Privacy-aware search engine to replace Scroogle

[Tom T.]

I allow all blocked objects but use the new interface. That one is so much better than the old one because the old interface has so many blank frames for some reason. The applet frame I think I notice but there is nothing in it.

I use the old interface. After entering username, I'm taken to a page with a password field. I looked at this from JAWS point of view [smile] and hit "tab" past the empty password field. Next was "Authenticate", which means "log in" or "send your password". DON'T. Tab one more time. Focus is now on what looks like a link, labeled "Enable Java", but hovering there shows a destination without any reference to Java, just a session ID number. I click this. You do whatever Jaws does to click stuff. Now, NoScript by default is blocking Java, so after a second or two, you'd have to open the Blocked Objects menu and allow it, but I think the following ABE rule will work.

Noscript options advanced ABE. Five tabs to focus on USER (meaning, user-defined rules). Move to the textarea, field, edit box, whatever JAWS calls it. The first line, by default, reads, "# User-defined rules. Feel free to experiment here.". In this particular case, yes, the hash tag indicates a comment or remarks and is not parsed. Move to a blank line, and copy/paste this:

Code: Select all

Site java-vm@https://www.hushmail.com/*
Accept from https://www.hushmail.com/*
Deny

Unless JAWS or NVDA can find the OK button for you directly, I count eight clicks of Tab key to the OK button. Click it, and you are done. But close the NS menu, re-open, and go back there, to make sure the new rule saved properly. Compare the JAWS readback to what's posted above.

This should be a one-time only thing, in which Noscript will continue to block java everywhere else, but will auto-allow that particular applet from that particular source at that particular site, without further action on your part.

Unfortunately, I don't get an audible alert when the applet has finished loading. (Feature request to Hush?) While it's loading, the screen changes, showing images of permission boxes, "If you are asked to run software from Hush Communications, please say yes", and non-URL clicks to disable Java. The loading takes about 15 seconds with my typically 5-10Mbps download speed. When loaded, it reverts to the original password screen, with password field and authenticate button, black text on gray background, and again, it's the next tab after P W field. So type your password, or paste it from Password Safe (thought I forgot about that, eh? [wink], then the next tab focus is Authenticate. Activate that to log in, knowing that your password has been further encrypted so that neither an eavesdropper nor Hush can read it.

I believe that you can configure the account to always use Java, but I do not store permanent cookies on my machine. Also, there is something in the URL I have stored in Password Safe,

Code: Select all

https://www.hushmail.com/?hush_force_java=true 

, but it doesn't work for me, probably because of the no-permanent-cookie issue, or other reasons not worth going into.

I am not doing anything illegal under Canadian law; I just want to be more safe than I was the last 5 years. Nothing wrong with that.

Then Hush has no reason or motivation to tamper with your encryption, and they lose every single customer if word gets out that they compromised an account without a court order targeting that particular account. I'm counting on that being good enough, and so are a lot of other people. But you have to be comfortable with it yourself.

[Identities Infinite]

Thanks for that tutorial. When I go to that URL I type in the e-mail address and press the Sign In button. There is a screen that contains the same thing but with the passphrase field. I press Tab and it has a check box that says 'Stay signed in for one week’ and when I press Tab 2 more times it says 'Sign in' which is a button then goes to the Home link. When I use the Arrow keys whilst focused on the Sign in button and press Down Arrow it says 'appletFrame' and when I do it again it says the frame ended. JAWS tells me when a frame begins and ends but 'appletFrame' is the name of the frame. There is nothing in that frame as far as I know. When something invokes the Java Virtual Machine I would think something else would happen. It is as if the Java thing does not work. I also unblocked 'unknown' object when on that page and maybe that is the applet's frame. There is also a blank frame with the title of 'hushmail/blankiframe' right under it separated by a blank line. I will tell the Hushmail people this because something is not right.

When I press the Select All link on these codes how do I copy? There is no button to copy and I assume Ctrl+C copies the entire page or whatever JAWS thinks is selected. It would be useful if the BBcode tag included a copy link. I copied line for line and the ABE rule was accepted. The nice thing about Giorgio's design is when I press Tab it returns an alert if a syntax error is present; if not nothing happens. Maybe the OK and Cancel buttons should have Alt+O and Alt+C shortcuts respectively.

