HTTPS and SSL in practice
To the administrators of the Oxford Student Self Registration website,
When accessing https://www.studentsystem.ox.ac.uk/ for the first time, I was surprised to see Firefox claim that it uses an invalid security certificate. As somebody who does understand the risks involved, I was unwilling to simply blindly accept the certificate, and had a closer look.
It turns out that the signing authority of your certificate, known as "Cybertrust Educational CA", is not included in Mozilla browsers by default, and thus Firefox rightly rejects your certificate. I was able to locate this CA certificate; it is, in turn, signed by a CA known as "GTE Global Root", which is included in Firefox.
Please configure your server to supply the intermediate certificate, "Cybertrust Educational CA", to browsers. This is the correct procedure and the only way in which the site will be accepted by Mozilla browsers, and any other browsers with security policies that are, as they should be, similarly strict.
This newsgroup thread may be of interest: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/dcad2183363667f1?pli=1
Allow me to explain why I feel this is important: by using an apparently invalid security certificate, especially on a website students must use, you are requiring students to simply trust an unknown certificate in good faith, in effect training them not to take these security warnings seriously. While it is true that in this case, it was possible to verify the certificate manually, most students will probably never possess the necessary expertise - why should they? - and instead "learn" to treat computer security with an attitude that leaves the door wide open for fraudulent sites and man-in-the-middle attacks.
Coming from an education institution, this is particularly worrying.
Yours faithfully,
Thomas Jollans
PS: The contact form I'm using uses an unencrypted connection to send the email, even when this website is being accessed over a secure connection. This might also be worth changing.
Addendum: I just sent this letter to Oxford University Computing Services (OUCS) using their so-called suggestions form. Perhaps not the best place, but of those potential addressees I could find this was the one where I felt most confident that my message would end up in the right place. This whole episode reminded me of, and indeed my writing this letter was perhaps inspired by, a blog post by my cousin Leon about a month ago, concerning a similarly problematic attitude at the University of Greenwich.
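The failure described in the letter can be reproduced offline. The following is an added example, not part of the original letter or the site's configuration: it builds a constructed root, intermediate and leaf with the `openssl` command-line tool (all names are placeholders) and verifies the leaf against the root alone, then again with the intermediate supplied as the server should send it.

```sh
#!/bin/sh
# Constructed three-level chain: root -> intermediate -> leaf. All names are placeholders.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

newkey() {  # $1 = basename, $2 = subject; remaining args are passed to `openssl req`
  n=$1; s=$2; shift 2
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "$s" \
    -keyout "$d/$n.key" "$@" 2>/dev/null
}
sign() {    # $1 = subject basename, $2 = issuer basename; remaining args go to `openssl x509`
  n=$1; ca=$2; shift 2
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}

newkey root  "/CN=Constructed Root CA" -x509 -days 2 -out "$d/root.pem"
newkey inter "/CN=Constructed Intermediate CA" -out "$d/inter.csr"
sign inter root -extfile "$d/ca.cnf" -extensions v3_ca
newkey leaf  "/CN=www.example.test" -out "$d/leaf.csr"
sign leaf inter

# chain_ok ROOTS LEAF [SENT_INTERMEDIATES]
# Succeeds only if a client trusting nothing but ROOTS can build a path to LEAF
# from the certificates the server sent (passed as untrusted helper certificates).
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

chain_ok "$d/root.pem" "$d/leaf.pem" \
  && echo "leaf only: accepted" || echo "leaf only: rejected (issuer not found)"
chain_ok "$d/root.pem" "$d/leaf.pem" "$d/inter.pem" \
  && echo "leaf + intermediate: accepted" || echo "leaf + intermediate: rejected"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.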
Emperor 0.1: File manager for GNOME
I am pleased to announce the first released version of Emperor: version 0.1 "Aurelian"
You can download Emperor from its website or get the most recent version of the code from GitHub
Emperor is a new Commander-style (“orthodox”) file manager for the GNOME desktop. It is written in Vala and, unlike similar programs such as GNOME Commander or mc, it uses GIO in order to integrate with the GNOME desktop and to take advantage of GVfs-FUSE.
While it is not yet full-featured, it is complete enough to be useful and has good support for network file systems and automatic mounting of archive files.
Emperor strives to provide a user interface familiar to users of Total Commander, Krusader, or GNOME Commander.
Dependencies:
- GTK+ 3
- Libxml2
- Libgee 0.7
Additional dependencies when building the source from Git:
- Vala 0.12
- GNU Autoconf, Automake, Libtool, and Gettext
- Python 3.x
Updating the blogroll
Who to link to in a blogroll? How to refer to their blogs? The list of links that is my blogroll is now slightly longer than it was, perhaps it will grow in the future, and I've changed the names a bit: Instead of linking the author's civilian name, I use the blog's title — I'm still not sure which is the better practice, but at least one of these bloggers doesn't use their civilian name on their blog, so I probably shouldn't disclose it here either. My most important criteria for inclusion here are probably that the blog appears to be active, and that I (appear to) read it. Looking through the list, I also find that I've met all the authors but one in person, a fact that one could assume played a role in the selection.
My current blogroll consists of:
- Benny Bachmaier's Flugfieber.net
- Recently created KlimmtJaques.de — I'm looking forward to following this blog
- My cousin funcakes
- Olivier Cleynen's aria da capo “occasional”
- Tim Dobson's new blog
- Sean Whitton's notes from the library
- maloki's blog
- Maladjusted by @reality
- bobobex's blog
Check them out. That's why I link to them.
Bagless
Last Friday, August 12, 2011, on my way to OggCamp I flew from Munich Franz-Josef-Strauß to London Gatwick Airport with a friendly airline known as EasyJet. That's usually a perfectly pleasant experience, I've done it before, but I've never had to check baggage before. This time, however, I wanted to bring a tent for #oggcamping.
So, I land at Gatwick, walk through miles of bland corridors that I'm sure exist only to punish people for not paying the Heathrow premium, stroll through passport control, and wait for my backpack to pop up on the friendly neighbourhood baggage conveyor belt.
It never did.
Fair enough, these things happen. So, as you do, I go to the desk, report the mess, tell the friendly baggage people that they could contact me at the Farnham Maltings until Sunday.
Nothing happens.
So, after a couple of days of OggCamp, I ring up the EasyJet offices again on Sunday to ask what the hell is going on. Turns out: they hadn't found it yet. Yeah. Wow. So what do I do? I give them my mobile phone number, stress again that they won't be able to deliver it to the Maltings after Sunday, buy a cup of coffee, and go stand next to my stunt double Fab to allow my friend Tim to take pictures of us with his fancy ass-camera.
Then, nothing happens, or so I think. It actually turns out that EasyJet did find my bag on Monday or Tuesday (apparently their internal records aren't completely clear on that) and try to deliver it to — surprise — the Maltings in Farnham, Surrey. Naturally, they failed, and gave up. That does make me wonder: why ask until when I will be at the temporary address provided, if they're not going to use that information? Why ask for a phone number if they're not going to call? EasyJet has all the marks of an excellently organized company with highly intelligent employees.
At least now, after phoning them up again, I know that my bag still exists, and is supposedly on the way to me.
The above scene was taken from the excellent 2009 Austrian film Contact High. Buy the DVD.
Commenting improved
I've taken some time to improve my blogs' commenting systems to go beyond what your standard, classic, blog comments section does. Firstly, I finally implemented the front-end to a feature I had planned, and integrated into the back end, all along: threaded discussions. You can now reply to a reply.
More importantly, however, I integrated identi.ca and Twitter. I got this idea from Psychedelic Squid, who only supports identi.ca. My blog now automatically announces new posts on identi.ca and twitter, and periodically (half-hourly for now) checks those services for replies to the announcement that can be imported.
As you can see, I've added the appropriate reply buttons to the bottom of the post, so each user can choose completely freely how to interact with my blog. I'm speculating that this will increase the amount of comments very slightly every now and again. Yeah, right.
All this works better with identi.ca than it does with Twitter: with identi.ca, I can import a complete conversation tree, no matter whether the notices are addressed to me or not. The Twitter API, on the other hand, only allows me to read my own replies timeline, so there's a greater chance of missing replies-to-replies.
I haven't yet added the new buttons to the RSS feeds, or to the summary at www.jollybox.de. I'm planning to do that in due course.
