Let’s Encrypt – Doing it Properly

A while ago I made a passing comment about replacing StartSSL using Let’s Encrypt and while it’s true you can use it in the way I described, it’s not as simple as the command would imply and there are a number of pitfalls – not least that if you side-step most of them by going a truly manual route, your efforts only last for 3 months – let’s encrypt certificates expire after only 3 months.

What this all boils down to is that in order to make proper use of this excellent free service you have to automate the process of obtaining and renewing certificates. Not just that though, because their python tooling (certbot) will do this in a general fashion for you, but to truly implement a hands off one size fits all solution. I articulated this as the following requirements.

  • Tool must check for impending expiry and renew in time to avoid nag e-mails
  • Support should be available for adding new certificate requests to the “pool”, not just to renew existing ones
  • A fixed, permanent web server must not be required
  • Servers running on non-standard ports must be supproted
  • Servers not ordinarily accessible to the public must be supported
  • Firewall must not be required to always be open to Let’s Encrypt servers
  • Tool must support servers who’s control IP (SSH etc.) differs from that to which an SSL certificate is to be assigned (A record of SSL domain)

A evening of hacking around on a Raspberry Pi to get certbot running and some hasty coding in bash revealed a solution which essentially, does the following, in order, for each domain requiring a certificate.

  1. Checks to see if the domain has a cert and if it’s expiring
  2. Creates a remote directory from which files will be served as part of the renewal process
  3. Inserts a temporary firewall rule to allow Lets’ Encrypt servers to validate the served files
  4. Starts a temporary lightweight webserver to serve said files and runs it on a port that Let’s Encrypt supports (80)
  5. Mounts this served directory locally on the certbot machine so that certbot can load files into it
  6. Runs certbot to create/renew the certificate
  7. Unmounts the temporary server directory
  8. Stops the temporary webserver
  9. Removes the temporary firewall rule
  10. Cleans up temporary files
  11. Load the certificate files onto the remote server over SSH
  12. Bounces any services that use them so that they are picked up (e.g. Apache)

Before I share the script, a few words of warning and a few pointers

  • Everything needs to run as root
  • I mounted a NAS share of my certificate files so that they were stored and backed up centrally. Certbot expects to find everything in /etc/letsencrypt so that will need to be your mount point if you use the NAS option
  • The script assumes that the server on which it is running has SSH keys setup on all hosts it needs to connect to such that passwordless root is possible.

If you don’t know how to do any of these things then you probably shouldn’t try using the script. It’s not that you won’t be capable or anything, rather that there are a lot of moving parts and basic Linux knowledge that would allow you to achieve these 3 points will go a long way in helping you to debug any issues with the script.

Finally then, the script; configured for two dummy domains, running on the same box, one serving from apache, the other a custom process.

#!/bin/bash
# Configuration section
email=your.email@address.com
certPath=/etc/letsencrypt/live/
remotePort=80 # Lets encrypt only supports 80 - ouch - we'll need to stop servers while doing this
domains=('one.domain.com' 'two.domain.com')
hosts=('1.2.3.5' '1.2.3.6')
sshHosts=('1.2.3.4' '1.2.3.4')
sslPathOnServer=('/etc/apache2/ssl/' '/etc/specialprocess/ssl/')
keyFileNameOnServer=('www.key' 'pub.key')
certFileNameOnServer=('www.crt' 'cert.crt')
chainFileNameOnServer=('www-chain.pem' 'chain.pem')
serverStopCommand=('/etc/init.d/apache2 stop' '/etc/init.d/specialprocess stop')
serverStartCommand=('/etc/init.d/apache2 start' '/etc/init.d/specialprocess start')

