300Mbs down, 50Mbs up – that’s pretty darn ludicrous

After nearly 6 months with Zen Internet, I’ve decided to upgrade to their fastest package – Ultimate Fibre 4 – which should give me a top speed of 300Mbs download and 50Mbs upload. And it only costs an extra £8 per month.

It ties me into a new 12-month contract, but I’ve been very happy with Zen’s performance over the past few months. And I’m still extremely happy with the Amplifi kit I purchased too – especially as I’ve seen some really decent Wi-Fi performance gains through firmware updates, and the latest firmware release gives me the ability to VPN back into my home network via the Teleport app.

As I work from home at least one day a week, it’ll get to the point where my home broadband will (vaguely) match that of the work connection – so using a VPN will ensure that any file transfers will remain fast.

I’ll report back when the connection goes live.

The past year has seen an influx of new smartphones flooding the market – all Android, and almost all of them touting at least three rear cameras.

The Huawei P30 Pro has perhaps shown the most promise – until the U.S. government came along and started their trade war with China – as well as the whole Huawei trustworthiness affair. This resulted in Google allegedly cutting Huawei’s access to Android updates at one point. Even with the recent thawing, it’s enough to have put me off considering Huawei smartphones.

I’ve used Google’s Pixel XL and Pixel 2 XL for a while, but even with a frequently updated OS, there have been substantial problems with the phone that have put me off going back to Android at all. I’ve read all the problems with the Pixel 3/3 XL and have been counting my chickens that I didn’t switch.

I am an iOS man, and I’m not likely to ever switch. Here are some statistics as to why that is the case:

  • 1,642 albums (15,648 songs) totalling 108.95Gb, or 37.5 days worth of music stored in Apple Music
  • 361 purchased iTunes films totalling 1.4Tb in total (if I were to download them all in HD), or 30 days worth of viewing back to back in one sitting
  • 38 purchased iTunes TV programmes totalling 947Gb in total (if I were to download them all in HD), or 24 days worth of viewing back to back in one sitting
  • 10,108 photos, 453 videos totalling around 97Gb (APFS) which are stored both on the Mac, iPad Pro and iPhone XS Max as well as the iCloud Photo Library

Switching between Apple Music and something like Spotify is possible with third party programs, but it’s a substantial pain-in-the-arse process and the music catalogues vary between the services which mean that I’d lose quite a few albums/tracks along the way. I know I’d definitely lose all the Studio Ghibli soundtracks if I were to switch to Spotify.

Moving my movies and TV shows to another service is near impossible unless I break the digital rights management of each title. This is illegal in the UK (even for the purposes of backup). The state of the streaming and physical disc union is a massive pile of poop at this point, but iTunes has almost always been the best experience. And the Apple TV 4K has been the best streamer. Newer TVs from the likes of Samsung and Sony are getting the Apple TV app, so content from iTunes is becoming more widely available across other devices. It’s still not ideal, but it’s something that consumers are having to live with if they want to rewatch their favourite films or TV shows.

I’ve also struggled with Android to try and replicate the sheer ease of use and simplicity of Apple’s Photos app. Google Photos has come very close, but it is substantially behind in some RAW camera formats (particularly earlier Sony RX100 models) and limitations in MP4 sizes has meant that I cannot upload my whole library to Google’s servers. I do use Google Photos to upload what I can, however, and my Google Nest Home Hub shows a series of photos from my travels – a bit like a digital photo frame – when I’m in the kitchen.

Then there is iOS itself. We get a major free version every year, and it’s generally very well supported for around 3-4 (and even in some cases 5) years during the lifetime of a device. And it’s regularly updated by Apple to fix major security flaws whenever they occur. When looking at my work’s policies for BOYD phones, we have had to pretty much rule out most Android phones because of the delay in which the device manufacturer roles out security updates. It’s really only Google’s Pixel phones that pass the grade and that kind of rules out the whole purpose of Android IMHO.

Finally, I have an Apple Watch (series 4) which still requires pairing with an iPhone for many functions. However, with the next release of WatchOS, the watch is going to start to gain a bit more independence from the phone. But it will still take a few more iterations before the Apple Watch is a truly standalone product.

