstration videos

Knowledge required: General Etherpad knowledge and experience with video publishing platforms such as Vimeo or that one that got f***** in the a** by Google+
Getting started: Review existing tutorial videos, find the ones we’re missing, create some video guides and upload them to your favorite video sharing website. We don’t have an official channel or anything fancy, feel free to make one!

Writing plugins

Knowledge required: General Etherpad Knowledge, Javascript, jQuery, NodeJS, Npm and Git experience
Getting started: Look at some example plugins and modify them to do what you want. Look at the open plugin requests on Github and the Etherpad feedback/voting platform. Once you are happy with your plugin, publish it to npm and ask the mailing list for feedback.

Contributing code

Knowledge required: Javascript, NodeJS, Git
Getting started: Read the wiki articles and contributing guidelines first, then look through the open issues and submit pull requests for anything you can resolve.

Creating marketing tools such as infographics

Knowledge required: General Etherpad knowledge and experience with image manipulation packages such as Gimp
Getting started: Create some marketing material such as memes from the 90s, put it online and send it through to us and we will spam it about on social media and other places.

Providing Translations

Knowledge required: Fluent in more than one language, minor experience with using the TranslateWiki service
Getting started: Find something that is missing a translation and add it on our translation page.

Writing Tests

Knowledge required: General Etherpad Knowledge, Javascript, jQuery, Travis, Mocha, NodeJS and Git experience
Getting started: Look at the frontend tests that already exist and search through the issues and wiki for outstanding issues.

Security testing

Knowledge required: General security / pen testing knowledge and ideally general Javascript, HTTP and Git knowledge.
Getting started: Install Etherpad locally and attack it, patch the Etherpad develop branch and submit a pull request with a fix, then let us know before going public as per a relatively sensible security disclosure policy.

Releasing new versions of Etherpad

Knowledge required: Basic writing experience, some Windows experience, basic Etherpad experience, git experience.
Getting started: Create a release pull request following our release guide.

General Foundation Admin

Knowledge required: General Etherpad knowledge and Basic Admin knowledge
Getting started: Contact us and when a general inquiry/request hits our inbox we will forward it through to you to forward through to the correct party.