Friday, 22 August 2008

Lunatic politicians over Oslo parking permits (beboerparkering)

Oslo Kommune, my local council, have some time ago agreed to launch a parking permits scheme( Beboerparkering). Up till now the residential areas of the city have enjoyed free curb side parking. The scheme may start at the end of the year.

I have lived and visited many places with such schemes, and they have always been exceptionally limiting, and a real nuisance, especially to guests. So I am really annoyed the council have agreed to this.

How can people and politicians be so blinkered?! I keep reading articles, interviews of people on the street, and no one seems to think this is a bad idea, and no one is asking the obvious questions. Will this improve their parking problems? No it wont!

I was surprised most political parties supported this idea, not just the petulant spoilsports of SV and KRF, but all large parties on the left and right. Suppose it is a sneaky way to grow their coffers and ban people from the freedom of cars.

I live on Industrigata in Majorstuen in Oslo, which is part of the initial trial area. It is an area very close to the city centre and has a popular shopping street, Bogstadveien, going straight through it.

The parking situation up till now:
* Free curb side parking.
* During day time, busy but some available parking spaces on every street.
* In the evening, impossible to find a space, average 20-40 minutes search, especially if you work late.

Reasons for permit scheme:
* To stop commuters parking here during office ours and then walking to city centre.
* Allow local residence parking.

Details of scheme:
* Charge for permit. Initially 300kr/year.
* Limited permits, for residence only.
* Need permit between 09-17 weekdays and 09-15 Saturdays.
* Visitors can stay for 2 hours at any time.

So what does that entail?

* More free spaces during daytime. Which means unemployed and pensioners can park. Great. Do they need a car?
* Shoppers targeting specific shops will still be able to park.

* No change for the evening. Will still be as chocker full as before.
* We now have to pay for parking. What is to say this charge will not increase?
* General shoppers are now unwelcome, if it is not a brief visit.
* Tourists whom drive are now unwelcome.
* Businesses resident in the area are now unwelcome, even if they get a few permits.
* Visitors are now unwelcome, if it is not a brief visit. Staying over is not an option, even if drinking.
* Will encourage more residents to drive to work, as they may not have permit to park both cars during daytime.
* Commuters will now park in another area, causing more congestion in that area.
* Residents with no permits, or 2nd car owners will have to park in next door area, causing more congestion in that area.

This is what the blinkered people don't realise. They will NOT be able to park any easier as it will still be full in the evening. This is because in the evening it is 99% residents whom are parking. The outsiders is negligible at this time. And there simple is too many resident per car park space. And a scheme will not change that.

The only way that there will be noticeable more spaces in the evening, is if the residents themselves wont get enough permits. And that is not a good solution. That is beating the locals with a stick.

And enforcing commuters to not park in the area, is not a good idea. Yes some misuse the free parking, but others actual work in the area, need to drive due to kids/distance or poor public transport options. Not to forget they usually leave some business behind by popping into shops in the area on the way home. And blocking them out is not needed as there are spaces available during daytime.

And I don't even own a car!

Firefox 3 ACHTUNG ACHTUNG self signed certificate

Lately as a techie geek, a very minor thing have annoyed me. (Non techies can switch off now).

Firefox 3 was launched a few months ago, and it is a great evolution in the subject of browsers. The progression in security and anti-phishing is very laudable. But one thing really annoys me (hence this post):

The huge ACHTUNG ACHTUNG process when encountering a site that uses a self-signed certificate for SSL. And the reasons and responses to why this is so.

A self-signed certificate is SSL certificate for encrypting and authenticate the site you are visiting. Self-signed means, that the certificate has not been signed by a 3rd party (at least not one you browser knows), thus the authenticated can not be guarantied. However the traffic is still fully encrypted.

Banks, web shops, medium to large businesses and high volume web sites do not have a reason for using self-signed certificates. They should afford the the costs and effort of setting up proper authenticated certificates. Expired and invalid certificates should not be accepted from them.

However for smaller organisation, charities, tiny business, personal sites and application, and small application, self-signed certificates is a great help. They are free and ensure encryption.

I have perhaps 50 odd tiny applications and web sites on a range of domains. I am not about to hand over $500-5000 a year to some 3rd party racketeering company to secure and authenticate all these sites. Especially as I probably make only about $100 a year on them, mostly from ads!

Yes, some of the sites are only used by me and a limited known user group, so the warning is shortlived. However for many of them they are for the general public, and needs volume to be make any money or to be of any interest. If any becomes a huge success, then I can get a decent certificate, but most of them will never be. Nor for the rest of the web with similar issues as mine.

So what is the problem with Firefox 3 ?

When encountering a self-signed, the new version of Firefox displays a full page alert. This ACHTUNG, ACHTUNG, alert in striking yellow and a policeman stopping you, is quite off-putting. To still view the site you have to go through 4 clicks of yes, really yes, accept etc.

Previous version, Firefox 2, displayed a pop-up box, where you could view the certificate, reject or accept it. Other browsers displays similar warnings, but not quite as rigorous as FF 3, which are not necessarily better.

With this new warning page, the majority of the casual web users will either be put by either the effort needed to enter the site, or scared off by the warning. The minority of the users which are technologically savvy will not be put off by the alerts, and will still be able to view the site. Also the users which are very specifically interested in the site, will perhaps ask for assistance first, but may still view the site. Depending whom your target users are, the majority may now never visit your site/app or will already be slightly peeved off.

So Firefox 3 is by its actions recommending web sites not to be encrypted.

Why the new warning?

The reasoning for a warning, is because the site can not be authenticated, thus perhaps a phishing attempt and/or it may be possible a Man in the Middle Attack has occurred. And the new extended process is so users are more aware of this than previous.

Valid points and I believe the users should be informed somehow. However I do not agree the scale of the warning is justified. And it does create a huge hindrance for many valid web sites.

Benefits and risks of using certificates

If the site has a 3rd party signed certificates, which all important sites should have, especially where money is changed hands, then only a a valid signed certificate is acceptable. Fair enough. But 3rd party authentication does not guarantee authentication, you may still have misstyped the url. The 3rd party may not have rigoursisly checked the authentisity of the site before singing the certificate. etc. But it is usually a safe bet that it is secure.

Expired or invalid certificates for important sites, is not acceptable either. But again for the less important, less resource rich people and organisation, it should be to a degree. At least it is authenticated. But for general web sites, these certicatesd is lax on behalftheir IT, and should be noted in some way.

Self signed certificates, are great in ensuring encryption. This prevents network snooping of passwords etc, which is very easy to do. Yes it can not authenticate the site. And Man in the Middle Attack is possible if it is the first time you visit this site. However Man in the Middle Attacks are extremely rare and difficult to do. Self-signed is not for banks etc.

Changed certificates. Sometimes for valid reasons a certificate is changed, e.g. when the old one expires. This should be warned of and yes, especially for self-signed certificates, a big alert warning should be prompted.

No certificate, as in plain http, unencrypted traffic. I believe we should use SSL/TLS as much as possible. When you need to log on in any way, the site should be encrypted. Any data specifically to/about you sent over the net should not be able to snooped on by casual listeners.

Developers responses and people comments

What really also annoyed me is the reasoning by developers and the advocacies by people comments in articles about this warning.

They say it is better to block people than to allow access to unauthenticated sites. Or people really need to be warned, and if they are not smart enough then too bad. Which is just bad business and ignorant.

Or no excuse not to cough up for certificates and that self-signed sites does not deserve any pity. Well that is okay for rich people, but not me, and not the millions of tiny sites that make up the majority of the web!

Or the typical techie replies that the warning is no problem, only a few clicks and they really like the information etc. Which is again ignorant of the huge portion of users which will be terrified with this unfriendly warning.

Or that Man in the Middle Attacks is really dangerous and should over prioritise any usability. No, MitMA are rare, very rare. Yes, important to protect about, but we should not stop people using the web by doing so.

Or that unauthenticated SSL is worse than plain http due to perhaps impression of authenticated. No, plain unencrypted http is terrible, as snooping is easy and common. It really is a problem with how the browsers show the distinction between unauthenticated and authenticated sites, not the sites.

The outcome and my suggestions

The current police warning by Firefox 3 is a very bad solution. It will cause:
* Many self-signed sites to convert to unencrypted.
* More easy snooping of peoples passwords as sites go unencrypted.
* Some self-signed to purchase certificates.
* Loss of information spread, ad revenue and business for small sites.
* Confidence in Firefox in progressing usability

What Firefox needs to do is to distinguish the different states of certificates (which it already does to a degree).

Signed 3rd party certificates.
Display the new signed favicon as it does. with lock in status bar etc. no problems with it.

Expired or invalid signed certificates.
Warn but allow access.

Changed signed certificates.
No warning.

Self-signed certificates on 1st encounter
Warn but allow access. But not the ACHTUNG ACHTUNG approach. A simple change of icon to a red broken lock as in previous netscape versions is enough information. A cleaner drop down bar like the new remember password bar, to allow import of cerficate, inspection and links for more information would be much better. Maybe colour location bar red, till the certificate is accepted. If not the certificate is not kept once the session is over.

Self-signed certificates on re encounter with previously accepted certificate
No warning. Just the red lock. Or with a question mark over the favicon.

Changed self-signed certificate.

No certificate, unencrypted.
Maybe this should be changed to show users that it is not secure in any way?!

enough ranting. no one will read this (not the whole post anyway ) :)

(Ps. Man in the Middle Attack is when some other machine between you and the site pretends to be the site and intercepts your traffic, and responds with its own fake certificate)


I am sometimes worried about myself (or perhaps human kind ).

Real issues and problems, like wars, famine, murders etc while it is obviously really bad for the people concerned, and I do have some sympathies, ( and its interesting in a news sense), but it does not really upset me. Ok, I am not cold harted and do get involved, sometimes.

However little minor everyday things really ticks me off. Like being overtaken while queing in a car or shopping queues. Or how general things annoy me, like how my fellow Norwegians are quite cold and rude, my former fellow Englishmen are quite ignorant. Or that Norwegian SV politicians really pisses me off as most things they say and do generally is trying to make most people's life worse, in a quite sadistic and petulant way. Or when the people above/next door have their bass on slightly too loud, never mind people being slaughtered in Georgia/Sudan (or wherever my biased one-sided news channel reports it from), but the extra noise is really bad...

Or in a more selfish example, when e.g. encountering a Romanian beggar on the streets, I am not upset enough that an EU country can have such huge problems with social differences and discrimination of minorities, I am however annoyed that they are allowed into this country, do not work and disturb me. Terrible, I know.

In the local news, a car parking permit scheme is about to be introduced in Oslo, and that really got me annoyed how blinkered people and politicians are. And I don't even have a car! Think that will be another blog post.

Lately as a techie geek, another minor thing have annoyed me. Firefox 3 new ACHTUNG ACHTUNG alert for self-signed certificates. Think will be another blog post as well.