28 August, 2013

certificate transparency

I went to a certificate transparency hack day at google london.

Dodgy x509 host certs really annoy me - they were a hassle when I worked on globus where we pretty much have out free host certs without any checking, to anyone who asked.

An achievable goal seemed to be to get a nagios plugin to check for certificates issued against a given hostname. I sort of have that working, with both OK/CRITICAL and a graph:

For now, the plugin is looking for certificates with the substring google in the subject name - there are plenty of such certificates in the log

When new certificates are discovered, they count as suspicious: they appear in red on the graph and the nagios notification system sends me an email. When an administrator (i.e. me) approves of the certs (by running an appropriate script), they turn into OK certificates and go green on the graph.

The underlying python code I'm using has a terribly slow ASN.1 parser, and so is only getting through a few hundred of the 2 million certs in the log every minute (see the blue line on the graph) - in a few days time hopefully it will have caught up. At least gives a pretty graph over time. In real life I'd expect a much smaller number of green certificates and hardly any/zero red certificates, as a flat line over time.

My original intention was to use this for matching domain names, but someone pointed out that it could be used to matching eg. trademark names anywhere in a certificate for some anti-phising detection.

Plenty of flaws:

  • doesn't check certificate alternate names (subjAltName)
  • doesn't check domain names at all
  • doesn't check consistency of data coming from the log server
  • doesn't deal with multiple log servers
  • doesn't deal with multiple domain name probes efficiently (eg by caching or sharing download/ASN.1 decoding between domain names) - this is perhaps better implemented by using Nagios's passive plugin interface where a monitor could push interesting results (for various domains) into Nagios, rather than the present active/polling style (whichI chose because its easy to do)
  • doesn't deal with unknown certificate extensions (at the moment, it ignores them which I think is sometimes the wrong behaviour - if the extension is one that authorises the use of new names (such as subjAltName does...)
  • its fairly synchonous which is a bad thing for nagios probes - spending 2 days to verify the initial log is not good for a probe that should take less than 10s

27 August, 2013


Standing at bar. Older gentleman comments how when he gets new missed calls appearing way down the missed calls list. conversation continues. After a while comments that SMSes also appear way down the list. Eventually I jokingly comment "is your clock set wrong?" to while he replies "yes- is that what's causing it?"

Mostly I find that interesting because it seems an unbelievably obvious problem if you've grown up immersed in computers, but isn't if you have different abstractions: post doesn't stack up on your doormat in the order of the clocks in your house; it stacks up in the order that normal time flows.

21 August, 2013

STV with restoration of eliminated candidates

STV eliminates candidates (and transfers their votes) until someone hits quota and win a seat. Then that winner's leftover votes are redistributed according to the next preference on those vote papers, and the process is repeated until there are no seats left to win.

One of the complaints about STV is that someone who is no ones first choice can get eliminated, even when it might turn out that they would get many second choice votes later on.

What happens if, after eliminating candidates enough times for someone to win, then in the next round those candidates are put back into the race, so can receive next-preference transfers?

It seems to make the counting process more complicated, but if you're doing this electronically, not devastatingly so. It puts candidates back in to receive transfers even if they weren't good enough to stay in the first round election.

What led me to wonder about this is some previous musing about proportional representation in the hereditary peers bit of the House of Lords, which is a bit like a stretched-out-over-time system that puts candidates back in for each seat.

14 August, 2013


At school we had lots of BBC Micros. When I was near the start of school, these were very new indeed and almost none of the teachers or classroom helpers knew how to use them.

When you turned it on, you got a beep and a relatively unfriendly command prompt along the lines of: Acorn MOS >

To load and run the default program off a removable disk, they had a shortcut key combination: press shift+break to get that behaviour.

Easy, right? Except very few people understood instructions along the lines of "press shift and break together" to mean "depress shift and keep it depressed. Press and release Break quickly as if typing a letter. Release Shift".

So instead, minutes of pressing shift and break together, trying really hard to get them at the same time, would ensue at the start of each session until accidentally shift got pressed before the break.

07 August, 2013

ping error

Got this while pinging Google DNS from my mifi:

64 bytes from icmp_req=302 ttl=50 time=2095 ms
64 bytes from icmp_req=303 ttl=50 time=2107 ms
wrong data byte #52 should be 0x34 but was 0x45
#8      8 9 a b c d e f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
#40     28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 45 0 0 54
64 bytes from icmp_req=305 ttl=50 time=2127 ms
64 bytes from icmp_req=316 ttl=50 time=11091 ms
64 bytes from icmp_req=317 ttl=50 time=10083 ms

Interesting to me that i) ping is doing more checking than I thought, and ii) there are link layers around that corrupt data (rather than drop packets) in reality not just theory.