Everything within Reason

Or great, of even f*cked up?

Read about the things that are not making it to Twitter. The real things in life.

Starting for the ‘average Joe’ there’s this MyLifeIsAverage website. For those who do (a lot) better, there’s this MyLifeIsG(reat). And finally, for those whose life went completely down the drain a FMyLife (’F’ as in F*ck ).

It’s like Twitter; addictive, but different and a whole lot funnier.

(Is there an iPhone app yet for these services?)…

(Not that I really care, since I don’t own one)

GoDaddy Secured Seal

But not as you might think.

Many websites carry this nice badge stating the website is secure. Well, it’s not the website that’s secure (or even trusted). It’s the connection from your browser to the server serving the website which is secure.

With the cheap GoDaddy SSL certificates, GoDaddy only verifies the domain name ownership. Not if the domain name owner is legit.

So yes, you’re personal information (if you enter any) is transmitted in a secure way, but in some cases to a bunch of scammers.

The criminals use these cheap SSL certificates to give you a false sense of security. Therefor, ALWAYS check, and double check websites selling cheap electronics etc. And when you’re in doubt;

If it seems too good to be true, it usually is...

It seems that the SSL certificate of www.e-holater.com has been removed from the website. If you try an SSL connection you get a warning that the certificate isn’t correct. Further investigation reveals that a wildcard certificate of the hosting company is presented (Yahoo! in this case).

Initial Warning

SSL Certificate Details

Either they moved their scammers website, or someone removed the SSL certificate. Either way, one relatively large part of their credibility is gone (at least for the average triggerclick-happy Joe).

I wonder how many people actually fall for these scams….. Not too many, I hope (as in ZERO).

It seems that scammers are also using valid and trusted SSL certificates nowadays. It seems that it’s quite simple to get a certificate, since the only verification is the domain name ownership.

Domains can be bought in many ways through lot’s of domain registry offices. People doing the verification can screw up, and they can be paid for by using stolen credit cards. This means that getting a SSL connection without any warnings doesn’t mean that the site your connecting to is actually legit.

Is the WebTrust crumbling down? It’s almost as if a student can run a SSL affiliateship/reseller business from his or hers dorm room. Who is checking procedures? What is being done when things go wrong?

It wouldn’t surprise me if this is some sort of conspiracy of the large SSL brokers. Allow cheap uncontrollable SSL certificates. Cause ‘fear and distress’ among the Internet users by issuing certificates when you’re not supposed to, and sell lot’s of those overpriced Extended Validation (EV) certificates to make people feel good.

Sure, encryption (by using SSL) of user id’s and passwords while traveling the net is a good thing. Same goes for knowing that you’re on the right website. But when they’re issuing a certificate for less than $30 US (which is almost 5 euro nowadays ). You can’t expect them to do a lot of work in verifying the certificate buyer.

I think that there’s gonna be some security issues with el-cheapo SSL certificates in the near future (Mozilla issue, or the PlayStation 3 versus MD5 case). Just to ‘guide’ the sys-ops and security people to the overpriced EV certificates, because more expensive is probably much better.

/me is getting my aluminium hat

WebTrust broken?

When a CA issues a SSL certificate they (the registration authority) should verify certain information provided by the requester. This includes at least the domain name ownership and preferably the person or company tied to the domain name ownership. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].

Basically the complete trust framework collapses (for that CA). Especially combined with hosts file and/or DNS hijacking. What if this incident isn’t the first? What if some cybercrook got some SSL certs due to similar mistakes of your favorite bank? You’re no longer sure if the https connection of your bank really terminates on the servers of your bank. They could just as easily terminate on a server in Russia or Albania. Which leaves you with an empty bank account (most likely).

If the certificate is issued (signed) by a Comodo Root CA (as it was in this case), your browser accepts this as a valid/trusted CA and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time, it’s a Comodo affiliate that’s screwed up (there’s no other way of describing this), but what are the chances that some of those trusted 100+ CA’s make a mistake? The bigger the list, the bigger the chance of wrongfully issues (SSL) certificates.

By the way, if you’re using an older browser (pre IE6 e.g.), chances are that SSL certificate revocation checking is disabled by default. So even when the revoke they certificate you still wouldn’t know…. You can verifiy this by opening the Internet Explorer options section and checking the Advanced tab.

MTV placed a ton of music video’s online. There are even several charts available. Guess which one is ranked numero uno @ ‘Top Rated’?

