Cloud Providers compromise Domain Security

This just in via email from More information is available here:

Cloud provider vulnerability causes Let’s Encrypt to disable SNI domain validation

A major issue with some cloud providers allowed the unauthorized issuance of Let’s Encrypt certificates. Although the issue clearly lies with the cloud providers, Let’s Encrypt nevertheless has decided to disable the corresponding validation method.

Frans Rosén discovered that he could use the SNI validation method from the ACME protocol to issue certificates for domains hosted on certain cloud providers. He explicitly mentions Heroku and Amazon CloudFront.

TL;DR: I was able to issue SSL certificates I was not supposed to be able to. AWS CloudFront and Heroku were among the affected. The issue was in the specification of ACME TLS-SNI-01 in combination with shared hosting providers. To be clear, Let’s Encrypt only followed the specification, they did nothing wrong here. Quite the opposite I would say.

The core of the issue is that these providers allow users to upload certificates that the system will serve automatically to TLS requests with the corresponding server name. The ACME SNI validation method uses temporary certificates that end with .acme.invalid.

After the issue was reported, Let’s Encrypt almost immediately disabled the TLS-SNI-01 validation method. Let’s Encrypt subsequently decided that, with a few exceptions, it will stay disabled. The newer TLS-SNI-02 method is vulnerable as well. A new TLS-SNI-03 method that considers this problem is being developed, but for the time being users should switch to either the HTTP or the DNS validation method.
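To make the mechanism concrete, here is an added example that models the TLS-SNI-01 exchange and why it fails on a shared TLS front end. It is not code from the newsletter, from Frans Rosén's write-up, or from Let's Encrypt's own validator; the tenant names, the token, the account key and the `SharedEdge` class are constructed for illustration. The challenge name is computed the way the deployed TLS-SNI-01 draft specified it: Z = hex(SHA-256(token "." JWK thumbprint)), served as Z[0:32].Z[32:64].acme.invalid in the certificate's SAN list.

```python
"""Added example: why ACME TLS-SNI-01 breaks on a multi-tenant TLS terminator.

Not code from the newsletter, Frans Rosén's post, or Let's Encrypt/Boulder.
The tenants, token and account key below are constructed for illustration.
"""
import base64
import hashlib
import json

ACME_INVALID_SUFFIX = ".acme.invalid"


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: base64url(SHA-256(canonical JSON of
    the required members e, kty, n)) with '=' padding stripped."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True).encode()
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def tls_sni_01_name(token, thumbprint):
    """The SAN the CA expects to see: Z = hex(SHA-256(keyAuthorization)),
    presented as Z[0:32].Z[32:64].acme.invalid."""
    key_authz = f"{token}.{thumbprint}"
    z = hashlib.sha256(key_authz.encode()).hexdigest()  # 64 hex characters
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


class SharedEdge:
    """Model of a shared TLS front end (the role the affected providers play):
    many tenants sit behind one IP, any tenant may upload a certificate, and
    the edge picks a certificate purely by matching inbound SNI against the
    uploaded SAN lists. Ownership of the SAN names is never checked."""

    def __init__(self, reject_acme_invalid=False):
        self.reject_acme_invalid = reject_acme_invalid  # provider-side mitigation
        self.certs = []  # list of (tenant, frozenset of SAN names)

    def upload(self, tenant, sans):
        if self.reject_acme_invalid and any(
            n.endswith(ACME_INVALID_SUFFIX) for n in sans
        ):
            raise ValueError(f"{tenant}: {ACME_INVALID_SUFFIX} names are not accepted")
        self.certs.append((tenant, frozenset(sans)))

    def handshake(self, sni):
        """Return (tenant, sans) of the certificate served for this SNI, or None."""
        for tenant, sans in self.certs:
            if sni in sans:
                return tenant, sans
        return None


def ca_validates(edge, token, thumbprint):
    """What the CA does: connect to the IP the domain resolves to (here the
    shared edge), send SNI = expected name, accept if that SAN comes back."""
    expected = tls_sni_01_name(token, thumbprint)
    served = edge.handshake(expected)
    return served is not None and expected in served[1]


def run_attack(reject_acme_invalid):
    """Attacker and victim share one edge IP. Returns True if the attacker's
    authorization for victim.example would be accepted by the CA."""
    edge = SharedEdge(reject_acme_invalid)
    edge.upload("victim", ["victim.example"])  # the legitimate tenant's cert

    attacker_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus"}  # constructed
    token = "constructed-token-0123"  # constructed; a real token is CA-issued
    thumb = jwk_thumbprint(attacker_jwk)

    try:
        # The attacker never touches victim.example's DNS or account. It only
        # uploads, as its own tenant, a cert whose SAN is the challenge name.
        edge.upload("attacker", [tls_sni_01_name(token, thumb)])
    except ValueError:
        return False  # provider refused the .acme.invalid upload
    return ca_validates(edge, token, thumb)


if __name__ == "__main__":
    print("open provider, attacker validated:", run_attack(False))
    print("provider blocks .acme.invalid, attacker validated:", run_attack(True))
```

Rejecting `.acme.invalid` uploads is the mitigation some hosts applied, but it only protects customers of providers that bother to add it; the CA cannot tell a careful shared host from a careless one, which is why the method was disabled rather than patched around.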

Citizen’s Arrest – Indiana


IC 35-33-1 Chapter 1. Arrest

IC 35-33-1-4 Any person
     Sec. 4. (a) Any person may arrest any other person if:

(1) the other person committed a felony in his presence;

(2) a felony has been committed and he has probable cause to believe that the other person has committed that felony; or

(3) a misdemeanor involving a breach of peace is being committed in his presence and the arrest is necessary to prevent the continuance of the breach of peace.

(b) A person making an arrest under this section shall, as soon as practical, notify a law enforcement officer and deliver custody of the person arrested to a law enforcement officer.

(c) The law enforcement officer may process the arrested person as if the officer had arrested him. The officer who receives or processes a person arrested by another under this section is not liable for false arrest or false imprisonment.

As added by Acts 1981, P.L.298, SEC.2. Amended by Acts 1982, P.L.204, SEC.7.

IC 35-33-1-5 Definition

     Sec. 5. Arrest is the taking of a person into custody, that he may be held to answer for a crime.

As added by P.L.320-1983, SEC.3.

UI Cause of Hawaii Missile Scare

When salespeople started calling themselves “web designers”, web sites became little more than confusing, overpacked repositories for cartoon graphics: lots of color and little clarity. Clean, usable UI design is design where the human using the interface (hence User Interface) easily knows what to select.

No more than seven (7) actionable items should be on any screen (where the menu counts as one item). No menu should have more than seven (7) choices, and there should not be more than three (3) levels to any menu object. Choices should be logically arranged, following international norms and standards (in desktop apps we have had File, Edit, View, … Help for years, but sadly there is still not enough cross-site predictability on web pages, even for menus ending with … About Us, Contact Us, Privacy Policy). “Artistic license” belongs on artistic entertainment web sites, not on business sites employees use to get work done.

From a recent solicitation email from

On an otherwise quiet Saturday morning, the State of Hawaii learned the hard way about the consequences of relying on a poorly designed user interface (UI).

An employee at Hawaii’s Emergency Management Agency triggered an emergency alert last Saturday indicating that a ballistic missile was about to hit the islands.

Your first impulse might be to blame the employee for creating this statewide false alarm. But in the discipline of User Interface Design, there is no such thing as user error. Well designed software should anticipate the needs of its users, provide clear warning messages when users are about to take drastic actions, and make errors easy to catch and reverse.

Take a look at the remarkably confusing UI that caused the error:

The employee accidentally clicked “PACOM (CDW) – STATE ONLY” instead of the similarly named option “DRILL-PACOM (DEMO) STATE ONLY”, creating massive panic until a follow up message 40 minutes later revealed it was a mistake. offers their web site UI programming course description at for those who might be interested.

Best Buy for Mobile Services

Picture of my TING mobile phone bill for two phones, $18 total

Of course one phone would cost half what my bill is. My mobile bill for two phones has stayed at about $23, including unlimited Internet. charges per use, so if I go over my first 100 minutes, it’s $9 for 500 minutes instead of $3 for 100 minutes: you use as much as you decide that you need to use never getting “limited” or cut off.

They do what they say: we’ve had it since August 2016. Coverage is good. No actual problems that I remember.

If this is cheaper than you have now, and you want to change, you can use my link below and you will get a $25 credit (to pay your bill a couple months or to buy a new phone). Here’s my link:

Meltdown attack targets Intel processors

For some reason I have felt the preference to buy AMD processors in all my builds for the last decade. I am not against Intel – I used Intel and Motorola processors from the 1970s onward. I do use liquid cooling and other after-market heat sink arrangements, which causes me to prefer the socket arrangements for AMD because I feel the AMD is more mechanically solid, but I could identify nothing really significant in my mind that caused this preference. Here is one more little nudge in the AMD direction.

From Information Week’s Dark Reading

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. “If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure,” the researchers wrote in an FAQ about the attacks. “Luckily, there are software patches against Meltdown,” referring to Linux, Windows, and OS X updates (not all of which are yet available, however).

Most Intel processors since 1995 are affected by Meltdown (with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.
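Since the quoted FAQ makes "unpatched operating system" the deciding condition, the check a practitioner wants is whether the running kernel reports a mitigation. Here is an added example, not code from the Dark Reading piece or from the Meltdown researchers, that reads the two files Linux exposes (the `meltdown` entry under `/sys/devices/system/cpu/vulnerabilities/` and `/proc/cpuinfo`) and turns them into a verdict. The kernel's own report takes precedence over the CPU vendor string; a missing sysfs file means a kernel too old to know about the bug, which is treated as exposed. The sample strings at the bottom are constructed, not captured from a real machine, and the check is Linux-only (the Windows and OS X updates the article mentions are not covered).

```python
"""Added example: does this Linux host report Meltdown as mitigated?

Not code from the article or from the Meltdown researchers. The sample
/proc/cpuinfo and sysfs strings are constructed for the test, not captured.
"""
import re

MELTDOWN_SYSFS = "/sys/devices/system/cpu/vulnerabilities/meltdown"
CPUINFO = "/proc/cpuinfo"


def classify_meltdown(report):
    """Map the kernel's sysfs text to a verdict. None means the file does not
    exist: a kernel predating the disclosure, so assume it is exposed."""
    if report is None:
        return "UNKNOWN_ASSUME_VULNERABLE"
    text = report.strip()
    if text.startswith("Not affected"):
        return "NOT_AFFECTED"
    if text.startswith("Mitigation:"):  # e.g. "Mitigation: PTI"
        return "MITIGATED"
    if text.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNRECOGNISED"


def cpu_vendor(cpuinfo_text):
    """First vendor_id line of /proc/cpuinfo, e.g. GenuineIntel or AuthenticAMD."""
    m = re.search(r"^vendor_id\s*:\s*(\S+)", cpuinfo_text, re.M)
    return m.group(1) if m else "unknown"


def read_optional(path):
    """Return the file's text, or None if it is absent or unreadable."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def assess(cpuinfo_text, meltdown_report):
    """Combine vendor and kernel report. Only the kernel's verdict decides
    whether the host is safe for sensitive data; the vendor is informational."""
    verdict = classify_meltdown(meltdown_report)
    return {
        "vendor": cpu_vendor(cpuinfo_text),
        "meltdown": verdict,
        "safe_for_sensitive_data": verdict in ("NOT_AFFECTED", "MITIGATED"),
    }


def assess_this_host():
    """Run the check against the live files of the machine this runs on."""
    return assess(read_optional(CPUINFO) or "", read_optional(MELTDOWN_SYSFS))


# Constructed samples (not captured from a real machine)
SAMPLE_INTEL_CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\nmodel name\t: constructed\n"
SAMPLE_AMD_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\n"

if __name__ == "__main__":
    print(assess_this_host())
```

Run it as root or a normal user; the sysfs file is world-readable on kernels that have it. An Intel box whose kernel lacks the file entirely is the case the article warns about, and the check deliberately reports it as not safe rather than unknown.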