NinerNet Communications™
Blog

Corporate Blog

A cursory and superficial analysis of the Google/Symantec “knife fight”

20 November 2016 07:32:16 +0000

There is an African proverb: “When elephants fight the grass suffers.” I think this fairly describes the “knife fight” — a popular term in some recent media coverage of the American presidential transition — between Google and Symantec recently.

As described on our status blog, a bug (Google, Symantec) in the Google Chromium web browser caused Chromium users to see certificate errors when trying to access websites secured with valid certificates issued by Symantec and it’s subsidiaries — e.g., Geotrust, RapidSSL, Thawte and possibly others too. This included large websites such as Amazon, Flickr and Yahoo.

The knife fight first came to our attention probably a year or so ago, likely in an email from the certificate authority (CA) that we use for most of the SSL certificates we sell to clients and use ourselves. That CA is RapidSSL, a subsidiary of Symantec.

Now, it seems that Symantec did something bad in 2015: they created some certificates for domains that had neither requested nor authorised them. This was likely for testing purposes, although you do have to wonder about the IQ of the person at Symantec who authorised this. Google was particularly annoyed, because two of those certificates were for google.com and www.google.com.

What followed was some serious holier-than-thou public finger wagging at Symantec by Google, pontification worthy of a schoolmarm armed with a wooden ruler rapping the knuckles of the Symantec child. Bad, bad Symantec, now we’re going to shame you and be nasty to you in public, and tell you how you should be running your business. Which is all well and good, because Symantec did something stupid and should suffer the consequences.

One of those consequences was Google using the power it wields by virtue of the fact that it creates the most popular web browser on the planet — power that Microsoft used to wield, and also abused — to single out Symantec certificates for special treatment. (Why Google Chrome [and its progenitor Chromium] are so popular is beyond me. I’ve used Chromium and Chrome as secondary browsers on Linux and Windows machines, but my personal experience is that it’s slower and less configurable than Firefox.) Starting in June 2016 Google required Symantec to jump through hoops it doesn’t require of other CAs. Is that abuse of power? Some say no, and it’s difficult to disagree with them. However, Google then also did something bad and stupid themselves, by creating a situation that led to what they’ve called a “time bomb”, meaning that most (if not all) Symantec certificates stopped being trusted by Google Chromium in early to mid-November.

The upshot of this is that it was innocent third parties — the proverbial grass, the customers of Symantec that bought their certificates, and some users of Chromium — that were hurt by this knife fight. I’d love to know how much business Amazon lost as a result, and if we can expect a lawsuit and a payout from Google.

SSL version 3 “POODLE” vulnerability

17 October 2014 05:21:12 +0000

The latest in a series of recent vulnerabilities discovered in software commonly used on servers hosting websites and email (among other services) has reared its head. “POODLE” (conveniently discovered by the clever rhymers at Google) is a catchy name for a vulnerability found in a two-decade-old cryptographic protocol used to encrypt network connections. SSL — the secure sockets layer protocol — has become a household word over the years, and those three letters are still now used by many to refer generically to secure connections, even though SSL version 3.0 (published in 1996) was superseded by TLS (transport layer security) version 1.0 fifteen years ago (in 1999).

All of this introductory information is not intended to trivialise the problem, of course, but to give some background and illustrate how it can take a long time for new standards to be adopted, and old ones to be abandoned. Often, old standards live on simply because “if it ain’t broke, don’t fix it” … and now (well, three days ago) we find that the last version of SSL — version 3.0 — is indeed “broke”.

As such we will be re-configuring all of our servers still configured to allow SSL 3.0 connections to use TLS exclusively. This will require reconfiguring and restarting web servers, FTP servers and various email services. While we anticipate the work on all servers taking about an hour, interruptions in service — if there are any — should be brief and last only a few seconds at a time as services are restarted.

Of particular interest — due to a couple of recent support requests related to our newer mail server on NC027 — is that Microsoft Outlook 2003 users will likely no longer be able to connect securely to the mail servers on NC018 and NC023 (the relay server), as Outlook 2003 does not have support for TLS. Apparently a 2004 “hotfix” available from Microsoft will add TLS support to Outlook 2003, but we cannot vouch for this personally, nor are we aware of any clients who have used this. It should be noted that Microsoft stopped supporting Outlook 2003 earlier this year. It is obsolete software.

It is of interest to me personally that my favourite email program of all time — Eudora — will weather this storm and continue to flourish, as it does support TLS. However, sadly, even Eudora will eventually succumb to the ravages of time and the march of technology. In fact, I strongly suspect it only supports TLS version 1.0, and I have noticed that Google actively discourages connections from old email clients such as Eudora, probably because they likely suggest using an email client that supports at least TLS version 1.1. The latest version of TLS is 1.2, already six years old itself.

So, we will be using our weekend maintenance window to perform this maintenance. However, instead of starting at the usual time, this maintenance will begin at 21:00 UTC on Saturday, 18 October and, as stated above, should take roughly one hour. Please consult our status blog for updates on this maintenance, and please contact support if you have any questions or concerns.

Christmas and New Year hours and wishes

24 December 2013 22:25:28 +0000

It’s the end of the year again, and a fitting time to thank you once again for the custom that you have given to NinerNet in 2013. This year was challenging in some respects, but looking at things from the positive side the challenges were the result of growth. Some of that growth continues to be the new business that you, our existing clients, continue to refer to us, and for that we are most grateful.

Looking forward to 2014 we, as always, have plans to expand and improve the services we offer to you. Some of the new services will involve “private clouds”. We have avoided the buzzword “cloud”, bucking the industry trend in recent years, but with the news that broke this year about pervasive, worldwide, government surveillance — especially through big hosting companies based in the USA — we’re getting more enquiries about setting up a cloud-type infrastructure for in-house use only, and on servers outside the US. Look for an announcement about this in 2014.

On a wider scale, 2014 will see the introduction of new top-level domains (TLDs) and stronger enforcement of the requirement to use real and working contact data for domain registrations. Early in the new year we’ll be contacting you about the latter. As for the new TLDs — a TLD is the part of your domain to the right of the last dot (e.g., .com) — early registration for some of these are underway. Their introduction has been controversial, but they may see use in certain regions and niche industries. At this time they would appeal to only a limited number of our existing clients, but we’ll be providing information about them early in the New Year too (although we can immediately register in some of them). Some examples of new TLDs include .bike (e.g., example.bike), .clothing, .construction, .contractors, .diamonds, .enterprises, .guru, .holdings, .singles … and so on. Eventually there will also be a .africa too. Please be aware, though, that there are already scams involving fake registrations in these new TLDs, so if you get spam about these please keep that in mind and ask us if you need guidance.

Finally, our offices will be closed over the Christmas break for routine business, but support continues to be monitored 24 hours a day, seven days a week. We will re-open on Monday, 6 January.

We wish you and your family, business, organisation, employees and/or colleagues who celebrate it a very happy Christmas, and all the best for the New Year.

Entrusting your privacy to “the Cloud”

29 February 2012 23:59:52 +0000

As a company NinerNet is — and I personally am — a bucker of trends, a refuser of “the easy way”, an anti-“fashionista”, and an advocate of low-level simplicity. This can, at times, make us look like Luddites, but we’re not quite that bad. For example, we’ve joined the trend over the last few years of using the new electric light rather than burning torches to light the office.

The trend we haven’t joined is that of entrusting every scrap of data to “the Cloud”. And this is where what I call “low-level simplicity” comes in. Sure, it might be “easy” to set up a Gmail account, or to use Google Apps to host email on your company domain, or to use Blogger (also owned by Google) or WordPress.com to host your blog. It may even eventually be true, as one client told me recently, that websites are passé and have been replaced by Facebook! (Heaven help us if that prediction ever comes true!) But is it really easier?

In evaluating any course of action, one has to conduct a cost-benefit analysis. Even getting out of bed in the morning involves a cost-benefit analysis, so choosing where to store your private email and sensitive company documents certainly does too. But the costs and the benefits are not confined to the beginning of the endeavour; the costs and the benefits run the entire life of the course of action, from set-up to tear-down — whether or not that tear-down is voluntary and planned.

So if you want to entrust all of your data to the Cloud, please be my guest. Just remember to consider what might happen to that data once it’s beyond your control, how you might deal with the situation if the company you’ve entrusted it to loses it or disappears, what your losses will be if the company decides to give access to your data to someone (e.g., a government or someone undesirable who gains access to the data illegally or through a company takeover), and how you’re going to deal with the situation (and how much it’s going to cost) when you decide to switch systems. So it was free and easy to set up, but will it be free and easy to take down?

The paradigm shift, in my opinion, seems to have been the move from keeping all of your data locally and backing it up remotely (even if it involved driving back-up tapes to a warehouse across town), to keeping all of your data remotely and backing it up … where? Locally, or on another remote system, probably owned by the same company where your data is primarily stored? Good questions. Many of these systems (Cloud and otherwise) that are supposed to “help” you and make your life “easier” with respect to technology really just add a higher-level layer of complexity on top of lower-level simple protocols that have been running the Internet (just fine, thank-you very much) for decades.

Anyway, this is a long-winded introduction to Two honest Google employees: our products don’t protect your privacy. In that article security and privacy researcher Christopher Soghoian explodes the myth — if, in fact, the myth existed in the first place among people who actually think about this stuff — that Cloud companies like Google care one jot about the privacy of your data. In fact, Google’s business model — those ubiquitous adverts next to everything you see on the Web these days — relies on your data being open and easily read. Reading a steamy email from your husband about last weekend’s getaway? Yeah, the ads off to the side might also be NSFW.

