Extract help in partials

app/views/site/_scoring.html.erb

@@ -0,0 +1,258 @@
+<h1>Scoring</h1>
+
+<p>
+	Currently, CryptCheck gives note from <%= rank_label :G %> for the
+	worst sites to <%= rank_label :'A+' %> for the best ones.
+</p>
+
+<p>
+	Scoring is based on the fact that TLS handshake is <b>not</b> authenticated,
+	and so an attacker can force to use whatever cipher he wants as soon as both
+	client and server support it, with a downgrade attack as simple as modify
+	TCP packets on the fly.
+</p>
+
+<p>
+	Such downgrade attack doesn't require heavy resources and can be made with
+	standard computer or phone.<br/>
+	The only difficult part is to be in position to modify the traffic between
+	the client and the server.
+	This is the case if the attacker is connected on the same network as the
+	client (hotspot, 3G…) with simple
+	<a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP spoofing</a>,
+	doable with tools like
+	<a href="https://forum.xda-developers.com/showthread.php?t=1593990">Droid Sheep</a>.<br/>
+</p>
+
+<p>
+	As client support can't be guessed, CryptCheck considers the <b>weakest</b>
+	suite supported server side.
+	This way, a connection to the scored service can't lead to a negociated
+	handshake with a worse score than the one given to the service, whatever
+	your client supports and whatever an attacker is present or not.
+</p>
+
+<table class="scoring table table-bordered table-condensed center table-striped">
+	<thead>
+	<tr>
+		<th rowspan="2">Score</th>
+		<td rowspan="2"></td>
+		<td colspan="3">Protection</td>
+		<td colspan="3">Weakness</td>
+	</tr>
+	<tr>
+		<td>Best</td>
+		<td>Great</td>
+		<td>Good</td>
+
+		<td>Future</td>
+		<td>Weak</td>
+		<td>Deprecated</td>
+	</tr>
+	</thead>
+	<tbody>
+	<tr>
+		<th><%= rank_label :'A+' %></th>
+		<td class="left">
+			Seriously take security into account and invest a lot on it.<br/>
+			Whatever the cost, encryption safety is implemented.
+			You can be proud!
+		</td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :A %></th>
+		<td class="left">
+			Seriously take security into account and invest a lot on it.
+		</td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :'B+' %></th>
+		<td class="left">
+			Seriously take security into account and invest on it.
+		</td>
+		<td></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :B %></th>
+		<td class="left">
+			Take security into account and invest on it.
+		</td>
+		<td></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :'C+' %></th>
+		<td class="left">
+			Take security into account and invest a little on it.
+		</td>
+		<td></td>
+		<td></td>
+		<td><%= image_tag 'check-full.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :C %></th>
+		<td class="left">
+			Take security into account but don't spend too much for it.
+		</td>
+		<td></td>
+		<td></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :D %></th>
+		<td class="left">
+			Take security into account. Minimaly.<br/>
+			This is the worst score a decent service must have today.
+		</td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :E %></th>
+		<td class="left">
+			Take security into account. A little. Or not.
+		</td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td><%= image_tag 'cross-red.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :F %></th>
+		<td class="left">
+			Just don't take security into account.
+		</td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td><%= image_tag 'cross-red.svg' %></td>
+		<td><%= image_tag 'check-empty.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :G %></th>
+		<td class="left">
+			Just don't take security into account at all.<br/>
+			What the fuck you do, dude?
+		</td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td></td>
+		<td><%= image_tag 'cross-red.svg' %></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :'0' %></th>
+		<td class="left">
+			No security at all. Just plain text.<br/>
+			Seriously, in <%= Date.today.year %>?
+		</td>
+		<td colspan="6"></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :V %></th>
+		<td class="left">
+			Invalid certificate (wrong domain, expired…)
+		</td>
+		<td colspan="6"></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :T %></th>
+		<td class="left">
+			Unstrusted certificate. Not issued by a trusted
+			<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">certificate authority</a>.
+		</td>
+		<td colspan="6"></td>
+	</tr>
+	<tr>
+		<th><%= rank_label :X %></th>
+		<td class="left">
+			Error occurs during the analysis. Try again later?
