Replacing StartSSL

A small service I created for personal use had its SSL certificate expire a few weeks ago. I replaced it using my go-to free certificate provider, StartSSL. Unfortunately, accessing this service from my iPhone still didn’t work afterwards, or rather it did, but the certificate still wasn’t trusted. I was forced to ignore this issue at the time due to other pressing matters and, as the service was just used by me, on my device, I simply set the app to ignore the issue until I had time to diagnose the problem properly.

Today I replaced my e-mail signing certificate, also from StartSSL. This time I knew something was wrong; adding the certificate to Thunderbird and sending a test e-mail to be retrieved by my iPhone, the certificate again wasn’t trusted.

Turns out that silently, unbeknownst to me and I’m sure many others, the following chain of events has occurred:

  1. StartCom, which runs StartSSL, was taken over by WoSign.
  2. Because WoSign had mis-issued certificates for domains it had no authority to issue for, Apple, Mozilla, Google and others stopped trusting certificates issued under its roots.
  3. Since the takeover of StartSSL, the same device and software vendors have also stopped trusting certificates issued under StartCom’s roots.

This has forced me to spring into action. The silent takeover of a previously trusted organisation by a dubious one, located in a political jurisdiction known to be questionable with respect to web security, is worrying enough; the added pain of being unable to send signed e-mail or issue new certs for my soon-to-expire domains had to be addressed immediately.

I’ve found that Comodo, a trusted certificate authority, will issue free e-mail signing certs, so I’ve jumped over to that immediately for e-mail and it is running nicely.

In addition there is Let’s Encrypt, which, once its client is installed, lets you generate trusted SSL certificates for your domains using the following command

letsencrypt certonly --manual -d my.domain.com

When running the above it’s important to remember that validating that you control the domain for which the certificate will be issued (the ACME http-01 challenge) requires you to

  • Be running a web server on port 80 for the domain
  • Have that port 80 server reachable from the public internet through your firewall
  • Place a file, whose name and contents the client gives you, under /.well-known/acme-challenge/ on that server

You can always stop Apache (or whatever your web server is) and run up a simple stand-alone Python server to do the job, but you won’t be able to get away without changing your firewall rules. The one alternative ACME offers is the dns-01 challenge, which proves control by publishing a TXT record at _acme-challenge.<your domain> instead of serving a file, so no port 80 is needed at all; whether you can use it depends on your client supporting it and on how quickly you can edit DNS.
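As an added example, not code from the original post: the stand-alone Python responder mentioned above, written so that it answers only the ACME challenge path and nothing else. The token and key-authorization values in it are placeholders (assumptions); the real ones are whatever the client prints during --manual validation. The challenge is served from memory rather than from a web root, and any token that is not plain base64url is refused, which rules out path-traversal style requests. The fetch_challenge helper reproduces the request the CA’s validation server makes, so the responder can be checked locally before the firewall is opened.

```python
"""Stand-alone responder for an ACME http-01 challenge (added example).

Serves exactly one path, /.well-known/acme-challenge/<token>, and answers 404
to everything else, so it can stand in for the normal web server on port 80
just for the duration of the validation.
"""
import http.client
import http.server
import re
import socketserver
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url without padding; refusing anything else means a
# request such as ../../etc/passwd never reaches any file-system lookup.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


class AcmeChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Answers GET for known tokens with their key authorization, else 404."""

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            self.send_error(404)
            return
        token = self.path[len(CHALLENGE_PREFIX):]
        body = self.server.challenges.get(token) if TOKEN_RE.match(token) else None
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Keep the console quiet; nothing here needs a request log.
        pass


class ChallengeServer(socketserver.TCPServer):
    """TCP server carrying the token -> key-authorization map."""
    allow_reuse_address = True

    def __init__(self, address, challenges):
        self.challenges = dict(challenges)
        super().__init__(address, AcmeChallengeHandler)


def start_challenge_server(token, key_authorization, host="", port=80):
    """Serve one challenge in a background thread; returns (server, thread).

    Pass port=0 to let the OS choose a free port (handy for a local check).
    """
    server = ChallengeServer((host, port), {token: key_authorization})
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, thread


def fetch_challenge(port, token, host="127.0.0.1"):
    """Do what the CA's validation server does: GET the challenge URL.

    Returns (status, body). http.client is used directly so that proxy
    settings in the environment cannot get in the way of a loopback check.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed placeholder values: substitute the token and the
    # "<token>.<account thumbprint>" string that the client prints.
    server, thread = start_challenge_server(
        "TOKEN_PRINTED_BY_CLIENT", "TOKEN_PRINTED_BY_CLIENT.ACCOUNT_THUMBPRINT")
    print("serving challenge on port", server.server_address[1],
          "- press Ctrl-C once validation has finished")
    try:
        thread.join()
    except KeyboardInterrupt:
        server.shutdown()
        server.server_close()
```

Run it as root (or with the capability to bind port 80) after stopping the real web server, paste in the two values the client printed, and only then let the client continue; a quick fetch_challenge(80, token) from another box on the public side of the firewall confirms the rule change worked before the CA tries.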

This is a departure from the way I’m used to doing things, which used the administrative e-mail address registered to the domain and a code sent to it for validating that I owned the domain. This was nicer as it meant I didn’t have to play with my config all that much (some servers I run use non-standard ports and don’t have port 80 open by default, for example).

Anyhow, from my reading of the documentation about Let’s Encrypt, it seems that all major browsers and Apple iOS trust certificates signed this way. I’ll update this post if that turns out not to be the case, but I’m optimistic.

Hopefully this post will help to raise awareness and also assist some folk out of a bit of a pickle with their security arrangements.

Lost Keys

Last night while crossing Tower Bridge on my way home, a cyclist went past southbound and there was a soft clatter in the roadway as he did so. His keys had fallen out of his pocket. As he was going at quite a pace, by the time I had managed to dart into the road, pick them up and run after him, he was long gone.

Arriving home with the keys, I resolved to try and trace the owner with the information on the keys and then hand them in with as much info as I could to the police station I pass every morning on the way to work. Finding little on the keys to indicate who they belonged to, I settled for e-mailing the company who had cut one of the security keys on the bunch in the hope they maintained an owners registry.

Taking the keys with me the next morning in order that I could act on anything the locksmith company told me or indeed hand them in if they failed to turn up anything, I set off for work.

As I was crossing Tower Bridge I saw a cyclist who had parked on the pavement in order to take a photo of the beautiful hazy sunrise to the East. Passing him I noticed a striking familiarity in the motif and colour of the back of his jacket. “It can’t be!?” I exclaimed to myself! Walking up to the chap I just came out with it, “Sorry to bother you, but you wouldn’t happen to have lost a set of keys cycling over Tower Bridge last night would you?” and lo and behold, it was the same man! To say that incredulity and gratitude all rolled into one was writ upon his countenance would be an understatement – neither of us could quite believe the chance encounter that had so swiftly re-united him with his lost property!

It just goes to show, no matter how hopeless a situation feels or improbable a solution to it may be, never give up hope!

4am Finish

Slightly more refined than student days of old, we threw a house-warming party in our new flat over the weekend with great success. Guests arrived, food was eaten, music was played and copious quantities of alcohol were consumed. The conversation and conviviality continued until the early hours of the morning, proving that being a student is not a prerequisite for an all-nighter on the party scene! Thanks to all who attended and may it be the first of many.

Draytek DNS Drops

Some time ago I wrote an article about fixing a VPN connection issue over a Draytek router concerning a UDP flood defense setting. It turns out that the very same setting can also cause an issue with DNS, the symptoms of which I will outline below. For the fix, head over to the old article above.

Essentially the symptoms are simple. You browse the web as normal and then all of a sudden DNS for new sites (not in local cache) stops resolving. A router reboot is the only way to fix the issue. Increasing the flood defense packet ceiling as mentioned in the article above stops the issue from occurring. I said it was simple!

As to why this issue had happened to me once more, despite having applied an earlier fix, I can only conclude that the ceiling I set up earlier, being tailored to the speed of my ADSL link at the time, should now be higher as I have around twice the bandwidth I used to. I doubled the value and now all is well.

Welcome 2017

In the past I have written round-ups of what has happened throughout the previous year before wishing the compliments of the season to readers, hopes for the future etc. I’ve also gone so far as to neglect to do anything at all regarding the blog in recent years, sporadically posting when the fancy takes me, having very little regard for direction or purpose. But that’s life.

I felt it best to offer category-based round-ups this year; this way I can engage in some retrospective commentary about the year’s events, without feeling the need to go into too much detail, but allowing myself the licence to do so for those topics of particular note.

Family – With the tragic death of Shweta’s Mother in late May and the passing of my Grandfather in December, it’s been a rough road at times, particularly for Shweta and her Father. While it’s not something that’s either easy to write about, nor really articulate in terms of emotions or feelings, there is only one way, and that is forward and we’ve never felt alone on this difficult journey either in body or spirit and that has been a great comfort.

Home – So let’s move on with something that has made a very firm positive mark on the year. Shweta and I bought a flat together, managing, too, by the end of the year, just, to finish renovating it. It’s located in Shad Thames, a small corner of London that we’ve lived in together for the past few years and have come to love very much. We look forward to many more happy walks along the river, nights out we can walk home from, quiet nights in and perhaps the odd party or two.

Travel – What we’ve lacked in distance flown, we’ve made up for in engagement with our surroundings. We’ve spent a number of holidays and made numerous excursions to different parts of the UK. We’ve stayed with friends on Anglesey, hiked in Snowdonia, toured Cornwall, explored Gloucestershire and had many nights out in our fine capital city, taking in music, theatre and art. We’re still behind with the photo log, but I’m working on getting albums up and there’ll be a kind of retrospective written later in the year to point in the direction of these.

Politics – One really couldn’t leave this post without referring to the political events of this past year.

The Brexit vote in June was quite possibly the most politically upsetting event that I’ve ever had the misfortune to experience. While I’ve not always agreed with EU policy and direction, I’ve always felt an affinity with Europe and her peoples. The shame of being a citizen of a country turning its back on this great bond of friendship, and having to face friends and colleagues at work the following day who are citizens of other European countries, was a most singularly unpleasant experience. We can only look forward now, but I can’t deny that I do so with trepidation about what our future might hold.

As if this wasn’t enough, the election of Donald Trump was another body blow for progressive Western politics. Again, I was not always a fan of some of Obama’s more left wing policies, but his handling of world issues and his general tolerance towards those who might oppose him was a positive beacon for many and one that we will all feel the worse for losing. One cannot predict the future, but isolationist policies perpetrated by a modern world power cannot do anything to help it be a positive one.

Direction – Shweta and I have come to appreciate what, I think, we’ve always known and that is, whatever life serves you, you get the most out of it if you give it your all and expect nothing in return. What you get back will then, almost certainly, not only surprise you, but surpass any and all expectations. To this end we have resolved, perhaps more than ever, to focus on our presence; that is to say, be aware of what is around you, retreat less, engage more. We plan on reducing our engagement with ubiquitous communications, spend more time with friends and family, make more adventurous travel plans and throw plenty of energy into social and cultural engagements around town. We’ll also be starting a scrap book; we’ve already collected some material for it and will continue to do so into the new year. It’s not for public consumption and is very much a slow-burn type task, but I feel sure this will provide much fun and inspiration for us both.

So yes, it really is a warm welcome for 2017 – we have much cause for hope in the future and there really has been far too much despair in 2016, in spite of all the immensely positive things that we and our friends and family have achieved.

Wishing you all then, a very happy, prosperous new year.

Focusing on the Value-Add

It’s a common thing on e-commerce sites these days; we find a product we like, read all about it, but before committing to a purchase, we decide to have a quick search around to make sure we’re getting the best deal price-wise. It’s the online shopping equivalent of trying on a pair of shoes in the shop and then having a quick check on your phone to make sure you can’t get a better deal elsewhere.

Understandably, retailers are twitchy about this. They build sites jam packed full of information, the value-add if you will, to try and encourage confidence in buyers, only to lose the sale on the price point, despite having invested in the customer experience.

I came across a site a few months ago that was fighting back against this post-decision shopping around in a very innovative way.

The following image is the product on sale

And this is what happens when you select the product name text with the intention of copying and pasting into a search engine

Now, it doesn’t *prevent* you from doing the copy/paste, but it does ensure you stop and think, as a customer, about the realities of doing business and whether, given the level of service you’re getting, the price is actually *already* fair.

Food for thought for e-commerce operators and customers alike I’d say.

Locked out of iPhone

The other day I had cause to turn off my iPhone. Unlike many who leave theirs permanently on, it’s something I often do; restaurants, theatre, cinema, church to name but a few places where it’s simply good etiquette to do so. Anyway, I digress.

When I switched the device back on again some hours later, I was greeted with a request to “re-activate” it using my Apple ID. The problem with this is that for those security-conscious people like myself who place their iCloud password in LastPass, you cannot get access to the LastPass app if your phone is locked, which a de-activated phone effectively is.

Fortunately I was within easy reach of a PC on which I could install LastPass, login, retrieve the requisite password and unlock the phone.

This could have been so much worse though; with a phone that could do nothing but call 999 and no PC to retrieve my password, I could have been incommunicado while abroad or some other such significant inconvenience.

I simply didn’t *know* that an iPhone could just de-activate itself like that – certainly a risk worth evaluating when you decide what password (random, unknown, in LastPass vs. simpler, recallable) to utilise for the purpose!

Farewell to Grandad

As Grandad was a fan of all things nautical, we thought it only fitting, after his funeral, to make our farewell in the same way he’d done for his boat some years previously – a salute

‘Tis the Season 2016

A small, snatched, selection of photos from around the various celebrations at the end of the year. Occasions include Dad’s birthday, Shweta’s birthday and Christmas, although you wouldn’t necessarily know it looking at the pictures!

Family Christmas 2016

Somewhat of a family tradition over the years; everyone posing for a photo at the dinner table before the start of the Christmas meal
