<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jerry Bell's World &#187; technology</title>
	<atom:link href="http://www.jerry-bell.com/category/technology/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.jerry-bell.com</link>
	<description>Intelligent discussion on politics, technology, and security. 100% less ads than the competition.</description>
	<lastBuildDate>Mon, 27 Apr 2009 13:40:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Using SSL To Improve Internet Security &#8211; A Simple Idea</title>
		<link>http://www.jerry-bell.com/using-ssl-to-improve-internet-security-a-simple-idea/</link>
		<comments>http://www.jerry-bell.com/using-ssl-to-improve-internet-security-a-simple-idea/#comments</comments>
		<pubDate>Sun, 17 Aug 2008 03:45:34 +0000</pubDate>
		<dc:creator>jerry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">http://www.jerry-bell.com/?p=121</guid>
		<description><![CDATA[I was headed out with my son today to one of the local jump/bounce places for the birthday party of a neighborhood kid.  Having been to these places before, I know that they generally offer free wifi access.  I packed up my laptop, thinking that I could work on some web site issues [...]]]></description>
			<content:encoded><![CDATA[<p>I was headed out with my son today to one of the local jump/bounce places for the birthday party of a neighborhood kid.  Having been to these places before, I know that they generally offer free wifi access.  I packed up my laptop, thinking that I could work on some web site issues I have been trying to fix.</p>
<p>I got to thinking about the risks of someone sniffing my logins to the sites.  That reminded me of a post I wrote recently about an <a href="http://www.jerry-bell.com/what-to-do-about-the-shortage-of-ip-addresses/">idea to conserve IP addresses</a>.  Most of my sites are hosted on a shared IP address on my server.  I simply don&#8217;t have enough IP addresses to cover all of my sites.  Without dedicating an IP address for each, using SSL is simply not possible.</p>
<p>The vast majority of web sites do not have SSL capabilities, in the same way that mine do not.  At the same time, the instances of hacking, snooping and data theft are spiraling out of control.  As well, the &#8220;Starbucks&#8221; culture of camping out in a restaurant to surf the web on a laptop is growing, leading to many more opportunities for the trivial capture of passwords and other sensitive data.</p>
<p>Certainly, financial data such as credit cards and logins to financial institutions are generally well protected by SSL.  The types of information that can be lost at the local coffee shop are more likely to be a Facebook username and password, or the username and password to a webmail account.  Useful to the hacker, and damaging to the victim, but not at the same level of severity as a credit card number.</p>
<p>So, in a nutshell, modifying the SSL protocol to allow for the negotiation of the requested domain *before* the SSL tunnel is established has another advantage &#8211; allowing sites on shared IPs to use SSL to protect the private information of the users of a site.</p>
<p>It seems to me that the certificate authorities would jump at supporting this idea &#8211; it opens a substantially large new market.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jerry-bell.com/using-ssl-to-improve-internet-security-a-simple-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using A VPN With A Tethered Wireless Broadband Connection</title>
		<link>http://www.jerry-bell.com/using-a-vpn-with-a-tethered-wireless-broadband-connection/</link>
		<comments>http://www.jerry-bell.com/using-a-vpn-with-a-tethered-wireless-broadband-connection/#comments</comments>
		<pubDate>Fri, 25 Jul 2008 19:46:40 +0000</pubDate>
		<dc:creator>jerry</dc:creator>
				<category><![CDATA[technology]]></category>
		<category><![CDATA[broadband]]></category>
		<category><![CDATA[tethered]]></category>
		<category><![CDATA[verizon]]></category>
		<category><![CDATA[wireless]]></category>

		<guid isPermaLink="false">http://www.jerry-bell.com/?p=72</guid>
		<description><![CDATA[I have a Blackberry 8703 from Verizon Wireless, and use it extensively.  I opted to buy the plan to use the Blackberry as a tethered wireless modem for a PC, for an extra $10/month.