I will contact Hushmail and submit that audio alert request. They are counting on my feedback so I will make it worth the 100% discount. The problem with the old interface is they have all kinds of onmouseover links and they are not easy with which to interact. I hope they incorporate all that is there in the new interface but still there are 2 blank frames at the bottom [they could be iframes but I can not remember].

[Tom T.]

When something invokes the Java Virtual Machine I would think something else would happen.

Yes. The Java icon, of a cup of steaming coffee ["java" is colloquial for "coffee", as the island of Java is, or was, a major producer of it], appears in the system tray in the lower right of Windows [not the browser itself]. But IIRC [= If I Remember Correctly, another common time-saving acronym], those icons are not readable by either JAWS or NVDA. Perhaps one or both could be convinced to add recognition for the most common system tray icons. Various anti-virus programs, firewall programs, connection icon, and - Java? However, they do produce a tooltip on mouseover, called a "balloon tip" in Windows-speak, which might be read by one or both. On my setup, the balloon tip on the Java icon is "Java (TM) Platform, Standard Edition", where (TM) = trademark. Reminding one that Java is a registered trademark. (Nasty court battle between them and Microsoft. MS lost, but off-topic.) Can this tooltip be read?

It is as if the Java thing does not work. I also unblocked 'unknown' object when on that page and maybe that is the applet's frame. There is also a blank frame with the title of 'hushmail/blankiframe' right under it separated by a blank line. I will tell the Hushmail people this because something is not right.

Sounds like the new GUI, which I haven't tried, because I'm Okay with the old GUI. By all means, let them know of your concerns.

When I press the Select All link on these codes how do I copy? There is no button to copy and I assume Ctrl+C copies the entire page

Good news! When Select All is pressed inside a code box, only the code inside is highlighted and selected. Therefore, Ctrl+C indeed copies only the contents of the code box -- that which was wrapped in code tags by the poster.

For future reference, pressing Ctrl+C copies *only* selected stuff, whether in a browser, a document, or whatever. If nothing is selected (highlighted), it copies nothing. This is why the Edit menus in text editors generally have a "Select all" entry, and the shortcut Ctrl+A = Select All in whatever is active (in focus) at the time, be it a browser tab or window, a document, etc. As I type this, the Compose box is active, so Ctrl+A selects everything in that box. If I click elsewhere on the page, then Ctrl+A selects everything else on the page, *including* images, but *not* the compose box, because that is a user-input text area, and thus is regarded as a separate frame or whatever from the HTML page itself. This is very good to know!

Maybe the OK and Cancel buttons should have Alt+O and Alt+C shortcuts respectively.

When I pressed Alt+O a paypal window tried to open, so presumably that is the shortcut to the Donate button. Alt+C does nothing that I could see. Giorgio knows the extensive list of existing shortcuts, including those used by Firefox -- not an easy trick, avoiding collisions -- so rather than specify the exact shortcut keys, let's just add that to your growing RFE wish list. [Remember "RFE"? smile]. It will be much easier on Giorgio to sit down with a list of ten or fifteen requests and implement all possible ones in one large code edit than to open up the code and edit it on fifteen separate occasions. Also, in the case of keyboard shortcuts, they're best done in one sitting, to avoid creating further collisions and while the already-used list is still fresh in his mind. I'm sure he'll choose the closest mnemonic he can. OK?

I will contact Hushmail and submit that audio alert request. They are counting on my feedback so I will make it worth the 100% discount. The problem with the old interface is they have all kinds of onmouseover links and they are not easy with which to interact. I hope they incorporate all that is there in the new interface but still there are 2 blank frames at the bottom [they could be iframes but I can not remember].

That's the attitude. They gave you a freebie so that they could get accessibility feedback from an expert. Give them their money's worth, and it's win-win. You get a better product; they enhance their product's appeal to the visually-impaired market. I love win-win solutions!

If I find time, I may check out the new GUI. The screenshots didn't appeal to me, but if they'll let me go back to the old one, I can do it to research what you mentioned about the blank frames and such. Please give me a few days on that. US Income Tax deadline is sneaking up....

