Monthly Archives: December 2010

Gmail irritation #1

Sometimes Gmail decides your session has expired, when you’re in the middle of writing an email.

Gmail: Your connection has expired

If you’re lucky you might be able to copy the text from the draft out. If not, the most recently saved draft may or may not be up to date.

This is bad design. Why interrupt like this when you’re in the middle of something?

If you must have sessions that expire, then at least give the user a bit more time to actually finish what they’re doing — send and/or exit the draft — and then ask them to log on again.

uTorrent crapware

The latest version of uTorrent comes with an unwelcome friend — some kind of app host called Conduit, and a waste-of-time toolbar in IE and Firefox.

I don’t know if they’re dangerous or not (you’d hope the uTorrent people wouldn’t have allowed them in if there was any risk), but I certainly think they’re unwelcome, and the semi-auto update from the previous version of uTorrent didn’t give me the option of having them or not.

To remove them, go into Control Panel, Add/Remove programs and remove:

Conduit
uTorrent toolbar

You’ll also need to go into Firefox and in Tools, Addons, do the same.

That seems to do it (touch wood). uTorrent, unsurprisingly, seems to work fine without them.

Hey uTorrent guys, love your product, but stick to your core business, eh? Don’t let bundled crapware like this drag you down.

Update 24/12 — also noted: it changes your Firefox home page without asking, too.

Citylink: Poor security

Interesting article from The Age about Melbourne’s Citylink (Transurban) falling foul of a Google Chrome error: There’s no space like Chrome

Leaving aside the introduction, with its very amusing description of Google Chrome OS as:

an internet-infused operating system for computers that takes on Microsoft’s MS-DOS

… it talks about the Google Chrome browser refusing to connect with the Citylink web site due to an SSL error.

I tried to connect (I have an account there) and sure enough got an error when trying to log on.

Here’s the detail from Google:

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn’t be secure at all!

In this case the server needs to be fixed. Chrome won’t use insecure connections in order to protect your privacy.

You may find that the site works in other browsers. This is because other browsers, unknowingly or intentionally, work around the broken servers. But this doesn’t change the fact that the servers have a glaring security hole and should be fixed.

Technical details

This error message is triggered if the SSL/TLS handshake attempts to use a public key, smaller than 512 bits, for ephemeral Diffie-Hellman key agreement.

For website administrators

If your website has this problem, either:
1. use a 1024-bit (or larger) Diffie-Hellman key for the DHE_RSA SSL cipher suites, or
2. disable all DHE SSL cipher suites.

The Age article seems to assume that Citylink must use a 1024 bit key… but then, if the writer thinks Google Chrome OS is trying to compete with MS-DOS, it’s clear he may not be the most IT-savvy person.

My reading of the error is that it’s a combination of the DHE key agreement and the small key that is the problem. I’m not a net security expert, but that’s what point 2 appears to be saying.

It’s certainly not the case, as implied in the article, that they must use a massive 1024-bit cipher key — I’ve just logged into the Commonwealth Bank’s site, and all is working fine with their 256 bit key.

While Citylink/Transurban might be whinging that they’ve done nothing wrong, given all the other secure sites I use with Chrome are working perfectly, the conclusion I come to is that indeed there is a misconfiguration on their end.

It’s important that they get this right. After all, one wouldn’t want personal information being transmitted insecurely. It could get picked up by a passing Google Streetview car doing packet sniffing!

Update 10:45am: The reference to MS-DOS has now been removed from the article, which now reads: an internet-infused operating system for computers that takes on Microsoft.

It also no longer says Only one browser was available… in 2000, but has been changed to say One browser was dominant.