Citrix ADC and Certificate Maximum Password Length

It appears that Citrix ADCs have a maximum password length when importing a certificate with a private key:

That has to go into the category of what were they thinking. 31 characters should not be an upper limit for a password, especially if it was possible to create the file with a longer password.

 For a supposed security device, this is just not good enough!

No way to report abuse of forms.office.com

We received what is probably a phishing email:

The email contained a link to a page in forms.office.com. Unfortunately, Microsoft don't seem to publish any information on how to report such a page.

It's just not good enough.

2016 and Adobe still wants a reboot after an Acrobat upate

Adobe have released a security update for Acrobat (hardly a rare occurrence). So, being the security conscious user that I am, I went ahead and updated. Now Acrobat Reader wants me to restart my system.

Why? This is October 2016, not the 20th century. User space applications should not require a restart of the system. Firefox doesn't require a restart every time it updates. Chrome doesn't require a restart every time it updates. Even Wireshark doesn't require a restart.

It's just not good enough Adobe.

Bentley using a non standard port

Say you want to log in to Bentley's website, so you go to https://connect.bentley.com. You enter your email address and password and then hit the Sign In button. You would expect to be logged in wouldn't you. But, not necessarily if you are connecting from a corporate environment (and let's face it, most of Bentley's customers will be). Instead you may well get the error Secure Connection Failed:

And why is that? Well, for some totally unfathomable reason someone at Bentley has decided that this page should use TCP port 8443, instead of the standard port of 443 for HTTPS traffic. And of course most enterprises restrict outbound connections to standard ports for security reasons.

So why has Bentley done this? Who knows. But whatever the reason, it's Not Good Enough.

Java installs Ask unless the user opts out

The Ask.com toolbar is a controversial browser add-in often labelled as malware. Unfortunately Oracle Java installs and updates installs it by default:

The user can of course opt-out. But as Wikipedia points out:

The Ask.com toolbar is often unintentionally installed during the installation of partner software, including Oracle Java; this may take advantage of a user's lack of critical evaluation.

It's just not good enough.

Web pages using non standard ports

There seems to be a number of sites using non standard port numbers for some reason or other. For example: http://www.sismologia.cl:8000/ Why does anyone think this is a good idea? Don’t developers and designers realise that, for very valid security reasons, many companies restrict outbound traffic to common ports such as TCP/80 and TCP/443? Why make it hard for your customers?

It’s just not good enough!

WSUS and Multiple Reboots

I had to update a Windows 2003 server that hadn’t been updated in a fair while. The server gets its updates from WSUS. Each time I clicked on the Windows Update icon in the task bar Windows went off and downloaded and installed updates from the WSUS server (including Service Pack 2). After the updates had been installed I was invariably asked to reboot the server. After each reboot there would be more updates to install.

So far I have had to reboot the server five times. That means that its gone off to WSUS and downloaded five sets of updates (actually six, it also downloaded and installed the latest RDP client but that didn’t require a reboot).

Why do I need all these reboots? Why do I have to update it multiple times? Why can’t it download and install all the required updates together – like Linux does? If this server had been running Red Hat or Debian or Ubuntu I would have only needed to update once – and rebooted once. Instead it’s taking me hours.

It’s just not good enough!