A usenet posting suggests that XS4ALL will provide a filtering service to their subscribers. The filter would consist of 5 levels. Ranging from fully open to ‘fully’ closed. The first will give you the possibility of running your own services at home, and the latter means you’re only able to e.g. surf and e-mail (through the XS4ALL SMTP server).

The filters would give the basic/ignorant user the opportunity of preventing the spreading of malware and other stuff by default. The more tech savvy subscribers can remove the filter for running a bunch of services (webserver, ftp, mail, DNS, etc).

Definitely a good decision. I just hope that the other ISP’s will do something similar, because most of the virus/malware/massmailing ’software’ is running on PC’s run by the average user. Totally ignorant of the malware running on their PC’s.

Yet another ‘thumbs up’ for the quality provider of the Netherlands

Like most security conscious people I use Firefox (FF) for my everyday browsing on the Internets. So when the Mozilla guys released version 3 I installed it on all my machines (2 Windows and 2 OSX platforms).

It was a bit getting used to. The underlying FF part had been changed. Bookmarks, history etc are all stored in sqlite databases. So no more flatfiles. This took me a couple of hours to figure it out, but finally I got ‘there’.

Using FF was business as usual… Apart from one very annoying bug; Opening new windows (not new tabs) results often in an empty bookmarks bar. And this is happening on Windows and OSX versions of FF.
The bookmarks are ‘there’ but not click-able. Using the right mouse button (on OSX: ctrl-mouse click) on the bookmarks bar and selecting ‘Open All in Tabs‘, FF opens every bookmark in the bar.

The only way of restoring the proper bar is the completely shutdown FF and restart it. After that it works for a certain amount of time.

The problem isn’t isolated to my environment. Just google on the issue, and you’ll find more people. There’s one suggestion I haven’t tried yet. Starting with a fresh/clean profile, but I do need my settings/passwords/bookmarks. I’m lost without those

UPDATE: I tried a new profile, and this seemed to work. After this I started to repopulate the new profile with the old settings, etc. Everything went fine until the point where I added the extensions. It seems that even old / not active extensions (SwitchProxy in my case) are still able to f*ck things up.

I, and probably the rest of the world as well, am being hit with spam in the comments at this moment. Over 100 comments a day are intercepted by Akismet.

It seems that all the spamjerks have found a way of creating userprofiles on public websites/forums/blogs and are referring to those in the spam. Below are some examples URL’s which were active at the time of me writing this:

• http://www.lonelyplanet.com/thorntree/profile.jspa?editMode=true&userID=678271
• http://mu.wordpress.org/forums/profile.php?id=699061

I send an e-mai lto Lonely Planet descibing their problem. Let’s hope that they fix it soon.

In the mean time; All hail Akismet!!!!

Mozilla released Firefox 3 during my holiday. So the first thing I had to do was upgrade v2.x to the latest version. Initially everything seemed fine…. INITIALLY…

The trouble began when I tried to add bookmarks. The new bookmark interface (it’s called Library) showed up empty. When I tried to add a bookmark, it was impossible to remove it.

“Why would you want to remove a bookmark??” Well, because every bookmark I added ended up with the URL to some ad. At first I thought I had some weird virus or trojan on my Mac. But it seemed that every Mac had the same problem.

E.g. If I added the SnipURL button to my toolbar (which is basically a javascript) it would work, but when I pressed the button, it would show a Google ad. There was also no way of removing or changing it.

Today I started digging into the /Users/<username>/Library/Application Support/Firefox/ folder. This was the place where all settings were stored. After fooling around with importing the old bookmarks.html file I ended up with 3 times the amount of bookmarks and no way of deleting them.

It seemed that Firefox 3 uses a SQL-like database called ‘places.sqlite‘. This database imports the old bookmarks.html file upon the first launch. Possibly, that html file was corrupt (or what ever), because when I removed all bookmarking files (I did make a backup of the old bookmarks.html file!!!!) and relaunched Firefox 3, the bookmarking interface worked correctly. Now I imported the ‘old’ bookmarks.html file, and everything was back to normal (so far).

For those interested; I removed the following files under the /Users/<username>/Library/Application Support/Firefox/ directory;

• Everything with bookmark in it’s name (make sure to backup the ‘original’ bookmarks.html). This includes backups etc.
• places.sqlite

After starting Firefox 3, you may want to import and (re)organize the old bookmarks.

Note that this scenario occured while upgrading from the latest Firefox 2 version to 3 on an Intel Mac. Other scenario’s might show similar ‘bugs’, but are not tested in any way.

Apart from this ‘minor’ issue, I’m very happy with the new browser. Speedy, less memory consumption, etc.

Now I need to figure out if bookmark-syncing is available in FF3.