PKI

The burdens of SSL certificate maintenance to a website admin are, I’m guessing here, universal.  Even after the process of acquiring one is complete, the installation and configuration can be somewhat daunting.  And if this were a one-time deal, it’d be far more tolerable, but as the certificates regularly expire, it’s a constant hassle.  So I’ve bounced between certificate authorities as my own circumstances, as well as those of the industry, have changed.

I began this site with a company called StartSSL.  At the time, I found them efficient, affordable (as in–free), and with an easy-to-use website.  My user ID was assigned via browser certificate (as opposed to the username/password method), and on their dashboard I could mint on-demand website and email certificates with standard WHOIS-based domain name validation.

But when I went to renew one day, I found the site to no longer be functioning properly.  The basic operations to which I was accustomed had vanished, and my attempts at minting new certificates resulted in incompatible file types.  I searched for info, but as the service was free, it was hard to come by.  Further research revealed that they had been acquired, and shortly thereafter made the tech news for their new parent company’s bad security practices (and secret acquisition).  Ultimately, they got themselves blacklisted by browser vendors and once my certificates expired, I would not be able to use StartSSL as a CA.

By this time, however, the EFF’s certificate project had launched and was gaining traction.  The service, Let’s Encrypt, boasted hassle-free and automatic domain-validated SSL certificates.  The best part was that my server’s manufacturer released an update which integrated the process into their stock software.  With just a few selections, I could request a certificate, then be issued one with no further input on my part to install it.  And even better, the service would reissue automatically prior to the certificate’s expiration (which was limited to 90 days, but that’s not a bother when they reissue on their own).  I made the switch.

Then I received an email.  The domain validation system used (a variant of the HTTP file-based verification method–more on this in a bit), was being sunsetted due to security vulnerabilities.  I checked with my server manufacturer’s forums, but couldn’t find any information on how to change the default verification method.  So with 30 days of lead time, I looked into finding a new certificate issuer.

I would have thought that because of the EFF’s efforts, certificates would have become very affordable.  And they are, but you have to dig, because the majority of advertised products are intended for business and/or ecommerce use.  Securing a certificate for a personal non-business home-based server proved to be somewhat trying, but I did eventually find such a line of products: COMODO’s PositiveSSL certificates.

These certificates are domain-validated only, meaning to acquire one you only have to prove you control the domain.  This is the only type I’ve ever used, as their application is rather low-risk, this being a blog.  Their price point is due to the ability to automate the process, and while it offers the same level of encryption as any industry-standard certificate, it’s a very basic level of authentication.  Here’s Wikipedia’s explanation (https://en.wikipedia.org/wiki/Domain-validated_certificate):

“The sole criterion for a domain validated certificate is proof of control over whois records, DNS records file, email or web hosting account of a domain. Typically control over a domain is determined using one of the following:[3]

  • Response to email sent to the email contact in the domain’s whois details
  • Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
  • Publishing a DNS TXT record
  • Publishing a nonce provided by an automated certificate issuing system

A domain validated certificate is distinct from an Extended Validation Certificate in that this is the only requirement for issuing the certificate. In particular, domain validated certificates do not assure that any particular legal entity is connected to the certificate, even if the domain name may imply a particular legal entity controls the domain.”

But alas, with COMODO, this was my first encounter with a certificate-signing request.  With StartSSL, the service generated the public/private key and installed it into my browser, which then required me to export the file and import it into my server.  I’m assuming that’s okay, but it is placing a lot of trust in the certificate issuer, as in theory they’d have/had access to the private key.  A certificate-signing request, on the other hand, eliminates that security hole.

The process is as follows: the server creates a public/private key pair and a certificate-signing request (CSR), which it signs with the private key (standard procedure).  The CSR is then exported and uploaded to the CA; the private key stays on the server.  After validation, the CA signs the certificate with the private key belonging to its own intermediate certificate, and then provides that now-signed certificate alongside the signing intermediate certificate.  Both are uploaded to the server, along with the original private key.  The three files now supply encryption and identity validation (via the certificate chain path through the intermediate certificate).

It sounds complicated, but from the user end it’s mostly automatic.  The burden lies in the validation process.
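To make the three-file outcome concrete, here is an added example (not from the original post) that runs the same CSR flow with openssl in a scratch directory. A locally generated, self-signed “intermediate” stands in for COMODO’s signing CA; the domain name, file names and 30-day lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the CSR flow described above,
# run with openssl in a scratch directory. A locally generated self-signed
# "intermediate" stands in for COMODO's signing CA; names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Step 1: the server generates its key pair and a CSR signed with that
# private key. The private key never leaves $WORK; only the CSR is sent.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -batch -keyout "$WORK/server.key" \
    -subj "/CN=example.test" -out "$WORK/server.csr" 2>/dev/null
  # Check the CSR's self-signature before uploading it anywhere.
  openssl req -in "$WORK/server.csr" -noout -verify 2>/dev/null
}

# Step 2: the stand-in CA (self-signed, so it also acts as its own root)
# signs the CSR after "validation" and hands back server.crt.
make_ca_and_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -batch -days 30 \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/intermediate.key" \
    -out "$WORK/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: the two checks to run on the three files before installing them:
# the certificate chains to the intermediate, and it matches our private key.
verify_chain() {
  openssl verify -CAfile "$WORK/intermediate.crt" "$WORK/server.crt" >/dev/null 2>&1
}
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

run_demo() {
  make_csr && make_ca_and_sign && verify_chain && key_matches_cert \
    && echo "CSR signed; chain and key match verified in $WORK"
}
run_demo
```

With a real CA the `openssl verify` step needs the CA’s root certificate as well as the intermediate, since the intermediate is not self-signed there.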

As stated above, domain validation is merely the process of confirming that the requestor actually controls the domain for which they’re requesting a signed certificate.  And, as Wikipedia explained above, COMODO chose to do this in one of three ways:

  1. The CA queries the requestor’s domain WHOIS record–the ICANN-required information supplied along with the original domain registration.  Specifically, the registered email address.  The problem for me was that, because of the amount of spam email I received as a result of keeping that information public, I had to purchase a WHOIS-masking service that prevented my registered email address from being visible.  As a result, the CA had no way to query my email, and therefore no email by which to contact me.
  2. This led me to method 2: the CA generates an ASCII nonce and tells me to paste it into a text file in the /.well-known directory.  This directory is, in theory, only write-accessible to the server’s admin, and is also publicly visible.  Logic follows that I, the admin of the server to which the domain name is pointed, would not be able to make this file unless I had full control of both the domain and the server (which I do).  I created the file and was in turn sent a link to download the now-signed certificate.  (Note: the /.well-known directory is not mountable by default.  This required me to save a file directly to the directory via the server’s integrated text editor, although I’m sure a more advanced user could perform a simple SSH command).
  3. Had this second method not worked, the third method of verification involves creating a TXT record with my domain registrar.  It is, more or less, the equivalent of option #2, but at the domain registrar’s level instead of the server’s.  Being able to add any domain record here proves de facto that the individual controls the domain.  Fortunately, I didn’t have to go quite this far, but it’s nice to know the option is available in the event of server/network problems.

Uploading the certificate files was pretty straightforward after that, and a quick setting change switched it over.  I’ve kept my Let’s Encrypt certificate just to see what will happen with the renewal, but if that fails and it expires, I’ll still be good now with a 2-year COMODO one.  Hopefully when renewal time comes up for that, I’ll have this article available to remind me how I did it.  And…if anyone else besides myself ever discovers this article and finds it useful, that’s cool too.

–Simon

Patch Panel

A while back I offered my thoughts on the benefits of wiring devices rather than relying on WiFi, and my efforts with installing Ethernet drops.  The system worked well, but I had nagging doubts about my install.  Specifically, my jack punchdowns were not up to spec, my patch cables were self-made, and my drops terminated in the basement with RJ45 connectors.  In short, it was an amateurish install and didn’t look good.

After re-punching my wall jacks with the proper method, I decided that I would finally bite the bullet and buy a patch panel.  The only thing that had been holding me back was the price, and the fact that I lacked a networking rack to hold it, but these concerns were alleviated with a little bit of searching.  I decided upon these two items:

TRENDnet 24-Port Cat6 Unshielded Wallmount or Rackmount Patch Panel, Compatible with Cat 3/4/5/5e/6 Cabling, TC-P24C6
Monoprice 1.75 by 19 by 4-Inch 1U Wall Mount Bracket 108623

The intent was to mount the patch panel in the bracket on the concrete wall in the basement.  And, despite the irritations involved with drilling concrete, this idea played out perfectly:

It was also much easier than crimping.  A simple punchdown tool secured the wires and clipped the excess, and in short order I had secured my existing 5 drops.

For the record, I chose T-568A.  Although now, having purchased patch cables all configured in B, I probably should have chosen B.  Ah well, the difference is pretty negligible.  Regardless, though I haven’t benchmarked anything, the network does seem a little snappier now.  The previous RJ45s were properly rated for solid-core CAT6, but I still don’t think it’s possible to manually crimp a connection as well as punching.

And besides, it looks much cooler now.

–Simon

Counter-Stalker

I’m sure at some point I’ve complained about internet tracking.  There’s no way I haven’t, but I can’t find the right article to link to at the moment.  So instead, I’ll ramble on for a bit about the over-discussed and tired topic.

I did find this topic, wherein I discussed my router upgrade.  Recently, the manufacturer pushed an update to it, and in this update I found some more robust traffic management and firewall tools.  Naturally, I poked around, and discovered that I could control domain blocking with more refinement.  On a whim–well, more than a whim really–I blocked Facebook and some other well-known web analytic and tracking domains in a custom rule that I then assigned to all my personal devices.

The result was even worse than I had suspected.  There were all manner of things that were linking to Facebook.  Even if I chose to ignore all Facebook prompts, applications and pages were still running their scripts in the background.  Why?!  The question, of course, is rhetorical.

One more incremental step in fighting for internet privacy.

–Simon

Generational Technology

I was talking to my father, as I tend to do, and as what usually happens when I engage in such discourse, especially whilst imbibing, I acquired certain information from a specific point of view and found it interesting.  And so, a blog post is born.

We were discussing technology and the inevitable variances by which the differing generations adapt to it.  It’s cliché, certainly, to envision some old geezer hammering away at a keyboard and yelling at a computer monitor.  For many years, in fact, I provided customer service to such people who couldn’t figure out the difference between a browser’s search menu and address bar–possibly why so many modern browsers have now done away with the differentiation altogether.

Of course, I knew the stereotype to be a half truth, and I considered my own father a model example to the contrary.  Dad, a professor, had a history of spending his research grant money on computer equipment, and in fact I, as a child, had been quite enamored by his laboratory on campus.  I willingly accompanied him into work during those summer days of my youth for the sole reason of gaining access to the banks of computers which lined the old slate countertops of those musty rooms.  And, by observation and from rudimentary instruction, I taught myself how to type properly on a modern QWERTY keyboard–years before keyboarding was introduced into the grade school curriculum.

Many years prior, Dad had typed up his doctoral dissertation on an electric typewriter.  And now, while I still can’t hope to capture even his most basic interest in networking technology and infosec, I still see the man using modern hardware not merely with simple intuitive ease, but with something approaching mild obsession.  In short–he’s entirely comfortable with modern technology.  And this is a man who has no connective tissue in his leg to speak of (he’s old).

And during this particular discussion, he was musing over his students’ inability to use basic computing equipment.  A particular anecdote involved his class sending him email invites to subscribe to Office 365 (a rant for another time), so that he might log in and view their term papers digitally.  Basically, his students sent him friend requests to a digital subscription service to view their shared documents…rather than use a printer.

Of course, I have written about the evil contrivances we call “printers”, but that’s beside the point.

But anyway, Dad told me this story because he had been approached for his thoughts on how his aging generation anticipates adapting to our world of rapidly-changing technology, to which he responded that the youngest generation doesn’t know anything about using current technology, and so such concerns were misguided.

As a point of comparison, I thought about young drivers and realized that the youngest generation doesn’t know how to operate motor vehicles properly.  But then again, neither do most people…and most people don’t really know how to effectively use modern operating systems, or we wouldn’t have Windows 10.

Sooo, I guess my point is that expectations are higher than reality and generational gaps have nothing to do with an individual’s ability to learn and adapt…to a point.  I mean, old people still need to stop driving, but I also don’t think most people are competent enough to handle the responsibilities of the Internet either.  Hmm–a conundrum.

–Simon

Diagnostics Addendum

Earlier this year I wrote about the shortcomings of on-board car diagnostics and how I was searching for a computer-reader that would provide more information in the event of a problem.  Like a fire extinguisher, it’s something that I had hoped to never need to use.

But I had to use it.  And I’m glad I had it.

Less than a year after purchasing the CR-V, it died in a grocery store parking lot.  I, being at work, dutifully responded to my wife’s texts in a most timely manner–an hour later–and was off to save the day…cursing and muttering the entire way.

The vehicle, refusing to start, notified me of such by informing me that the parking brake was malfunctioning, as well as the antilock brakes, and the electronic brake stabilizers, and the gate lift mechanism, and a number of other systems.  It was disconcerting, but not very helpful.

So I plugged in the OBDII device and waited while it ran a diagnostic.  It then informed me that two systems had insufficient voltage to operate.  I cleverly deduced that voltage insufficient to operate the braking mechanism probably meant the starter wouldn’t work.  I’m a real mechanic I am.

So I jumped the car and it started, and it promptly died when it got home.  Presumably the battery was bad, but that seemed unlikely given how new it was.

AAA agreed, once they came out and tested the electrical system.  Surely the battery was fine, and something was drawing power when the vehicle was off.

Then the Village Elder came over and gave us a charger, and after manually giving the battery a full charge, I tested it an hour later and it had already been drained.  Ultimately, a replacement battery seems to have fixed the problem, though we’re still left wondering why the original died so quickly.  Maybe it was just a lemon.

I’m also left with the nagging irritation at Honda’s dash alerts.  While telling me that every electrical system was malfunctioning was technically accurate, it wasn’t very practical information, especially considering the error codes themselves had the information we needed.

Oh well, at least the computer reader proved its worth.  I can finally give it a solid recommendation now.

–Simon