[Identities Infinite]

System tray items can be accessed easily. The help balloons are read too but the Java item does not make itself known. I am guessing the ABE rule although syntactically correct does not work because I still allowed the blocked objects. The 2 frames are found in the old GUI. Clicking the link to return to the old GUI is as easy as clicking the one to preview the new.

I did not know textarea fields are not copied when Ctrl+A is used but not focused on it; I thought everything was copied so that is good to know. I should make a list of all the RFEs [feels strange typing that] and submit them to Giorgio via e-mail I guess. He can sort all the fine details after that.

I will give them more than their money's worth. I told them about how onmouseover links are troublesome for me, hence I use the new interface whenever possible. I also told them I hope they implement everything from the old in the new because all those black frames and iframes make it messy for me. Kelly G. is the support specialist I think and they said they are forwarding my suggestions to the product manager. It feels good knowing I am being heard and all good things are worth their wait.

[Tom T.]

System tray items can be accessed easily. The help balloons are read too but the Java item does not make itself known.

These balloons just identify the icon. Mouseover on the clock time (far right, usually) shows current date and time. Mouseover on battery icon (laptop) shows percent of charge remaining. On ZoneAlarm icon, just reads "ZoneAlarm". On Password Safe icon, shows which passoword database is currently open, if any. I have only one database, but it's possible to create more than one, for multiple users with different master passwords, etc. I don't understand why the Java balloon is not readable when the JVM is active. The balloon stays open for only 5 seconds onmouseover, but clicking away or focusing elsewhere, then back there, should pop it up again. I have a hunch that it's not loading, but hold that thought.

I am guessing the ABE rule although syntactically correct does not work because I still allowed the blocked objects.

Delete the ABE rule for now, but save a copy of it somewhere convenient. Let's just see if we can ensure that the java applet is loading, one way or another, then we can try again with ABE once we know that you are able to enable it.

The 2 frames are found in the old GUI. Clicking the link to return to the old GUI is as easy as clicking the one to preview the new.

That's good to know. I may be less available for the next few days due to other obligations, but again, I'll try both GUIs and see what can be done. I do know that the Compose box opens in a new window.

I should make a list of all the RFEs [feels strange typing that] and submit them to Giorgio via e-mail I guess. He can sort all the fine details after that.

If you don't mind, I'd rather that we work together on that, and let me sort and organize as much as possible, and post them publicly.

One reason is that as a a support team member, the easier I can make things for Giorgio, the more he can work on the actual coding of enhancements, new versions, bug fixes, etc.

The other is that if they are posted publicly, especially in the specified sub-forum, NoScript Development, then it gives other users a chance to read and comment, express support, suggest changes, etc. Also, it becomes a permanent part of the knowledge base, because we ask all users to search the forum for their particular issue before posting. Many don't, but for those who do, it's an ever-growing resource. Do you object to this?

It feels good knowing I am being heard and all good things are worth their wait.

As said, the squeaky wheel gets the grease. Congratulations on being part of the solution instead of just griping about the problem. [hearty clap on the back]

[Tom T.]

System tray items can be accessed easily. The help balloons are read too but the Java item does not make itself known. I am guessing the ABE rule although syntactically correct does not work because I still allowed the blocked objects. The 2 frames are found in the old GUI. Clicking the link to return to the old GUI is as easy as clicking the one to preview the new.

I just tried switching to the new GUI after already enabling Java, but when I clicked to switch, I received a message that the new GUI does not yet support Java. This was surprising.

From the home page, there was a link to the page about the new GUI, which was https://www.hushmail.com/blog/2010/12/1 ... -hushmail/.

That page says the new GUI is by invitation only. There was a link to request an invitation, but I did not click it. Clearly, the new GUI is still in the testing stages. I won't use it until it supports the Java local ecryption applet, of course. Else, there's not much benefit.

Is your contact person there giving you special access to Java? Else, that's why you're not finding the Java icon in the system tray. It only works on the old GUI.
I'll see if I can check out those blank spaces, frames, access to Java, etc. in the old GUI. If you have Java in the new one, please let me know, thanks.

