16 Aug

Using SSL To Improve Internet Security – A Simple Idea

Posted by jerry as Security, technology

I was headed out with my son today to one of the local jump/bounce places for the birthday party of a neighborhood kid. Having been to these places before, I know that they generally offer free wifi access. I packed up my laptop, thinking that I could work on some web site issues I have been trying to fix.

I got to thinking about the risks of someone sniffing my logins to the sites. That reminded me of a post I wrote recently about an idea to conserve IP addresses. Most of my sites are hosted on a shared IP address on my server. I simply don’t have enough IP addresses to cover all of my sites. Without dedicating an IP address for each, using SSL is simply not possible.

The vast majority of web sites do not have SSL capabilities, in the same way that mine do not.  At the same time, the instances of hacking, snooping and data theft are spiraling out of control.  As well, the “Starbucks” culture of camping out in a restaurant to surf the web on a laptop is growing, leading to many more opportunities for the trivial capture of passwords and other sensitive data.

Certainly, financial data such as credit cards and logins to financial institutions are generally well protected by SSL. The types of information that can be lost at the local coffee shop are more likely to be a Facebook username and password, or the username and password to a webmail account. Useful to the hacker, and damaging to the victim, but not at the same level of severity as a credit card number.

So, in a nutshell, modifying the SSL protocol to allow for the negotiation of the requested domain *before* the SSL tunnel is established has another advantage – allowing sites on shared IPs to use SSL to protect the private information of the users of a site.

It seems to me that the certificate authorities would jump at supporting this idea – it opens a substantially large new market.

25 Jul

Using A VPN With A Tethered Wireless Broadband Connection

Posted by jerry as technology

I have a Blackberry 8703 from Verizon Wireless, and use it extensively.  I opted to buy the plan to use the Blackberry as a tethered wireless modem for a PC, for an extra $10/month.

I’ve used the blackberry as a wireless connection on many occasions, and it generally works pretty well, though often seems pretty slow.  One thing I had never been able to get working was the VPN client to my employer.  I hadn’t spent a lot of time thinking about it, but one day I really needed to connect and had no other options.

Now, the VPN connection would establish, but I could not reach any systems on the company network.  I had spent a good amount of time as a network engineer in a former life, so I’m fairly adept at troubleshooting such things, despite my management lobotomy.

I opened up a DOS shell and tried pinging the intranet web server. Sure enough, the pings were getting through. But I still could not get a web browser to connect to the site. After pondering it for a minute, I knew the answer. I tried the ping again, but this time I set the packet size to 1500 bytes, the normal TCP maximum size. Voila! The pings did not get through. I retried the ping, decreasing by 100 bytes each time, until I got to 1100 bytes. At 1100, the pings worked again.

Next, I went out and found this document on resetting MTU size in Windows.  I followed the instructions in the section labelled “Change the MTU Settings for VPN Connections”.  I followed the directions to reset the VPN MTU to 1100 bytes.  A requisite reboot, and I was connected.

I have since observed that web browsing in general is much faster as well.  Originally, I had thought that the overhead of the VPN client was causing an overrun in the size of the packets, forcing them to be fragmented, which is generally not handled elegantly.
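The probing done by hand above (shrink the ping payload until replies come back) is a path MTU search, and it can be automated as a binary search with the Don't-Fragment bit set so oversized probes are dropped rather than silently fragmented. The following is an added example, not code from this post. It uses the platform ping binary (Windows `-f -l`, Linux iputils `-M do -s`) and treats a `ttl=` field in the output as proof of an echo reply; the probe function is passed in so the search itself can be exercised with a simulated path. One fact worth knowing when turning the result into an interface setting: ping's size is the ICMP payload only, so a 1100-byte payload corresponds to an 1128-byte IPv4 packet (20-byte IP header plus 8-byte ICMP header). The default target host is a placeholder.

```python
import platform
import subprocess
import sys
from typing import Callable

IPV4_ICMP_HEADER_BYTES = 28  # 20-byte IPv4 header + 8-byte ICMP echo header, not counted in ping's size


def ping_with_df(host: str, payload_bytes: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with Don't-Fragment set; True only if an echo reply came back.

    Both Windows and Linux ping print a 'ttl=' field (case differs) on a real reply,
    which is a more reliable signal than the exit code when a router answers with
    'fragmentation needed' instead of dropping the probe silently.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload_bytes), "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload_bytes), "-W", str(timeout_s), host]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 5).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return "ttl=" in out.lower()


def largest_unfragmented_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1500) -> int:
    """Binary-search the largest payload size for which probe() succeeds.

    Assumes the path is monotonic (a size that passes implies every smaller size
    passes), which holds when one fixed-MTU hop is the bottleneck. Raises if even
    the smallest probe fails, since that means the host is unreachable or ICMP is
    filtered and no MTU conclusion can be drawn.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid       # mid passed; the answer is mid or larger
        else:
            hi = mid - 1   # mid was dropped; the answer is smaller
    return lo


def path_mtu(probe: Callable[[int], bool], lo: int = 0, hi: int = 1500) -> int:
    """Largest payload plus the IPv4/ICMP headers: the MTU value to configure on the interface."""
    return largest_unfragmented_payload(probe, lo, hi) + IPV4_ICMP_HEADER_BYTES


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1"   # placeholder host, pass your own
    payload = largest_unfragmented_payload(lambda n: ping_with_df(target, n))
    print(f"largest payload without fragmentation: {payload} bytes")
    print(f"interface MTU that avoids fragmentation: {payload + IPV4_ICMP_HEADER_BYTES} bytes")
```

Run it against the intranet host while the VPN is up; the second printed value is the MTU to set on the VPN adapter. Setting the MTU to the payload size alone, as in the post, also works but leaves 28 bytes unused.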

Hopefully someone is able to find this tidbit useful.

13 Jul

What To Do About The Shortage Of IP Addresses

Posted by jerry as technology

For years now, we have heard about the impending end of the Internet as we run out of IP addresses. For a while, it was so persistent and frequent, it became background noise to me. The only way to save the Internet is to move to IPv6, the story goes.

I’ve spent a lot of the past decade in various networking, programming and technology management roles, and dabbled a bit in web hosting work. One thing that is obvious to me is that we are not going to be moving wholesale to IPv6 any time soon.

I was surprised to see an article the other day bringing up the dreaded doomsday of the Internet, predicting that we have 3 years until the end.


06 Dec

Securing Adolescents From Exploitation-Online (SAFE) Act

Posted by jerry as politics, technology

The US House of Representatives passed the SAFE act by a 409 to 2 margin. It also appears likely to pass the Senate. It is interesting to note that one of the 2 “nay” votes on the bill was none other than Ron Paul. While I agree with his decision to vote against the bill, it will certainly come back to bite him. “How can you be in favor of exploiting children, Mr. Paul?”

On the surface, the bill appears to be a draconian measure placed on ISPs, web hosts, public wifi providers, etc., requiring them to report all instances where child pornography is transmitted over their network to the National Center for Missing and Exploited Children. The penalty for non-compliance is US$150,000 for a first offense, and $300,000 for subsequent offenses. Complying with the law provides civil and criminal immunity from any resulting legal issues of the disclosure. That’s about the extent of what is being reported in most of the alarmist media.

If you ACTUALLY READ THE BILL, you will notice this interesting section:

    (f) Protection of Privacy- Nothing in this section shall be construed to require an electronic communication service provider or a remote computing service provider to–
    (1) monitor any user, subscriber, or customer of that provider;
    (2) monitor the content of any communication of any person described in paragraph (1); or
    (3) affirmatively seek facts or circumstances described in subsection (a)(2).

Very interesting.  So, the law doesn’t require the providers to proactively monitor traffic.  So, what does it do then? 

Providers that use technology to determine if someone is viewing an inappropriate site – from a known list of sites or from some form of intelligent analysis of the image content – are compelled to report such traffic to the NCMEC. If a web hosting company discovers that a customer is hosting child porn, the hoster must report it.

The other important aspect of the law is what must be reported. Essentially all identifiable info that is known must be submitted, presumably in an attempt to track back to the owner.

In some respects, this bill just makes something that’s illegal even more illegal. The bill does add some additional mechanisms to find the child pornographers, distributors and those that view it, and does not appear to place a major burden on providers.

The downside, as usual, is in the interpretation of child porn. It’s interesting that a definition of “child pornography” is not included in the bill, yet many other things, like “web site”, are. It is conceivable, as some reports of the bill contend, that clothed children in lascivious poses could constitute child porn. I wonder how the average Abercrombie & Fitch catalog would fare?

21 Nov

Intoxicated by hydrogen

Posted by jerry as alternative fuels, technology

Here we go again: http://www.businessweek.com/magazine/content/06_48/b4011432.htm?campaign_ic=bier_innvg

First hydrogen fuel cell motorcycle. Yay. We can crank these things out for the 3rd world masses and urban dwellers and our pollution problems are solved. One of the comments on that page sums up the great misconception about hydrogen fuel cells well: you just put water in, the fuel cell splits out the hydrogen, then converts the hydrogen into water, which produces electricity. Sadly, that’s not how the world works, Johnny. If it did, I’d quit my job and I’d be cranking out electricity from the Chattahoochee River like nobody’s business.

You Cannot Get Something For Nothing

Fuel cells are simply a method of converting a fuel directly into usable energy, without most of the waste heat losses involved in burning it to turn a turbine, push a piston or boil water. You must supply it with hydrogen to use. That hydrogen has to come from somewhere. The only real method we have to produce hydrogen on any scale is through electrolysis of water. That takes electricity. More electricity than is obtained through the fuel cell.

Hydrogen is NOT an energy source

Unlike gasoline, hydrogen is NOT a source of energy. It is a storage medium. It is the equivalent of a battery. Electricity has to go into it in order for anything to come out of it. The only exception to this is if we somehow found a deposit of “pure” hydrogen or we were able to magically pull the hydrogen out of water without using more energy than can be obtained from the extracted hydrogen. So far, neither seems likely.

Hydrogen Economy

You may have heard of the “hydrogen economy” before. Basically, that’s the production and distribution of hydrogen on a scale equivalent to diesel or gasoline: major “refineries” which would extract hydrogen from water, pipelines and tanker trucks to move the presumably liquid or compressed hydrogen around, and fuel stations to deliver the hydrogen.

All Is Not Lost

While hydrogen is not the panacea that many people understand it to be, there are some big advantages. The primary advantage is that it is created from electricity. That means that we can use conventional nuclear power, solar power, geothermal power, wind power, wave/tidal power, or the more traditional coal/natural gas power. Large-scale production will yield efficiency improvements in extracting hydrogen from water. The second great benefit is that it’s really easy to create. Conceivably, a small “reactor” could be bought for home use that would plug into your house electrical system, connect to your garden hose to feed it water, and output hydrogen directly into your “gas tank”. Gas stations are no longer a necessity and will likely have a hard time competing with home-produced hydrogen, unless the mass-produced variety can be produced much more efficiently.

Problems Ahead

Hydrogen has some steep drawbacks. The attribute that makes it a good energy storage medium also makes it very dangerous. Hydrogen is very energetic. Fires or explosions that result from hydrogen tanks on vehicles will be very deadly. Hydrogen is also very hard to contain. Its small molecular size allows it to seep through even solid metal containers, however slowly. Refueling will also be much more dangerous than it is with gasoline.