PlingStore

No, not that one

I hope AndrewR has trademarked the RISC OS PlingStore name, or its only a matter of time before he’s on the receiving end of a legal nastygram.

plingstore.org.uk was registered in 2012, pling.com in 1998, but I don’t know when they started using the name PlingStore without a trawl through the internet archive.

Looking in the history, the initial commit was on the 20th of August 2019 when they cloned OCS-Store.

Doesn’t mean they mightn’t try to lob a sueball, but it’s much shakier ground if the use of the name they’re complaining about actually came first.

But, like my CastAVote, size and resources and hassle determines who “wins”, not who happens to be right. For that you need to get legal, and that’s £$€ right there.

Although plingstore.co.uk was registered in 2012, I suspect it was probably done to protect the name, given the registration information. We can see now that it’s registered through GeneSys/Orpheus – but back then (when registrant details were visible) it was registered to Richard.

I see the .com is now for sale – probably expired at some point then picked up by someone hoping to make a quick buck (or 2,395 of them).

On a separate note, is PlingStore down today? Tried it yesterday, and got a few hours of “Please wait…” whereas today, I’m getting “Error on server”?

Also, the Plingstore website no longer works…

yes Plingstore and website are down as confirmed just now by email from Andrew Rawnsley, seems Alan W who runs the site and servers is having major/serious ISP related issues at the moment.

ionos.co.uk hosting – their status page says everything is fine, various randomly chosen servers on adjacent addresses come up with the default host machine response (which is a Parallels Panel instance)

Certificates mildly not correct (subtle sarcasm there) so what you get (if you’re strange enough to follow through) is:

An error occurred during a connection to 82.165.16.152. Peer using unsupported version of security protocol.

Error code: SSL_ERROR_UNSUPPORTED_VERSION

step through that warning and get:
82.165.16.152 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Issuer Name
Organizational Unit Parallels Panel

Validity
Not Before 4/23/2012, 12:16:30 PM (Greenwich Mean Time)
Not After 4/23/2013, 12:16:30 PM (Greenwich Mean Time)

So self-signed, not even vaguely up to date and broken for multiple users hence the fact you can see the underbelly.

I think the hosting company need to do some maintenance on the host boxes, as well as update their status page to give the true state of things.

I don’t envy Alan’s task of chasing that one up.

The Plingstore’s back up.

Only if you access it using TCP port 80 (HTTP)
HTTPS is still broken as the server is offering the certificate I identified rather than one matching the plingstore URL

Given the transfer of security sensitive data for purchased items I would not use the site at present.

Like I said it will be a while before Alan chases up all the problems.

The application does not actually use the website and uses a different secure connection as I understand it. The priority I think was getting the application connecting again. Your card details are not stored on the server etc.

So self-signed, not even vaguely up to date and broken for multiple users hence the fact you can see the underbelly.

Although the Ionos-hosted site I’m involved with still seems to be up, and serving valid-looking certs.

The application does not actually use the website and uses a different secure connection as I understand it.

So the fact that reports here suggested that both broke together just indicates a coincidence, or Fake News?

No Steve, not fake news as I understood it the application was not properly working yesterday then the website went down as well. Application is back up and working but website pages seem to still be down when I tried 30 mins ago.

Your card details are not stored on the server etc.

Meanwhile, in the real world, it’s more like: we use a payment processor so your card details are nothing to do with us ^{1 2}

reports here suggested that both broke together

Ah, but the question is, if it doesn’t use the website, does it use the same host?
As far as I know, the cert for heyrick.eu is for heyrick.eu and not for heyrick.eu port 443 only.

Could be a simple way of distinguishing what needs to be sent. If https, then human readable HTML. If {custom} then machine readable stuff.

¹ Also useful for mechanisms like Verified by Visa.

² Also also useful in that the processor may have a country-local presence, so geoblocked cards can be used.

Could be a simple way of distinguishing what needs to be sent. If https, then human readable HTML. If {custom} then machine readable stuff.

Telnet 443 heyrick.eu :) shows you what happens.

Note: Contrary to the MS default install in Win7 + Telnet client is not a security risk. Telnet server (which also just a tick box away is a security risk

BTW. Pat on head, award yourself a chocolate – the server response comes out as “A” on the SSL Labs testing on both IPv4 and IPv6 access.
Only a limited set of ciphers on TLS 1.2 so you picked the right setup.

