-rw-r--r-- amber/layouts/_footer.html.haml 2
-rw-r--r-- amber/menu.txt 1
-rw-r--r-- pages/about-us/contact/en.haml 8
-rw-r--r-- pages/about-us/news/2015/en.haml 2
-rw-r--r-- pages/about-us/news/2016/en.haml 4
-rw-r--r-- pages/about-us/news/2017/en.haml 2
-rw-r--r-- pages/about-us/news/2017/perf-improvements-soledad.md 29
-rw-r--r-- pages/docs/platform/guide/keys-and-certificates.md 58
-rw-r--r-- pages/docs/platform/tutorials/vagrant.md 4
-rw-r--r-- pages/img/pages/soledad-performance/download.png bin 0 -> 17812 bytes
-rw-r--r-- pages/img/pages/soledad-performance/raw_decrypt.png bin 0 -> 19728 bytes
-rw-r--r-- pages/img/pages/soledad-performance/raw_encrypt.png bin 0 -> 19687 bytes
-rw-r--r-- pages/img/pages/soledad-performance/upload.png bin 0 -> 19429 bytes
-rw-r--r-- public/.gitkeep 0
14 files changed, 100 insertions, 10 deletions
diff --git a/amber/layouts/_footer.html.haml b/amber/layouts/_footer.html.haml
index a6255bd..e17d494 100644
--- a/amber/layouts/_footer.html.haml
+++ b/amber/layouts/_footer.html.haml
@@ -4,4 +4,4 @@
%a{:rel => "license", :href => "https://creativecommons.org/licenses/by-sa/3.0/"}<
%img{:alt => "Creative Commons License", :style => "border-width:0; vertical-align: middle", :src => "/img/by-sa-3.0-80x15.png"}
&nbsp;
- <span>(c) 2012-2016 LEAP Encryption Access Project</span>
+ <span>(c) 2012-2017 LEAP Encryption Access Project</span>
diff --git a/amber/menu.txt b/amber/menu.txt
index 70c35dd..b68e7e8 100644
--- a/amber/menu.txt
+++ b/amber/menu.txt
@@ -6,6 +6,7 @@ about-us
# people
contact
news
+ 2017
2016
2015
2014
diff --git a/pages/about-us/contact/en.haml b/pages/about-us/contact/en.haml
index fdf9a9b..80c5896 100644
--- a/pages/about-us/contact/en.haml
+++ b/pages/about-us/contact/en.haml
@@ -14,6 +14,11 @@ Email is pretty good too.
.well
info@leap.se
+%h3 Twitter
+
+.well
+ [[Twitter => https://twitter.com/leapcode]]
+
%h3 Postal Address
It may take us a very long time to respond to postal mail.
@@ -29,6 +34,3 @@ Leave us a message, bonus points if you sing your message.
.well
+1 (206) 420-6613
-
-
-
diff --git a/pages/about-us/news/2015/en.haml b/pages/about-us/news/2015/en.haml
index dd6f43e..e5bd46c 100644
--- a/pages/about-us/news/2015/en.haml
+++ b/pages/about-us/news/2015/en.haml
@@ -1,3 +1,3 @@
- @path_prefix = '2015'
-= child_summaries \ No newline at end of file
+= child_summaries
diff --git a/pages/about-us/news/2016/en.haml b/pages/about-us/news/2016/en.haml
index dd6f43e..2a3f822 100644
--- a/pages/about-us/news/2016/en.haml
+++ b/pages/about-us/news/2016/en.haml
@@ -1,3 +1,3 @@
-- @path_prefix = '2015'
+- @path_prefix = '2016'
-= child_summaries \ No newline at end of file
+= child_summaries
diff --git a/pages/about-us/news/2017/en.haml b/pages/about-us/news/2017/en.haml
new file mode 100644
index 0000000..ff8aff0
--- /dev/null
+++ b/pages/about-us/news/2017/en.haml
@@ -0,0 +1,2 @@
+- @path_prefix = '2017'
+= child_summaries :order_by => :posted_at
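Review bot: `child_summaries :order_by => :posted_at` in this new file differs from the 2015 and 2016 index pages, which call `child_summaries` with no options, so the year pages may list their entries in different orders. If ordering by `posted_at` is the intended behaviour, apply it to the other two pages as well, since both are already touched by this commit.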
diff --git a/pages/about-us/news/2017/perf-improvements-soledad.md b/pages/about-us/news/2017/perf-improvements-soledad.md
new file mode 100644
index 0000000..6cde74a
--- /dev/null
+++ b/pages/about-us/news/2017/perf-improvements-soledad.md
@@ -0,0 +1,29 @@
+@title = 'Improving performance of user encrypted data sync'
+@author = 'drebs'
+@posted_at = '2017-03-3'
+@preview_image = '/img/pages/soledad-performance/upload.png'
+@more = true
+
+## Performance improvements in synchronization of user encrypted data
+
+One challenge with end-to-end email encryption is synchronization of user data among devices. A user wants to see all the contents of her email box on both her computer and her mobile phone, for example. From the technical perspective, this means that the content has to be stored securely (that is, encrypted) on each device, and also synchronized between devices without anyone other than the user being able to see its contents.
+
+In order to achieve that, the LEAP project started with U1DB, a solution that already provided a correct and working data synchronization protocol, and added end-to-end encryption on top of it. Data is stored encrypted in the client (that is, the user's device) and is re-encrypted before being synchronized with the server (that is, the user's email provider). From the server, data can be further synchronized to the user's other devices. The encryption keys must also be shared among devices so content can be decrypted there.
+
+Problems started to appear when the proof-of-concept faced the real world: hundreds of email messages with hundreds of kilobytes or even megabytes of attachments can be difficult for a computer to process if the download queue and encryption pipeline are not well designed. This problem gets worse in some scenarios such as, for example, the one faced by the [Pixelated Project](https://pixelated-project.org/) which uses the technology developed by LEAP to implement a multi-user web-based email solution.
+
+Since May 2016 we have been working hard to understand and address the difficulties involved in the encrypted synchronization of user data, to increase its speed while lowering memory and CPU usage. At the end of 2016 we implemented some important changes in the synchronization code which will be contained in the next Bitmask release, and some details of which we share with you here.
+
+By fixing some flaws and reworking the data transfer and encryption/decryption pipeline as a whole, we were able to decrease download and upload time substantially. The figure below shows the download time for 3 distinct scenarios that transfer the same amount of data: 20 documents of 500K each, 100 documents of 100K each, and 1000 documents of 10K each. For download, we achieved twice the speed we had before:
+ ![download times](/img/pages/soledad-performance/download.png)
+
+For upload, on the other hand, the increase was much more striking. The nature of the synchronization algorithm requires that uploaded data is inserted in an orderly manner in the server. When trying different ways to handle that requirement, we ended up having a very slow algorithm that enqueued data to be uploaded in the client, and sent one by one, taking a long time to finish the whole transfer. After reworking that algorithm, we achieved from 2 to 37 times faster upload speeds, depending on the scenario:
+ ![upload times](/img/pages/soledad-performance/upload.png)
+
+By changing the algorithms used to encrypt and decrypt user data, as well as to authenticate the contents (so we know that data has not been tampered with), we also diminished the time taken for cryptographic operations as a whole. The following figures show the encryption/decryption (plus authentication) times for different sizes of raw data:
+ ![raw encrypt times](/img/pages/soledad-performance/raw_encrypt.png)
+ ![raw decrypt times](/img/pages/soledad-performance/raw_decrypt.png)
+
+These were only some of the bits polished to help make it feasible to have end-to-end encrypted user data synchronized among devices. Also, the performance metrics presented here are only the ones related with total synchronization time. More complete results including memory consumption and application responsiveness will follow soon.
+
+We plan to release the next Bitmask Client and LEAP Platform with these and other features, and keep delivering improvements to support easier to use and better privacy tools.
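Review bot: `@posted_at = '2017-03-3'` in the header block is not zero-padded; write it as `'2017-03-03'`, since the 2017 index added in this commit orders entries by `posted_at` and a non-padded day is fragile if the value is ever compared as a string. Separately, the paragraph beginning "By changing the algorithms used to encrypt and decrypt user data" never names the old or new encryption and authentication algorithms; naming them would let readers assess the change itself rather than only its timing.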
diff --git a/pages/docs/platform/guide/keys-and-certificates.md b/pages/docs/platform/guide/keys-and-certificates.md
index cf356df..8683a1f 100644
--- a/pages/docs/platform/guide/keys-and-certificates.md
+++ b/pages/docs/platform/guide/keys-and-certificates.md
@@ -248,3 +248,61 @@ Let's Encrypt validations are short lived. You will need to renew the certificat
There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.
+## Issues
+
+### Certs already expired
+
+When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment.
+
+
+#### Install the official acme client
+
+Log in to your webapp node and install the `certbot` package:
+
+ server$ apt install -t jessie-backports certbot
+
+#### Fetch cert
+
+Stop apache so the letsencrypt client can bind to port 80:
+
+ server$ systemctl stop apache2
+
+Fetch the certs
+
+ server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
+
+This will put the certs and keys into `/etc/letsencrypt/live/DOMAIN/`.
+
+Now, go to your workstation's provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.
+
+ workstation$ cd PATH_TO_PROVIDER_CONFIG
+
+Copy the Certificate
+
+ workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt
+
+Copy the private key
+
+ workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key
+
+Copy the CA chain cert
+
+ workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt
+
+#### Deploy the certs
+
+Now you only need to deploy the certs
+
+ workstation$ leap deploy
+
+This will put them into the right locations which are:
+
+- `/etc/x509/certs/leap_commercial.crt` for the certificate
+- `/etc/x509/./keys/leap_commercial.key` for the private key
+- `/usr/local/share/ca-certificates/leap_commercial_ca.crt` for the CA chain cert.
+
+Start apache2 again
+
+ server$ systemctl start apache2
+
+Done! In the future please make sure to always renew letsencrypt certificates before they expire ;).
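Review bot: the "Fetch cert" and "Copy the private key" steps replace the existing key pair: `certbot certonly --standalone` is run without the existing CSR and its `privkey.pem` is then copied over `files/cert/DOMAIN.key`, while the context line directly above this section warns against creating a new CSR when HPKP pins have been advertised. Add a warning that this recovery path changes the public key, or document the variant that reuses the existing CSR. Also, `fullchain.pem` contains the server certificate followed by the intermediates, so copying it to `commercial_ca.crt` puts the leaf certificate into the file that ends up under `/usr/local/share/ca-certificates/`; `chain.pem` in the same directory holds only the chain. The key path `/etc/x509/./keys/leap_commercial.key` has a stray `./`.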
diff --git a/pages/docs/platform/tutorials/vagrant.md b/pages/docs/platform/tutorials/vagrant.md
index 710c266..a741b1b 100644
--- a/pages/docs/platform/tutorials/vagrant.md
+++ b/pages/docs/platform/tutorials/vagrant.md
@@ -302,7 +302,7 @@ By default, Vagrant will use VirtualBox to create the virtual machines, but this
sudo apt-get install ruby-dev libxslt-dev libxml2-dev libvirt-dev
# install the required plugins
- vagrant plugin install vagrant-libvirt fog fog-libvirt sahara
+ vagrant plugin install vagrant-libvirt sahara
Log out and then log back in.
@@ -353,8 +353,6 @@ Known issues
* `Call to virConnectOpen failed: internal error: Unable to locate libvirtd daemon in /usr/sbin (to override, set $LIBVIRTD_PATH to the name of the libvirtd binary)` - you don't have the libvirtd daemon running or installed, be sure you installed the 'libvirt-bin' package and it is running
* `Call to virConnectOpen failed: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied` - you need to be in the libvirt group to access the socket, do 'sudo adduser <user> libvirtd' and then re-login to your session.
* if each call to vagrant ends up with a segfault, it may be because you still have virtualbox around. if so, remove virtualbox to keep only libvirt + KVM. according to https://github.com/pradels/vagrant-libvirt/issues/75 having two virtualization engines installed simultaneously can lead to such weird issues.
-* see the [vagrant-libvirt issue list on github](https://github.com/pradels/vagrant-libvirt/issues)
-* be sure to use vagrant-libvirt >= 0.0.11 and sahara >= 0.0.16 (which are the latest stable gems you would get with `vagrant plugin install [vagrant-libvirt|sahara]`) for proper libvirt support,
Useful commands
------------------------
diff --git a/pages/img/pages/soledad-performance/download.png b/pages/img/pages/soledad-performance/download.png
new file mode 100644
index 0000000..584270e
--- /dev/null
+++ b/pages/img/pages/soledad-performance/download.png
Binary files differ
diff --git a/pages/img/pages/soledad-performance/raw_decrypt.png b/pages/img/pages/soledad-performance/raw_decrypt.png
new file mode 100644
index 0000000..3365abf
--- /dev/null
+++ b/pages/img/pages/soledad-performance/raw_decrypt.png
Binary files differ
diff --git a/pages/img/pages/soledad-performance/raw_encrypt.png b/pages/img/pages/soledad-performance/raw_encrypt.png
new file mode 100644
index 0000000..585ecc8
--- /dev/null
+++ b/pages/img/pages/soledad-performance/raw_encrypt.png
Binary files differ
diff --git a/pages/img/pages/soledad-performance/upload.png b/pages/img/pages/soledad-performance/upload.png
new file mode 100644
index 0000000..59349f2
--- /dev/null
+++ b/pages/img/pages/soledad-performance/upload.png
Binary files differ
diff --git a/public/.gitkeep b/public/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/public/.gitkeep
+++ /dev/null