Recently in Internet Category

Google recently released an SSL-enabled version of their main page, which is no bad thing. However, it turns out there's a bit of a nasty side effect for companies doing search analytics. When you go from an SSL site to a site without SSL, most modern browsers will strip out the referrer data. In the case of going from an SSL-enabled Google to a normal non-SSL site, it means that the non-SSL site will have no idea of what search terms were used.

Of course there is a way around this. The simplest is just to SSL enable the site. If you go from one SSL-enabled site to another SSL-enabled site, the referrer data is retained. There are others, such as Google appending something like ?query="search term" to each URL it returns; however, even if this is implemented I can see it being optional for the user.

Of course the problem with SSL certs is that you need a dedicated IP address for each SSL-enabled site. There are extensions to TLS which would mean that you could host multiple name-based virtual hosts on one IP, see Section 3.1 of RFC 3546, but I have yet to see significant support for this. As it stands at the moment, IPv6 is probably better supported than the Server Name Indication extension of TLS.

So, if a company wants a fast way of getting the referrer from an SSL Google query, the handiest method is probably to SSL enable their site, which means a dedicated IP address. Anyone who has got this far in the post probably already knows that IPv4 addresses are slowly running out. If every SEO in the place suddenly wants to enable SSL on their customers' sites, there's suddenly going to be a lot of pressure on the IPv4 address space.

I know that if a relatively small percentage of shared hosting sites at work wanted to SSL enable their sites in the morning, we'd run out of available IPv4 addresses in a flash. However, we do have ~4,000,000,000 IPv6 addresses available which should be sufficient! It's just a pity that most ISPs wouldn't be able to get to them at the moment.

The big winner in this would be the companies selling the SSL certs. People could use a self-signed cert, but do they really want customers/potential clients to have to click through the various warnings? There are other options such as CACert, but not all browsers will recognise them as a valid cert.

My own opinion is that the lack of referrers is no bad thing. It might force sites to stop using underhand tricks and just put up proper content.

It would seem that random pie in the sky figures about server virtualisation are one of my berserker buttons. I work in IT, hence I know that everything in IT is a compromise. So when someone on Twitter quoted figures from a Sunday Business Post article stating that the HSE were using 200 servers, and then immediately proclaimed that virtualisation would reduce that number by 75%, I had to respond. Anyone on Twitter is free to look it up.

At work we use virtualised servers extensively. Our whole shared hosting/VPS platform is built on Virtuozzo. We have numerous other services which are virtualised in the background using other technologies such as Xen, KVM, Hyper-V etc. It is a brilliant tool when deployed properly and has plenty of other benefits such as being able to move a virtual server to new hardware in a hurry.

However, if you are to believe the marketing hype, virtualisation will immediately save you X% where X is a ridiculously large number like 70 or 80. What they always seem to fail to mention is that they're presuming that you're massively underutilising your current hardware.

This leads to a lovely self fulfilling prophecy. The people who move over are the ones underutilising their current hardware and they will see massive savings. These savings are due to bad planning and over speccing the hardware in the first place though, and virtualisation is the ideal technology to consolidate the hardware while keeping the outward facing infrastructure looking the same. This means there's a massive selection bias in the figures which virtualisation vendors quote, as they seem to only use these customers as examples.

Then look at the other end of the spectrum: people properly utilising their existing infrastructure. Here virtualisation will still give plenty of benefits. For example, being able to move a virtualised server from physical server to physical server, often with no downtime. However, then you have to consider virtualisation overhead. As virtualisation is simply abstracting away the hardware, there is going to be an overhead in the translation. Depending on the technology used, the overhead might be minimal or it might be large enough that new hardware is required to account for it.

There will also be no savings due to less hardware in this scenario as the virtualisation isn't being used for consolidation, but for ease of management. If it's a commercial virtualisation product such as VMware, there's going to be extra cost involved. This cost might be offset in decreased administration time, but it's not going to be anything near the figures normally quoted for savings.

To go back to what started all this off, the 200 servers in the HSE. We have no way of knowing what the utilisation is like on these servers. For all we know, it's a fairly heavy Java based app running on them and the systems are well utilised. It's also possible that they are underutilised, but without knowing what they're actually doing, it's not possible to pull random figures like 75% out of the air.  

DNSSEC Still Pie In The Sky

Afilias recently put up a post claiming that DNSSEC is no longer pie in the sky! The post immediately proclaims that DNSSEC would have stopped the issue on Mar 24th where a Chinese root server was leaked outside of China. While this is technically true, they seem to be vastly underestimating how far off we are from seeing this happen.

Start at the client level, whether it is a browser, mail server or mail client. At the moment very few clients have native support, and most seem to need to be patched, which is not something the vast majority of end users would be comfortable doing. Microsoft only seem to be supporting DNSSEC in Windows 7 and Windows 2008, although I could be wrong on this. Then there's the variety of browsers on the variety of mobile devices. In all cases it's more likely that you'll have IPv6 support!

The next step would be the DNS resolver that the client talks to. This could be your ISP's resolver, your local router, a third party such as OpenDNS and Google or possibly a dedicated local server. At the moment the chances of them being DNSSEC enabled are minuscule.

In the case of local routers (CPE), Nominet tested a cross section of CPE devices in 2008. The result?

"As a consequence, we conclude that just 6 units (25%) operate with full DNSSEC compatibility "out of the box." 9 units (37%) can be reconfigured to bypass DNS proxy incompatibilities. Unfortunately, the rest (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use."

Of course even if the router supports DNSSEC, you then have to make sure that the upstream DNS servers support it, which is by no means a given. Comcast are still only testing it which probably puts them well ahead of their competition.

Then you have to make sure that any firewalls between you and the upstream DNS server are correctly set up. It's not unknown for Network Admins to only allow UDP packets over port 53. This will break horribly with DNSSEC as the response to a query will be a lot bigger so it's very likely that the server will have to fall back on TCP. Even if the Network Admin has opened TCP port 53, it's possible that the firewall "knows" that a DNS packet can never be larger than X bytes, and will indiscriminately drop any packets larger than its set limit.
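The firewall failure modes described above can be modelled offline. The following is an added example, not code from the original post: it builds a DNS query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit, parses the advertised UDP size back out, and works out whether an answer of a given size reaches the client. The function names, the 1800-byte answer size and the firewall parameters are constructed for illustration.

```python
import struct

def build_query(name, udp_size=4096, do=True, txid=0x1234):
    """DNS A query carrying an EDNS0 OPT record (constructed, never sent)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + struct.pack("!2H", 1, 1)             # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_edns(query):
    """Return (advertised UDP size, DO bit) from a single-question query."""
    pos = 12
    while query[pos]:                 # skip QNAME labels
        pos += query[pos] + 1
    pos += 1 + 4                      # root label, QTYPE, QCLASS
    if struct.unpack("!H", query[10:12])[0] == 0:
        return 512, False             # no OPT record: classic 512-byte limit
    rtype, size, ttl, _ = struct.unpack("!HHIH", query[pos + 1:pos + 11])
    assert rtype == 41, "expected OPT record"
    return size, bool(ttl & 0x8000)

def outcome(query, answer_len, fw_udp_limit=None, fw_allows_tcp=True):
    """Model whether an answer of answer_len bytes reaches the client."""
    udp_size, _ = parse_edns(query)
    if answer_len <= udp_size:                       # server answers over UDP
        if fw_udp_limit and answer_len > fw_udp_limit:
            return "dropped: firewall size limit on UDP/53"
        return "delivered over UDP"
    # Too big for UDP: server sets TC and the client retries over TCP
    return "delivered over TCP" if fw_allows_tcp else "failed: TCP/53 blocked"
```

Both failure cases look the same to the end user, a lookup that times out, which is why the firewall's UDP size limit and its TCP/53 rule each need checking before DNSSEC validation is switched on.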

Then there's the root servers and the various TLD servers. The earliest that we'll see a signed root zone is July 2010, and that's presuming that their testing goes well. PIR have implemented it on .org already, and various other ccTLDs have either implemented or have testbeds. Verisign have said that Q1 2011 is when they expect to have it rolled out for .net and .com.

Presuming that all the above has been fully implemented, it's possible that DNSSEC would have stopped what happened on Mar 24th. However, then there's the leaking of more specific routes such as what happened Youtube in 2008, but that's a different problem with different fixes.

The above is only a very quick and nasty overview of the issues with DNSSEC at the moment as far as a client is concerned. There's plenty of other issues to be sorted out such as transferring domains and key rollover among others.

Then there's the human element. Phishing won't be cured by DNSSEC, most phishing attacks use absolutely random urls, such as  The deployment of DNSSEC also won't force people to upgrade their browsers, IE 5 and IE 6 still make up a good percentage of the browsers out there!

Unfortunately, DNSSEC is going to remain very much pie in the sky for the time being. 

Enhanced AIB Security?

Just after logging into my AIB Internet Banking account, I spotted the following security notice:

From June 23rd you will be required to enter two codes from your AIB Code Card in order to complete the following actions on AIB Internet Banking:

This is only required for certain transactions, but it still seems to be a useless change. If someone has one code, the odds are extremely good that they have the code card. If not, the second code can probably be obtained using exactly the same method as was used to get the first.

If they really wanted to enhance their security, they might be better off deploying something like Rabo Direct's Digipass. I believe they already have something similar for their Business Banking. Unfortunately, this probably won't be done due to cost.

To go slightly off topic, the new AIB Internet Banking site is a vast improvement over the previous incarnation.

Useful New Filter Technology

I'm just after coming across the Stupid Filter project. Now I'm waiting for the Spamassassin and Support Desk plugins!

I created a quick Opensearch file to add the PHP Function search to my search bar. If anyone is interested it's available here.

Update: To make life even easier, use ctrl-k to select the search box, ctrl-up and ctrl-down to select the different search providers.

DHL Tracking Madness

I ordered a nice new toy from Komplett over the weekend and got an email with a "Track And Trace" code for DHL Europlus. I went to, saw a nice DHL Fast Track search box on the top right and entered my code. I got a page entitled "Tracking Good Afternoon" (at 6 in the evening) and search boxes all over the place. Besides not looking well in Firefox, it didn't show the code I had just entered anywhere.

I put my code in the top search box (Air Express), pressed search, and up popped a box entitled "DHL Road Express Shipment" telling me:

"You may have entered a DHL Road Express Licence Plate Number / Identcode Number.

Please use the European Road Express Parcel Tracknet below to track this shipment."

The main page also had a section entitled "DHL Road Express Parcel Tracking", so out of interest I tried the code there and got the same popup. I then clicked the European Road Express TrackNet as they wanted, and figured out how to add my code and submit as needed. The tracking as it turns out is pretty dire. According to them, my package is in Tilburg, NL since yesterday morning. It better be wrong!

The point of this rant? Their system was smart enough to realise that the code I entered was a European Road Express TrackNet code. Why didn't it simply redirect to the proper page from the main page rather than carrying me into a page with multiple search boxes? Instead of a popup explaining where I need to go, why doesn't it redirect to the right page? Or even a link to the right page in the popup? Was there any UI testing done at all on the site?

I was talking to someone who once worked in a company bought by DHL. I was told that their biggest problem is that as they are buying up smaller local companies to do local deliveries, they aren't integrating the new IT systems properly. This does explain why the tracking mightn't be as great as it should be. However it doesn't explain why they can't add a small bit of intelligence to their site.

Eircom Wireless SSL

I'm in Heuston Station for a while and I have had to use Eircom wireless to access the internet. What was disappointing was that the login page for Eircom's wireless does not have a valid SSL cert.

I logged in anyway (naughty, I know) as the IP it was pointing at was an eircom ip, and I am stuck. I am surprised that Eircom can get away without using a valid SSL cert for pages that have to handle credit card details.

I would have thought that one of the requirements for Credit Card processing would be having a valid SSL cert!

Quick Pros And Cons Of Nokia E70

After three years of service, my Nokia 6630 finally decided that enough was enough, so I upgraded to a Nokia E70. After a few hours of playing with it, it seems to have been a good purchase. Below is a quick list of the pros and cons that I've found so far.

Pros:

  • Qwerty keyboard. Normal mobile text input methods aren't up to much when using applications like Putty. The qwerty keyboard is comfortable to use, and works out a lot faster than T9 for me.
  • Wifi: Free internet access is always going to be better than paying Vodafone for 3G or GPRS.
  • Active Standby: The standby screen on older Symbian S60 phones has always been sort of boring. With recent versions of Symbian S60, there are now a couple of shortcuts along with calendar entries and recent text messages on the screen.
  • Compatible with older car kits. One of the big problems for me is that a lot of the newer Nokia phones don't seem to have cradles compatible with the CK-7W car kit. With the MBC-13L, I can get into the car, throw the phone in the cradle and drive away safely, while having the phone charging and ready to use. If I forget to take the phone out of my pocket, it will still hook up to the car kit over Bluetooth.

Cons:

  • Small Screen: Compared to phones like the N95, the screen is very small. This becomes a slight problem when using applications like Putty. The default font on Putty is so small that a microscope is required. Luckily there are more friendly fonts available here.
  • Active Standby Plug-ins: According to the manual, there should be an Active Standby plug-ins option available in the phone settings, however this seems to have been disabled, presumably by Vodafone. These plug-ins should allow handy things like showing number of waiting voice mail messages and notes entries on the standby screen.
  • Lack of automatic key lock. A fairly standard feature in Nokias has been the ability for the phone to automatically lock the keypad after a few minutes of inactivity. There is third party software available to do the job, namely Autolock, however it's still a strange omission.

After I've used the phone for a couple of weeks, I'll probably be able to add more items to both the pro and con sides.

Copyright Fun And Games

Michele posted about the fun and games with Domainnews and copyright two months ago. Domainnews seem to have finally realised  and their "Chief Editor" has replied claiming innocence. Unfortunately he still does not seem to realise what he has done wrong, and he still hasn't as much as apologised yet. In fact Michele had to send a DMCA Takedown notice to Google before anything was done. For fun and giggles I had a look at the Domainnews site and spotted a post attributed to "press" which is a copy of the press release here. According to Domainnews: "press is one of our editors and not someone we are trying to credit this to". What's even more fun is that the DotAsia press release is covered by a Creative Commons Attribution License (look at the icon at the bottom left of DotAsia's press release) which probably means that DotAsia would at least like a link back. Even if they didn't have the CC license, it is just a common courtesy to link back to the originating site, even for a press release. There is no point posting about DotAsia starting a new program, if the reader can't click on a link and have a look around to get more details. The whole point of the Internet was/is to share information.
