PrivateEye 3.10

PrivateEye is a viewer for Sprites, DrawFiles, JPEGs, ArtWorks, GIFs and PNGs. It also has editing features including bitmap effects and rotation.

Version 3.10 is an update which enhances its handling of JPEGs:

• Progressive JPEGs are now passed straight through to the OS when it is capable of decoding them. This requires RISC OS Select with SpriteExtend 1.30 [circa 2002] or RISC OS 5 with SpriteExtend 1.73 [circa 2016], or later. You can still force JPEG cleaning on from the choices if you wish.
• The information given on JPEGs is enhanced. The source info window will show the details of the file format, being JFIF, Exif, Adobe or a combination thereof; Baseline, Extended Sequential or Progressive DCT coding and whether the packing was Huffman or Arithmetic.
• Hand-in-hand with the above is enhanced colourspace reporting. The “Colours” field will show whether the JPEG is encoded as YCbCr (the most common), YCCK (like CMYK), RGB or CMYK. It will report the number of components used, and the depth of those components too.

And in addition to those tasty JPEG goodies:

• Multiple effect windows may now be open concurrently.
• PrivateEye is now cross-compiled using GCCSDK.
• It is now supplied as a RiscPkg package.

PrivateEye is freeware.

It’s available to install via PackMan, or directly from this download link:
http://www.davespace.co.uk/software/privateeye310-2.zip

Reading the manual is strongly recommended:
http://www.davespace.co.uk/software/privateeye310manual.pdf

If you want to contribute its source code is hosted on github:
https://github.com/dpt/PrivateEye

Great news but I found the direct download link did not work.

All three links work correctly for me.

I successfully downloaded it using Iris but Google Chrome was not interested. Well done Iris.

Downloaded yesterday with Netsurf. Just did it again with Android Chrome.

The server sends the following:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 21 Sep 2021 12:06:27 GMT
Content-Type: application/zip
Content-Length: 569432
Connection: close
Last-Modified: Sun, 19 Sep 2021 23:14:50 GMT

So if it’s not working, check your browser configuration as there’s nothing odd here, other than it being served over http. Overly paranoid browsers may elect to block this as “insecure”…?

I successfully downloaded it using Iris but Google Chrome was not interested. Well done Iris.

The reason for Google Chrome, having an issue, is due to David Thomas’s site using http rather the the more secure https protocol. Chrome now by default, will barf at sites that are http as they are less secure, there is an option within Chrome’s settings to turn that checking off.

Firefox and Safari will also soon be enforcing this check, I know Firefox already has the option within its settings, but it not the default at the moment

I successfully downloaded it using Iris but Google Chrome was not interested. Well done Iris.

Well done for failing to recognise that the site isn’t properly configured by the ISP? I think not.

Chrome now by default, will barf at sites that are http as they are less secure,

Chrome, as of version 90 is supposed to default to HTTPS first and fail through to HTTP.

Firefox has a similar feature (I mentioned it a few months back) but some sites don’t manage to trigger the fail to HTTP because they have a partially implemented HTTPS.

www.davespace.co.uk when scanned for SSL use gives “Certificate name mismatch” – this is because the only certificate on the pepperfish.net domain is valid for: admin.pepperfish.net, listmaster.pepperfish.net, pepperfish.net, platypus.pepperfish.net, www.pepperfish.net and not www.davespace.co.uk

The pepperfish.net domain should not give a HTTPS response for davespace if it does not have a matching certificate

I recommend that everyone running their own web site check its secure connection status by scanning the server with https://www.ssllabs.com/ssltest/index.html

It doesn’t break anything, and it will give you pointers to what you need to change / have changed for you.

We all should be running https websites nowadays.

(It’s all very well, and true, to say that the information we put there is freely available. https makes it difficult to redirect a site to a nefarious destination, and thus possibly compromise the client, because the certificate name has to match the site name. Certificate issuers have steps in place to prevent certificates being issued to entities other than the correct one.)

Certificates are available at no cost, are easy to obtain (even I managed to do it), and are easy to renew. I even get timely reminders by email from the certificate issuer.

The above applies to sites hosted by a hosting company. If anyone is privately hosting a site with Webjames, for example, then we need to see if the source for Webjames is available and can be modified to use https. I can certainly make server versions of the AcornSSL module available.

and are easy to renew. I even get timely reminders by email from the certificate issuer.

