Many of you logged on to the Lost Coast Outpost during the noontime hour (and a little after) and were confronted with an alarming message that went something like:
UNSAFE UNSAFE UNSAFE! HIE THEE TO SAFETY AND AWAY FROM THIS WEBSITE FORTHWITH!
This was an alarming experience for many, judging by the calls and emails we are still receiving, well over an hour after everything has been all cleared up. And though that’s OK, there’s no reason to actually be scared. Everything worked as it should. Cambridge Analytica does not have your data. Here’s what happened and why.
It was a strange confluence of events. Three things happened to make the world’s web browsers not trust the LoCO for a little over an hour:
- The Outpost’s public-key security certificate — the thing that puts the “s” in “https://” — expired at precisely 12 p.m., while…
- Your Lost Coast Outpost was meeting with the delightful people at the
OSHAOsher Lifelong Learning Institute’s regular “Brown Bag Luncheon,” at a time when …
- The mighty LoCO webserver had been running on weeks and weeks of uptime. Too strong for its own good!
Let me explain.
The Outpost gets its TLS certificates from Let’s Encrypt. These certificates help your computer interact with the Outpost on a secure basis — third parties cannot intercept your activity on the Outpost, because all communications are translated into a string of nonsensical characters before they are sent out over the wire. This is a good thing. Everyone agrees that all internet communications should be encrypted these days, for a whole lot of reasons that you can read about here.
Also, encrypting everything lets the Outpost do a lot of things that it otherwise couldn’t do, like be much faster than it would be otherwise and run fun things like “Press the Button.”
But public-key certificates are good only for a specified period of time. They still work after they expire, but browsers will not trust them anymore. And that’s a good thing. You want fresh certificates.
The Outpost is always checking whether its certificates are fresh. When they go stale, they grab a new one. But — key thing — our webserver has to be restarted for it to start serving the new one instead of the old one. Not usually a problem, because usually various things are restarting the webserver on a semi-frequent basis. (It only takes a split second, and the average user wouldn’t notice.) But this time it had been up for too long and was still slinging the old, expired certificate.
Meanwhile, I was jabbering with the wonderful people of OLLI. I knew there was a problem, but I didn’t realize how bad it was. I didn’t realize that effectively no one could get the LoCO. Sorry!
But everything is OK now, and nothing terrible happened except people couldn’t reach the website for a bit. If you got the DANGER WILL ROBINSON message, you should be glad that your web browser is looking out for you. An invalid security certificate isn’t the only kind of bad thing that can happen to you on the internet, but without this kind of system in place shady people would be able to do some shady internet things that they now cannot.
OK! All is well.