I&#8217;ve used the blackberry as a wireless connection on many occasions, and it generally works pretty well, though often seems pretty slow.  [...]]]></description>
			<content:encoded><![CDATA[<p>I have a Blackberry 8703 from Verizon Wireless, and use it extensively.  I opted to buy the plan to use the Blackberry as a tethered wireless modem for a PC, for an extra $10/month.</p>
<p>I&#8217;ve used the blackberry as a wireless connection on many occasions, and it generally works pretty well, though often seems pretty slow.  One thing I had never been able to get working was the VPN client to my employer.  I hadn&#8217;t spent a lot of time thinking about it, but one day I really needed to connect and had no other options.</p>
<p>Now, the VPN connection would establish, but I could not reach any systems on the company network.  I had spent a good amount of time as a network engineer in a former life, so I&#8217;m fairly adept at troubleshooting such things, despite my management lobotomy.</p>
<p>I opened up a DOS shell, and tried pinging the intranet web server.  Sure enough, the pings were getting through.  But, I still could not get a web browser to connect to the site.  After pondering it for a minute, I knew the answer.  I tried the ping again, but this time I set the packet size to 1500 bytes, the normal TCP maximum size.  Voil&#224;!  The pings did not get through.  I retried the ping, decreasing by 100 bytes each time, until I got to 1100 bytes.  At 1100, the pings worked again.</p>
<p>Next, I went out and found this <a href="http://support.microsoft.com/?id=826159">document</a> on resetting MTU size in Windows.  I followed the instructions in the section labelled &#8220;Change the MTU Settings for VPN Connections&#8221;.  I followed the directions to reset the VPN MTU to 1100 bytes.  A requisite reboot, and I was connected.</p>
<p>I have since observed that web browsing in general is much faster as well.  Originally, I had thought that the overhead of the VPN client was causing an overrun in the size of the packets, forcing them to be fragmented, which is generally not handled elegantly.</p>
<p>Hopefully someone is able to find this tidbit useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jerry-bell.com/using-a-vpn-with-a-tethered-wireless-broadband-connection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What To Do About The Shortage Of IP Addresses</title>
		<link>http://www.jerry-bell.com/what-to-do-about-the-shortage-of-ip-addresses/</link>
		<comments>http://www.jerry-bell.com/what-to-do-about-the-shortage-of-ip-addresses/#comments</comments>
		<pubDate>Sun, 13 Jul 2008 23:36:42 +0000</pubDate>
		<dc:creator>jerry</dc:creator>
				<category><![CDATA[technology]]></category>
		<category><![CDATA[telecom]]></category>

		<guid isPermaLink="false">http://www.jerry-bell.com/?p=55</guid>
		<description><![CDATA[For years now, we have heard about the impending end of the Internet as we run out of IP addresses.  For a while, it was so persistent and frequent, it became background noise to me.  The only way to save the Internet is to move to IPv6, the story goes.
I&#8217;ve spent a lot [...]]]></description>
			<content:encoded><![CDATA[<p>For years now, we have heard about the impending end of the Internet as we run out of IP addresses.  For a while, it was so persistent and frequent, it became background noise to me.  The only way to save the Internet is to move to IPv6, the story goes.</p>
<p>I&#8217;ve spent a lot of the past decade in various networking, programming and technology management roles, and dabbled a bit in web hosting work.  One thing that is obvious to me is that we are not going to be moving wholesale to IPv6 any time soon.</p>
<p>I was surprised to see an <a href="http://www.pcmag.com/article2/0,2817,2325024,00.asp">article</a> the other day bringing up the dreaded doomsday of the Internet, predicting that we have 3 years until the end.</p>
<p><span id="more-55"></span></p>
<p><em><strong>SSL Sites</strong></em></p>
<p>In the early days of my experience with hosting, I was troubled to find that EVERY web server that serves HTTPS traffic with a unique digital certificate requires a separate IP address.  What a waste, it seemed to me.  There, of course, is a logical explanation:</p>
<p>When a browser opens a connection to a web server, a handshake to establish the SSL tunnel is performed based on the hostname used in the browser.  From the perspective of the server, it is simply an incoming connection that needs to establish an SSL session.  The server does not have context of what host the browser is trying to reach, and so relies on a one-to-one mapping of IP addresses to SSL certificates.</p>
<p>Modifying the SSL protocol to include the context of the domain that is being requested at the time of handshake should provide an additional number of years before which we must convert to IPv6.  The change could well be fairly easy to accomplish, assuming there is a mechanism for backwards compatibility.  Of course, web server software writers and browser authors would have to implement the protocol enhancement, then push those updates out to the world.</p>
<p>The number of certificates issued each year is not a published number, so it is difficult to tell just how much the growth rate of IPs could be slowed with such a solution.</p>
<p><em><strong>Portable Net Blocks</strong></em></p>
<p>At several points in my career, I had the responsibility of procuring IP addresses for several fast growing companies.  In all cases, the companies were using non-routable addresses that were address translated by a firewall, which essentially only used one &#8220;real&#8221; IP address for the hundreds of systems on the company&#8217;s network.  Each company was implementing redundancy with its ISPs &#8211; essentially connecting to two or three ISPs in case something bad happened to one or two of the other ISPs.  In order to facilitate this, we wanted to obtain our own IP addresses.  Each of our ISPs was willing and able to assign IP addresses that could be used across multiple ISPs.  However, those IP addresses remained the &#8220;property&#8221; of those ISPs.  So, if we decided that ATT stunk and we were using ATT, we would need to re-address our enterprise.</p>
<p>We did not actually need that many addresses &#8211; less than a class C (or /24) of 255 addresses.  At the time, at least, the minimum size allocation that <a href="http://www.arin.net">ARIN</a> would make was a /21 net block, consisting of 32 class C net blocks, or 8,160 addresses.  In each case, I had to justify the use of that many IP addresses.  The companies were large enough that it was pretty easy to justify that many IPs, assuming we assigned each host on the network a &#8220;real&#8221; IP address, in addition to showing the contracts that we had with the various ISPs, indicating our intent to &#8220;multi-home&#8221; our networks.  And re-IP we did.  I did this 4 times, wasting somewhere around 30,000 IP addresses.  Yay for me.</p>
<p>ARIN has since updated its allocation policies, now providing minimum net blocks of 4 class C&#8217;s.  Based on my experience, I cannot fathom how many IP addresses are allocated and sit unused or used poorly because of situations like mine.  Unlike the SSL issue, there doesn&#8217;t appear to be a good solution to this.  There is a practical limitation to the number of individual networks that can be announced on the Internet.  Continuing to make the minimum allocation smaller and smaller will create a different kind of problem on the Internet &#8211; routing may become unstable without major upgrades to the Internet&#8217;s network equipment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jerry-bell.com/what-to-do-about-the-shortage-of-ip-addresses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securing Adolescents From Exploitation-Online (SAFE) Act</title>
		<link>http://www.jerry-bell.com/securing-adolescents-from-exploitation-online-safe-act/</link>
		<comments>http://www.jerry-bell.com/securing-adolescents-from-exploitation-online-safe-act/#comments</comments>
		<pubDate>Thu, 06 Dec 2007 19:53:12 +0000</pubDate>
		<dc:creator>jerry</dc:creator>
				<category><![CDATA[politics]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[child porn]]></category>
		<category><![CDATA[SAFE act]]></category>

		<guid isPermaLink="false">http://www.jerry-bell.com/2007/12/06/securing-adolescents-from-exploitation-online-safe-act/</guid>
		<description><![CDATA[The US House of Representatives passed the SAFE act by a 409 to 2 margin.  It also appears likely to pass the senate.  It is interesting to note that one of the 2 &#8220;nay&#8221; votes on the bill was none other than Ron Paul.  While I agree with his decision to vote against the bill, [...]]]></description>
			<content:encoded><![CDATA[<p>The US House of Representatives passed the <a href="http://www.thomas.gov/cgi-bin/query/D?c110:1:./temp/~c110hsK3Jn::">SAFE</a> act by a 409 to 2 margin.  It also appears likely to pass the Senate.  It is interesting to note that one of the 2 &#8220;nay&#8221; votes on the bill was none other than Ron Paul.  While I agree with his decision to vote against the bill, it will certainly come back to bite him.  &#8220;How can you be in favor of exploiting children, Mr. Paul?&#8221; </p>
<p>On the surface, the bill appears to be a draconian measure placed on ISPs, web hosts, public wifi providers, etc, requiring them to report all instances where child pornography is transmitted over their network to the National Center for Missing and Exploited Children.  The penalty for non-compliance is $150,000US for a first offense, and $300,000 for subsequent offenses.  Complying with the law provides civil and criminal immunity from any resulting legal issues of the disclosure.  That&#8217;s about the extent of what is being reported in most of the alarmist media.</p>
<p>If you ACTUALLY READ THE <a href="http://www.thomas.gov/cgi-bin/query/D?c110:1:./temp/~c110hsK3Jn::">BILL</a>, you will notice this interesting section:</p>
<p>`(f) Protection of Privacy- Nothing in this section shall be construed to require an electronic communication service provider or a remote computing service provider to&#8211;</p>
<ul>
<li>`(1) monitor any user, subscriber, or customer of that provider;</li>
<li>`(2) monitor the content of any communication of any person described in paragraph (1); or</li>
<li>`(3) affirmatively seek facts or circumstances described in subsection (a)(2).</li>
</ul>
<p>Very interesting.  So, the law doesn&#8217;t require the providers to proactively monitor traffic.  So, what does it do then? </p>
<p>Providers that use technology to determine if someone is viewing an inappropriate site &#8211; from a known list of sites or from some form of intelligent analysis of the image content &#8211; are compelled to report such traffic to the NCMEC.  If a web hosting company discovers that a customer is hosting child porn, the hoster must report it.</p>
<p>The other important aspect of the law is what must be reported.  Essentially all identifiable info that is known must be submitted, presumably in an attempt to track back to the owner.</p>
<p>In some respects, this bill just makes something that&#8217;s illegal even more illegal.  The bill does add some additional mechanisms to find the child pornographers, distributors and those that view it, and does not appear to place a major burden on providers. </p>
<p>The downside, as usual, is in the interpretation of child porn.  It&#8217;s interesting that a definition of &#8220;child pornography&#8221; is not included in the bill, yet many other things, like &#8220;web site&#8221;, are.  It is conceivable, as some reports of the bill contend, that clothed children in lascivious poses could constitute child porn.  I wonder how the average Abercrombie &amp; Fitch catalog would fare?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jerry-bell.com/securing-adolescents-from-exploitation-online-safe-act/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Intoxicated by hydrogen</title>
		<link>http://www.jerry-bell.com/intoxicated-by-hydrogen/</link>
		<comments>http://www.jerry-bell.com/intoxicated-by-hydrogen/#comments</comments>
		<pubDate>Tue, 21 Nov 2006 22:27:31 +0000</pubDate>
		<dc:creator>jerry</dc:creator>
				<category><![CDATA[alternative fuels]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.jerry-bell.com/archives/10</guid>
		<description><![CDATA[Here we go again: http://www.businessweek.com/magazine/content/06_48/b4011432.htm?campaign_ic=bier_innvg
First hydrogen fuel cell motorcycle.  Yay.  We can crank these things out for the 3rd world masses and urban dwellers and our pollution problems are solved.  One of the comments on that page sums up the great misconception about hydrogen fuel cells well: you just put water in, the fuel cell [...]]]></description>
			<content:encoded><![CDATA[<p>Here we go again: <a href="http://www.businessweek.com/magazine/content/06_48/b4011432.htm?campaign_ic=bier_innvg">http://www.businessweek.com/magazine/content/06_48/b4011432.htm?campaign_ic=bier_innvg</a></p>
<p>First hydrogen fuel cell motorcycle.  Yay.  We can crank these things out for the 3rd world masses and urban dwellers and our pollution problems are solved.  One of the comments on that page sums up the great misconception about hydrogen fuel cells well: you just put water in, the fuel cell splits out the hydrogen, then converts the hydrogen into water which produces electricity.  Sadly, that&#8217;s not how the world works, Johnny.  If it did, I&#8217;d quit my job and I&#8217;d be cranking out electricity from the Chattahoochee River like nobody&#8217;s business. </p>
<p><strong>You Cannot Get Something For Nothing</strong></p>
<p>Fuel cells are simply a method of converting a fuel directly into usable energy, without most of the waste heat losses involved in burning it to turn a turbine, push a piston or boil water.  You must supply it with hydrogen to use.  That hydrogen has to come from somewhere.  The only real method we have to produce hydrogen on any scale is through electrolysis of water.  That takes electricity.  More electricity than is obtained through the fuel cell. </p>
<p><strong>Hydrogen is NOT an energy source</strong></p>
<p>Unlike gasoline, hydrogen is NOT a source of energy.  It is a storage medium.  It is the equivalent of a battery.  Electricity has to go into it, in order for anything to come out of it.  The only exception to this is if we somehow found a deposit of &#8220;pure&#8221; hydrogen or we were able to magically pull the hydrogen out of water without using more energy than can be obtained from the extracted hydrogen.  So far, neither seems likely.</p>
<p><strong>Hydrogen Economy</strong></p>
<p>You may have heard of the &#8220;hydrogen economy&#8221; before.  Basically, that&#8217;s the production and distribution of hydrogen on a scale equivalent to diesel or gasoline.  Major &#8220;refineries&#8221; which would extract hydrogen from water, pipelines and tanker trucks to move the presumably liquid or compressed hydrogen around, and fuel stations to deliver the hydrogen. </p>
<p><strong>All Is Not Lost</strong></p>
<p>While hydrogen is not the panacea that many people understand it to be, there are some big advantages.  The primary advantage is that it takes electricity to create.  That means that we can use conventional nuclear power, solar power, geothermal power, wind power, wave/tidal power, or the more traditional coal/natural gas power.  Large scale production will yield efficiency improvements in extracting hydrogen from water.  The second great benefit is that it&#8217;s really easy to create.  Conceivably, a small &#8220;reactor&#8221; could be bought for home use that would plug into your house electrical system, connect to your garden hose to feed it water, and output hydrogen directly into your &#8220;gas tank&#8221;.  Gas stations are no longer a necessity and will likely have a hard time competing with home produced hydrogen, unless the mass produced variety can be produced much more efficiently.</p>
<p><strong>Problems Ahead</strong></p>
<p>Hydrogen has some steep drawbacks.  The attribute that makes it a good energy storage medium also makes it very dangerous.  Hydrogen is very energetic.  Fires or explosions that result from hydrogen tanks on vehicles will be very deadly.  Hydrogen is also very hard to contain.  Its small molecular size allows it to seep through even solid metal containers, however slowly.  Refueling will also be much more dangerous than it is with gasoline.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jerry-bell.com/intoxicated-by-hydrogen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