Don't forget to delete the ABE rule until we get all this straightened out, and confirm that Java is working for you.

[Identities Infinite]

I can not access Java in the new GUI either but there is still a blank applet frame. One needs no invitation to use the new GUI at least not any more. That blog post is old so that was probably years ago. I am surprised after 1+ years the new GUI still has not been finished. StatCounter's interface was finished in shorter time than Hushmail's.

I tried the old GUI using Internet Explorer 9 and it said my Java Virtual Machine is really outdated which does not make sense considering it is 7 update 4.

[Tom T.]

I can not access Java in the new GUI either ....

Guess we'll have to stick with the old GUI for now.

I tried the old GUI using Internet Explorer 9 and it said my Java Virtual Machine is really outdated which does not make sense considering it is 7 update 4.

It offers me only Java 6 update 31, but that's undoubtedly because I'm still on XP. I don't know what the latest Java for Win 7 is, but if you go to www.java.com and click Downloads in the top banner, it should sniff your browser version and OS, and offer you whatever is the latest compatible version. If it matches what you have, then either IE or Hush has an issue. Can't help you with IE [grin], but you could let Hush know about it. After all, that's why they gave you the free account, right? [big smile]

Since my last post, I've extensively examined the old GUI, imagining that I was using a screen reader. Here's what I found so far.

Allow or whitelist scripting from https://www.hushmail.com.

enter full email address in the field at the home page.
click tab once. focuses "Sign In" button. click "Enter".

Password and Java option page appears, https://www.hushmail.com/hushmail/index.php

Default focus is in password field. Tab once to Authenticate field, but don't do anything. Next tab focuses on "Enable Java", and with scripting enabled, just clicking "Enter" activates that click-link. You should then be taken to the Java-loading page, which below the top banner says,

Loading the Hush Encryption Engine may take up to three minutes. If you are asked to install software from Hush Communications, please choose Yes.

And the images of typical software-download warning boxes, most likely seen on IE.

Followed by what I see as a clickable link, "Turn off Java", but whose mouseover destination ends in "blankContentFrame.php", followed by ? and a session ID number. Perhaps that is one of the blank frames that you mentioned.

Immediately following that is a similar clickable link labeled "Explain", but its destination is more clear: it includes showHelpFile.php etc. But then, "file=popupJavaHelp", so it's a link to a pop-up. I don't know how JAWS interprets or reports those.

Now, until we start on the ABE rule, open the NoScript menu. Either the second or third entry will be "Blocked Objects". When the mouse is placed there, a new sub-menu opens. It opens to the right if your NoScript menu is in the left or middle of the browser, and to the left if the icon is to the right. Clicking on *any* of the three sub-menu choices is sufficient to start the Java object loading. Can JAWS or NVDA find those? If not, I have an ABE rule at the end to try.

After some time, depending on connection speed, the Java icon should place itself in the system tray, with appropriate balloon tip. Does this happen?

The page should now return to the password-entry form. Enter the password. One tab click to focus on the "Authenticate" button [same as "log in"], then click Enter to activate that button. You should then be logged in.

Once inside, click near the top of the page, below the browser toolbar. Tab now selects various options, but for some silly reason, there is a focus element above and below each option. So two Tabs to "Check mail", which is the default anyway, then three more tabs to Compose, and three more to each other option. "Enter" key activates each option. The succeeding ones, I hope, are read by JAWS. They are contacts, "spam control", preferences, "Hushtools" [which include downloading your public key to send to others], Help, "Sign Out". Any problems here?

As you mention, there is a frame directly below this, which by default is your Inbox. I could not tab to it. Perhaps NVDA could read the contents better than JAWS? But once you are in there, "Contents of Inbox", which is the default-opened folder, or other folders manually opened, can be navigated with tab. Clicking on a message displays it in the lower frame. The lower frame is not useful, other than the GUI switch, until a message is selected from Inbox, Sent, etc., when it becomes displayed there.

The left side of the page lists folders, including (top to bottom), Drafts, Inbox, Sent, Trash, and any optional user-created folders. If you are able to click in this area, Tab will move the focus in that order. Note that after Trash is "Delete all", so focusing on that and entering would delete the entire contents of the trash folder.