# Work is done here, no further edits!
i=0
for domain in ${domains[@]}; do
        # Ascertain if the certificate will expire in 3 weeks or less - stops lets encrypt nagging e-mails
        new=0
        if [ -d "$certPath$domain" ]
        then
                openssl x509 -in $certPath$domain/cert.pem -checkend $(( 86400 * 21 )) -noout
                result=$?
        else
                new=1
                result=1
        fi
        if [[ $result == 1 ]]
        then
                # Report the status
                if [[ $new == 1 ]]
                then
                        echo "Certificate for $domain [New]"
                        echo "Running certificate creation process..."
                else
                        echo "Ceritificate for $domain [Expiring]"
                        echo "Running renewal process..."
                fi
                # Start renewal process; create remote directory, iptables rule, start remote server
                echo -n "       Setting up iptables rules on remote server, stopping server process using certs & starting temporary micro server..."
                rule="INPUT 1 -p tcp -m tcp --dport $remotePort -d ${hosts[i]} -j ACCEPT"
                ssh root@${sshHosts[i]} << ENDSSH > /dev/null 2>&1
                eval ${serverStopCommand[i]}
                mkdir /tmp/$domain
                iptables -I $rule
                cd /tmp/$domain
                python -m SimpleHTTPServer $remotePort > /dev/null 2>&1 &
ENDSSH
                echo " Done"

                # Mount remote directory locally over SSHFS
                echo -n "       Creating mount to directory served by temporary micro server..."
                if [ -d /tmp/certbot ]
                then
                        rm -rf /tmp/certbot
                fi
                mkdir /tmp/certbot
                sshfs ${sshHosts[i]}:/tmp/$domain /tmp/certbot
                echo " Done"

                # Call letsencrypt to renew/create
                echo -n "       Call letsencrypt to renew the certificate in our store..."
                letsencrypt certonly --webroot -n -w /tmp/certbot -m $email -d $domain > /dev/null 2>&1
                echo " Done"

                # Unmount remote SSHFS directory
                echo -n "       Unmounting micro server directory and cleaning mount point..."
                umount /tmp/certbot
                rm -rf /tmp/certbot
                echo " Done"

                # SCP certificate/chain/key files to remote host
                echo -n "       Copying new certificate files to the server..."
                scp $certPath$domain/cert.pem ${sshHosts[i]}:${sslPathOnServer[i]}${certFileNameOnServer[i]} > /dev/null 2>&1
                scp $certPath$domain/privkey.pem ${sshHosts[i]}:${sslPathOnServer[i]}${keyFileNameOnServer[i]} > /dev/null 2>&1
                scp $certPath$domain/chain.pem ${sshHosts[i]}:${sslPathOnServer[i]}${chainFileNameOnServer[i]} > /dev/null 2>&1
                echo " Done"

                # Cleanup remote host; stop temp server, reload default iptables, cleanup temp directory, restart server process
                echo -n "       Stop micro server, clean up iptables rule & start server process using certs... "
                ssh ${sshHosts[i]} << ENDSSH > /dev/null 2>&1
                kill \`ps -ef | grep SimpleHTTPServer | grep -v grep | awk '{ print \$2; }'\`
                iptables -D INPUT 1
                rm -rf /tmp/$domain
                eval ${serverStartCommand[i]}
ENDSSH
                echo " Done"

                # Confirm completion
                if [[ $new == 1 ]]
                then
                        echo "Certificate for $domain [Created]"
                        echo "Creation process complete"
                else
                        echo "Renewal process complete"
                        echo "Certificate for $domain [Renewed]"
                fi
        else
                # Certificate needs no renewal, indicate as such
                echo "Certificate for $domain [OK]"
        fi
        i=$i+1
done

You’ll need to modify the variables/arrays at the start to get it working, some are obvious, but I’ll explain them anyway.

  • email : This is used to create, recover and access your account. Once created, the private key for accessing your account will be stored in the let’s encrypt home directory (usully /etc/letsencrypt)
  • certPath : The path to the /live directory in your let’s encrypt home directory, usually /etc/letsencrypt/live
  • remotePort : Leave this at 80; it’s just here to help setup iptables rules – it cannot be changed in let’s encrypt config
  • domains : An array of domains for which you want certificates
  • hosts : An array of IP addresses corresponding to the aforementioned certificates – keep the ordering the same!
  • sshHosts : An array of IP addresses used for administering each of the aforementioned domains; for example you may have several web servers/domains all being served from the same physical host – this would then be an array of identical IPs, corresponding in array size with the number of domains
  • sslPathOnServer : What is the file system path to each domain’s certificates on the host server
  • keyFileNameOnServer : Within that directory, what is the key file name
  • certFileNameOnServer : Within that directory, what is the certificate file name
  • chainFileNameOnServer : Within that directory, what is the chain file name
  • serverStopCommand : For each domain, what command stops the server process the domain is used for
  • serverStartCommand : Likewise, what is the command to start the server process again

That’s it! Best of luck if you choose to go this way and do let me know if the script is useful to you.

