
SSL still sucks

In a fit of madness I decided to replace the self signed SSL certificate I use with a proper one. The self signed one I made was good for 10 years so I didn't have to deal with renewal nonsense. Various clients did whine a bit, but usually there was some setting to tell them it was ok. The biggest problem with a self signed cert is you generally can't tell the difference between it and a middleman intercepting your connection.

SSL certificates are a curious business. Just like with the credit rating agencies and the banking crisis, the incentives and payments are all wrong. The certificate is analogous to an identity document like a driver's license or a passport. Identity documents are trusted not because of the information on them, but rather who issued them. My British passport is only trusted around the world because the British government is trusted as the issuer. A self signed SSL certificate is analogous to printing your own passport saying it comes from the Republic of You.

To get an SSL certificate you engage with a certificate authority. They will verify your identity information to some degree, accept your money and issue the certificate. But the people who care about your identity are the ones connecting to your site, and they haven't been involved in this process. The browser and operating system manufacturers handily include a list of trusted certificate authorities, but the way it works is that any name will be accepted providing any of those authorities issued it!

Here is the start of the long list of trusted authorities:

[Screenshot: the start of the browser's list of trusted certificate authorities]

If any of those issued a certificate for my site, your browser would trust it, or for amazon.com or microsoft.com [1] for that matter. For the certificate authority businesses to operate, they need to remain in those trusted lists, but also need to make it easy to exchange money for certificates.

Their solution is multiple "classes" - they create intermediate certificate authorities [2] and each of those then has different requirements. For example a class 1 might check there is a working email address associated with the site, while class 3 may involve people doing strong verification including getting business documents and making phone calls. They charge more for the latter.

But it is rather pointless. Your browser accepts class 1 [3] certificates that cost $20 with minimal verification as well as class 3 that cost the site thousands. As an end user, you could check the certificate for each site you visit, determine if you trust the certificate authority, go to their web site to read up what their statements are for that class and decide if it is an acceptable risk to you. You'll also notice they'll have some legalese disclaiming any liability, making it essentially worthless.

This is all a long winded way of saying that it doesn't really matter who issues your certificates, there are no real assurances behind them anyway, and nobody checks. They wouldn't be too different from real world passports printed on tissue paper that only machines ever look at. Consequently I used the free StartSSL certificate authority.

The sign up process is annoying and tedious, largely to try to give the appearance of value and security. New certificate in hand, I then had to replace my self signed certificate. This was more complicated because I also had to include the intermediary authority information.
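The two points above (any trusted root can vouch for any name, and the intermediary must be sent along with the site certificate or clients can't build the chain) can be reproduced with a throwaway PKI. This is an added example, not code from the post; it uses only the openssl CLI, and all names (Toy Root CA, www.example.test) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): generate a throwaway root -> intermediate
# -> leaf chain with the openssl CLI and check what a client's path validation
# does when the intermediate is or is not sent with the site certificate.
# All names (Toy Root CA, www.example.test) are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config: CSRs take their subject from -subj; extension profiles
# mark the root and intermediate as CAs and the leaf as an end-entity cert.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.test
EOF

# mkroot NAME: self-signed root, the kind of entry that sits in a trust list.
mkroot() {
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue NAME SUBJECT ISSUER PROFILE: CSR for SUBJECT, signed with ISSUER's key.
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# verifies TRUST LEAF [SENT]: path validation as a client does it. TRUST is the
# client's own list; SENT is whatever the server included next to its cert.
verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" -verify_hostname www.example.test "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -verify_hostname www.example.test "$2" >/dev/null 2>&1
  fi
}

mkroot root
issue inter "Toy Intermediate CA" root ca_ext
issue leaf  www.example.test inter leaf_ext
# An unrelated root that also issues a certificate for the very same name.
mkroot other
issue otherleaf www.example.test other leaf_ext
cat root.pem other.pem > both.pem

report() { "$@" && echo "OK:   $*" || echo "FAIL: $*"; }
report verifies root.pem leaf.pem             # intermediate not sent: fails
report verifies root.pem leaf.pem inter.pem   # intermediate sent: OK
report verifies root.pem otherleaf.pem        # other root not in the list: fails
report verifies both.pem otherleaf.pem        # other root trusted: OK, same name
```

The first failure is exactly the "looks fine in some clients, hangs up in others" situation: clients that already cache the intermediate succeed, the rest cannot find the issuer.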

The various applications I tried all worked perfectly, except those from Mozilla. In the olden days they would give detailed information about SSL issues, but it was gobbledygook, so naturally most users clicked whatever they could to get them to the site as quickly as possible. It is virtually impossible to tell the difference between misconfiguration and security breaches. The solution was to hide all that and try to show the minimum amount. Which leads us to today.

Thunderbird doesn't like the certificate for reasons I can't determine. It doesn't even show an error, so it looks like it is working but in reality it is repeatedly hanging up on the server. When using a self signed certificate it at least puts up an error dialog where you can say to permanently accept the certificate. In this case the behaviour for a legitimate certificate is far worse! Going through several arcane menu sequences you can finally make it work, but this is ridiculous.

Firefox initially worked and then stopped. In the end I worked out that it had OCSP issues [4]. I can't really tell who is to blame, and ended up having to turn OCSP off.

Now I have a real certificate, it works providing you go nowhere near Mozilla products, and isn't worth anything anyway. Madness indeed.

[1] There are some minimally deployed attempts to fix this like certificate pinning.
[2] SSL provides a chain of certifying authorities. It would be analogous to getting a passport from England that is then stamped by the British government. You trust the England intermediary because you trust the British government.
[3] The classes are made up by each certificate authority.
[4] OCSP allows checking if a certificate has been revoked. If you lost the private part, someone could impersonate your site or read the traffic, so you would ask the issuer to add it to a list of certificates not to be trusted.

Category: misc – Tags: ssl, thunderbird, mozilla


All Change

Things look different here. The hand written HTML and styles were from a decade ago, and didn't really support my resume's claim of long time proficiency in the web arts. (It was of course "cobbler's children have no shoes" syndrome.)

I also originally supported Google Plus, and posted occasional content there. However over the last 6 months or so Google has made maximum efforts to make reading it as difficult as possible. I missed having somewhere to post the periodic rants and finds.

Now you can see my fix. This site is built using Nikola which ticks the boxes for simplicity, using Python, and not requiring yet more usernames and passwords, complicated servers and databases, worrying about various attacks, maintenance etc. Under the hood there is jquery and bootstrap, but ironically I write this content even further removed from the web arts than before.

There is even an rss feed which pleases me a lot compared to the Reader shutdown, and walled garden of Google Plus. Anyone can read (and respond thanks to disqus) in virtually any way that works for them.

Doing the conversion was relatively easy but somewhat tedious. Nikola let me keep existing files and do incremental conversions. My resume took a while as the structure wasn't that good. pandoc does a good first pass on other docs.

I also redid all my Google Plus posts here in this blog. Data Takeout let me get the underlying data, but it took many hours of Python coding to munge the data into a reasonably good looking and compatible format.

Category: misc – Tags: nikola


I pick future dead technologies

Linked article (linux kernel monkey log): "Here's some thoughts about some hardware I was going to use, hardware I use daily, and hardware I'll probably use someday in the future. ..." (more)

It turns out that I am extremely competent at picking future dead technologies when buying Lenovo laptops. My T61 purchase a few years ago included wireless USB. The same wireless USB that failed.

My most recent acquisition last year included Thunderbolt. Well that is dead too.

I wonder what I'll be picking next time...

Category: gplus – Tags: humour


From Google Reader to tt-rss

[Screenshot: a Google Plus page with the pixels devoted to actual content highlighted in yellow]

I switched from Google Reader to tt-rss two weeks ago. It works well and is my permanent solution. That also means I don't have a page permanently open at Google any more, which means far more conscious effort is needed to hit Google Plus which still remains unreadable. The screenshot shows just how many of the two million pixels on my screen are devoted to actual content in yellow. Compare to Reader or tt-rss which come in at close to 100%. I'll probably give up on Plus completely.

On the topic of a Reader replacement, tt-rss pluses are that I can run it on my own server, there are two Android clients (I like the non-official one), feeds are automatically sorted into alphabetical order, the mobile web view is good, there is a well engineered and extensive plugin mechanism, updates are easy, and you can import your Reader feeds and starred articles. There are lots of little pleasant touches here and there. It is fully open source.

On the minus side the UI lags when showing that articles have been read. The developer says this is because the Javascript rate limits hits to the server, and they don't update the UI until the server has been told. This means it takes up to 15 seconds from when an article is read until the UI updates to show that. They also grey the text instead of a border like Reader. The Reader approach is better UI especially if you are part way through reading the article. The main developer can be quite abrasive, but anyone can fork the project if that turns out to be too much of a problem.

Category: gplus – Tags: google reader, tt-rss


Being demanding

A pet peeve is company websites that demand personal details before telling you anything useful. You can't read case studies, get product details or even download SDKs to see if they would fit with your project. They are insisting on something of high value from you - your personal details and the implied access to you that gives. But in return they offer nothing first. You will still be spending your time to determine if what is being offered is what you are looking for, and if it provides value to you.

This is a terrible way to start a relationship. From previous companies I've worked at and from friends, the reported rate of junk information entered is between 40 and 100%. I was even advised by one company to “enter junk, everyone else does”. The usual rationalisation is that it is better to ignore the junk (and annoy the people who had to provide it), than miss a single lead. The latter is measurable but the former not, since you have no idea how many gave up and left for the competition.

Hiding content also prevents indexing by search engines, and people can't link to it. The solution is easy - it is perfectly okay to ask for details (but not require them), and to ensure people can communicate with you once they have found you are a good match. Ironically many of those sites that provide the terrible start to the relationship also make it hard to continue once you know you do want to proceed.

Category: gplus – Tags: rant, registration


Ok Google, I give up

Ok Google, I give up. First you made G+ unreadable on Android due to putting every article in boxes with large images, making it impossible to actually read what people had to say. Now you have done the same to the website, making it impossible to follow the sequence (boxes going horizontally and vertically of arbitrary different size and packing). Yes newspapers do that, but their articles are longer than a few sentences, the content is curated, and the layout is overseen by humans.

If you want to know how to make content easy and productive to read, then I suggest studying an excellent product that is very good at that. It is called Google Reader.

Category: gplus – Tags: google plus, google reader


It used to be about me

I used to be the kind of person the computer industry cared about. Hardware makers kept trying to give me more: cpu, memory, storage, screens, pixels etc. Software makers kept trying to harness that extra capability, providing new things for me to do, removing limits on existing ones and new ways of combining, mashing up and remixing what I have. They came up with multiple different ways of doing things so you could pick what worked best for you.

Those days are completely over. Hardware comes with built in obsolescence with non-expandable memory and storage. Screens have regressed in resolution and surface area. Software makers are optimising for small tablets using one program at a time with a finger. They are battling to contain you within their walled garden. They only provide one way of doing things, which helps reinforce the walled garden and makes other systems seem alien. (Some changes have been for the better which is apparent because everyone adopts them - an example is typing a few letters and getting all relevant applications, documents, contacts etc.)

This is even happening in the open source/free software world. Canonical/Ubuntu has a CLA which ensures an unequal advantage to them if you want to collaborate. Parts are kept private to keep up that walled garden (Ubuntu One).

I'd been sticking to Gnome because it had historically been usable and didn't have a walled garden agenda. Unfortunately the most recent release (3.8) has finally become unusable, because they provide only two modes - one completely unusable unless using a small screen with fingers (that approximately no one has), and the second that imitates the earlier more usable interface from back when things kept getting bigger and better.

The latter fails because the developers, so focussed on the first mode, completely missed what it was about the second that made it productive. My main workstation has 4,000 square centimetres of display space (compared to 160 for an iPad Mini 7 inch). Things are hidden (eg system monitors and dropbox icons) that should be always visible. Huge swathes of horizontal space at the top of the screen are wasted. Attempting to use multiple copies of the same program is an exercise in frustration. Even task bars (so far the least worst UI paradigm for managing lots of open windows where many are from the same app) are broken (eg can't drag and drop to reorder). Doing anything involves more mouse movement, and more steps. Even the workspaces don't show their contents or have keystrokes to switch.

The usual answer is that it is open and I can fix it. This is true in the abstract sense, but not practically because it is obvious I am no longer welcome. Heck I didn't really even want any changes, just for things to be left as they were before they got too much worse.

Designers seem to be on a parallel course to make things worse. The new esthetic is "flat" ui which means fewer pixels devoted to highlighting the difference between ui elements. And the colour schemes involve using various shades of gray on top of and next to other shades of gray. 4,000 square centimetres of gray is not usable. On laptops with worse colour differentiation it is even hard to distinguish what is going on.

I've got six months to find the least worst productive environment. O for the days when it was all about users like me.

Category: gplus


Software license agreements

Linked article (Commercial License Agreement :: AppCode): "A new Objective-C IDE for iOS and OS X development with a smarter code editor" (more)

I bought some software today, and their license agreement contains a rather odious term. They get the right to use your name and similar details including trademarks in marketing without getting permission at the time, or any notification. Fortunately if they do that I have enough counter material that would make them regret it. Oh, they also get to pull the software any time they feel like with no notice period, including remotely disabling it.

I guess most companies are lucky that no one actually reads these agreements since they pretty much consist of a list in legalese of how the company can be hostile to its users.

Category: gplus – Tags: rant


How to get more throughput from AppEngine database?

Linked article (Improving database record retrieval throughput with appengine): "Using AppEngine with Python and the HRD retrieving records sequentially (via an indexed field which is an incrementing integer timestamp) we ..." (more)

Anyone know how to get more throughput from AppEngine database? We'll pay!

Category: gplus – Tags: appengine


After Google Reader

Several people have asked me what I am going to use instead of Google #Reader. I know what I definitely won't use - the majority of the alternatives out there, because they are obsessed with showing items as rectangles with as much of the rectangle taken up with pictures as possible. (That is also why I gave up on G+ on Android.) My RSS feeds do not constitute a pretty magazine. For example look at http://feedly.com and notice how the screenshot of the mac is showing 6 articles - all that space for 6 articles! Pulse's home page has way more articles but all as images. 99% of my RSS articles have no images.

Reader has three important parts. One is the backend which means you can read from any number of computers and devices and a centralised location keeps track of your feeds and which articles have been read. There is no open standard protocol for this and I'm hoping that in the next few months one is born. (Reader was used by many but as far as I can tell the API was not official, arbitrary and reverse engineered.)

The second was updating the feeds (a background task). Having worked on consuming RSS feeds before, it turns out that many only have the most recent few articles which could turn out to be a few hours worth or at most a day. If you don't regularly poll the feeds then you will miss out on articles. This rules out pure clients like Liferea.

The final part is the presentation which worked well with a hierarchy of folders, feeds, articles and article, making it very easy to jump around the hierarchy. UI that blends it all together into a single stream does not work (eg G+) because that only works with a low volume of articles. (I do not follow many people on G+ due to their posting volume. I would happily follow them via RSS feed but G+ doesn't export the data so I don't. Google loses by being a closed island.) So far only http://tt-rss.org shows that hierarchical context and navigation UI. Others like http://theoldreader.com/pages/tour seem obsessed with the whole social side, and note there is no screenshot showing the actual reading experience!

Oh, and the presentation part needs to work in disconnected mode on mobile too.

My plan is to punt for a few months hoping that someone comes up with the sweet spot of openness and readability. If not I'll just write my own. The database side of things can be solved in a home grown manner, but a toolkit like https://www.parse.com could be used instead to solve the data problem keeping web (Javascript) and mobile clients all synced up with state.

However I realised that it would be even easier to use +Dropbox as the state and synchronization mechanism. Each article becomes a file, and gets deleted by a reader when done. The poller just keeps adding the files from feeds. (Yes, that is the same principle as Maildir.) Dropbox released https://www.dropbox.com/developers/sync recently so that solves the offline mobile clients sync problem. I just wonder how well they will cope with hundreds of little files being created and deleted every hour.

Category: gplus – Tags: google reader, tt-rss
