From 87aa1aaf9199a6c82b9f79de7ffc889aa935dd4b Mon Sep 17 00:00:00 2001
From: Caleb James DeLisle <cjd@cjdns.fr>
Date: Mon, 3 Nov 2014 20:43:43 +0100
Subject: [PATCH] don't start measuring lag until after syncing and update
 readme

---
 readme.md               | 24 ++++++++++++++++++++++++
 www/realtime-wysiwyg.js |  7 +++----
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/readme.md b/readme.md
index 488b49bcc..e1a931499 100644
--- a/readme.md
+++ b/readme.md
@@ -2,6 +2,8 @@
 
 Unity is Strength - Collaboration is Key
 
+## hold on, it's still a prototype...
+
 ![and_so_it_begins.png](https://github.com/cjdelisle/cryptpad/raw/master/and_so_it_begins.png "We are the 99%")
 
 CryptPad is the **zero knowledge** realtime collaborative editor.
@@ -21,6 +23,28 @@ To install:
     node ./server.js
 
 
+## Security
+
+CryptPad is *private* not *anonymous*. Privacy protects your data, anonymity protects you.
+As such, it is possible for a collaborator on the pad to include some silly/ugly/nasty things
+in a CryptPad such as an image which reveals your IP address when your browser automatically
+loads it or a script which plays Rick Asleys's greatest hits. It is acceptable for anyone
+who does not have the key to be able to change anything in the pad or add anything, even the
+server.
+
+The server does have a certain power, it can send you evil javascript which does the wrong
+thing (leaks the key or the data back to the server or to someone else). This is however an
+[active attack] which makes it detectable. The NSA really hates doing these because they might
+get caught and laughed at and humiliated in front of the whole world (again). If you're making
+the NSA mad enough for them to use an active attack against you, Great Success Highfive, now take
+the battery out of your computer before it spawns Agent Smith.
+
+Still there are other low-lives in the world so using CryptPad over HTTPS is probably a good idea.
+
+
+
+
 [ChainPad]: https://github.com/xwiki-contrib/chainpad
 [CKEditor]: http://ckeditor.com/
 [fragment identifier]: https://en.wikipedia.org/wiki/Fragment_identifier
+[active attack]: https://en.wikipedia.org/wiki/Attack_(computing)#Types_of_attacks
diff --git a/www/realtime-wysiwyg.js b/www/realtime-wysiwyg.js
index aff3e1a61..8a18ff07d 100644
--- a/www/realtime-wysiwyg.js
+++ b/www/realtime-wysiwyg.js
@@ -486,10 +486,6 @@ window.ErrorBox = ErrorBox;
 
             //createDebugLink(realtime, doc, allMessages, toolbar);
 
-            createLagElement(socket,
-                             realtime,
-                             toolbar.find('.rtwysiwyg-toolbar-rightside'));
-
             createUserList(realtime,
                            userName,
                            toolbar.find('.rtwysiwyg-toolbar-leftside'));
@@ -534,6 +530,9 @@ window.ErrorBox = ErrorBox;
                 // if we spot ourselves being added to the document, we'll switch
                 // 'initializing' off because it means we're fully synced.
                 initializing = false;
+                createLagElement(socket,
+                                 realtime,
+                                 toolbar.find('.rtwysiwyg-toolbar-rightside'));
                 incomingPatch();
             });