Help & about

aeris 1 year ago
parent
commit
aa5743577d

app/assets/images/donate.svg → app/assets/images/liberapay.svg View File


+ 11
- 2
app/assets/stylesheets/application.scss.erb View File

@@ -27,8 +27,17 @@
27 27
 	box-sizing: border-box;
28 28
 }
29 29
 
30
+$navbar-offset: $navbar-height + 10px;
30 31
 body {
31
-	padding-top: $navbar-height + 10px;
32
+	padding-top: $navbar-offset;
33
+}
34
+
35
+:target:before {
36
+	display: block;
37
+	content: " ";
38
+	margin-top: -$navbar-offset;
39
+	height: $navbar-offset;
40
+	visibility: hidden;
32 41
 }
33 42
 
34 43
 .label-error, .progress-bar-error {
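Review bot: the new :target:before rule at lines 35-40 is unscoped, so it applies to every element a URL fragment can point at and replaces the content of any element that already defines its own :before. Limit it to the anchored headings this commit introduces, for example h4:target:before, so the offset only exists where the navbar would actually hide a heading.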
@@ -40,7 +49,7 @@ body {
40 49
 }
41 50
 
42 51
 table.center {
43
-	td, th {
52
+	td {
44 53
 		text-align: center;
45 54
 
46 55
 		&.left {
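Review bot: narrowing the selector at line 52 from "td, th" to "td" also removes th from the nested &.left rule, while the same commit turns the header cells of the scoring table into th. Header alignment then depends on rules outside this file; if that is intended, say so in a comment, otherwise add an explicit th rule.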

+ 4
- 0
app/assets/stylesheets/site.scss.erb View File

@@ -1,10 +1,14 @@
1 1
 #about, #help {
2 2
 	margin-bottom: 20px;
3
+}
4
+
5
+#about, #help .scoring {
3 6
 	p {
4 7
 		font-size: 1.25em;
5 8
 	}
6 9
 }
7 10
 
11
+
8 12
 #donorbox {
9 13
 	background: #2d81c5 url(<%= image_path 'donorbox.png' %>) no-repeat 18px center;
10 14
 	color: #fff;
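Review bot: the selector list at line 5, "#about, #help .scoring", reads at first glance as if #about were scoped to .scoring as well; put each selector on its own line so the grouping is obvious. The blank line added at line 11 leaves two empty lines before #donorbox and can be dropped.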

+ 1
- 1
app/helpers/check_helper.rb View File

@@ -54,7 +54,7 @@ module CheckHelper
54 54
 	end
55 55
 
56 56
 	def rank_label(rank)
57
-		l = %i(V T).include? rank
57
+		l = %i(0 V T X).include? rank
58 58
 		label rank, rank_color(rank), !l
59 59
 	end
60 60
 
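Review bot: at line 57 the list of special ranks grows to four entries but stays an inline literal assigned to the one-letter local l, which is then negated in the call on line 58. Move the list to a named constant and give the boolean a name that says what the third argument to label means, so the next rank added does not require decoding this line first.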

+ 8
- 0
app/helpers/site_helper.rb View File

@@ -1,3 +1,11 @@
1 1
 module SiteHelper
2 2
 	include CheckHelper
3
+
4
+	def rfc_link_to(rfc)
5
+		link_to "RFC #{rfc}", "https://tools.ietf.org/html/rfc#{rfc}", target: :_blank
6
+	end
7
+
8
+	def wikipedia_link_to(content, page)
9
+		link_to content, "https://en.wikipedia.org/wiki/#{page}", target: :_blank
10
+	end
3 11
 end
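Review bot: both helpers, at lines 5 and 9, open external sites with target: :_blank and no rel attribute, which leaves window.opener available to the destination page in browsers that do not imply noopener. Pass rel: 'noopener noreferrer' to link_to in both. The rfc and page arguments are also interpolated into the URL unescaped; that is harmless for the literal arguments used in this commit, but add ERB::Util.url_encode or a comment stating that callers must pass trusted literals.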

+ 301
- 0
app/views/site/_checks.html.erb View File

@@ -0,0 +1,301 @@
1
+<h1>Checks</h1>
2
+<h2>Protection</h2>
3
+<h3>Hard protection</h3>
4
+
5
+<p>
6
+	Such protection are hard or risky to deploy but give strong protection
7
+	against attack.<br/>
8
+	Deploying such protection can just break your service for a long time if you
9
+	don't understand what you are doing.<br/>
10
+	Service using such protection really tries to protect you and really know
11
+	what security is.
12
+</p>
13
+<hr/>
14
+
15
+<h4 id="hpkp">
16
+	<%= rank_label :A %>
17
+	HTTP Public Key Pinning (HPKP)
18
+	<span class="small">HTTPS only, incoming feature</span>
19
+</h4>
20
+
21
+<p>
22
+	HPKP protection, specified in <%= rfc_link_to 7469 %>, consists of putting
23
+	headers on HTTP response to specify which keys or certificats are allowe
24
+	for the encryption.
25
+	If pinning mismatches, for example because of a
26
+	<%= wikipedia_link_to 'man-in-the-middle attack', 'Man-in-the-middle_attack' %>
27
+	connection is rejected and no data at all is transfered.
28
+</p>
29
+
30
+<pre>
31
+	<code>
32
+$ curl -sI https://cryptcheck.fr/ | grep public-key-pins
33
+public-key-pins: report-uri="https://aeris.report-uri.io/r/default/hpkp/enforce"; max-age=5184000;
34
+		pin-sha256="wdkD38iQQzxE7g0RpmN8VoaIqX7YmPWwoueD9Iqawfg="; pin-sha256="EswdUzfH2N8sx6Nb4Vr9gamtNF5VWQxLWUG0gDIPVLw=";
35
+	</code>
36
+</pre>
37
+
38
+<p>
39
+	HPKP is difficult to deploy because has a redemption period of some days
40
+	(maximum allowed: 60). During this time, in case of misconfiguration,
41
+	returning visitors will faced a TLS error page, even if the configuration
42
+	was fixed.
43
+</p>
44
+
45
+<hr/>
46
+
47
+<h3>Medium protection</h3>
48
+
49
+<p>
50
+	Such protection is not so easy to deploy and can have hazardous side effects,
51
+	but provides quiet good protection against some attacks.<br/>
52
+	Broken service is unexpected or could be fixed in a small time range.<br/>
53
+	Using such protection is a clear sign the service try to protect you.
54
+</p>
55
+
56
+<hr/>
57
+
58
+<h4 id="hsts">
59
+	<%= rank_label :A %>&nbsp;<%= rank_label :B %>
60
+	HTTP Strict Transport Security (HSTS)
61
+	<span class="small">HTTPS only</span>
62
+</h4>
63
+
64
+<p>
65
+	HSTS protection, specified in <%= rfc_link_to 6797 %>, consists of putting
66
+	headers on HTTP response to specify the service supports HTTPS.<br/>
67
+	After the first connection (HSTS is
68
+	"<%= wikipedia_link_to 'Trust On First Use', 'Trust_on_first_use' %>" (TOFU)),
69
+	the browser automatically rewrite <code>http://</code> address to
70
+	<code>https://</code>, avoiding a plain request (with potential data leak)
71
+	to be asked by the service to redirect to the <code>https://</code> address.
72
+</p>
73
+
74
+<pre>
75
+	<code>
76
+curl -sI https://cryptcheck.fr/ | grep strict-transport-security
77
+strict-transport-security: max-age=31536000; includeSubDomains; preload;
78
+	</code>
79
+</pre>
80
+
81
+<p>
82
+	To have full score on HSTS, you need to have a long <code>max-age</code>
83
+	period, at least 1 year (<code>31536000</code> seconds).<br/>
84
+	If you correctly configure your service with HSTS, you can also ask for
85
+	<a href="https://hstspreload.org/" target="_blank">browser preloading</a>,
86
+	avoiding the trouble of the first connection.
87
+</p>
88
+
89
+<hr/>
90
+
91
+<h3>Easy protection</h3>
92
+
93
+<p>
94
+	Such protection is easy to deploy and without .<br/>
95
+	Broken service is unexpected or could be fixed in a small time range.<br/>
96
+	Using such protection is a clear sign the service try to protect you.
97
+</p>
98
+
99
+<hr/>
100
+
101
+<h4 id="aead">
102
+	<%= rank_label :C %>
103
+	Authentificated Encryption with Authenticated Data (AEAD)
104
+</h4>
105
+
106
+<p>
107
+	Since 2014, TLS (and SSL) suffers of
108
+	<a href="https://www.imperialviolet.org/2014/12/08/poodleagain.html" target="_blank">PODDLE</a>
109
+	vulnerability on the way padding is done during TLS handshake.
110
+	An attacker can play with this encrypted padding to guess underlying plain
111
+	data.<br/>
112
+
113
+	Any <%= wikipedia_link_to 'cipher mode operation', 'Block_cipher_mode_of_operation' %>
114
+	other than <%= wikipedia_link_to 'AEAD', 'Authenticated_encryption' %> is
115
+	vulnerable to this attack.
116
+</p>
117
+
118
+<p>
119
+	In practice, POODLE is a serious flaw for SSLv2/v3, which must be avoided
120
+	in all cases, but also for TLSv1.0/1.1.<br/>
121
+	Service operators must support AEAD cipher suite as soon as possible, to
122
+	avoid trouble when practical attack will be found on POODLE on TLS.<br/>
123
+	Such cipher suite is only available on TLSv1.2, so operators must disable
124
+	TLSv1.0 now, and TLSv1.1 as soon as possible.
125
+</p>
126
+
127
+<hr/>
128
+
129
+<h4 id="scsv">
130
+	<%= rank_label :C %>
131
+	TLS Fallback Signaling Cipher Suite Value (SCSV)
132
+</h4>
133
+
134
+<p>
135
+	SCSV, specify in <%= rfc_link_to 7507 %> is a TLS extension to allow a
136
+	client to signal to the server a previous hanshake attempt with higher TLS
137
+	version was done, but unsuccessfully.<br/>
138
+	This way, the server can detect a downgrade attack on the line, because
139
+	supporting better than the current TLS version.<br/>
140
+	Without this signaling value, the server has no way to distinguish between
141
+	a client supporting TLSv1.2 but downgraded to TLSv1.1 and a client TLSv1.1
142
+	only.<br/>
143
+	For example, this feature allows blocking of downgrade attack from TLSv1.2
144
+	(AEAD & PFS) to TLSv1.0 (nor AEAD nor PFS) to exploit POODLE vulnerability
145
+	more easily.
146
+</p>
147
+
148
+<p>
149
+	To activate SCSV, you just need a decent OpenSSL version (1.0.1j+).
150
+	LibreSSL currently doesn't have support for this.
151
+</p>
152
+
153
+<hr/>
154
+
155
+<h2>Weaknesses</h2>
156
+<h3>Future weakness</h3>
157
+
158
+<p>
159
+	This kind of weakness is theorical vulnerability but without practical
160
+	attack or with too much side effects to be able to patch it.
161
+</p>
162
+
163
+<hr/>
164
+
165
+<h3>Current weakness</h3>
166
+
167
+<p>
168
+	Such weakness knows practical attacks to break encryption.
169
+	Using such features is hightly discourage, and operators must take quick
170
+	actions to remove them.
171
+</p>
172
+
173
+<hr/>
174
+
175
+<h4 id="tlsv1.0">
176
+	<%= rank_label :F %>
177
+	TLSv1.0
178
+</h4>
179
+
180
+<p>
181
+	TLSv1.0 is vulnerable to
182
+</p>
183
+
184
+<hr/>
185
+
186
+<!--
187
+<h4 id="pfs">
188
+	<%= rank_label :F %>
189
+	Perfect Forward Secrecy (PFS)
190
+</h4>
191
+
192
+<p>
193
+	<%= wikipedia_link_to 'PFS', 'Forward_secrecy' %> is
194
+</p>
195
+
196
+<hr/>
197
+-->
198
+
199
+<h3>Deprecated feature</h3>
200
+
201
+<hr/>
202
+
203
+<h4 id="ssl">
204
+	<%= rank_label :G %>
205
+	SSLv2, SSLv3
206
+</h4>
207
+
208
+<p>
209
+	SSLv2 and SSLv3 are deprecated SSL protocol version.<br/>
210
+	Pratical attacks exist to decrypt SSL encrypted traffic to plain text in
211
+	some minutes with standard computer.
212
+	For SSLv3, it's
213
+	<a href="https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html" target="_blank">POODLE</a>
214
+	again.
215
+	For SSLv2, it's was supposed to never be in production because too bad and
216
+	broken cryptography under the hood.
217
+	<a href="https://drownattack.com/" target="_blank">DROWN</a> vulnerability
218
+	allows an attacker to decrypt encrypted traffic (even TLSv1.2!) as soon as
219
+	one of the servers used for the service supports SSLv2 with the same key.
220
+</p>
221
+
222
+<hr/>
223
+
224
+<!--
225
+<h4 id="rc4">
226
+	<%= rank_label :G %>
227
+	RC4
228
+</h4>
229
+
230
+<p>
231
+	<%= wikipedia_link_to 'RC4', 'RC4' %> is a stream cipher, recently known to
232
+	have
233
+</p>
234
+
235
+<hr/>
236
+-->
237
+
238
+<h4 id="sha1">
239
+	<%= rank_label :E %>&nbsp;<%= rank_label :G %>
240
+	SHA-1
241
+	<span class="small">incoming feature for HMAC</span>
242
+</h4>
243
+
244
+<p>
245
+	<%= wikipedia_link_to 'SHA-1', 'SHA-1' %> is a cryptographic hash function
246
+	used in TLS cipher suite.
247
+	<a href="https://shattered.io/" target="_blank">It was broken</a> in 2016.
248
+</p>
249
+
250
+<p>
251
+	SHA-1 is used in two parts of the handshake.<br/>
252
+	For <%= wikipedia_link_to 'HMAC', 'Hash-based_message_authentication_code' %>,
253
+	which protect each messages exchanged during handshake. Because lifetime of
254
+	such HMAC is very short (TCP/IP round trip), SHA-1 collision is not a real
255
+	trouble on this part.<br/>
256
+	For key exchange and authentication. Each certificate is signed by the issuer
257
+	certificate using a digest.
258
+	In this case, if SHA-1 digest is used and because certificate lifetime is
259
+	long (years to decades), collision on digest could allow an attacker to
260
+	forge a rogue certificate which match the real certificate digest, and so
261
+	to impersonate the TLS service behind.
262
+</p>
263
+
264
+<p>
265
+	SHA-1 signed certificates must be banned.<br/>
266
+	SHA-1 HMAC is currently quite safe, but operators must take action to ensure
267
+	SHA-2 compatibility with clients in case if SHA-1 must be revoked even for
268
+	HMAC.
269
+</p>
270
+
271
+<hr/>
272
+
273
+<h4 id="digest">
274
+	<%= rank_label :G %>
275
+	MD-5, MD-4, MD-2, MDC-2
276
+</h4>
277
+
278
+<p>
279
+	MD-5, MD-4, MD-2 and MDC-2 are completely broken hash function.
280
+	Just don't use it.
281
+</p>
282
+
283
+<h4 id="compression">
284
+	<%= rank_label :G %>
285
+	Compression
286
+	<span class="small">incoming feature</span>
287
+</h4>
288
+
289
+<p>
290
+	With TLS compression activated, some oracle attacks allow to decrypt the
291
+	content.
292
+	For example the
293
+	<a href="https://arstechnica.com/information-technology/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/" target="_blank">BREACH</a>
294
+	or
295
+	<a href="https://threatpost.com/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312/77006/" target="_blank">CRIME</a>
296
+	attacks.
297
+</p>
298
+
299
+<p>
300
+	TLS compression must be disabled on the service.
301
+</p>
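Review bot: the partial ships unfinished sentences to users at line 94 ("easy to deploy and without .") and line 181 ("TLSv1.0 is vulnerable to"); complete them or comment the blocks out as was done for PFS and RC4. Several statements need correcting before this goes live: AEAD at line 103 stands for Authenticated Encryption with Associated Data; POODLE (lines 107-109, spelled PODDLE at line 108) exploits CBC padding in the record layer, not in the handshake; BREACH at line 293 targets HTTP-level compression, so disabling TLS compression addresses CRIME but not BREACH; and the SHA-1 collision linked at line 247 was published in 2017. The bare & at line 144 should be &amp;, the raw anchors with target="_blank" need rel="noopener noreferrer", and there are typos to fix: certificats and allowe (line 23), hanshake (line 136), hightly (line 169).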

+ 33
- 34
app/views/site/_scoring.html.erb View File

@@ -19,8 +19,8 @@
19 19
 	the client and the server.
20 20
 	This is the case if the attacker is connected on the same network as the
21 21
 	client (hotspot, 3G…) with simple
22
-	<a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP spoofing</a>,
23
-	doable with tools like
22
+	<%= wikipedia_link_to 'ARP spoofing', 'ARP_spoofing' %>, doable with tools
23
+	like
24 24
 	<a href="https://forum.xda-developers.com/showthread.php?t=1593990">Droid Sheep</a>.<br/>
25 25
 </p>
26 26
 
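Review bot: after this change the ARP spoofing link at line 22 opens in a new tab through wikipedia_link_to, while the Droid Sheep anchor on line 24 of the same sentence still opens in the current tab. Make the two external links behave the same way, with rel="noopener noreferrer" on whichever opens a new tab.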
@@ -37,22 +37,22 @@
37 37
 	<tr>
38 38
 		<th rowspan="2">Score</th>
39 39
 		<td rowspan="2"></td>
40
-		<td colspan="3">Protection</td>
41
-		<td colspan="3">Weakness</td>
40
+		<th colspan="3">Protection</th>
41
+		<th colspan="3">Weakness</th>
42 42
 	</tr>
43 43
 	<tr>
44
-		<td>Best</td>
45
-		<td>Great</td>
46
-		<td>Good</td>
44
+		<th>Hard</th>
45
+		<th>Medium</th>
46
+		<th>Easy</th>
47 47
 
48
-		<td>Future</td>
49
-		<td>Weak</td>
50
-		<td>Deprecated</td>
48
+		<th>Future</th>
49
+		<th>Weak</th>
50
+		<th>Deprecated</th>
51 51
 	</tr>
52 52
 	</thead>
53 53
 	<tbody>
54 54
 	<tr>
55
-		<th><%= rank_label :'A+' %></th>
55
+		<td><%= rank_label :'A+' %></td>
56 56
 		<td class="left">
57 57
 			Seriously take security into account and invest a lot on it.<br/>
58 58
 			Whatever the cost, encryption safety is implemented.
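Review bot: the header cells at lines 40-50 become th, but the rank cell at line 55 moves the other way, from th to td, which drops the row-header semantics that assistive technology relies on. Keep the rank cells as th scope="row" and add scope="col" to the header cells (scope="colgroup" for Protection and Weakness); the empty cell at line 39 is also still a td inside thead.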
@@ -66,7 +66,7 @@
66 66
 		<td><%= image_tag 'check-empty.svg' %></td>
67 67
 	</tr>
68 68
 	<tr>
69
-		<th><%= rank_label :A %></th>
69
+		<td><%= rank_label :A %></td>
70 70
 		<td class="left">
71 71
 			Seriously take security into account and invest a lot on it.
72 72
 		</td>
@@ -78,7 +78,7 @@
78 78
 		<td><%= image_tag 'check-empty.svg' %></td>
79 79
 	</tr>
80 80
 	<tr>
81
-		<th><%= rank_label :'B+' %></th>
81
+		<td><%= rank_label :'B+' %></td>
82 82
 		<td class="left">
83 83
 			Seriously take security into account and invest on it.
84 84
 		</td>
@@ -90,7 +90,7 @@
90 90
 		<td><%= image_tag 'check-empty.svg' %></td>
91 91
 	</tr>
92 92
 	<tr>
93
-		<th><%= rank_label :B %></th>
93
+		<td><%= rank_label :B %></td>
94 94
 		<td class="left">
95 95
 			Take security into account and invest on it.
96 96
 		</td>
@@ -102,7 +102,7 @@
102 102
 		<td><%= image_tag 'check-empty.svg' %></td>
103 103
 	</tr>
104 104
 	<tr>
105
-		<th><%= rank_label :'C+' %></th>
105
+		<td><%= rank_label :'C+' %></td>
106 106
 		<td class="left">
107 107
 			Take security into account and invest a little on it.
108 108
 		</td>
@@ -114,7 +114,7 @@
114 114
 		<td><%= image_tag 'check-empty.svg' %></td>
115 115
 	</tr>
116 116
 	<tr>
117
-		<th><%= rank_label :C %></th>
117
+		<td><%= rank_label :C %></td>
118 118
 		<td class="left">
119 119
 			Take security into account but don't spend too much for it.
120 120
 		</td>
@@ -126,7 +126,7 @@
126 126
 		<td><%= image_tag 'check-empty.svg' %></td>
127 127
 	</tr>
128 128
 	<tr>
129
-		<th><%= rank_label :D %></th>
129
+		<td><%= rank_label :D %></td>
130 130
 		<td class="left">
131 131
 			Take security into account. Minimaly.<br/>
132 132
 			This is the worst score a decent service must have today.
@@ -139,7 +139,7 @@
139 139
 		<td><%= image_tag 'check-empty.svg' %></td>
140 140
 	</tr>
141 141
 	<tr>
142
-		<th><%= rank_label :E %></th>
142
+		<td><%= rank_label :E %></td>
143 143
 		<td class="left">
144 144
 			Take security into account. A little. Or not.
145 145
 		</td>
@@ -151,7 +151,7 @@
151 151
 		<td><%= image_tag 'check-empty.svg' %></td>
152 152
 	</tr>
153 153
 	<tr>
154
-		<th><%= rank_label :F %></th>
154
+		<td><%= rank_label :F %></td>
155 155
 		<td class="left">
156 156
 			Just don't take security into account.
157 157
 		</td>
@@ -163,7 +163,7 @@
163 163
 		<td><%= image_tag 'check-empty.svg' %></td>
164 164
 	</tr>
165 165
 	<tr>
166
-		<th><%= rank_label :G %></th>
166
+		<td><%= rank_label :G %></td>
167 167
 		<td class="left">
168 168
 			Just don't take security into account at all.<br/>
169 169
 			What the fuck you do, dude?
@@ -176,7 +176,7 @@
176 176
 		<td><%= image_tag 'cross-red.svg' %></td>
177 177
 	</tr>
178 178
 	<tr>
179
-		<th><%= rank_label :'0' %></th>
179
+		<td><%= rank_label :'0' %></td>
180 180
 		<td class="left">
181 181
 			No security at all. Just plain text.<br/>
182 182
 			Seriously, in <%= Date.today.year %>?
@@ -184,14 +184,14 @@
184 184
 		<td colspan="6"></td>
185 185
 	</tr>
186 186
 	<tr>
187
-		<th><%= rank_label :V %></th>
187
+		<td><%= rank_label :V %></td>
188 188
 		<td class="left">
189 189
 			Invalid certificate (wrong domain, expired…)
190 190
 		</td>
191 191
 		<td colspan="6"></td>
192 192
 	</tr>
193 193
 	<tr>
194
-		<th><%= rank_label :T %></th>
194
+		<td><%= rank_label :T %></td>
195 195
 		<td class="left">
196 196
 			Unstrusted certificate. Not issued by a trusted
197 197
 			<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">certificate authority</a>.
@@ -199,7 +199,7 @@
199 199
 		<td colspan="6"></td>
200 200
 	</tr>
201 201
 	<tr>
202
-		<th><%= rank_label :X %></th>
202
+		<td><%= rank_label :X %></td>
203 203
 		<td class="left">
204 204
 			Error occurs during the analysis. Try again later?
205 205
 		</td>
@@ -214,9 +214,9 @@
214 214
 			<%= image_tag 'check-full.svg' %> Fully implemented
215 215
 			<%= image_tag 'check-empty.svg' %> Partially implemented<br/>
216 216
 
217
-			Good: simple to implement, small protection<br/>
218
-			Great: quiet hard to implement, middle protection<br/>
219
-			Best: hard to implement, strong protection
217
+			Easy: simple to implement, small protection<br/>
218
+			Medium: quiet hard to implement, middle protection<br/>
219
+			Hard: hard to implement, strong protection
220 220
 		</td>
221 221
 		<td>
222 222
 			For weakness:<br/>
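Review bot: lines 217-219 are rewritten but keep the typo "quiet hard" (quite hard) on line 218. The legend also lists Easy, Medium, Hard while the column headers changed in this commit read Hard, Medium, Easy; use one order in both places.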
@@ -232,15 +232,14 @@
232 232
 
233 233
 <p>
234 234
 	<i>Note</i>: Unlike HTTPS or XMPP, SMTP uses
235
-	<a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic encryption</a>.<br/>
235
+	<%= wikipedia_link_to 'opportunistic encryption', 'Opportunistic_TLS' %>.<br/>
236 236
 	When you send an email, the server used to forward the mail (the
237
-	<a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a>) to
238
-	the recipient has no way to guess in advance if recipient MTA supports or
239
-	not encryption and which cipher suite will be available.
237
+	<%= wikipedia_link_to 'MTA', 'Message_transfer_agent' %> to the recipient
238
+	has no way to guess in advance if recipient MTA supports or not encryption
239
+	and which cipher suite will be available.
240 240
 	To avoid your email returning to you in case of failure, the standard for
241
-	email encryption (<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>)
242
-	requires to retry <b>in plain text</b> in case of encryption handshake
243
-	failure.<br/>
241
+	email encryption (<%= rfc_link_to 3207 %>) requires to retry
242
+	<b>in plain text</b> in case of encryption handshake failure.<br/>
244 243
 	So, for SMTP, there is a compromise to make between strong configuration,
245 244
 	leading to plain text fallback for old or badly configured MTA, and
246 245
 	compatibility with such MTA to use weak encryption better than plain text
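Review bot: the rewrite at line 237 drops the closing parenthesis after the MTA link, so the "(the" opened on line 236 is never closed. Restore it: "<%= wikipedia_link_to 'MTA', 'Message_transfer_agent' %>) to the recipient".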

+ 2
- 4
app/views/site/about.html.erb View File

@@ -69,13 +69,11 @@
69 69
 
70 70
 			<p id="contribute">
71 71
 				Bitcoin <a href="bitcoin:1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd?label=cryptcheck">1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd</a><br/>
72
-				<a id="bitcoin" href="bitcoin:1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd?label=cryptcheck">
73
-					<%= image_tag 'bitcoin.png', alt: 'Donate using Bitcoin' %>
74
-				</a>
72
+				<a id="bitcoin" href="bitcoin:1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd?label=cryptcheck"><%= image_tag 'bitcoin.png', alt: 'Donate using Bitcoin' %></a>
75 73
 				<br/>
76 74
 
77 75
 				Liberapay, for recurring donation, require a account (but respect your privacy)<br/>
78
-				<a id="liberapay" href="https://liberapay.com/aeris/donate" target="_blank"><%= image_tag 'donate.svg', alt: 'Donate using Liberapay' %></a>
76
+				<a id="liberapay" href="https://liberapay.com/aeris/donate" target="_blank"><%= image_tag 'liberapay.svg', alt: 'Donate using Liberapay' %></a>
79 77
 				<br/>
80 78
 
81 79
 				Donorbox, for recurring and one-shot donation, doesn't require an account<br/>

+ 6
- 1
app/views/site/help.html.erb View File

@@ -1,7 +1,12 @@
1 1
 <div id="help" class="container">
2
-	<div class="row">
2
+	<div class="scoring row">
3 3
 		<div class="col-sm-12">
4 4
 			<%= render partial: 'scoring' %>
5 5
 		</div>
6 6
 	</div>
7
+	<div class="checks row">
8
+		<div class="col-sm-12">
9
+			<%= render partial: 'checks' %>
10
+		</div>
11
+	</div>
7 12
 </div>