So, this leads me to the iPhone 11. We should find out soon when Apple intends to announce this year’s new line-up. It’s not long to go – they usually announce them sometime in September. Rumours suggest that the current XS and XS Max line-up will be renamed “Pro”.

Rumours also suggest that there will be fairly modest upgrades this year, with the bulk of the good stuff coming in 2020. We’re unlikely to see 5G modems this year, and we’re likely to follow the trend of other smartphone manufacturers by having a third camera on the back of the phone – probably an ultra-wide lens.

My plan with EE should allow me to upgrade sometime at the end of September. Whether I will or not really depends on what Apple’s offering with the iPhone 11. I’d REALLY like to see is USB-C connectivity like the iPad Pro. Given the Macs, I work with all have USB-C ports, and I have multiple USB-C chargers, cutting down on Lightning connectors would be a real bonus. There are some sketchy rumours abound that the Pro range of iPhones will feature Apple Pencil support. Useful, but not essential to me (but I can imagine a trillion uses in my line of work).

As for cameras, I’ve been really happy with the iPhone XS Max. It is by far the best camera that Apple has rolled out in a phone. Some recent images that I took:

And I still have a significant amount of storage left for more films, TV shows, music and photos:

So I’d be perfectly happy to continue using the iPhone XS Max for another year if necessary. If I did upgrade, I’d still be on an upgrade anytime plan, but I’d effectively renew my contract for another 2 years – whereas next year I’d be free to leave EE if necessary. But so far I’ve had no reason whatsoever to do so – they’ve been brilliant.

Central Line – is it time to replace the nearly 30 year old stock?

This week I’ve been travelling on London Underground rather than South Western Railway, and there are a number of observations I have to make:

  • South Western Railway doesn’t have the monopoly on delays. We’ve had passengers taken ill, or defective trains across a number of days which has lead to me arriving late in Wimbledon despite leaving plenty of time to allow for such incidents.
  • The Central Line has sections of track which emit deafening high-pitch squealing as the train passes over it. It’s like somebody dragging their claws down a blackboard. I wouldn’t be surprised if it’s loud enough that it could ultimately affect people’s hearing if they’re regular commuters.
  • Shake, rattle and roll. Again, the Central Line has a section of track – between Mile End and Stratford – which has the effect of the train rattling around like a baby’s rattle when the train is going at a decent speed. For the poor saps inside the train, this is extremely uncomfortable and I nearly threw my back out during to a sharp jerk or three. I was sitting at the end of the carriage at the time. I like my insides as they are: neither shaken or stirred.
  • On a couple of days, when the Central Line train left the platform, it’d start and then violently stop. Then start. Then violently stop. And then start again, eventually picking up speed. I’ve a feeling this is the train’s safety mechanism kicking in – perhaps people are leaning against the door (because, of course, the idea is to cram as many people into these carriages like sardines despite the frequency in which the trains run). In any event, the jerking brought on by these stop-starts-stops-starts isn’t conductive to a healthy back.
  • Apple Watch and Apple Pay. A number of times the Apple Watch had difficulties with the barriers – causing a Seek Assistance or Use A Single Card. Attempting the process again resulted in success (unlike SWR’s terrible smart card system). Similar problems on London buses too.
  • People will NOT stop looking at their mobile phones. Man, these people are seriously addicted, and liable to cause accidents. Their eyes are glued to the screens before getting on the train, during the journey, and when getting off. And it’s the getting off part that’s the worst, because you are then stuck behind them and they ain’t going to be moving fast any time soon.

I remember when the current rolling stock for the Central Line was first introduced. It was around 1991 or 1992 when I was enrolled at Epping Forrest College studying for my BTEC, and we suddenly saw these futuristic trains replace the older stock from the time of the dinosaurs. Alas, now, these trains are now behaving like dinosaurs.

I have high praise for the District Line which has been flawless throughout. Bigger trains thanks to bigger tunnels, and walk through carriages results in a much more open environment. Oh, and I nearly forgot to mention proper air conditioning. Unlike the Central Line, where any kind of relief from the boiling temperatures of the train is best to stand against the carriage doorway with the window all the way down.

