Things that annoy me, number 543,321: Expired or no SSL certificates

Update: MPC finally got around to renewing their SSL certificate on the 15th May!  Alas, however, the site still serves mixed content. 🙁

This is 2018, a year in which IT infrastructure is constantly under attack and privacy is king (except when it isn’t, and you’ve just given an app permission to slurp your data and sell it to the highest bidder).  I’m a very strong advocate of making sure that ALL websites load over SSL by default, because any form of input from the client (whether it be form filling, a local search box, or whatever) is otherwise sent in plain text, which gives anybody on the path the opportunity to sniff the contents of the transmission.

SSL hasn’t had it easy, however.  We’ve had companies running certificate authorities compromised, SSL vendors compromised, certificate key sizes and signature algorithms weakened by the increasing power of hardware (forcing everybody to switch to stronger ones), and all manner of things in-between.  I’ve seen a lot in the 9 years I’ve been working in the hosting industry and in the 9 months I’ve been working in e-commerce.  I’ve been using SSL on this blog for a considerable amount of time, whether via paid SSL certificates, Let’s Encrypt, cPanel/Comodo-issued certificates or through CloudFlare.

ALAS!

I’ve recently ranted (then deleted) about how a BBC Apprentice winner launched their brand new website without SSL, then added SSL but screwed up loading assets over the secure connection, along with a number of other issues that are super important in modern web site maintenance.  I also discovered ANOTHER Apprentice winner whose website doesn’t load over SSL by default, with contact forms that send data in plain text.  So much for that £250,000 investment!

Then, as I was just browsing the ‘net, I suffered problems browsing a major computer vendor’s web site where a third party service they use had an expired SSL certificate, leading to mixed content and warnings galore.

Now I’m stumbling across websites that have SSL but are using a certificate from a Symantec-rooted CA that browsers are in the process of distrusting, which essentially means that anybody who bought a certificate from one of the affected vendors prior to certain dates will need to have it re-issued (or, if it’s close to expiry, just renew it a little earlier than planned).

Despite the pain in the arse that managing SSL brings, it is nevertheless very important.  Google will start downranking websites in their search rankings that don’t have it, and the likes of Chrome will eventually display a big unfriendly warning that a site is insecure if you do not load your site over SSL by default.  Chrome is still very much the dominant browser on the block right now, so I’d take notice of what they’re planning to do!

I shall give you an example of what I consider to be bad web site management.

So, former employers of mine, MPC (The Moving Picture Company): why has an Academy Award-winning (amongst many, many other awards) company failed to renew its SSL certificate, which expired some 216 days ago and is still in place on the web server?  This is sloppy!  Just removing it would be better than leaving an expired certificate in place.  I sincerely hope that they do not have any client-facing logins off the main moving-picture.com site, because that would cause me to scream.

On a more positive note, their web server doesn’t accept SSLv3 connections.  But that’s perhaps the only good thing I can say about their set-up.

Bad Academy Award-winning company. Bad!
Red warning colour by Technicolor!  And it will persist if MPC, like many other companies, does not take SSL seriously.

BTW, I did reach out to MPC about this, but to date (about a week now) there has been no response and no action.

So unless MPC does something – and sooner rather than later – when a future version of Chrome is released, www.moving-picture.com will display a great big Not Secure message.

If you run a website, blog or whatever it may be – for crying out loud – take a look at your site’s SSL set-up.  Do you even have a certificate?  If not, why not?  Sort it out right away!
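The things this post is complaining about (an expired certificate, a certificate with the wrong name on it, a soon-to-be-distrusted issuer) are cheap to check automatically.  What follows is an added example, not code from the original post: a standard-library Python audit that runs those checks offline against SAMPLE_CERT, a constructed dictionary in the shape ssl’s getpeercert() returns (the host www.example.com, the issuer “Example CA Ltd” and the dates are made up), and, via audit(), against a live host.  The list of Symantec-owned issuer brands is an assumption taken from the browser distrust plan, not something the post states.

```python
"""Added example (not from the original post): a small TLS certificate audit.
Standard library only.  SAMPLE_CERT is constructed in the shape that
ssl.SSLSocket.getpeercert() returns, so the checks below run offline."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample: an expired, domain-validated leaf for a hypothetical host.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "GB"),), (("organizationName", "Example CA Ltd"),)),
    "notBefore": "May 15 00:00:00 2017 GMT",
    "notAfter": "May 15 23:59:59 2018 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# Assumption: the Symantec-owned issuer brands affected by the browser distrust.
DISTRUSTED_ISSUER_HINTS = ("Symantec", "GeoTrust", "Thawte", "RapidSSL")

def parse_cert_time(text):
    """'May 15 23:59:59 2018 GMT' (the getpeercert() format) -> aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def days_until_expiry(cert, now=None):
    """Whole days left; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(cert["notAfter"]) - now).days

def issuer_org(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"), "")

def names_in_cert(cert):
    """DNS SANs are what browsers match; the CN is only a fallback for old certs."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_covered(cert, hostname):
    """Exact match, or a single-label wildcard: *.example.com covers www.example.com,
    but not example.com and not a.b.example.com."""
    hostname = hostname.lower()
    for name in (n.lower() for n in names_in_cert(cert)):
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname and hostname.split(".", 1)[1] == name[2:]:
            return True
    return False

def classify(cert, hostname, warn_days=30, now=None):
    """The findings that matter: expired or expiring, wrong name, distrusted issuer."""
    problems = []
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"expired {-days} days ago")
    elif days < warn_days:
        problems.append(f"expires in {days} days")
    if not hostname_covered(cert, hostname):
        problems.append(f"{hostname} is not among the certificate names {names_in_cert(cert)}")
    org = issuer_org(cert)
    if any(hint.lower() in org.lower() for hint in DISTRUSTED_ISSUER_HINTS):
        problems.append(f"issued by {org}: check the Symantec distrust schedule and re-issue")
    return problems

def audit(hostname, port=443, timeout=5.0, warn_days=30):
    """Live check.  A handshake that fails verification is itself the finding, and
    OpenSSL's reason string says why (e.g. 'certificate has expired')."""
    report = {"host": hostname, "problems": []}
    ctx = ssl.create_default_context()  # chain and hostname verified against system roots
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                report["protocol"] = tls.version()
                report["issuer"] = issuer_org(cert)
                report["days_left"] = days_until_expiry(cert)
                report["problems"] = classify(cert, hostname, warn_days)
    except ssl.SSLCertVerificationError as exc:
        report["problems"] = [f"verification failed: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        report["problems"] = [f"connection failed: {exc}"]
    report["ok"] = not report["problems"]
    return report

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["www.example.com"]:
        print(audit(host))
```

audit() deliberately leaves certificate verification switched on: an expired or mis-named certificate then surfaces as OpenSSL’s reason string instead of being silently accepted, whereas with verification off getpeercert() returns an empty dictionary and tells you nothing.  The SSLv3 check mentioned above isn’t in here because a modern Python/OpenSSL build cannot negotiate SSLv3 at all; test that with `openssl s_client -ssl3 -connect host:443`, and a handshake failure (or the option being rejected outright) is the answer you want.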

Update: It’s not just MPC that’s got an SSL problem – practically every Soho-based VFX company other than perhaps two or three either doesn’t have an SSL certificate at all or, if you attempt to load the site over SSL, presents a certificate with an invalid common name (e.g. the certificate of another domain).  Chrome will be switching on the Not Secure flag in July when Chrome 68 is released.  We’re on Chrome 66 at the moment.  Time is counting down...

Update on the update: home.bt.com is another culprit that doesn’t load over SSL by default, and if you try to force it, returns mixed content (i.e. it won’t load certain assets over SSL, so you might as well treat the whole connection as insecure).  Man, this is crazy.  If telecoms companies aren’t doing the right thing by default...
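Mixed content of the kind seen on the MPC and home.bt.com sites is easy to find before a browser does: parse the page and list every sub-resource that still resolves to http://.  The following is an added example, not code from the original post: a standard-library Python scanner.  SAMPLE_HTML, SAMPLE_PAGE_URL and the hostnames in them are constructed for illustration.

```python
"""Added example (not from the original post): a mixed-content scanner for a page
served over HTTPS.  Standard library only; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource, per tag.  <a href> is a
# navigation, not a sub-resource, so it is deliberately absent.  <form action> is
# included because an https page posting to http:// sends the fields in plain text,
# even though browsers do not class that as mixed content proper.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",), "link": ("href",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "object": ("data",), "embed": ("src",), "form": ("action",),
}
# Only these <link rel> values fetch something; rel="canonical" is just metadata.
SUBRESOURCE_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch", "manifest"}

def candidate_urls(attr, value):
    """srcset holds comma-separated 'url descriptor' pairs; everything else is one URL."""
    if attr == "srcset":
        return [part.split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, raw value) for every plain-http sub-resource

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & SUBRESOURCE_RELS:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            for raw in candidate_urls(attr, value):
                # urljoin resolves relative paths and protocol-relative //host/... against
                # the page URL, so only an explicit http:// ends up with scheme "http"
                # when the page itself is https.
                if urlsplit(urljoin(self.page_url, raw)).scheme == "http":
                    self.findings.append((tag, attr, raw))

def scan(page_url, html):
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page with one of each pattern seen in the wild.
SAMPLE_PAGE_URL = "https://www.example.com/contact"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/contact">
<script src="//static.example.net/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="/images/logo.png" srcset="http://img.example.net/logo@2x.png 2x, /images/logo.png 1x">
<iframe src="http://widgets.example.org/chat"></iframe>
<form action="http://www.example.com/submit" method="post"><input name="email"></form>
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag} {attr}> loads over plain http: {url}")
```

Feed scan() the fetched HTML of the https:// URL you are testing.  Protocol-relative (//cdn/…) and relative URLs are resolved against the page URL, so they are only flagged when the page itself is served over http://, which is the point: relative URLs are the fix.  Chrome blocks active mixed content (scripts, stylesheets, iframes) outright and only warns on passive content such as images, so the stylesheet and iframe findings above would break the page, not just its padlock.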


For a later blog post: Is Google becoming too dominant?  Are Google’s new Gmail security tools proprietary, and will it eventually make existing email standards obsolete?  Will RFCs aka “internet standards” be a thing of the past?

Going back to my roots.. now hosting with Memset Hosting

I spent a very happy 9 years at Memset Hosting as an employee, working my way up from systems administrator to senior systems administrator and finally to First Line Team Leader.  I changed offices three times (with two location changes) and dealt with more customers and configurations than I care to count.

Now that I’m working for an entirely different company, one that specialises in e-commerce/e-business platform development, I don’t get the perk of free servers or hosting; I have to pay for it myself.  For two months after leaving Memset I moved my cPanel and Ubuntu servers to Digital Ocean – mainly to avoid any potential conflict of interest, and also because I wanted to check DO out properly.  All was good – I have no complaints about Digital Ocean.  I’d recommend them for development or testing, and no doubt I’ll be using them when I need to spin up a server for a day or two to try something out.

But gradually I’ve been moving stuff back to Memset – this time as a paying customer.  I got a bit fed up with Rackspace Cloud Files and the lack of decent granular controls over containers; it just wasn’t the same experience I had back at Memset.  So I set up a pay-as-you-go Cloud Storage service for backing up my virtual private servers.  Interestingly, I’m using Nick Craig-Wood‘s (one of my former bosses at Memset) rclone to push the backups to Memset Cloud Storage as well as Backblaze’s B2 object storage.  I like some redundancy in my backup strategy in case things go completely awry.  It’s been working great so far.  And since I started the new job I’ve been exposed much more to git and Bitbucket, so I now use that to store the configuration and automation tools I’ve written for my blog server.

I finally decided to commit to Memset for my long-term virtual private server needs.  I set up two of them – one for the blog, the other for cPanel.  I have an external cPanel license which I can take with me from hosting company to hosting company, but the downside is that it’s about £3/month more expensive than Memset’s – so there I’ve made a mistake.  Next year I’ll probably switch to Memset’s cPanel license instead.  I find cPanel to be like the G Suite of the hosting world – I can set something up and it’ll just work.  It doesn’t require too much effort on my part (except for the initial set-up and hardening/locking down).  So I decided to move my blog (which was running Varnish as an exercise for what I’m playing around with now) to cPanel.  That doesn’t run Varnish, but Memcache still gives WordPress the edge.  There are a few hundred milliseconds in it, but that’s fine.  Everything is on one server, so the old new(!) blog server is retiring next month.  I upgraded the cPanel server to a better specification (and here’s one difference between Digital Ocean and Memset – you get an extra 2 CPUs at the 4GB RAM mark with Memset, and you do notice the difference).

I’ve had to make just one support query with Memset about the initial set-up of my servers, and my former colleagues did me proud with a quick turnaround.  The only other problem was that the monitoring configuration was slightly wrong – I guess the CentOS 7 image might need looking at – but it was easily fixed, and I’m using the bundled self-managed Advanced Port Patrol to notify me of any problems.

I provisioned each server with 20GB of block storage, mounted it under /backup and keep backups dumped there.  If I ever need to re-image the server itself, that block storage persists and I can just restore from the backups stored there.  I also have the Cloud Storage backups too, of course, but this is ever so slightly quicker.

Overall I’m paying £35.50 including VAT for a 4GB, 4 vCPU, 60GB SSD CentOS 7 virtual private server including the extra 20GB of block storage.  Cloud Storage costs me around 60-70p per month including the backups AND two snapshot images of the server.  Compared to the £26 I was paying just for my Times and Sunday Times iPad newspaper subscription, it’s an absolute bargain.

(And before anybody asks – no, Memset are not paying me to post this, nor are they giving me any freebies – I’m 100% paying my own way here.)

You don’t need ransomware to make me WannaCry about Windows..

Windows Servers.  What a load of old tosh.  The past three weeks or so have seen me tinkering unnecessarily with the blasted things because Microsoft has written an operating system so super sensitive to hardware changes – principally because of licensing – that merely upgrading the underlying virtualisation software makes the operating system think it has a new network card.  You can imagine the chaos something like that can cause!

It’s not just that which makes me despise Windows Server.  For similar reasons, if a dedicated server chassis dies and needs to be swapped out, you’d better have a spare, because any hardware change will cause Windows to freak out.  Linux has no problem with such things, providing you’re using a modern distribution and reasonably up-to-date hardware.  Generally speaking, with maybe a very few exceptions, Linux Just Works(tm).

Don’t get me started on those people that are still running the now 15-year-old Windows 2003... (though this article about Fasthosts running Windows 2003 for their backup platform made me laugh a lot more than it should have – and bury my face in my hands at the thought of leaving an obsolete OS in charge of critical customer backups).

The whole WCry situation around these parts has, strangely, been pretty good – a lot more people have taken an interest in their backups and in patching their systems, and this is only to be commended.  A good old major outbreak tends to kick people in the teeth and get them thinking about disaster recovery.

Just because I use macOS and Linux doesn’t mean I’m complacent – oh no.  Apple has very recently released updates to iOS, macOS and watchOS to fix a rather nasty vulnerability, as well as general performance updates.  It’s one of the reasons I went back to iOS – Apple has become very good at rolling out updates much faster and more on schedule than the likes of Samsung.

The server on which this blog runs uses something called KernelCare, which patches the kernel in real time for newly discovered vulnerabilities.  This has the advantages of:

  1. Not having to wait for the OS vendor to release a patch.
  2. You don’t have to reboot the machine.

In my testing of KernelCare it has worked very well.  If you’re using it in a VPS, the VPS must be fully virtualised – paravirtualisation won’t cut it.

Meanwhile, Microsoft should stick to producing office productivity software and gaming (Xbox One) – it’s what they’re good at.  I’ve completely lost faith in their desktop and server operating system divisions.

Flim Flam Film Spam

I am convinced somebody out there is putting themselves out as a spammer-for-hire for a number of UK film distributors.  It’s all exceptionally dodgy because the spammer is utilising a large number of domains (far too many) and super cheap web hosting outside the UK, where dedicated servers are super cheap – and the bandwidth doubly so.

There appears to be absolutely no logic to the spammer’s mailing list of spamees – it feels completely random.  You’d think they’d use a list of known investors with money to burn, but this feels like it’s targeting individuals, promising them many riches and rewards for investing in the UK film industry.

The latest spam originates from a Spanish server.  The Spanish web host/ISP doesn’t offer an abuse@ mailbox (which they should, under RFC 2142), and the unsubscribe URL is invalid – it doesn’t even resolve.

I’ve been in contact with the distribution company mentioned in the spam, asking them if they’re aware of the email (it could be that they’re not, and the whole thing is a massive scam – in which case the distribution company had better be informed so they can take action against the spammers themselves).  I doubt I’ll hear back, but it’s better to let them know than not.

If you do want to invest in British film, ignore random spam.  Look towards the BFI, who I’m sure can advise accordingly.  And remember – there have been a number of high-profile court cases brought by HMRC over alleged tax avoidance schemes.  So it’s vital to get the correct advice.

Stay safe.