+		</td>
+		<td colspan="6"></td>
+	</tr>
+	</tbody>
+</table>
+<table class="scoring table table-bordered table-condensed">
+	<tr>
+		<td>
+			For protection:<br/>
+			<%= image_tag 'check-full.svg' %> Fully implemented
+			<%= image_tag 'check-empty.svg' %> Partially implemented<br/>
+
+			Good: simple to implement, small protection<br/>
+			Great: quiet hard to implement, middle protection<br/>
+			Best: hard to implement, strong protection
+		</td>
+		<td>
+			For weakness:<br/>
+			<%= image_tag 'check-empty.svg' %> Not vulnerable
+			<%= image_tag 'cross-red.svg' %> Vulnerable<br/>
+
+			Future: known weakness, but no practical attack known<br/>
+			Weak: known weakness, pratical attack exist<br/>
+			Deprecated: known weakness, merely equivalent or equal to plain text
+		</td>
+	</tr>
+</table>
+
+<p>
+	<i>Note</i>: Unlike HTTPS or XMPP, SMTP uses
+	<a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic encryption</a>.<br/>
+	When you send an email, the server used to forward the mail (the
+	<a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a>) to
+	the recipient has no way to guess in advance if recipient MTA supports or
+	not encryption and which cipher suite will be available.
+	To avoid your email returning to you in case of failure, the standard for
+	email encryption (<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>)
+	requires to retry <b>in plain text</b> in case of encryption handshake
+	failure.<br/>
+	So, for SMTP, there is a compromise to make between strong configuration,
+	leading to plain text fallback for old or badly configured MTA, and
+	compatibility with such MTA to use weak encryption better than plain text
+	but allowing downgrade attack on stronger MTA.<br/>
+	Given email is a real nightmare for security, with multiple way to force a
+	connection to fallback to plain text
+	(<a href="https://www.eff.org/fr/deeplinks/2014/11/starttls-downgrade-attacks">STARTTLS stripping</a>,
+	<a href="https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes">MX lying</a>…),
+	CryptCheck scores SMTP as HTTPS or XMPP and doesn't care about compatibility
+	trouble. This way, weak people are still weak, but strong people can (not
+	too much) hope strong encryption under normal condition.<br/>
+	Be advice than strong score here for SMTP means compatibility troubles.
+	Or fucked service which doesn't take care of your security.
+	I don't know, you turn to judge.
+</p>

app/views/site/help.html.erb

@@ -1,257 +1,7 @@
 <div id="help" class="container">
 	<div class="row">
 		<div class="col-sm-12">
-			<h1>Scoring</h1>
-
-			<p>
-				Currently, CryptCheck gives note from <%= rank_label :G %> for the
-				worst sites to <%= rank_label :'A+' %> for the best ones.
-			</p>
-
-			<p>
-				Scoring is based on the fact that TLS handshake is <b>not</b>
-				authenticated, and so an attacker can force to use whatever
-				cipher he wants as soon as both client and server support it,
-				with a downgrade attack as simple as modify TCP packets on the
-				fly.
-			</p>
-
-			<p>
-				Such downgrade attack doesn't require heavy resources and can be
-				made with standard computer or phone.<br/>
-				The only difficult part is to be in position to modify the
-				traffic between the client and the server.
-				This is the case if the attacker is connected on the same network
-				as the client (hotspot, 3G…) with simple
-				<a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP spoofing</a>,
-				doable with tools like
-				<a href="https://forum.xda-developers.com/showthread.php?t=1593990">Droid Sheep</a>.<br/>
-			</p>
-
-			<p>
-				As client support can't be guessed, CryptCheck considers the
-				<b>weakest</b> suite supported server side.
-				This way, a connection to the scored service can't lead to a
-				negociated handshake with a worse score than the one given to
-				the service, whatever your client supports and whatever an
-				attacker is present or not.
-			</p>
-
-			<table class="scoring table table-bordered table-condensed center table-striped">
-				<thead>
-					<tr>
-						<th rowspan="2">Score</th>
-						<td rowspan="2"></td>
-						<td colspan="3">Protection</td>
-						<td colspan="3">Weakness</td>
-					</tr>
-					<tr>
-						<td>Best</td>
-						<td>Great</td>
-						<td>Good</td>
-
-						<td>Future</td>
-						<td>Weak</td>
-						<td>Deprecated</td>
-					</tr>
-				</thead>
-				<tbody>
-					<tr>
-						<th><%= rank_label :'A+' %></th>
-						<td class="left">
-							Seriously take security into account and invest a lot on it.<br/>
-							Whatever the cost, encryption safety is implemented.
-							You can be proud!
-						</td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :A %></th>
-						<td class="left">
-							Seriously take security into account and invest a lot on it.
-						</td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :'B+' %></th>
-						<td class="left">
-							Seriously take security into account and invest on it.
-						</td>
-						<td></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :B %></th>
-						<td class="left">
-							Take security into account and invest on it.
-						</td>
-						<td></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :'C+' %></th>
-						<td class="left">
-							Take security into account and invest a little on it.
-						</td>
-						<td></td>
-						<td></td>
-						<td><%= image_tag 'check-full.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :C %></th>
-						<td class="left">
-							Take security into account but don't spend too much for it.
-						</td>
-						<td></td>
-						<td></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :D %></th>
-						<td class="left">
-							Take security into account. Minimaly.<br/>
-							This is the worst score a decent service must have today.
-						</td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :E %></th>
-						<td class="left">
-							Take security into account. A little. Or not.
-						</td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td><%= image_tag 'cross-red.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :F %></th>
-						<td class="left">
-							Just don't take security into account.
-						</td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td><%= image_tag 'cross-red.svg' %></td>
-						<td><%= image_tag 'check-empty.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :G %></th>
-						<td class="left">
-							Just don't take security into account at all.<br/>
-							What the fuck you do, dude?
-						</td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td></td>
-						<td><%= image_tag 'cross-red.svg' %></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :V %></th>
-						<td class="left">
-							Invalid certificate (wrong domain, expired…)
-						</td>
-						<td colspan="6"></td>
-					</tr>
-					<tr>
-						<th><%= rank_label :T %></th>
-						<td class="left">
-							Unstrusted certificate. Not issued by a trusted
-							<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">certificate authority</a>.
-						</td>
-						<td colspan="6"></td>
-					</tr>
-				</tbody>
-			</table>
-			<table class="scoring table table-bordered table-condensed">
-				<tr>
-					<td>
-						For protection:<br/>
-						<%= image_tag 'check-full.svg' %> Fully implemented
-						<%= image_tag 'check-empty.svg' %> Partially implemented<br/>
-
-						Good: simple to implement, small protection<br/>
-						Great: quiet hard to implement, middle protection<br/>
-						Best: hard to implement, strong protection
-					</td>
-					<td>
-						For weakness:<br/>
-						<%= image_tag 'check-empty.svg' %> Not vulnerable
-						<%= image_tag 'cross-red.svg' %> Vulnerable<br/>
-
-						Future: known weakness, but no practical attack known<br/>
-						Weak: known weakness, pratical attack exist<br/>
-						Deprecated: known weakness, merely equivalent or equal to plain text
-					</td>
-				</tr>
-			</table>
-
-
-			<p>
-				<i>Note</i>: Unlike HTTPS or XMPP, SMTP uses
-				<a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic encryption</a>.<br/>
-				When you send an email, the server used to forward the mail
-				(the <a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a>)
-				to the recipient has no way to guess in advance if recipient MTA
-				supports or not encryption and which cipher suite will be
-				available.
-				To avoid your email returning to you in case of failure, the
-				standard for email encryption
-				(<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>)
-				requires to retry <b>in plain text</b> in case of encryption
-				handshake failure.<br/>
-				So, for SMTP, there is a compromise to make between strong
-				configuration, leading to plain text fallback for old or badly
-				configured MTA, and compatibility with such MTA to use weak
-				encryption better than plain text but allowing downgrade attack
-				on stronger MTA.<br/>
-				Given email is a real nightmare for security, with multiple way
-				to force a connection to fallback to plain text
-				(<a href="https://www.eff.org/fr/deeplinks/2014/11/starttls-downgrade-attacks">STARTTLS stripping</a>,
-				<a href="https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes">MX lying</a>…),
-				CryptCheck scores SMTP as HTTPS or XMPP and doesn't care about
-				compatibility trouble. This way, weak people are still weak, but
-				strong people can (not too much) hope strong encryption under
-				normal condition.<br/>
-				Be advice than strong score here for SMTP means compatibility
-				troubles.
-				Or fucked service which doesn't take care of your security.
-				I don't know, you turn to judge.
-			</p>
+			<%= render partial: 'scoring' %>
 		</div>
 	</div>
 </div>