A little info on using SSL in your web site

I recently made a rash Tweet saying that if you don’t have SSL (Secure Sockets Layer; what HTTPS uses) your WordPress site will be hacked. That’s an overstatement. I’ve known people who’ve run WP sites without SSL with no problems.

So here’s a little web SSL orientation for people who have better things to do than learn the details of computer security.

First, some people think that you need SSL on your web site/service only if you’re doing things you want to hide, or if you’re doing financial transactions.

My opinion is that your web site needs SSL for anything that involves posting or login. As plenty of people have pointed out, if you as a web client don’t use SSL when you post or log in to a site, an attacker – an eavesdropper – can easily post or log in to that site as you. So if you don’t have SSL, you can’t trust that the poster or login isn’t somebody whose life goal is to sell counterfeit shoes, inflate the Google ratings of their bogus web site, or worse.

Another benefit of SSL is that it gives your web clients better assurance that when they go to your site, say “https://needhamia.com”, they are talking to the real site and not some imposter site (who wants to sell shoes, etc.).

SSL can involve a bit of sticker-shock on the scale of buying web hosting in the first place, so think about the costs to you and your users of your site getting hacked or their accounts or data being stolen. If your site and data need to be safe, you’ll probably choose to bite the bullet and pay the money necessary to make your site secure. (I know, I know, it sounds like a racket, doesn’t it?)

SSL also involves a lot of lingo. Thankfully, you don’t have to understand the details of the meaning of the words or how SSL/HTTPS works to use it.

So here’s my recommended sequence of things you need to do to support SSL. I’ve left off the details because I just want to give you an orientation rather than a tutorial.

  1. Get a web host that supports SSL. Most do, but a surprising number don’t. If you’re building your own web host from scratch, I expect you’ll be able to set up SSL.
  2. Buy a domain name.  For example, my domain name is Needhamia.com. It will cost you a small amount per year. This name is necessary for SSL registration. Some web hosts support only domain names that they sell, vs. domain names sold by other domain name registration services.
  3. Once you have your domain name, connect it to your web site. If you bought your domain name from your web hosting service, they can help you do this.  It’s not complex.
  4. Once you have connected your domain name to your site, order an SSL certificate.  It can cost you a surprisingly large amount per year – but think about the costs to you of not having it: suppose somebody hacks your site or impersonates a user. There are several kinds of certificates. Again, some web hosts support only SSL certificates that they sell vs. certificates sold by others or ‘signed’ by yourself. Filling out the paperwork can seem daunting, but it’s not so bad for the simpler types of certificates.
    • “self-signed”. These certificates are the simplest/cheapest because you can make one yourself. They give your web clients the security they need to keep from being eavesdropped on. They don’t give them any assurance that your site is real – but that’s ok in some applications.
    • “standard” certificates. These are often the least expensive certificates a web host will sell. They’re probably fine if your site doesn’t deal with money directly.  This is the level certificate I’m using on Needhamia.com.
    • Fancy certificates. These are more about what kind of logos various browsers will show for your site, and how much assurance the certificate gives web clients that your site is who it says and you are who you say you are. Useful if you’re selling stuff.
  5. Once you have your SSL certificate, install it on your web site. Your web hosting company can make this easy for you, especially if you bought the certificate from them.
  6. Ta Da! Now https://yourdomainname uses SSL!
  7. To make your browser-based clients safer, it’s a good idea to make your web site “redirect” http to https. That is, if they type “http://yourdomainname” their browser automatically goes to “https://yourdomainname” instead. I found it hard to find the instructions I needed for this step, but a little searching turned it up.

To sum up: you need to, in this order, get a site, get a domain name for it, get an SSL certificate for that domain, install the SSL certificate on your site, and (optionally) redirect http to https.
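To confirm that the redirect in step 7 behaves as intended, here is an added example (not from the original post) that inspects the response a server gives to a plain-http request. Treating a temporary redirect or a change of host name as a problem is an assumption of this checker, and the `example.test` responses are constructed.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

def check_https_redirect(request_url, status, headers):
    """Return a list of problems with the response to a plain-http request.

    An empty list means the response is a permanent redirect to the same
    host, path and query string over https.
    """
    problems = []
    req = urlsplit(request_url)
    # Header names are case-insensitive, so normalise before the lookup.
    location = {k.lower(): v for k, v in headers.items()}.get("location")

    if status not in PERMANENT | TEMPORARY:
        return [f"status {status} is not a redirect; page is served over http"]
    if status in TEMPORARY:
        problems.append(f"status {status} is temporary; expected 301 or 308")
    if not location:
        return problems + ["redirect has no Location header"]

    dest = urlsplit(location)
    if dest.scheme != "https":
        problems.append(f"Location uses scheme {dest.scheme or 'none'!r}, not https")
    if (dest.hostname or "").lower() != (req.hostname or "").lower():
        problems.append(f"Location host {dest.hostname!r} differs from {req.hostname!r}")
    if (dest.path or "/") != (req.path or "/") or dest.query != req.query:
        problems.append("path or query string is not preserved")
    return problems

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http://example.test/blog?p=1", 301, {"Location": "https://example.test/blog?p=1"}),
    ("http://example.test/blog?p=1", 302, {"location": "https://example.test/"}),
    ("http://example.test/", 200, {}),
    ("http://example.test/", 301, {"Location": "http://www.example.test/"}),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, status, check_https_redirect(url, status, headers) or "OK")
```

Feed it the status code and headers your own site returns for its http:// address; the third sample is the case where the redirect was never set up.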

Now you can build some really cool web apps!

If at first you don’t succeed…

It was all going so well.

In an earlier post I tuned the chimes. In this post, I find one way not to make a frame for those chimes.

I created the frame for the glockenspiel, with a square frame on the outside so that I could mark the inner part of the frame with 1″ lines, one per chime.

Marking the lines for the chimes

I then aligned each chime in turn with the lines and with the centerline of the frame – the place where the solenoid will strike the chime.

Aligning each pipe with the center and edges

I then drilled a pair of shallow marker holes for each aligned pipe. I could have instead marked the holes by slipping a thin pencil through the chime holes – but I didn’t have such a pencil, so the handy hand drill sufficed.

Drilling shallow marker holes

I then drilled smaller holes centered in the marker holes, and glued a short dowel in each hole.

Then I made the big mistake: I unscrewed the frame so that I could glue it back together – replacing the screws with glue.

Gluing the frame - after drilling the peg holes

Although I was careful to glue the frame pieces along marker lines I’d made when it had been screwed together, the long sides of the frame slipped enough that the dowels no longer aligned with the holes in the chimes.

You can see in the photo below that, for example, the “D” chime hole is nearly 1/4″ away from the peg above it, that it should have been able to rest on. This offset is true for almost all the chimes, indicating that the long parts of the frame shifted between the time I drilled the dowel holes and the time I tried to drop the chimes onto the dowels in those holes.

The holes don't line up

So, my plan now is to make another frame, and to glue the frame together before I mark and drill the dowel holes (duh) that the chimes will fit over. If at first you don’t succeed, find the root cause of the problem and correct it :-)

My next post has the details of the working frame for the chimes.

I knew the project wasn’t unique, but…

Imagine my surprise, after working on my robotic glockenspiel for weeks, when I opened the Signals Catalog, and page two revealed Chimes of the Seasons Music Box, $90. The product has since been discontinued, but it was fun to see it in the catalog.

I knew the project was far from unique, but hadn’t seen such a thing in stores for years – cool that it returned to the zeitgeist.

Cutting and Tuning Robotic Glockenspiel chimes

Cutting Glockenspiel pipes from 1/2" EMT Conduit

After a few weeks of experimentation, I think I can now write sensible notes on how to cut and tune the chimes for a glockenspiel (metal xylophone) out of metal conduit. This is the first step of my Robotic Glockenspiel project, which I hope to end with a network-connected, Arduino-controlled set of chimes that can play Christmas carols.


Nerd Christmas Tree

I’ve successfully assembled my second soldering kit: The Velleman MK130 ‘3D’ Christmas Tree.  It’s a set of blinking LEDs that sit atop a 9V battery… or you can add some long wires and hang it as a Christmas ornament.

At any rate, it was good practice for soldering, and the result is kinda cute.  See my YouTube Video of the Kit for the whole experience.

I figure I’m ready to build an Arduino proto Shield next!

Ah, the lovely incense of (lead free) solder

Since I’ve been doing Arduino work, I’ve accumulated a few board and Shield kits that I need to put together. I haven’t soldered since college, so I decided to brush up on my rusty skills by buying one of those little electronics project kits: a Velleman MK102 Flashing LEDs kit.

It turned out really well, thanks to my Hakko FX888D Soldering Station from SparkFun, and my QuadHands 3rd hand from Amazon. The circuit worked right away.

Check out the really, really boring video of the finished board blinking away at YouTube – whee!

The front of the board doesn’t look too bad; only a few parts pulled away from the board a bit:

The component side of my finished Velleman MK102 Flashing LEDs kit

The back is the real giveaway that I’m a newbie: most of the soldering looks pretty good, but I see a couple cold solder joints, a couple dirty solders, and one pair of soldered points that are a bit too close for comfort – fortunately they didn’t short out.

Solder side of my finished Velleman MK102 Flashing LEDs kit.

Not bad for a first effort, and on par with the handiwork on many cheap electronic gizmos you might buy. Next I’m planning to solder one of those little Flashing LED Christmas Trees, which has many more components. Then I think I’ll be ready to have a go at one of the Arduino board kits!

I’ve blocked Comment Spam… I think

A barred door in Chirk Castle, England.

Comment Spam is the bane of blogs: fake comments that are nothing more than links to sites offering  high-fashion shoes, purses, and porn (curious set, no?)

I’d love to accept real comments from anyone who is not anonymous, but unfortunately Spam Comment robots happily provide fake identities. So I’ve had to restrict comments to people who have created an account on my site.

…but even that doesn’t take care of the problem. As this WordPress FAQ explains, the WordPress comment settings affect only future posts; existing posts are still targets for spam.

So now I’ve set up comments to work only for people who have accounts on this site, and have turned off comments for all my old posts.

Hopefully my new posts will welcome your comments, as long as you create an account with me. Sorry for the trouble; blame the Comment Spammers.

The Squirrels predict a cold winter

The Co-Presidents never put much stock in rural folks’ tales of very wooly caterpillars predicting a bad winter… until one year when we noticed a squirrel had made a huge pile of fir-cone nibbles, a few months before we were snowed in for a couple weeks.  A similar thing happened before the last bad winter: we noticed a squirrel tossing down hundreds of green pine cones, to stash the goodie-parts away for the winter.

So a few weeks ago when we noticed that a squirrel had dropped hundreds of these Douglas Fir cones onto our deck, a suspicion grew within us that this winter could be a doozy.

So here’s our prediction: 2014-2015 winter in the Portland, Oregon area will be unusually cold.  There, we’ve put our bet down. Let’s see how winter turns out.

Fir cones on our deck foretell a hard winter