Things that annoy me, number 543,321: Expired or no SSL certificates

Update: MPC finally got around to renewing their SSL certificate on the 15th May!  Alas, however, the site still suffers from mixed content delivery. 🙁

This is 2018, a year where IT infrastructure is constantly under attack and privacy is king (except when it isn’t, and you’ve just given an app permission to slurp your data and sell it to the highest bidder).  I’m a very strong advocate of making sure that ALL websites load over SSL by default, because otherwise any form of input from the client (form filling, a local search box, for example) is sent in plain text, which gives anybody on the path the opportunity to sniff the contents of the transmission.

SSL hasn’t had it easy, however.  We’ve had certificate authorities compromised, SSL vendors compromised, key encryption algorithms weakened by ever-increasing computing power (forcing everybody to switch to a stronger algorithm), and all manner of things in-between.  I’ve seen a lot in the 9 years I’ve been working in the hosting industry, and in the 9 months I’ve been working in e-commerce.  I’ve been using SSL on this blog for a considerable amount of time, whether with paid SSL certificates, Let’s Encrypt, cPanel/Comodo-issued certificates or through CloudFlare.

ALAS!

I’ve recently ranted (then deleted) about how a BBC Apprentice winner launched their brand new website without SSL, then added SSL but screwed up loading assets over the secure connection, along with a number of other issues that are super important in modern web site maintenance.   I also discovered ANOTHER Apprentice winner not loading their website over SSL by default, and with contact forms that send data in plain text.  So much for that £250,000 investment!

Then, as I was just browsing the ‘net, I suffered problems browsing a major computer vendor’s web site where a third party service they use had an expired SSL certificate, leading to mixed content and warnings galore.

Now I’m stumbling across websites that have SSL, but are using a certificate affected by the Symantec distrust, which essentially means that anybody who bought a certificate from one of the vendors mentioned in the link prior to certain dates will need to have their certificate re-issued (or, if it’s close to expiry, just renew it a little earlier than expected).

Despite the pain in the arse that managing SSL brings, it is nevertheless very important.  Google will start downranking websites that don’t have it in their search results, and the likes of Chrome will eventually display a big unfriendly warning that a site is insecure if you do not load your site over SSL by default.  Chrome is still very much the dominant browser on the block right now, so I’d take notice of what they’re planning to do!

I shall give you an example of what I consider to be bad web site management.

So, former employers of mine, MPC (The Moving Picture Company), why has an Academy award-winning company (amongst many, many other awards) failed to renew their SSL certificate, which is still in place on their web server some 216 days after expiry?  This is sloppy!  Just removing it is a better thing to do than leaving an expired certificate in place.  I sincerely hope that they do not have any client facing logins off the main moving-picture.com because this would cause me to scream.

On a more positive note, their web server doesn’t accept SSLv3 connections.  But that’s perhaps the only good thing I can say about their set-up.

Bad Academy award winning company. Bad!
Red warning colour by Technicolor! Which will persist if MPC, like many other companies, do not take SSL seriously.

BTW, I did reach out to MPC about this, but to date (about a week now), no response and no action.

So unless MPC does something – and sooner rather than later – when a future version of Chrome is released, www.moving-picture.com will display a great big Not Secure message.

If you run a website, blog, or whatever it may be – for crying out loud – take a look at your site’s SSL functionality.  Do you even have one?  If not, why not?  Sort it out right away!

Update: It’s not just MPC that’s got an SSL problem – practically all Soho-based VFX companies, other than perhaps two or three, don’t have an SSL certificate, or if you attempt to load the site over SSL, it uses an invalid common name (e.g. the certificate of another domain).  Chrome will be switching on the Not Secure flag in July when Chrome 68 is released.  We’re on Chrome 66 at the moment.  Time is counting down..

Update on the update: And home.bt.com is another culprit that doesn’t load over SSL by default, and if you try to force it, returns mixed content (i.e. it won’t load certain assets over SSL, so you might as well just treat the whole connection as insecure).  Man, this is crazy.  If telecoms companies aren’t doing the right thing by default.. 
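The three faults this post keeps running into (an expired certificate left in place, a certificate whose name doesn’t match the site, and assets pulled in over plain http on an https page) are all things you can check for yourself before Chrome flags the site for you.  The script below is an added example written for this post, not code from MPC, BT or any vendor mentioned; it uses only the Python 3 standard library.  The certificate dict, the inspection date and the HTML are constructed samples (the domains are placeholders, and the 216-day figure is chosen to mirror the post), and the certificate dict is in the shape `ssl.SSLSocket.getpeercert()` returns after a validated handshake.

```python
import calendar
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urlparse

SECONDS_PER_DAY = 86400


def hostname_matches(cert, hostname):
    """True if the certificate names `hostname` via a DNS SAN (or, failing
    any SANs, the commonName).  A '*.' wildcard covers exactly one label,
    so *.example.com matches www.example.com but not example.com."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates with no SAN extension
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def certificate_status(cert, hostname, now=None):
    """Summarise expiry and name match for a getpeercert()-style dict.
    `now` is an epoch timestamp (defaults to the current time).  Days are
    floored, so a certificate half a day past expiry reports -1."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "days_until_expiry": int((not_after - now) // SECONDS_PER_DAY),
        "expired": not_after < now,
        "hostname_matches": hostname_matches(cert, hostname),
    }


class _AssetCollector(HTMLParser):
    # Elements whose URL the browser fetches as a sub-resource of the page.
    ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                   "source": "src", "video": "src", "audio": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = self.ASSET_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet <link>s are fetched as page assets
        url = attrs.get(attr)
        # Explicit http:// is mixed content on an https page; protocol-relative
        # (//host/...) and https:// URLs inherit or use the secure scheme.
        if url and urlparse(url).scheme == "http":
            self.insecure.append((tag, url))


def find_mixed_content(html):
    """Return (tag, url) pairs for assets an https page would load over http."""
    collector = _AssetCollector()
    collector.feed(html)
    collector.close()
    return collector.insecure


def findings(cert, hostname, html, now=None):
    """Plain-English list of problems, empty when the site is clean."""
    status = certificate_status(cert, hostname, now)
    out = []
    if status["expired"]:
        out.append("certificate expired %d days ago" % -status["days_until_expiry"])
    elif status["days_until_expiry"] < 30:
        out.append("certificate expires in %d days" % status["days_until_expiry"])
    if not status["hostname_matches"]:
        out.append("certificate does not name %s" % hostname)
    for tag, url in find_mixed_content(html):
        out.append("mixed content: <%s> loaded from %s" % (tag, url))
    return out


# Constructed sample: a certificate that lapsed on 11 Oct 2017, inspected on 15 May 2018.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Oct 11 00:00:00 2016 GMT",
    "notAfter": "Oct 11 00:00:00 2017 GMT",
}
INSPECTED_AT = calendar.timegm((2018, 5, 15, 0, 0, 0, 0, 0, 0))

# Constructed sample page: one script and one tracking pixel still on plain http.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="http://cdn.example.net/app.js"></script>
</head><body>
<img src="//cdn.example.net/logo.png">
<img src="http://tracker.example.org/pixel.gif">
<a href="http://example.com/page">a plain link is not an asset</a>
</body></html>"""

if __name__ == "__main__":
    for line in findings(SAMPLE_CERT, "www.example.com", SAMPLE_HTML, INSPECTED_AT):
        print("-", line)
```

Against a live site the dict comes from `getpeercert()` on a socket wrapped by `ssl.create_default_context()`; note that for a host with an expired or mis-named certificate the handshake itself fails with `ssl.SSLCertVerificationError`, whose message already names the reason, so the expiry and name checks above are most useful on certificates you have on disk or are about to deploy.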


For a later blog post: Is Google becoming too dominant?  Are Google’s new Gmail security tools proprietary, and will it eventually make existing email standards obsolete?  Will RFCs aka “internet standards” be a thing of the past?

I’m all about that bass, ’bout that bass, no treble..

.. except there’s a decent amount of treble in Apple’s new HomePod “smart” speaker.  But that bass!

The press has certainly not been wrong in stating that this is perhaps the best-sounding speaker of the current generation of “smart” speakers.  The bass and response of the sound emanating from this tiny, yet tubby speaker has definitely put my now redundant Alexa-enabled Echo Plus to shame.

The fibre mesh is lovely to touch, it’s almost difficult not to walk past and give it a bit of a stroke..

Set-up was extremely easy – just plug it into the mains and then hold your iPhone (it must be an iOS device – forget buying one of these if you’re not heavily tied into the Apple iOS ecosystem) near the speaker.  Set-up begins on your iPhone and ends when Siri fires up and prompts you to try her out.

The biggest weakness of this speaker aside from no physical inputs or outputs, plus no Bluetooth support?  Siri.  It has yet to get any of my requests of songs or playlists right (I’m an Apple Music subscriber – albeit using the 6 months free subscription with EE at the moment – I’ll have to start paying again in April) – but I can AirPlay stuff directly from the phone without any bother.

However, what Siri can do is interact with my Philips Hue lights far more quickly via Apple’s HomeKit than Amazon’s Alexa ever could.  I have been extremely impressed with HomeKit’s performance on iOS and Siri so far.  While HomeKit support is still fairly limited within the “smart” devices industry – for example, British Gas’ Hive could REALLY benefit from such support – it also means that many devices would have to be refreshed in order to support a specific chipset that HomeKit requires.  So we may not see Hive support for quite some time.

If you’re curious to know what’s going on inside the HomePod, this iFixit teardown will show you that it’s next to impossible for the average consumer to fix.

It’s funny how the music industry has changed over the past few decades.  When I was a kid growing up in North East London, I was over the moon with the hand-me-down Amstrad tower system, which comprised a turntable, an FM/AM radio/tuner and a dual tape deck (Amstrad was famous for this).  I didn’t even have a CD player for quite some time.

Now we tend to subscribe (monthly or annually) to music services rather than paying for individual tracks or albums, listen on mobile phones or computers, or stream music to speakers.  While many people who take music seriously will still have an amplifier with built-in equaliser (another thing that the HomePod does away with – it’ll automatically “equalise” the music for you), a great many people will still be using these smart speakers in place of a traditional hi-fi set-up.

I’ve been a big fan of Apple’s audio products over the years.  I started off with a 3rd generation click wheel iPod and have made my way up to the iPhone X.  I’ve also bought three types of Beats headphones – the Beats Solo 3 wireless, the Beats EP and the granddaddy of them all, the Beats Studio 3 wireless – and perhaps my favourite of all – the AirPods.  None of these is cheap, and none are the absolute best in class, but I’ve always found a use for them (the Studio 3 wireless is ideal when the neighbours are doing late evening DIY, the Solo 3 for general computing use, the AirPods for daily commuting, and the EP for anything else (I originally bought it in Edinburgh when the Solo 3 unit suffered a charging problem and I had to send it to Apple for repair)).

Porgy and Mess: Star Wars – The Last Jedi

I finally went to see Star Wars: The Last Jedi this week after waiting it out and trying very hard to avoid internet spoilers.  My patience was rewarded (of sorts) as I went to see it outside of peak hours at the local Guildford Odeon.

ALAS!

Using my Odeon Limitless pass to book the showing was one of the most difficult things I’ve experienced so far during the time I’ve had the subscription.  I wanted to go to an earlier showing, but for some reason, the Odeon’s website was playing up.  I wasn’t able to book the same slot again, or the later slot.  For some reason, Odeon’s website locked off all uses of the Limitless card and refused to let me use it.

More error codes than there were stars in heaven.

As the Odeon is now very heavily reliant on the website for bookings, the availability of customer service via telephone is rather limited (9am – 4pm Monday – Thursday, 9am – 5pm Friday at all other times).  I was booking this on Friday evening.

What really got my goat was that Odeon does not publish email addresses.  Internet standards are ignored – an email to [email protected] bounced.  This is extremely bad practice, Odeon.  Let me, as a customer, choose how to contact you.  Web forms aren’t always appropriate.

I had to wait until the following morning to call and try and sort this out – and even then, not much could be done.  The system enabled me to book for the later Monday performance, but there was no confirmation that the credit I used from an Odeon Gift card to upgrade seating would be refunded immediately.

I popped along to the Odeon on Monday and found this:

As I didn’t use a debit or credit card for this booking, I usually pick up tickets at the Box Office.  So I had to go to the confectionery counter to figure out what was going on.  I was told that the ATM machines can dispense tickets with a booking reference, but it’s not entirely obvious from the choices on display:

Perhaps Odeon needs to reword that third option – just say that if you have a booking reference, you can pick up tickets using that rather than implying it may only be for Tesco and Business Voucher holders.

The third complaint was that it appears Odeon do not sell Butterkist Toffee Popcorn.  I’m not a fan of the sweet or regular flavoured stuff served in buckets the size of my head.  In the end, I chose Aero mint balls and the smallest Coke Zero at the extortionate price of £6.68.  I’ll pay it, however, because I do like the Odeon and would still like to see cinemas remain in business.  But if I had a family, kids and all, this would definitely bankrupt me if we visited regularly.

As for the film?  It was alright.  I think the sooner the main franchise moves away from the Skywalkers, the better.

Back to basics!

With the news that practically all modern Intel, AMD (though to a lesser extent) and ARM CPU architectures are vulnerable to attack, it’s time we ditched our fancy pants computers and went straight back to the glory days of 80s computing prowess:

My beloved (and also very crash prone) ZX Spectrum +2A. Notice the mouse in the right hand corner of the photo…

Or pre-Mac Apple:

I was an Apple fan long before it was fashionable to be so…

I’m very glad I don’t work for a hosting company anymore because I’d hate to have to coordinate and apply the forthcoming patches across a big estate.  That’s not to say I won’t have to do something since my work involves the system management of several large sites and as such, will need to work with the hosting partners to ensure that patching is performed correctly.

At least Apple is on the ball as – allegedly – macOS already has mitigation patches in place within the latest release of High Sierra.  Still, the news wouldn’t make me feel any better if I had spent up to £12,500 on a new iMac Pro (which contains Intel’s new Xeon W processors – which I’m guessing are also vulnerable).