Comments (1)    

Raspberry Pi MAC Address Changing on Reboot

I recently did a apt-get dist-upgrade on my Raspberry Pi running Raspbian 8 and when I rebooted the device appeared to drop clean off my network. I was away from home at the time so I decided to fix it when I was next on the premises – it wasn’t a hugely important device to have running 24/7.

When I looked at the device in person I realised that it was in fact connected to the network, but with a different IP address to that it had held before. Having MAC address based IP allocation, this seemed rather strange. Looking at the MAC address in ifconfig revealed the problem – it had changed! Thinking this to just be a fluke, I rebooted. Now, not only was the MAC still different to that which it should have been, it had changed a third time!

Investigating what had happened during the upgrade revealed that both the bootloader and the kernel had both been upgraded, but for whatever reason, the new kernel wasn’t being loaded. Modifying the /boot/config.txt as follows along with a reboot fixed this discrepancy and lo and behold the MAC returned to it’s former value and the device picked up the IP address it was supposed to have over DHCP

From

[pi1]
kernel=vmlinuz-4.4.0-1-rpi
initramfs initrd.img-4.4.0-1-rpi followkernel
# to enable DeviceTree, comment out the next line
device_tree=

To

[pi1]
kernel=vmlinuz-4.9.0-2-rpi
initramfs initrd.img-4.9.0-2-rpi followkernel
# to enable DeviceTree, comment out the next line
device_tree=

It’s worth pointing out that you may have a similar problem with a similar cause but slightly different kernel versions to me. If this is the case, or to check if it is, verify the old/new versions in /boot as follows

ls -lha /boot | grep initrd.*rpi

Which will reveal your old/new versions

-rwxr-xr-x 1 root root 5.7M Jul 3 18:26 initrd.img-4.4.0-1-rpi
-rwxr-xr-x 1 root root 13M Jul 3 18:46 initrd.img-4.9.0-2-rpi

You should then modify /boot/config.txt from the old version to the new version as per my above example.

Comments    

Danfoss Compressor Starting Device Recall – Fridge/Freezer Repair

After a recent fire in one of the flats in our apartment building, the resulting London Fire Brigade investigation concluded that the cause was a faulty part present in all the original fridge freezers installed when the building was first constructed. This part had in fact been subject to an electrical safety product recall back in 2007. As we’d recently purchased our apartment and the fridge was indeed an original, this spurred us into action.

Desiring to avoid the environmental impact of disposing of an entire device when reportedly such a small part was at fault, I set about researching options for a repair rather than resorting to replace the entire fridge/freezer.

The fridge/freezer in question has two Neff product labels inside, one in the fridge and one in the freezer, photos of which were as follows.

Looking these product codes up online told me two things; firstly that these fridges and freezers do indeed contain the faulty part as per the product recall and secondly that we actually have a separate fridge and a separate freezer, something I was up until now unaware of due to the wooden surround which hid how the fridge and freezer were installed. Extracts from the docs showing the Danfoss compressor and the separate nature of the fridge and freezer as follows.

The Neff product look up provided a further useful piece of information about the compressor – its specific product code. This was useful because it allowed me to determine that a starting device, readily available on amazon, was suitable for the task. Note that the new part states the suitability for the “TL” series of compressors which you can see is the same series as present in the Neff product documentation. I bought two of these as the fridge and freezer are completely separate units with separate compressors.

Now all that was required was to extract the fridge and freezer in turn from their integrated state within the kitchen units, disconnect them from the power supply and replace the faulty part. This is best tackled in two stages, firstly, to remove the fridge or freezer from the cabinet

  1. With the fridge/freezer door open, locate retaining screws below the wooden panel on the door and remove
  2. Do likewise for those on top of the door, being careful this time to support the wooden panel in case it should fall – it’s heavy
  3. Lift the wooden panel off the door if has not already come away. Set it aside.
  4. Still with the door open, locate two screws, one on each hinge, that anchor the unit to the side wall of the cabinet. Remove them.
  5. At the top of the unit, still with the door open, find the pair of screws which hold the unit to the top of the cabinet, remove them.
  6. At the base of the fridge/freezer is a clip on plastic panel. Carefully pull this away to reveal a gap underneath the fridge/freezer. Use the diagrams to help you here as the freezer has a slightly more complex plastic panel which first requires the removal of a drain plug and drain tube before you can remove the plastic panel. The fridge/freezer is now “free”
  7. Closing the door, use the gap you have created underneath the fridge/freezer in the step above to slide the unit out, take great care with both the cable which will still be plugged into the wall at the back and also the sharp metal/pipes at the back near the vents/compressor – these can hurt and also can be easily damaged – a second pair of hands is highly recommended in removing the unit
  8. Set the unit down on the kitchen floor, the back portion facing in a direction with plenty of space such that you’ll be able to work on it at floor level. Switch off and unplug the unit at the wall.

Once you have the unit on the floor you need to get access to the compressor starting device which is under a plastic cover. See the labeled, exploded diagram below to help you in this

  1. Find the cover retaining screw and remove. This will allow the cover to slide up and out, top first. It’s in a tight space but with care and patience you’ll be able to fully remove it.
  2. You’ll see the black starting device now, wired up and attached to the side of the compressor. Your new one will be white so you won’t get them mixed up
  3. Note that in these “faulty” fridges/freezers a significant amount of white decayed plastic will be sitting inside the cover and below the starting device. Remove this with a vacuum cleaner and then any residue that remains in the cover you can wash/scrub off, afterwards drying the cover thoroughly – only use water on the cover – do not put water anywhere near the compressor, use vacuum only here! It is of course this decayed white plastic that is the cause of the fire risk – quite startling to see it there really.
  4. It’s best to leave the wires attached to the starting device as you remove it; this will allow you to see more clearly how it’s wired up as you’ll need to replicate the same wiring with the new device
  5. Slip a small flat-bladed screw driver between the compressor and the starting device, as close to the centre of starting device as you can and slide it in until it’s fully behind the starting device. Once in position, gently prise the device away from the compressor. You’ll be able to finish the job by hand, revealing 3 pins on the side of the compressor which have plugged into the starting device.
  6. Observe the simple wiring; white cable from the wall plug goes live/neutral to the screw terminals of the starting device, black cable from the fridge/freezer goes live/neutral to the corresponding spade terminals to either side of the screw terminals and then a black control wire goes to a spade terminal on the centre bottom of the starting device. There are also earth wires, but you should avoid touching these and leave them in place – you don’t need to do anything with these in order to replace the starter.
  7. Carefully disconnect the old starter from the wires. If you’re unsure of the aforementioned wiring convention, you may wish to take a photo for later reference.
  8. Wire up the new starting device to the cables as per the aforementioned wiring plan, referring to your photo if you felt you needed to take one. Note that I found the spade terminals were slightly different sizes (new ones larger) and so I had to prize apart the terminals on the wires a little using pliers to get them to fit snugly over the new starter’s pins.
  9. Once you’re happy that everything is wired up correctly and tightly, it’s time to fit the new starter back onto the compressor’s 3 pins. Line it up carefully, use a torch if you can’t see clearly and gently press the starter onto the pins. Take great care to only exert force in the absolute centre of the starter such that you avoid the possibility of bending those pins.
  10. With the starter firmly in place it’s time to replace the black cover – make sure it’s dry if you wiped it with a cloth earlier! Slide it into place, bottom first, then top, then push down – you’ll see the screw hole line up – replace the retaining screw

At this point I decided to test my handy work by plugging the fridge/freezer back into the wall socket and turning it on. You should hear the compressor start. All being well you can now proceed to replace the unit into the kitchen cabinet as per the following directions

  1. With the fridge/freezer plugged in at the wall and switched on – you won’t be able to reach behind it to switch it on after re-inserting it into the kitchen cabinet – start the process of replacing the unit into the cabinet
  2. Get someone to help you lift the fridge freezer back up to the level of the hole in the cabinet. Line up the base of the back of the unit so that the back “feet” will enter first – be careful not to damage those delicate pipes on the back.
  3. With the back feet in position supporting the back of the unit, support the unit at the front with your hand. Reach behind and feed the cable down the back of the kitchen cabinets so it is out of the way and will not snag/trap under the unit
  4. Now slide the fridge/freezer back into place, taking care not to push it in too far – you can use the screw holes in the top and hinges as a guide – get them lined back up with those in the cabinet walls
  5. With the door open, replace the hinge screws and those at the top of the unit
  6. Re-insert the plastic cover at the bottom
  7. Hang the wooden face plate back on the open door, supporting it carefully as you tighten the top screws
  8. Finally replace the bottom screws and close the door – it should close snugly to a good seal

Now you’ve done one unit, you’ll need to do the exact same process on the other. I did the freezer first as that was already almost at floor level so was easy to remove on my own. I got someone to help me with the fridge as that was higher up and the galley shape of our kitchen made it tough work to get the unit gently down to floor level – remember to take care of that cable and delicate pipe work at the back!

And there you have it. Fridge and freezer as good as new and with safe parts to boot. All for the price of a round at the pub and a couple of hours work – what could be better.

One final word – I offer these instructions without warranty! If you’re unsure of these steps in any way, consult a qualified electrician! The wiring is simple (like inside a plug) and should be within the ken of most competent DIY’ers but as with any unfamiliar task, do take care and double check what you’re doing at each stage.

Comments off    

Failed to connect to lockdownd

After a recent holiday I wanted to download the photos from my iPhone – something I’ve long been able to do in Linux. Upon following my well trodden process, I was greeted with an unfamiliar error message

$ ifuse /media/kieran/iphone
Failed to connect to lockdownd service on the device.
Try again. If it still fails try rebooting your device.

Some reading around the subject revealed that encryption needed to be disabled on the libimobiledevice module that is used under Linux to pair with the iPhone. Rather than go to the effort of modifying the source myself, some helpful chap has already done this and published the code and usage guide to GIT. Hope this pointer helps someone who is stuck trying to access their phone.

Comments off    

Replacing StartSSL

A small service I created for personal use had its SSL certificate expire a few weeks ago. I replaced it using my go-to free certificate provider, StartSSL. Unfortunately, accessing this service from my iPhone still didn’t work afterwards, or rather it did, but the certificate still wasn’t trusted. I was forced to ignore this issue at the time due to other pressing matters and, as the service was just used by me, on my device, I simply set the app to ignore the issue until I had time to diagnose the problem properly.

Today I replaced my e-mail signing certificate, also from StartSSL. This time I knew something was wrong; adding the certificate to Thunderbird and sending a test e-mail to be retrieved by my iPhone, the certificate again wasn’t trusted.

Turns out that silently, unbeknownst to me and I’m sure many others, the following chain of events has occurred

  1. StartCom which runs StartSSL were taken over by WoSign
  2. Due to past issues with WoSign regarding the erroneous issuing of certificates for a domain that they had no authority to issue for, they had their root certificate rights revoked by Apple, Mozilla, Google and others
  3. Since the take over of StartSSL, the aforementioned device/software companies have also ceased to trust the root certificates of StartCom.

This has resulted in my having to spring into action. The silent take-over of a previously trusted organisation by a dubious one located in a political jurisdiction known to be questionable with respect to web security is worrying enough, but with the added pain of being unable to send signed e-mail and issue new certs for my soon to expire domains required to be addressed immediately.

I’ve found that comodo, a trusted certficate authority, will issue free e-mail signing certs so I’ve jumped over to that immediately for e-mail and that is running nicely.