How are we doing so far?

One more try at an ABE rule to auto-allow the Java applet:

Code: Select all

Site *@https://www.hushmail.com
Accept from SELF+
Deny

This should allow code objects, Java being the only one, from the host domain itself, while still preventing the third-party script, https-ssl.google-analytics.com, which also tries to run.

[Identities Infinite]

I entered the ABE rule because it should enable me to bypass always pressing Shift+F10, Up Arrow till I hear NoScript, Right Arrow, Down Arrow till I hear Blocked Objects. I will tell you how it works once I do it.

[Tom T.]

I entered the ABE rule because it should enable me to bypass always pressing Shift+F10, Up Arrow till I hear NoScript, Right Arrow, Down Arrow till I hear Blocked Objects. I will tell you how it works once I do it.

Cool. But if it doesn't, at least please confirm that you can start Java at the old GUI.

[Identities Infinite]

Seems somebody must sound the ban hammer on user 489132siqyx. I guess even the security-related forums occasionally have spam. I know it is spam just by reading their user agent «wink».

I will test the Java thing later. I guess I should downgrade from 7 update 4 to 6 update 31.

[Tom T.]

Seems somebody must sound the ban hammer on user 489132siqyx.

Done, and post deleted.

I guess even the security-related forums occasionally have spam.

No one is immune. We have certain filters in place, but no matter how much security, anyone can register and post, at least until they get caught -- which usually isn't more than a few hours.

I received a "topic reply" notification when that spam was posted. Just didn't get online before you saw it.

You can always report one, by using the stylized link element at the top of the post that has the tooltip "report this post".
That turns it, and the topic, pink, thus quickly drawing moderator attention. But it usually isn't necessary. As volunteers, we all have different and varied times to log on and serve as moderators, so the spammers usually don't stay around for very long.

I sometimes ban spam profiles -- those with a spam signature link -- before they've even had a chance to post. I check "our newest member" at the bottom of the board index. Personal record is banning one minute after registration. [grin]

I know it is spam just by reading their user agent «wink».

Not always. Sometimes, users have had a legitimate reason to post here with Safari or Chrome or whatever, especially if their Firefox or Seamonkey seems broken from the issue they're reporting.

I will test the Java thing later. I guess I should downgrade from 7 update 4 to 6 update 31.

Have you told Hush of this? You've confirmed with the java website that that is the latest release appropriate for your system, correct?

ETA: [not "estimated time of arrival", but "edited to add" |wink|] Perhaps Hush is not yet fully compatible with the alpha releases of Firefox? Have you tried with F10 or F3.6? You can get the portable versions of either or both and put them on a flash drive, so you don't have to do the complications of installing multiple versions on the hard drive.

[Identities Infinite]

I will enquire to them if it is compatible with later builds than the stable Firefox. I will also enquire if later releases of Java after 6 update 31 are supported.

I do not think the ABE rule works when I am on https://www.hushmail.com/hushmail/index.php because the following is exactly what JAWS displays to me. The contents would not be blocked by NoScript. The frame and frame end is a JAWS addition that lets me know the boundaries of a frame; the same accounts for iframes, lists and tables.

appletFrame frame
<FRAME>, unknown@https://www.hushmail.com/hushmail/apple ... mediately=
appletFrame frame end
blankNavigationFrame frame
<FRAME>, unknown@https://www.hushmail.com/hushmail/blank ... CD1D78E99F
blankNavigationFrame frame end
showLogin frame
<FRAME>, unknown@https://www.hushmail.com/hushmail/showL ... CD1D78E99F
showLogin frame end

The applet frame should be the only one that is not the way it is now, correct?

[Tom T.]

First, did you try it without the ABE rule, even with the inconvenience of navigating the "Blocked Objects" menu, just so that we can find out whether you are able to load java at all?

I was not aware that the "Enable Java" click was in a frameset. The source code indeed shows

Code: Select all

<FRAME scrolling="NO" noresize
			src="appletFrame.php?PHPSESSID=2D398836883B0E8599785E92B5E88A40&loadContentFrameImmediately=">

And if you can activate that one, the java applet should load.