Next week: The Return of SWR.

And ditch insecure and weak TLS ciphers or risk attack

SSL, or TLS as it should be called these days, is THE de rigueur of modern web site hosting. Well, not so much de rigueur, but more of a necessity. It’s not just about security (encryption between your web browser and the webserver), but SEO (search engine optimisation) requires an SSL/TLS certificate as search engines such as Google are prioritising SSL/TLS protected sites above non-secure sites (see http://www.bafta.org, an example of a web site which could – and indeed should – be using an encryption connection throughout, but doesn’t).

And it’s not just all about encryption. With the HTTP/2 protocol – assuming your web server supports it – can provide a number of improvements that can significantly boost the performance of your site as well.

SSL/TLS certificates used to cost a fortune and were difficult to manage. Every year or so, you’d have to create a new certificate signing request (and private key, if necessary) and then submit the CSR to an SSL vendor. You’d then have to verify you own the domain either by placing a text file on your website, or an entry in DNS. And you’d be paying a pretty penny in the process. And that’s just to protect one URL (or, in the case of most SSL vendors – actually two – one for a subdomain (such as ‘www’), and the other for the bare domain (such as ‘drake.org.uk’). If you wanted to protect a whole bunch of subdomains, you could buy a wildcard SSL certificate. These are even more expensive (though the cheapest I found was $45 per year), but can be deployed across multiple servers and hostnames under the same domain.

Then came along Let’s Encrypt. It’s a free certificate authority that issues free single hostname and wildcard SSL certificates. It’s easily automated and requires very little effort. Wildcard SSL certificates are relatively new – and most people end up issuing single domain certificates through the “certbot” utility.

But it’s just as easy to get a wildcard cert which can be renewed automatically. Usually, like me, you’d run certbot with the –nginx command which sorts out your nginx configuration for you. But if you wanted a wildcard certificate instead, it requires a bit extra work:

certbot-auto certonly --manual --preferred-challenges=dns \
--email [email protected] \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -d *.wombats-are-cool.com

You’ll then be prompted by certbot to add a DNS entry to your domain (in this example, wombats-are-cool.com) and then it’ll go off and verify it exists and issue the certificate. Keep your DNS TTL record for a quick resolution.

Once issued, you’d just alter your nginx server block with:

ssl_certificate /etc/letsencrypt/live/wombats-are-cool.com/fullchain.pem; # managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/wombats-are-cool.com/privkey.pem; # managed by Certbot

Then shove the following in /etc/crontab:

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

(add > /dev/null 2>&1 to taste)

A free wildcard SSL certificate which will automatically renew itself. An alternative to Let’s Encrypt is to use a WAF or CDN such as Cloudflare or Sucuri – both will offer to install a certificate at the edge (e.g. their servers – all traffic will go through their datacentres before being passed to your origin server). This requires a bit more set-up, especially if you want to the WAF/CDN to connect over HTTPS to the origin server. There are a number of approaches to this – including, ironically, using Let’s Encrypt.

Now, don’t forget to disable SSLv3, TLS v1.0 and v1.1 and use strong ciphers. Don’t do what many web site owners do, and accept any old nonsense.

In the following example (from a well known UK multi-media facility), the highlighted protocols are terribly insecure and will fail you in any vulnerability scan, and a temptation for intruders and automated bots. TLS v1.1 isn’t worth keeping around – I’ve been looking at the stats of a very high volume e-commerce web site shows that barely anybody uses it. I’ve configured many web sites to use TLS v1.2 at a minimum and it has had absolutely no impact on browser compatibility.

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|
SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
|
TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
|
TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
|_ least strength: C

Or a more visual representation of the above:

Exposing the versions of your server’s web server, OpenSSL and PHP is also a Bad Thing(tm). Which of course, our poor saps absolutely do:

Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.6.30

Don’t do what these people do. Pay attention to your SSL/TLS settings as well as your certificate.

Meanwhile, I’m happy with this: