PC Pro

Davey eats his own dog food when it comes to website encryption, and provides some expert tips for searching through Gmail

Anyone who’s ever gone through the rigmarole of installing, or renewing, an SSL/TLS certificate will appreciate what a ball-ache it can be. From generating a certificate signing request (CSR) to configuring the certificate via cPanel or Plesk, not to mention navigating the vagaries of whether you have a text-based certificate or a CRT file to deal with, it’s all stupidly bothersome.

Once up and running, though, your site is secured and visitors get the now-expected confirmation from their browser client that the connection is encrypted. This all used to be optional, but a better understanding of security hygiene has led to SEO penalties for sites that aren’t properly secured. From July, the Chrome browser client will flag all unencrypted sites as insecure and display the dreaded “site not safe” message that decimates traffic.

According to Google, 68% of Chrome traffic on both Android and Windows platforms is now via HTTPS, rising to 78% on Chrome OS and Mac platforms. Worryingly, Google also points out that only 81 of the top 100 websites by traffic volume use HTTPS by default.

To my horror, I recently discovered that my own happygeek.com site was among the unencrypted rabble, with the latest Firefox client refusing to connect on the grounds that the certificate had expired. This came as something of a shock, as I’d already renewed it – or at least I thought I had.

Unfortunately, something had gone wrong in the certificate reconfiguration process, which meant that, come the day the old one started singing with the choir immortal, the new one didn’t kick in as valid. The answer? Let’s Encrypt.

I’ve long been a fan of the Let’s Encrypt project (letsencrypt.org), having recommended this method of securing a site to friends, family and clients. It was time to start eating my own dog food. This automated and open certificate authority is provided by the Internet Security Research Group (ISRG) and lives up to its “enable HTTPS in the most user-friendly way we can” promise.

Anyone with a domain name can get a trusted certificate from Let’s Encrypt for free. If your web host has the Let’s Encrypt certificate management agent enabled, and most have, then the whole process is automatic: obtaining the certificate, configuring it securely for use and, importantly, fully automating its renewal. It took me a couple of minutes to make the switch and for my site security to be tickety-boo once more.

But there’s more to Let’s Encrypt than just being a free service, or even one that’s on a mission to make the web more secure. It’s also on a transparency crusade, with all certificates issued or revoked being publicly recorded and open for anyone to inspect. Indeed, even the automatic issuance and renewal protocols are published as an open standard for others to adopt, if they so desire. Look up the Automatic Certificate Management Environment (ACME) protocol at the Internet Engineering Task Force site (pcpro.link/284acme) if you fancy a technical read.
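The mishap described above, a renewed certificate that never went live so the old one quietly expired, is exactly what automated renewal is meant to prevent, but a renewal job can still fail silently. A cheap safeguard is an independent expiry check that alerts well before the deadline. The Python script below is an added example written for this column, not code from Let’s Encrypt, the ACME client or the author’s web host; it uses only the standard library. The 30-day threshold is an assumption matching the usual ACME renewal window for a 90-day certificate, and check_host needs network access, so the date parsing and status classification are kept in separate functions that run offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: warn when fewer than this many days remain. Let's Encrypt
# certificates are valid for 90 days and ACME clients usually renew at 30.
WARN_DAYS = 30


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate.

    `not_after` is the string form used by ssl.SSLSocket.getpeercert(),
    e.g. 'Jun  1 12:00:00 2018 GMT'. `now` is a POSIX timestamp (UTC) and
    defaults to the current time. A negative result means already expired.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((expiry - now) // 86400)


def classify(days_left, warn_days=WARN_DAYS):
    """Map days remaining to a status a monitoring job can alert on."""
    if days_left < 0:
        return "expired"
    if days_left < warn_days:
        return "renew-soon"
    return "ok"


def check_host(hostname, port=443, timeout=5.0):
    """Connect over TLS, validate the chain against the system trust store
    and report the leaf certificate's expiry status. Needs network access.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # This is what a visitor's browser sees when a renewal never took
        # effect: the handshake fails before any certificate field is read.
        return {"host": hostname, "status": "verification-failed",
                "reason": exc.verify_message}
    days = days_until_expiry(cert["notAfter"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {"host": hostname, "status": classify(days), "days_left": days,
            "issuer": issuer.get("organizationName", "?")}


if __name__ == "__main__":
    import sys
    # Usage: python cert_check.py example.com another.example.org
    for host in sys.argv[1:] or ["letsencrypt.org"]:
        print(check_host(host))
```

Run it from cron a day or two after the renewal job and alert on anything other than "ok"; because it performs a full handshake with hostname verification, it catches not only a cert that is about to expire but also the case where the server is still presenting the old, dead certificate.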

On the downside, Let’s Encrypt doesn’t provide extended validation (EV) certificates, as automating the issuance of this type of certificate isn’t possible. To be honest, most small businesses don’t really need an EV certificate. Yes, it offers an increased level of authentication, in that it requires proof of company identity and control over the certificated domain. Yes, it will turn your browser client’s address bar into a green thing with that company name displayed. But it doesn’t change the level of encryption used, so the confidentiality and integrity of a site with an EV certificate are no different to those of one with a Let’s Encrypt certificate.

The subject is further complicated by the fact that a domain validation (DV) certificate of the type issued by Let’s Encrypt will still turn your browser bar padlock green; you just don’t get the additional green bar that comes with an EV certificate. Personally, I don’t think the considerable annual cost of an EV certificate is worth it for most folk outside of the retail and financial sectors.

Ovavu funny, Onavo less so…

As regular readers will know, I’m no great fan of the resource hog that is the Facebook app on Android. Indeed, I’ve tried many third-party alternatives. Sadly, I keep coming back to the genuine article as they all seem to die, in one functional aspect or other, over time. I won’t get into the conspiracy theories as to why that might be right now, but instead I’ll jump straight into another controversial topic. Namely, would you use a Facebook VPN? Or perhaps that should be, why would you use a Facebook VPN?

I ask because it seems that Onavo has reared its head once more. The name reminds me of Vic Reeves with his “ovavu” catchphrase, but is nowhere near as funny. Facebook bought Onavo some years back, and it was being pushed to users of the Android Facebook app via a “protect yourself” button a few years ago. You can download it from the Play Store if you like, but I’d advise against it.

While the “protect yourself” option has vanished from the Facebook app, it’s resurfaced within the iOS one. Click on this menu option and you’ll be redirected to the App Store for that Onavo download. So, what’s my complaint here? Simple: it’s the old be-careful-what-you-don’t-pay-for thing. I’m not suggesting that Onavo is being deceitful. Indeed, go to the Play Store and the app description clearly states that it “may collect your mobile data traffic” and will use it to “improve Facebook products and services”. If that’s what you expect from your VPN app, then no problem. Frankly, I don’t – and can’t see who will benefit from using this.

VPN apps are generally used to provide a layer of privacy, not only regarding your location but also the traffic being sent. I don’t want my VPN app to be sharing with Facebook information that includes, according to the iOS app description, “the applications installed on your device, your use of those applications, the websites you visit and the amount of data you use”. Rather than sounding like something I’d use to protect my privacy, it sounds like something I’d want to prevent infecting my device. In other words, it sounds like spyware.

But, hey – you get what you don’t pay for, right? Which is why when I need to use or recommend a VPN app, I use or recommend the paid-for variety. One that’s based in Panama (outside of the Five Eyes nations’ surveillance agreement), doesn’t record any logs and doesn’t track me in any way. Using a VPN that compromises your privacy makes absolutely no sense. I can see why it would make a lot of sense to Facebook, obviously. What’s that old internet adage again? If you’re not paying, you are the product...

Chinese security takeaway

Regular PC Pro reader Eli got in touch to ask: “What are your thoughts on the US government coming out against Huawei? I’m currently using an Honor 7, manufactured by Huawei, and I’m considering buying another Huawei device. Do you think there’s any meat to the US government claims that I’m compromising my security by using a Chinese device, or is it just politics talking?”

“No and yes”, would be the simple answer to that question. Or, you could ask yourself another question and extrapolate from there. How much of the technology you use is made in China? If there was any real and present danger from using Chinese devices, then that threat would surely be distributed across almost everything you own with internet connectivity. You’d have been pwned a long time ago, along with the US government.

I’m not alone in thinking this, as the decision by the National Cyber Security Centre (NCSC) in the UK to continue using Huawei kit confirms. Furthermore, Huawei even has a security operations centre (SOC) known as The Cell, which runs from GCHQ in the UK. Researchers at The Cell are supervised by the NCSC and monitor for any threats within Huawei equipment.

In my opinion, announcements by the FBI, CIA and NSA carry the Trumponian stink of protectionism, rather than a genuine concern over security. The bill introduced by US senators to ban Huawei phones for government personnel use is just more proof of this pudding that’s so happily eaten by the Trump base. So, don’t worry; continue to use the great kit made by Huawei and other Chinese firms, while employing best data security practice, and you’ll be fine. Probably.

At the time of writing, there are six unread emails in my inbox. Well, showing as unread in the “important and unread” view. This isn’t bad considering I have 162,656 Gmail “conversations” with 39,033 emails currently in my inbox. I’ve also sent some 13,586 emails, apparently.

To find out this kind of information yourself, head into your Google account and hit the “Personal info & privacy” option. Scroll down, and under the “Review activity” heading, you’ll find a link to your Google dashboard, where all becomes clear. Finding a particular email among all these conversations, less so.

Sure, there’s that prominent magnifying glass that points to the search function in the Gmail window, but most people fail to get the most out of it. One such person being a sometime client of mine who recently complained that, considering Google is the “God of Search” – let’s not even go there – it’s poor at finding what he wants in his Gmail archive. It turns out that he used the Gmail search like he uses Google itself: poorly. Banging a couple of keywords into the input field and hoping for the best is no way to treat such a truly powerful tool.

To get more out of Gmail searching you need to hit the More arrow, which reveals an instant and easy-to-understand ability to search by folder, by the from or to fields, by the subject line, with included and excluded words, for messages with an attachment and within a date range, for example.

Boolean operators are used to narrow a search, and you’ll probably already be aware of using AND as well as OR, for example. Gmail automatically assumes an AND operator if you use more than one word in your search, so typing Intel Processor will return messages that include both words. If you want to find emails containing the precise phrase “intel processor security”, then enclosing it within quotation marks does the job. The case is irrelevant, by the way, which makes life a bit easier.

Start playing around with operators and you could hone this search even more by using something like subject:“Intel processor security”, which would only return messages with the phrase in the subject line. What about subject:“Intel processor security” -Spectre, which would perform the same search but exclude any messages about the Spectre vulnerability?
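To make the behaviour of those operators concrete, here is a small Python model of the search semantics the column has just walked through: implicit AND between terms, a quoted phrase, the subject:, from: and to: field operators, the leading minus for exclusion, and case-insensitive matching. It is an added example written for this column, not Gmail’s code or any Google API; the mailbox is a constructed sample and, as a simplification, terms match as substrings rather than as the whole words Gmail indexes.

```python
import re

# One match per term: optional '-' for exclusion, optional field operator,
# then either a quoted phrase or a single bare word.
TOKEN = re.compile(r'(-?)(?:(subject|from|to):)?(?:"([^"]*)"|(\S+))')

# Constructed sample mailbox, not real messages.
MESSAGES = [
    {"id": 1, "from": "alerts@example.com", "to": "davey@example.com",
     "subject": "Intel processor security advisory",
     "body": "Patches for the Spectre vulnerability are rolling out."},
    {"id": 2, "from": "vendor@example.com", "to": "davey@example.com",
     "subject": "Intel processor security update",
     "body": "Microcode update for Meltdown now available."},
    {"id": 3, "from": "friend@example.com", "to": "davey@example.com",
     "subject": "Lunch on Friday?",
     "body": "The new intel on that processor security talk was good."},
    {"id": 4, "from": "shop@example.com", "to": "davey@example.com",
     "subject": "Receipt", "body": "Thanks for your order."},
]


def parse_query(query):
    """Turn a Gmail-style query into (exclude, field, text) terms.

    Every term must hold for a message to match, which is the implicit
    AND the column describes. Text is lower-cased for case-insensitivity.
    """
    terms = []
    for neg, field, phrase, word in TOKEN.findall(query):
        terms.append((neg == "-", field or None, (phrase or word).lower()))
    return terms


def matches(message, terms):
    """True if the message satisfies every term."""
    for exclude, field, text in terms:
        if field:
            haystack = message[field]
        else:
            haystack = " ".join(message[k] for k in ("from", "to", "subject", "body"))
        found = text in haystack.lower()
        # Fail on a wanted term that is absent or an excluded term that is present.
        if found == exclude:
            return False
    return True


def search(query, messages=MESSAGES):
    """Return the ids of matching messages, in mailbox order."""
    terms = parse_query(query)
    return [m["id"] for m in messages if matches(m, terms)]


if __name__ == "__main__":
    for q in ("Intel Processor",
              '"intel processor security"',
              'subject:"Intel processor security" -Spectre'):
        print(f"{q!r} -> {search(q)}")
```

Running the three queries from the text against the sample mailbox shows the narrowing step by step: the two bare words also pull in the lunch invitation that merely mentions both, the quoted phrase drops it, and the subject: operator combined with -Spectre leaves only the Meltdown update.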

“Advice by the FBI, CIA and NSA against using Huawei phones carries the Trumponian stink of protectionism”

@happygeek Davey is an award-winning journalist and consultant specialising in privacy and security issues

BELOW You can test your own site encryption at whynopadlock.com

BELOW Onavo is up front about the data it spews to Facebook

ABOVE Don’t worry: your Honor device isn’t a security threat