But visually, all one sees, other than the Hush banner at the top, is a plain white page, with only these:
"Please enter your passphrase:" followed by that field;
The "Authenticate" (login) element;
The clickable links for "Enable Java", "Explain", and "Try the new Hushmail".

All else is a blank page. I would not have thought to consider these as frames had you not told me.
I have frames, iframes, etc. blocked in Embeddings page, with "apply to whitelisted sites" checked, yet NoScript has never prompted me to allow a frame, only the Java applet itself.

Again, please try to activate java with *no* ABE rules pertaining to hushmail. Or with ABE temporarily disabled. If you have no other browser tabs or windows open, the slight weakening of protection should not be an actual risk, unless indeed we can't trust hush.

Then we'll work on the ABE rule. OK?

[Identities Infinite]

I never knew you visually-orientated people miss so much.

I went back with no cookies. Firstly, I entered the full e-mail address; secondly, pressed Sign In; thirdly, pressed the return to original Hushmail link since it always switches back for some reason; fourthly, the page which I copied shows up. In the NoScript | Blocked Objects sub-menu I hear the following items:
Temporarily allow <FRAME>@https://www.hushmail.com/.../appletFrame.php
Temporarily allow <FRAME>@https://www.hushmail.com/.../blankNavigationFrame.php
Temporarily allow <FRAME>@https://www.hushmail.com/.../showLogin.php
Temporarily allow *@https://www.hushmail.com
Temporarily allow *@https://www.hushmail.com (https://www.hushmail.com)
Temporarily allow unknown@https://www.hushmail.com (https://www.hushmail.com)
Temporarily allow unknown@https://www.hushmail.com

Does the asterisk mean everything? Why are there 2 of the last ones: unknown and asterisk? I encounter that on all sites and do not know why. I allowed the /appletFrame.php object and after it reloaded there is revealed a edit field with no name but with the digit 1 in it. I have no idea what that is. My guess is I must allow all other frames for it to work so let me do that. I just did that and after reloading it reveals a few onmouseover links that point to the help system: 4 to be exact on their own line. Why I have no idea. Let me allow the other frame now. Upon doing that and after the reload in that frame it contains the passphrase field, Authenticate button and links that say enable Java and explain. Here is the page as I know it with those 3 <FRAME> elements allowed. I did not turn on Java yet.

Hushmail
https://www.hushmail.com/hushmail/apple ... mediately= frame
1
https://www.hushmail.com/hushmail/apple ... mediately= frame end
blankNavigationFrame frame
View the Help System
Help
View the Help System
View the Help System
blankNavigationFrame frame end
showLogin frame
 
Please enter your passphrase:  
Authenticate
Enable Java | Explain

Try the new Hushmail
 
showLogin frame end

Let me now enable Java. I did and the Java item is not yet in the system tray. However, this is where I notice the unknown frame and up top the <APPLET> element. I assume that is on what I should click. First the page then the blocked objects sub-menu:

Hushmail
https://www.hushmail.com/hushmail/apple ... mediately= frame
<APPLET>, java-vm@https://www.hushmail.com/shared/com.hus ... tionEngine
1
https://www.hushmail.com/hushmail/apple ... mediately= frame end
blankNavigationFrame frame
View the Help System
Help
View the Help System
View the Help System
blankNavigationFrame frame end
blankContentFrame frame
<FRAME>, unknown@https://www.hushmail.com/hushmail/blank ... 43D863E22B
blankContentFrame frame end

The blocked objects sub-menu now contains:
Temporarily allow *@https://www.hushmail.com
Temporarily allow *@https://www.hushmail.com (https://www.hushmail.com)
Temporarily allow java-vm@https://www.hushmail.com (https://www.hushmail.com)
Temporarily allow java-vm@https://www.hushmail.com
Temporarily allow java-vm@https://www.hushmail.com/.../com.hush.c ... tionEngine

I will just press Enter on the <APPLET> placeholder on the page since I do not know which of the 3 to pick. I did that and the Java Platform, Standard Edition item is now in the system tray.