If you’re using Let’s Encrypt (a well-known free certificate issuer) and a reasonable shared hosting provider, they’re probably already set up to auto-renew the certificate 60 days into the 90 day lifetime. The more cynical providers may not advertise this fact (as it presumably takes away from their own paid-for certificates), but a quick message to support asking if Let’s Encrypt is available can’t hurt.

In my case, there’s no mention of the facility in CPanel, but it was up and running after a 30 second web-chat with support. For the RISC OS edge, then if you’re with Xencentric, I think – but can’t be bothered to check just now – that there’s a big “configure Let’s Encrypt” button in the CPanel dashboard.

You also want to redirect HTTP traffic to HTTPS. If this isn’t a check box in the CPanel setup wizard, again a competent hosting provider should offer when manually setting things up. If not, it’s “just” some cryptic runes in the .htaccess file.

If anyone is privately hosting a site with Webjames

Then all bets are off because you don’t “own” the domain. There’s no way I’m going to be able to register a certificate for ddns.net.
So, how are people using dynamic IP services supposed to go all shiny-https?

PS: WebJames source is available. Never managed to build it as I never found the RegEx library it was expecting, and wasn’t familiar enough with that to fix what it was tripping up over. So, alas, I never updated anything.

Try asking the person running riscosports, there’s an ARMv7 build there, so I’m guessing he did find all the right bits. ;-)

There’s no way I’m going to be able to register a certificate for ddns.net.

There is. I can say this with certainty because I’ve done it, and renewed it several times. That’s what I use to test AcornSSL server.

If not, it’s “just” some cryptic runes in the .htaccess file.

There’s a lot of weird on the internet. This method should redirect everything tidily, using a 301 (redirect) so the likes of Google will pick it up and stop pointing at the older location. It’s also self contained so you don’t need to psych in your hostname or anything.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Andrew and Steve: thank you for your helpful, informative and supportive contributions!

(Edit: And just in case my words above are misinterpreted, I’m not getting at Rick in any way. He’s clearly just learned something surprising and useful!)

There is. I can say this with certainty because I’ve done it

Well that’s very good to hear! ;)

but a quick message to support asking if Let’s Encrypt is available can’t hurt.

In the case of pepperfish.net – that’s exactly what they have on the server instances I listed.
As a result, I’m pretty sure they know how to handle Let’s Encrypt certificates.

I recommend that everyone running their own web site check its secure connection status by scanning the server with https://www.ssllabs.com/ssltest/index.html

If only they maintained their own site.

When I scan my site, it has “DNS CAA: No”, with a “more info” link. This links to https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum which in turn redirects to a random search results page for “ssl labs”. Helpful.

Aside from that, my site gets an “A” :)

https://www.davespace.co.uk/ is now updated with the correct certificate.

Glad to say we have an ‘Overall Rating of A’ https://www.ssllabs.com/ssltest/analyze.html?d=cjemicros.co.uk though I think all credit should go to xencentric!

A and A. ;)
https://www.ssllabs.com/ssltest/analyze.html?d=heyrick.eu

Glad to see so many have their SSL configuration correct and certificates valid :)

Package distribution server for my RISC OS Community on Github and my own RiscPkgs gets almost all A+ and we also got PCI-DSS compliant status, together with a solid server security configuration. Hopefully it’s enough for RISC OS package distribution.

https://observatory.mozilla.org/analyze/zfpsystems.com

I would also recommend to test usign Mozilla Observatory, not just SSLLabs. Moz Observatory runs more tests, however both of them are related to surface and encryption testing, not Server Security testing (just to be clear)

Well done everyone!

Just so people don’t feel that their “home” efforts don’t compare well with commercial offerings:-
(name withheld to protect the guilty) shows an “F” and the TLS observatory tab which uses SSL Labs and shows a “B”

Had I mentioned medically related sites and why I need to check such sites?
One (other) site just updated their certificate – not bad considering it expired in 2016 :(

One of the sites I maintain for work got A from SSL Labs and F from Mozilla :( (I’ve subsequently brought it up to C without too much trouble, but any further is going to need more thorough testing).

Edit: Apologies for being way off topic here…

I can say this with certainty because I’ve done it

I got a reminder email from Let’s Encrypt a few hours ago, and I’ve just auto-renewed my cert and key for my ddns.net domain again.

I scripted the auto-renewal process some time ago so that I don’t have to go look it up every 90 days (that’s plenty long enough for me to forget). The auto-renewal takes about 10 seconds. It takes longer to open up the firewall and close it again.