In addition there is “LetsEncrypt”, which, once installed, allows you to generate trusted SSL certificates for your domains using the following command

letsencrypt certonly --manual -d my.domain.com

When running the above it’s important to remember that validation you have control over the domain for which the certificate will be issued requires you to

  • Be running a web server on port 80 on the domain
  • Said port 80 server to be accessible publicly through your firewall
  • For you to place a file to be served on the web root of this server

You can always stop apache (or whatever your web server is) and run up a simple stand-alone python server to do the job, but you won’t be able to get away without changing your firewall rules.

This is a departure from the way I’m used to doing things which used the administrative e-mail address registered to the domain and code sent to this for validating I owned the domain. This was nicer as it meant I didn’t have to play with my config all that much (some servers I run use non-standard ports and don’t have port 80 open by default for example).

Anyhow, from my reading of the documentation about LetsEncrypt, it seems that all major browsers and Apple iOS are trusting certificates signed this way. I’ll update this post if that turns out not to be the case, but I’m optimistic.

Hopefully this post will help to raise awareness and also assist some folk out of a bit of a pickle with their security arrangements.

Comments off    

Lost Keys

Last night while crossing Tower Bridge on my way home, a cyclist went past Southbound and there was a soft clatter in the roadway as he did so. His keys had fallen out of his pocket. As he was going at quite a pace, by the time I had managed to dart into the road, pick them up and run after him, he was long gone.

Arriving home with the keys, I resolved to try and trace the owner with the information on the keys and then hand them in with as much info as I could to the police station I pass every morning on the way to work. Finding little on the keys to indicate who they belonged to, I settled for e-mailing the company who had cut one of the security keys on the bunch in the hope they maintained an owners registry.

Taking the keys with me the next morning in order that I could act on anything the locksmith company told me or indeed hand them in if they failed to turn up anything, I set off for work.

As I was crossing Tower Bridge I saw a cyclist who had parked on the pavement in order to take a photo of the beautiful hazy sunrise to the East. Passing him I noticed a striking familiarity in the motif and colour of the back of his jacket. “It can’t be!?” I exclaimed to myself! Walking up to the chap I just came out with it, “Sorry to bother you, but you wouldn’t happen to have lost a set of keys cycling over Tower Bridge last night would you?” and lo and behold, it was the same man! To say that incredulity and gratitude all rolled into one was writ upon his countenance would be an understatement – neither of us could quite believe the chance encounter that had so swiftly re-united him with his lost property!

It just goes to show, no matter how hopeless a situation feels or improbable a solution to it may be, never give up hope!

Comments off    

4am Finish

Slightly more refined than student days of old, we threw a house-warming party in our new flat over the weekend with great success. Guests arrived, food was eaten, music was played and copious quantities of alcohol were consumed. The conversation and conviviality continued until the early hours of the morning, proving that being a student is not a prerequisite for an all-nighter on the party scene! Thanks to all who attended and may it be the first of many.

Comments off    

Draytek DNS Drops

Some time ago I wrote an article about fixing a VPN connection issue over a Draytek router concerning a UDP flood defense setting. Its turns out that the very same setting can also cause an issue with DNS, the symptoms of which I will outline below. For the fix, head over to the old article above.

Essentially the symptoms are simple. You browse the web as normal and then all of a sudden DNS for new sites (not in local cache) stops resolving. A router reboot is the only way to fix the issue. Increasing the flood defense packet ceiling as mentioned in the article above stops the issue from occurring. I said it was simple!

As to why this issue had happened to me once more, despite having applied an earlier fix, I can only conclude that the ceiling I setup earlier, being tailored to the speed of my ADSL link at the time, should now be higher as I have around twice the bandwidth I used to. I doubled the value and now all is well.

Comments off    

Welcome 2017

In the past I have written round ups of what has happened throughout the previous year before wishing the compliments of the season to readers, hopes for the future etc. I’ve also gone so far as to neglect to do anything at all with regards the blog in recent years, sporadically posting when the fancy takes me, having very little regard for direction or purpose. But that’s life.

I felt it best to offer category based round-ups this year; this way I can engage in some retrospective commentary about the years events, without feeling the need to go into too much detail, but allowing myself the license to do so for those topics of particular note.

