• Uncategorized

    Changing ecosystems from iPhone to Android

    I really, really dislike the word “ecosystem”. It is synonymous with closed environments built around a single dominant vendor or technology, where one chooses to be part of one particular introspective “gang” or another.

    Unlike a lot of technologists I don’t churn my own personal kit every few months. I just find something that works for me, put some effort into tweaking the setup to get it just the way that I want, work out where all the bugs are and learn to live with them if I can, and then carry on using it until something manifestly better comes along that makes it worth going through all that effort all over again.

    I’ve been reliant on smartphones to run my daily life ever since I bought a Nokia Communicator for the built-in e-mail, which allowed me to manage my first business whilst on the road back in the 1990s. After a succession of Sony Ericsson Symbian smartphones (R380 – P800 – P900), none of which really worked that well, I bought an iPhone 3G in 2008. This was a revelation: it didn’t actually do as much as the P990 that I binned when I bought it, but it did work very nearly flawlessly. No more reboots in the middle of calls, crashing e-mail applications and plummeting battery life if I actually tried to use the device – I was in the Apple ecosystem!

    I had an early play with Android and it underwhelmed me with its slightly clunky and clearly nowhere-near-as-well-thought-out-as-Apple vendor-specific UI wrappers. Nothing there to make me move away from the iPhone, so I meekly upgraded to an iPhone 4 when the 3G became untenable. From the 4, the 4S wasn’t worth paying to upgrade to, and when I saw the first iPhone 5 it was clear that it didn’t offer anywhere near the incremental value that would be required to get me to pay the price tag.

    It wasn’t the phone that pushed me off my perch though. Frustrated with my ability to interact (as distinct from just media browse) on an iPad, and fed up with lumping even my small 13.3″ laptop around anywhere that I need to work, I tried out an Asus Transformer last year and I was hooked. Android really has come on leaps and bounds for serious use in recent releases like Jelly Bean. Usability has improved and a decent number of quality apps are available in the Play store now. This device seemed to give me all the best bits of a conventional tablet, combined with a smaller-than-micro-laptop form factor with a touchscreen, real keyboard and double-digit hours of battery life. Apart from the poor e-mail experience if you don’t use Gmail, I was pleasantly surprised to find that Android does just about everything I need on this platform. Not bad for a “phone OS”. At least 90% of the stuff that I would break out the laptop for I’m now doing from the Asus (including this blog post!)

    So by the time I bought a batch of Nexus 4s for use in our tech dept at work, I was already pretty predisposed to Android from the Asus Transformer experience. I popped the SIM out of my iPhone into a Nexus 4 the other night just to test it, and it hasn’t gone back since.

    Watch this space for further updates on the technical aspects of moving from iOS to Android, and from Windows to Android and Chromebook…

  • bike cycling

    3 or -3, pick one and give us a few days of it please

    After a few days of warm and wet, it was -3 again this morning. Now I know that isn’t really cold, but it is just cold enough that there is a decent amount of really wet, slippy ice around on my commute.

    I’ve got some really neat Schwalbe spiked winter tyres that I put on a couple of old rebuilt 29er “winter wheels” last year. These are great and give me lots of confidence in really bad conditions (ice & thin snow), provided I run them under about 30psi so there is a decent contact patch. I’m not sure that I’d go with the manufacturer’s very bold claim that “You have full control on icy roads with this tyre. Even in tight bends and under violent braking everything remains under control”. Errmm! The way I see it, Schwalbe winter tyres on my road bike save my bacon when I’m being overtaken by a bus and hit an unavoidable patch of black ice, but I’m not going to go taking bends at 30 on ice just to test their claims any time soon. They certainly make braking more hairy even on ice-free black stuff when run at anything like a decent pressure, and wet manhole covers become very interesting indeed when your contact patch is a few square millimetres of tungsten on steel.

    Reading reviews on these tyres, a few folks seem to report problems with lost studs, but I have to say that I’ve had no such problems. I ran them in on ice-free tarmac for a few rides first, as per the instructions, and have had no issues at all in several hundred miles on them so far.

    Looks like I’m condemned to swapping wheels over and being late for work just about every time I get on the bike at the moment, unless we can have a decent spell of one kind of weather, please?

    Is HTTPS security broken?

    For some years HTTPS web security has been considered pretty dependable. If I’m connected to a website, the right URL is showing in my browser and I have a padlock symbol, then I’m probably talking to the site that I think I am (extra points for actually checking the security certificate details to make sure the site owner is who I think it is).

    The security of the whole thing depends on the server credentials issued by trusted Certification Authorities. Once a rogue or negligent CA is included in the list of CAs trusted by my browser, I have no security at all, as certificates can be manufactured which fool me into thinking that I have a secure session when in fact I’m talking to a bad guy in the middle of my connection and giving them all of my data.

    Compromise of CAs trusted by mainstream browsers has happened at least 4 times that we know of, and the practice of deploying corporate HTTPS proxies, which work with locally installed root CAs to fake remote sites’ credentials and allow internal IT departments to snoop on employees’ HTTPS traffic, seems to have become a legitimate practice.

    Being gifted trusted CA status by the mainstream browser vendors is almost literally a licence to print money. It allows the organisation to charge a fee for issuing delegated certificates, which amount to nothing more than a string of binary digits. It has to be the highest-margin industry on the planet, essentially selling a “blessed” version of a free resource. All that is required for the whole system to stay secure is that the CA demonstrably keeps its signing mechanisms secure and issues only specific resource certificates to organisations that are able to prove that they own the subject resource. Surely that isn’t too much to ask.

    In the early days of this industry it all worked pretty well: a small number of players that fully understood the technology signed server certificates directly with their root certificate after performing proper real-world checks to ensure the person that they were handing the certificate to really did exist and own the resource. For good technical reasons many CAs introduced an extra level of delegation, so that the certificate which actually signed the server credentials was an intermediate which carried the authority of the root CA. This ability to delegate a signing authority has always been a designed-in part of the mechanism, and it improves the security of the whole signing process provided both stay firmly in the control of the CA.

    Since then there has been an explosion of CAs and an inevitable race to the bottom to offer the cheapest and most accessible way of buying a “padlock” for our websites. This site has an SSL certificate which could give you enhanced confidence that it is my words you are reading now. Your confidence is pretty unjustified as, whilst it is a fully legitimate SSL certificate, it cost me just under £10 late on Friday night in a transaction that took a couple of minutes all told from start to finish. I paid for it by PayPal from an e-mail address that wasn’t even associated with the domain, not even a real credit card transaction. The only verification that was needed was the ability to read one e-mail in my choice of mailbox associated with the domain for long enough to grab a confirm link from it. That’s about the same level of verification as you would need to, say, sign up to an e-mail newsletter.

    It isn’t exactly news that I can get a basic SSL certificate for my no-name website for pennies without having to show who I am, and to be fair there are much more secure EV certificates at the other end of the market that provide much higher levels of checking and therefore confidence, but does the average person in the street know the difference when deciding to trust a site?

    Of far more concern are the instances of CAs manufacturing intermediate signing certificates and then losing control of them. These intermediate signing certificates carry the full authority of the CA, and they can be used to generate certificates which allow anyone to pretend to be, or snoop traffic for, any Internet site they wish. In a recently disclosed incident a CA called TurkTrust, which was trusted by all of the major browser vendors, managed to give fully capable intermediate certificates away to two end users, apparently by innocent accident. One of the recipients later installed it on a traffic interception device and started using it to intercept user sessions to gmail.google.com.

    In another similar incident a CA sold one of their intermediate signing certificates to a company for the purposes of intercepting secure web sessions originating from within their corporate network. To their credit, once this was publicised they did a U-turn, decided to revoke it and stated that they would never do this again. On balance of probabilities it is likely that more of these intermediate signing certificates are lurking out there on the Internet. If a CA could be persuaded to risk their credibility and therefore entire business by agreeing to generate one for a corporate in exchange for money, I wonder what happens when a government agency comes knocking.

    If that doesn’t sound like too much of a real-world problem unless you are a gangster or terrorist, consider that the state involved may not be a liberal democracy that respects due process of law or free speech. One of the notable recent CA failures was DigiNotar, a Dutch CA whose systems were compromised to issue certificates which were then used in Iran by persons unknown to grab secure traffic intended for Gmail, Yahoo!, Facebook and Tor (an anonymous web browsing service) among others. It’s not hard to see why a repressive government may be prepared to go to quite some length to get an “Internet master key” that allows them to see straight through any private traffic from citizens within their country, and it isn’t clear to me that our current sprawling browser CA landscape is particularly resilient against this or other similar threat models.

    So what do we do about this: do we need fewer trusted CAs in our browsers by default – if so which ones and how do we choose?

    Should trusted CAs be forced to disclose all intermediate signing certificates that they generate and be explicitly banned from allowing unconstrained signing certs to leave their own control?
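The delegation described above (root vouches for intermediate, intermediate vouches for the server) and the "unconstrained signing cert" problem, as an added example that is not from this post: it builds a three-certificate chain with Go's standard crypto/x509 package and runs the same chain validation a browser does, once with an unconstrained intermediate and once with an intermediate carrying an X.509 name constraint, which is one concrete way a CA can hand out a signing certificate that cannot vouch for arbitrary sites. CA names and the hostnames are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newTemplate returns a minimal certificate template for a CA or a leaf.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
}

// issue signs tmpl with parentKey (self-signed when parent is nil); returns the cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// LeafVerifies builds root -> intermediate -> leaf for host and runs the chain validation a
// TLS client performs. A non-empty permitted list name-constrains the intermediate.
func LeafVerifies(host string, permitted []string) bool {
	root, rootKey := issue(newTemplate("Example Root CA", 1, true), nil, nil)
	interTmpl := newTemplate("Example Issuing CA", 2, true)
	interTmpl.PermittedDNSDomains = permitted // empty = unconstrained, can sign for any name
	inter, interKey := issue(interTmpl, root, rootKey)
	leafTmpl := newTemplate(host, 3, false)
	leafTmpl.DNSNames = []string{host} // the SAN a browser matches the URL host against
	leaf, _ := issue(leafTmpl, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}
```

With no constraint the chain validates for any hostname the intermediate chooses to sign; with `PermittedDNSDomains` set to `example.com` the same intermediate can only produce certificates that validate for that domain and its subdomains.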

    Should we have laws to set expectations about what CAs should do? Establishing national laws to fix Internet problems doesn’t have a great track record, for pretty good reasons, but it does seem reasonable to have society set legal expectations that manufacturing, handling or applying fake digital credentials are unacceptable behaviours. Forging bank notes or written signatures are very serious criminal matters in most cultures, unlike undermining the entire global web security model, which seems to have no hard sanctions at all. Sure, it won’t prevent criminals from doing their thing, but it would make the CEO of a CA subject to criminal sanctions if their organisation steps over a line in passively or actively enabling such activities. All that browser vendors then need to do is ensure that any CAs they bless establish their operating bases in a country where these laws exist.

    Perhaps we should ditch the whole concept of browser vendors blessing a vast commercial CA swamp and try to find a workable model where users get to choose which certificate issuers they want to trust. This is a bit like the PGP-style web of trust, where users personally verify any party that they trust and then rely on their verification of others. There is a major technical problem with this approach because, unlike PGP, X.509 only supports a single certificate per public key, so the trust inheritance is a strict tree rather than a web. As a server administrator I can only present one chain of certificates, and if the trusted party my visitor has chosen isn’t in my CA chain then they aren’t going to get the green padlock.

    The only place we can currently have a one-to-many trust relationship is at the root CA list level, so maybe the fix is to have independent lists of root CAs at this level assembled by folks other than the browser vendors. At install time, present users with a meta-list of possible CA roots and have them choose one. The only CA pinning needed in the browser would then be to the repositories of the meta-CAs. Users could decide if they wanted to use a list curated by, for example, their favourite security vendor, government or perhaps the EFF. That way if I want a root CA list which contains only those who guarantee that they don’t sell intermediate signing CAs to dodgy foreign government telcos or issue $10 no-questions-asked “domain validation” certs, then I choose a list curated with those criteria. I can see that some browser vendors would want to keep their direct relationships with the CAs, but others may just jump at the chance to get out of the business of vetting Honest Achmed’s business plan.