Here’s a preview:

Google’s products do not meet the privacy needs of journalists, bloggers, small businesses (or anyone else concerned about government surveillance).

… if the files that I store in Google docs are encrypted or if the files I store on Amazon’s drives are encrypted then they are not able to monetize it …. And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications. … their business model is in conflict with your privacy.

Read the comments too. Unlike on some blogs, these comments are intelligent and worth reading … with one exception. Oh, and Soghoian’s The New York Times article (When Secrets Aren’t Safe With Journalists), to which he refers, is worth reading too.

Don’t fool yourself. As with anything, use the right tool for the job, and be aware of the strengths, weaknesses, limitations, costs and overall suitability of the tool you choose.

How free is “free”?

31 October 2011 23:04:52 +0000

As has been noted before, the Internet has spawned a generation of freeloaders. The lure of “free” is very difficult to resist, especially when other options out there cost as much as (gasp!) $4.95 a month. However, there is a cost to “free”.

To quote usability guru Jakob Nielsen, “users pay with attention instead of money” when they’re using “sponsored” (i.e., “free”) software. This applies especially to web-based free software, but now even some free software that you install on your computer actually comes embedded with advertising. Imagine! People who install this kind of software — called “adware” — on their computers are actually choosing to install advertising and the engine to drive it on their computers. Makes you shake your head when people who complain about being subjected to advertising against their will in other media actually choose, of their free will, to infect their computers with resource-consuming advertising.

But I digress.

The point is this: There is always a cost when it comes to “free” sponsored software, and this is explained very well (complete with costs added up) by Nielsen in his article The Real Costs of “Free” Search Site Services. Of course, we’re interested in this because some of these free services compete with us. Remember that we are accountable to you because you send us your hard-earned money; companies that provide their services for free have no reason to be accountable to you, because they’re not getting anything measurable from you. What they are getting is payment from their advertisers, and that’s who they’re accountable to.

Nielsen concludes his article with a note about non-commercial software, which he differentiates from “free” sponsored software. It’s a valid and noteworthy distinction.

Do you have questions about free software? Let me know!

Craig

The Navigation Nightmare

23 February 2011 07:49:42 +0000

There’s a very interesting (if several months old) article over on the website of a company named Sedo, written by the company’s CEO. Sedo, founded in Germany, is a company that brokers the sale of domains that have already been registered.

The article, though, isn’t really about their business. It’s about a variation of one of several — maybe even many — misconceptions about what the Internet is. Ask different people the question, “What is the Internet?” and you’re likely to get almost as many answers as people you ask. These days you might get an answer like, “Facebook is the Internet,” or even the other way around: “The Internet is Facebook.”

However, even if you realise how absurd those statements are, you might still be caught up in all of the hype that are Facebook, Twitter, and various other social networking websites, and technologies du jour. I’m not discounting these services; they exist, and they have proven their worth and reach — the latter especially during these days of unrest in north Africa and the Middle East. But the fundamental difference between these services that are built on the Internet and the Internet itself — clearly illustrated just by that very statement — is that Facebook and Twitter can go away. On the other hand, until the human race evolves the ability to use telepathy and manage it to communicate with dozens or millions of people around the world, the Internet (or some variation of it) is likely here to stay.

Something else that’s a bit ironic about the way people perceive companies like Facebook and Apple, and how those companies perceive themselves, is that this is a classic example of “back to the future”, or maybe “forwards to the past”. Back before the Internet moved out of the science laboratory and into the public realm, there were a couple of online services named AOL and CompuServe, and many smaller services called bulletin board systems (BBS for short). You couldn’t navigate outside of those “walled gardens“, and companies would set up the forerunners of what would later become websites within those walled gardens, accessible by using a “keyword” given out in advertising. The Internet knocked down those walls, but companies like Apple and Facebook are (ironically) building them again — essentially blocking the view and the freedoms created by the Internet.

Unfortunately the archived version of this article on the Sedo website lacks an important table that illustrates what I think is the key to understanding the main point of this article, so I’m providing both a PDF version of this article, and a link to the stripped-down article on the Sedo website:

Enjoy, and if you have any questions about the information in this article, feel free to contact me through the NinerNet website.

Craig

NinerNet home page

Subscriptions:

RSS icon. RSS

General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.

Search:

 

Recent Posts:

Archives:

Categories:

Tags:

accounts receivable apple billing branding cira contact information domain registration domain registry of canada domain renewals domains domain sales dot-ca domains dot-zm domains down time droc email encryption facebook google happy hosting customers hosting transfer icann invoices iphone kwacha maintenance paying your bill paying your invoice quarterly kwacha rate review rates registrar transfers reputation scams search engine optimisation search engine optimization security seo service hours spam ssl ssl/tls support transparency wordpress zamnet

Resources:

On NinerNet: