The Joys of Having an Expired SSL Certificate

A frustrating waste of time.

A few months ago, when it became clear that the Republican-led Congress was going to allow ISPs to sell our browsing history to the highest bidders, I got a bit more concerned about security. In my research, I came across an article that recommended that users never visit a website without an SSL certificate.

If you don’t know how to tell whether a site has an SSL certificate, the easiest way is to look at the full URL. If it starts with https:// instead of http:// it has an SSL certificate. Think of that extra character, the s, as standing for secure.

Also, some web browsers display a special icon — such as a lock — near the URL or possibly in the status bar at the bottom of the page.

One thing is for sure: You should only enter personal data in pages that are SSL-protected. So if you don’t know how to check for a secure page in your browser, learn.

Of course, at the time, this blog did not have an SSL certificate. I’d done some research in the past and decided it wasn’t worth the cost. After all, although I do get a few donations — thank you generous supporters! — it isn’t as if this site earns any money for me. Hosting costs enough money; buying a certificate wasn’t in the budget.

Still, that article made me wonder if I were losing visitors because I didn’t have that certificate. So I did some more research and discovered that my WordPress host, Bluehost, offered a free SSL certificate for subscribers. I made a few calls, clicked a few links, installed a WordPress plugin, and voilà! I had a coveted https:// URL.

And then I pretty much forgot about it. After all, typing in the old URL (without the s) still pointed people to the new one. And who types in the whole thing anyway? If you put in any combination of URLs to get to this site — or if you clicked a link that took you here — some sort of behind-the-scenes magic put you on a secure page.

Yesterday changed that. I went to check the site and was faced with the following message:

Page is Not Secure

WTF?

Of course, I discovered this about 30 minutes before a friend was due to arrive to detail my helicopter and I had about a half dozen other things I wanted/needed to do before he arrived — like get dressed? (It was 5:30 AM.) So I did the easy thing: I called Bluehost and asked them what the hell was going on.

The support guy I got was very fond of the hold button. I don’t know if it’s because he really needed help or if he was working on more than one call at a time. I was on hold for most of the 45 minutes our call lasted. While I waited, my friend came, I greeted him in my pajamas, I made him coffee, and I put a bowl of cherries in front of him, occasionally interrupting our conversation to speak with the Bluehost support guy when he came back on the phone.

My big concern was this: people would be scared away by that message. They’d click a link, get to my site, and leave, thinking they’d get a virus or something. I needed the problem resolved quickly.

I was told that Comodo, the organization that provided the SSL certificates, had sent me some sort of verification email that I needed to click a link in. I told him I’d never gotten a message, although it could have been sorted into spam and automatically deleted. He asked me to check a specific email address. I told him I didn’t have that email address. “Well, that’s where the message was sent.”

This made no sense. It was not the email address I had on file with Bluehost. It was an email address on my domain that I had never set up. I checked and verified that it didn’t exist. Comodo had sent an email message to an address that I’d never created or used.

Seriously: WTF?

Mr Hold Button told me to create the address, which I did while he waited. Then, after putting me on hold for a while longer, he told me they’d send a new message and that I should follow the instruction in it.

By this time, I was tired of dealing with the problem. I needed to get dressed. I needed to pull the helicopter out so my friend could get started on it. I needed to do the other things I needed to do. So I told him I’d check in a while and hung up.

And then I forgot about it.

You see, I have a life and that life does not revolve around dealing with computer issues. That was my old life. My new life is far more interesting.

Besides, I had no intention of adding that new email address to any of my email clients on any of my devices. That meant I had to sit at a computer and go to the Webmail feature on Bluehost to check the message. Not exactly something I’m likely to remember.

But I got reminded again this morning when it still didn’t work right. One of my readers emailed me. I also noticed when I attempted to approve two comments.

I checked that stupid email inbox. Empty.

I got on the phone with Bluehost.

This time I got a guy who didn’t like touching the hold button. He stuck with me while we worked through the problem. There was a lot of silent time. He was texting with Comodo. I was starting to write this blog post. Occasionally, he would update me. Occasionally I’d whine to him about how ridiculous the whole thing was. He was suitably sympathetic. I was as apologetic as I could be. After all, it wasn’t his fault.

In the end, the email message finally came. I clicked the link — but not after lecturing him about how we’re not supposed to click links in email messages. I entered the secret code. He confirmed some stuff on his end. I snacked on some cherries. When he said, “Try now,” I did.

The problem was fixed. It had taken 22 minutes.

We wished each other a nice day. When I got the survey at the end of the call, I gave him a good score.

So it looks like this site is secure again — at least until the next time Comodo decides it needs to verify me.