Family – With the tragic death of Shweta’s Mother in late May and the passing of my Grandfather in December, it’s been a rough road at times, particularly for Shweta and her Father. While it’s not something that’s either easy to write about, nor really articulate in terms of emotions or feelings, there is only one way, and that is forward and we’ve never felt alone on this difficult journey either in body or spirit and that has been a great comfort.

Home – So let’s move on with something that has made a very firm positive mark on the year. Shweta and I bought a flat together, managing too, by the end of the year, just, to finish renovating it. It’s located in Shad Thames, a small corner of London that we’ve lived in together for the past few years and have come to love very much. We look forward to many more happy walks along the river, nights out we can walk home from, quiet nights in and perhaps the odd party or two.

Travel – What we’ve lacked in distance flown, we’ve made up for in engagement with our surroundings. We’ve spent a number of holidays and made numerous excursions to different part of the UK. We’ve stayed with friends on Angelsey, hiked in Snowdonia, toured Cornwall, explored Gloucestershire and had many nights out in our fine capital city, taking in music, theatre and art. We’re still behind with the photo log, but I’m working on getting albums up and there’ll be a kind of retrospective written later in the year to point in the direction of these.

Politics – One really couldn’t leave this post without referring to the political events of this past year.

The Brexit vote in June was quite possibly the most politically upsetting event that I’ve ever had the misfortune to experience. While I’ve not always agreed with EU policy and direction, I’ve always felt an affinity with Europe and her peoples. The shame of being a citizen of a country turning it’s back on this great bond of friendship and having to face friends and colleagues in work the following day who are citizens of other European countries, was a most singularly unpleasant experience. We can only look forward now, but I can’t deny that I do so with trepidation about what our future might hold.

As if this wasn’t enough, the election of Donald Trump was another body blow for progressive Western politics. Again, I was not always a fan of some of Obama’s more left wing policies, but his handling of world issues and his general tolerance towards those who might oppose him was a positive beacon for many and one that we will all feel the worse for losing. One cannot predict the future, but isolationist policies perpetrated by a modern world power cannot do anything to help it be a positive one.

Direction – Shweta and I have come to appreciate what, I think, we’ve always known and that is, whatever life serves you, you get the most out of it if you give it your all and expect nothing in return. What you get back will then, almost certainly, not only surprise you, but surpass any and all expectations. To this end we have resolved, perhaps more than ever, to focus on our presence; that is to say, be aware of what is around you, retreat less, engage more. We plan on reducing our engagement with ubiquitous communications, spend more time with friends and family, make more adventurous travel plans and throw plenty of energy into social and cultural engagements around town. We’ll also be starting a scrap book; we’ve already collected some material for it and will continue to do so into the new year. It’s not for public consumption and is very much a slow-burn type task, but I feel sure this will provide much fun and inspiration for us both.

So yes, it really is a warm welcome for 2017 – we have much cause for hope in the future and there really has been far too much despair in 2016, in spite of all the immensely positive things that we and our friends and family have achieved.

Wishing you all then, a very happy, prosperous new year.

Comments off    

Focusing on the Value-Add

It’s a common thing on e-commerce sites these days; we find a product we like, read all about it, but before committing to a purchase, we decide to have a quick search around to make sure we’re getting the best deal price-wise. It’s the online shopping equivalent of trying on a pair of shoes in the shop and then having a quick check on your phone to make sure you can’t get a better deal elsewhere.

Understandably, retailers are twitchy about this. They build sites jam packed full of information, the value-add if you will, to try and encourage confidence in buyers, only to lose the sale on the price point, despite having invested in the customer experience.

I came across a site a few months ago that was fighting back against this post-decision shopping around in a very innovative way.

The following image is the product on sale

And this is what happens when you select the product name text with the intention of copying and pasting into a search engine

Now, it doesn’t *prevent* you from doing the copy/paste, but it does ensure you stop and think, as a customer, about the realities of doing business and if, given the level of service you’re getting, if the price is actually *already* fair.

Food for thought for e-commerce operators and customers alike I’d say.

Comments off    

« Previous entries