And yes, this did impact site traffic. I had less than half my usual visitors yesterday and started today at about one quarter the traffic I should have had by noon.

The FAA’s Irrational Application of a Rule

A little about my Vertical column and the responses to it.

If you’re a helicopter pilot, you’re likely familiar with Vertical Magazine. Simply put, it’s the premier helicopter pilot/operator publication, with great articles and amazing photography. It not only informs those of us in the helicopter industry, but it keeps us enthusiastic about being part of what’s admittedly a rather elite club.

If you read the June/July issue (download here as a pdf), you may have seen page 10’s Talking Point column. And if you know this blog, you probably realized that the Maria Langer who wrote that month’s column is the same Maria Langer who has been blogging here since 2003. Yeah: me.

I haven’t blogged about this yet because, frankly, I still can’t believe it happened.

While I wasn’t paying attention, the FAA issued FAR Part 135.160, which requires Part 135 on demand charter operators like me to install a radio altimeter. The rule has a loophole, which my Primary Operations Inspector (POI) at the Flight Standards District Office (FSDO) told me about: a waiver was available for helicopters less than 2,950 pounds max gross weight. My R44 has a max gross weight of 2,500 pounds and is VFR-only. Surely I’d get the waiver.

I didn’t.

What’s the Big Deal?

If you’re not familiar with what a radio altimeter is, you likely don’t understand how incredibly idiotic it is to require one in an R44. Here’s the deal. A radio altimeter — which is also sometimes called a radar altimeter — uses radio waves to measure the exact height of an aircraft over the ground. It then sends this data to a readout on the aircraft’s instrument panel so the pilot has this information handy.

Of course, a Robinson R44, which is what I fly, is a VFR-only aircraft. That means it’s only legal to fly in VFR (visual flight rules) conditions. That means you can see out the aircraft window. And that’s what Robinson pilots — all VFR pilots, for that matter — do when they want to know how high off the ground they are. They look. After all, they’re supposed to be looking outside anyway.

So for the FAA to require this kind of instrument on an aircraft that’s never going to need one makes absolutely no sense whatsoever.

Being the gadget person I am, I might not mind having a new toy in the cockpit. The trouble is, my cockpit’s panel must be modified to accommodate it, thus reducing my forward visibility, and the damn thing is going to cost me $14,500 to buy and have installed. And the helicopter will be offline for about a week while the mechanic tears it apart and drills holes in the fuselage to put it in.

There’s more to the story, but it’s mostly covered in the Vertical column. Go read it now; it’s on page 10. It’s short — they wouldn’t let me have more than 1,000 words. (I know; I gave them 1,200 and they cut 200 out.) See if you can read my frustration between the lines.

Responses

I got a number of responses to the column.

This is kind of cool: they listed me as a contributing editor in that issue’s masthead.

The very first was from my friend Mike in Florida. He sent me an email message that included the Contributing Editor list you see here and a link to the article with his congratulations. Mike has also written for Vertical; he has a ton of experience and great writing skills.

A handful of other folks I knew texted or emailed me that they’d seen it. That was gratifying. I really do like writing for publication and should make a conscious effort to do it more often.

Then, the other day, about two weeks after it was first published, I got a call from someone at Helicopter Association International (HAI). HAI is a professional organization for helicopter pilots and operators. I used to be a member. It cost $600 a year and the only thing I got from them was a wooden membership plaque and a lot of paper. Safety posters, manuals, letters, newsletters, magazines. All kinds of crap to add to the clutter that had already taken over my life. When I dropped my membership after two or three years, they called to find out why. I told them they did nothing for small operators like me. They promised to change and conned me into joining for another year. Nothing changed. I was throwing my money away. I dropped my membership for good.

The HAI guy who called started by asking why I hadn’t come to HAI with the radio altimeter issue. After all, part of their member benefits was to be the voice of helicopter operators in Washington DC. Wrong question. I told him I wasn’t a member and then explained, in many, many words, why I’d quit. Then we talked a bit about the radio altimeter issue. He said he’d been working on it for a few days and he certainly did know a lot about it. He said that he wasn’t sure, but thought that HAI, which had been involved in the rulemaking comment process, had assumed it would only apply to medical helicopters. He said I shouldn’t get my hopes up but he and HAI were going to work on it. He wanted to stay in touch. Whatever. I gave him my email address.

When I hung up, I wondered why they were trying to close the barn door after the horse had already gotten out. After all, the FAA was not going to change the rule, especially after so many operators had already gone to such great expense to meet the requirement. HAI had dropped the ball for its small operators yet again. At least I hadn’t paid them to do it on my behalf.

The most recent response came just today and it prompted me to write this blog post. It was an email from a Facebook friend. I actually got two versions of it; I think this is the one he sent first which he apparently thought he lost:

Hey Maria
My name is Scott ##### and I took a $40 ride with you at the 2006 Goodyear Airshow out to PIR and back.
In 2007 I started flight training. We’re “friends” on Facebook and I always enjoy your posts and writings on your blog.
I just finished reading your article in Vertical magazine and couldn’t resist contacting you with my comments.
What a horrible situation for you. I’m severely confused as to why a Federal, as in a single national government agency, interprets the rules differently at each FSDO. It should be the same across the United States! How frustrating I’m sure this is for you.
This industry is tough enough as it is and for a single pilot, single aircraft operator, you’ve been extremely successful. Now this?
At least you got the temporary A160 but you shouldn’t have to have the radar altimeter installed at all! To me it’s very cut and dry: 135.160 does not apply to VFR aircraft weighing less than 2,950 pounds! Where’s the Misinterpretation?
I guess you can’t just cancel your installation appointment at Quantum in December, but hopefully you can get around paying for equipment you’ll never use.
Good luck to you Maria.

First, I have to say how gratifying it is to have been instrumental in a person deciding to learn how to fly helicopters. Wow. Just wow.

Second, it’s cut and dry to me, too! And most of the folks I spoke to that don’t happen to work at the FAA. And there’s nothing I’d like more than to cancel my December appointment with Quantum to get the radio altimeter installed.

But I wrote him a more informative response and I thought I’d share it here. It says a few things I couldn’t say in Vertical. (Or maybe they were in the 200 words that had to be left on the cutting room floor.)

Hi, Scott. Thanks for writing.

Unfortunately, every word of my Vertical piece is true. The FAA will NOT give me the waiver. They don’t care that my helicopter is small or VFR-only or that the panel is full or that the rule was written in such a way to exclude R44s like mine. They do not operate logically. I worked with AOPA and an aviation attorney. I got my Congressman and one of my Senators involved. I had an email correspondence going with THREE men with the FAA in Washington who are responsible for making the rule. My lawyer spoke to people in Washington, too. They won’t budge. In fact, they told my lawyer that they’re going to rewrite the guidance so R44 helicopters can’t be excluded.

Problem is, medical helicopters crashed and people made noise at the FAA. The FAA needed a fix to turn down the heat. Radio altimeter makers promised a solution that would work and lobbied hard for it. They’re all over the comments for the regulation proposal. And since they have more time and money to throw at it, they won. The FAA bought into their Band Aid — or at least made us buy into it — whether it can help us or not. They didn’t seem to care that the real fix was better pilot training, less pressure on pilots to fly in IMC conditions, and a company culture that values safety over profits.

Understand this: the FAA doesn’t care about small operators or even pilots. They exist to regulate and ensure safety — or at least the illusion of safety. Your best chance of having a successful aviation career is to stay off their radar.

I pissed off a lot of people with my radio altimeter fight and I suspect they gave me the temporary waiver just to shut me up. I got a call from HAI the other day and they say they’re going to follow up. Too little, too late. But at least someone else will be making noise since I, like my fellow Part 135 Robinson owners, have given up.

I’m nearing the end of my career. I figure I have about 10 years left as a pilot. So I don’t mind throwing myself under the bus in an effort to seek fairness and logic. I don’t recommend you doing the same.

Unless HAI or someone else is successful in talking reason into the FAA on this matter, I’ll be plunking down $14,500 in December to have this useless instrument installed. And then I’ll pull the circuit breaker and let the panel stay dark so it doesn’t distract me from what’s outside the cockpit — which is where every VFR pilot should be looking.

And life will go on.

I’m fortunate in that even though it will take YEARS for me to earn that money back with Part 135 work, my cherry drying and frost work puts enough money in the bank to make the expenditure possible. Without that, I’d likely have to cease charter operations and possibly close up shop. I suspect others have found themselves in that situation. So much for government helping small businesses.

Thanks for your concern. Best wishes with your endeavors.

Maria

And that’s about all I have to say on the matter.

Wells Fargo New Payee Scam

Another sloppy phishing attempt that might fool you.

My only interaction with Wells Fargo is the truck loan held by Wells Fargo Dealer Services. So imagine my surprise when I got a message from billpay@wellsfargo.com to confirm that a new payee had been added to my Bill Pay service.

Honestly, if you’re fooled by this and open the attached file, you should have your Internet privileges revoked.

Of course, it’s a scam. They want you to open the attached file. Malware is likely installed when you do so.

Don’t open attachments in email messages unless they are from someone you personally know and you are expecting the attachment.

This is pretty sloppy, too. The message makes no sense. But all they need is for people not paying attention to open the file. Then they’ve got another victim. Don’t let it be you.