“fi3-6.irrelevant.com”

so geoblocked cards can be used.

Off topic, so I’ll keep it short(ish).

There’s a shop over here called Action. It’s a sort of supermarket without much in the way of food (mostly sweets, no cans, no perishables). It’s claim to fame is that everything is dirt cheap.
My Banque Postale card is consistently refused there. After trying “just in case” as that’s my main bank account, the checkout girl being a little more clued up than usual told me it’s because my bank card is blocked to only work in France. Action, being a German Dutch! company, processes payments in Germany Holland. ¹
So here I am standing in not-quite-Brittany ² having my payment declined because it looks like somewhere outside of France…

Not entirely off topic, however, as fraud and such mean that it’s often in the customer’s interest to restrict what their handy piece of plastic can actually do. Which is of relevance as the only payment method I have that would work in the UK is a virtual card that has a predefined limit and for many French purchases and all foreign ones requires me to enter a code that is sent to my phone by SMS.

In other words, I’m not whinging about not being able to buy stuff for the lulz, nor am I not buying stuff because I have no money ³, it’s more of a fact that if your payment methodology is stuck in the early ‘90s then it just isn’t secure enough to work. Give me WorldPay or Ogone (Ingenico?) and we can talk. Give me a site or app that wants my card number to push through to somebody to enter manually into a terminal, then I might as well give you random numbers for all the good it’ll do you… 5439 9971 4709 7239 or something.

¹ Some sort of tax dodge?

² Whether or not Loire Atlantique is or isn’t Brittany depends upon who you ask and how far back you look (it also explains the “BZH” graffiti). Given the impressive chateau in Nantes is the ancestral home of the dukes of Brittany, one can help but to think that they have a point. But since Rennes is the administrative centre of Brittany and Nantes is the administrative centre of the Loire region, sorting that out would be a nightmare.

³ Though, that is the next excuse… 😉

Pat on head,

Pat Rob’s head. I just asked if it was possible to do encrypted. He’s the one who made it all happen.

award yourself a chocolate

Oh god no.

Yesterday I opened a bag of Maltesers while settling down to watch stuff on Netflix. One movie and three episodes later I realised with horror that I was now holding an empty bag.
My brain goes all yoyos for Maltesers (they’re just so damn good). My stomach gets all of a quiver for an entirely different reason. So today was a rice-pudding-and-yogurt day and I’m on a self inflicted no chocolate until the weekend.

Oops.
Tragic thing is, drop a bag of Maltesers in front of me, rinse and repeat…

[like a girl I used to know in junior school – severely lactose intolerant, pathologically unable to say no to raspberry ripple ice cream]

Whether or not Loire Atlantique is or isn’t Brittany depends upon who you ask and how far back you look (it also explains the “BZH” graffiti). Given the impressive chateau in Nantes is the ancestral home of the dukes of Brittany, one can help but to think that they have a point.

We here on the Wirral Peninsula have a similar problem.

We are deemed to be in “Liverpool City Region” – but we are only connected by two tunnels; close them and we’re in the clear!

As I’ve said on other fora, it’ll all end in tiers!

Some sort of tax dodge?

Doesn’t really work around Euroland – recall the fuss¹ about electronic payments and ensuring all tax is paid to the tax system of the country the purchase was made in/from? i.e. where the customer is determines which taxman gets the dosh.
Keeping records on the transactions and sending the bundled total to the right set of taxmen would be easier for them in one system.

Also lowers their employee fraud potential at a guess.

¹ I think Chris Evans was complaining about his wife’s little pin money business and the problems.

Action, being a German company

Dutch, actually.

Dutch, actually.

Ah, I probably read “dutch” and my brain fuzzed that into “deutsch”.

Thanks for the correction.

Telnet 443 heyrick.eu :) shows you what happens.

Nothing. Just tried in Hearsay and it gives no reply and disconnects after two characters entered (presumably they’re not the expected characters).
I can speak HTTP/1.0, but my brain isn’t up to doing TLS on the fly.

I can speak HTTP/1.0, but my brain isn’t up to doing TLS on the fly.

Now that’s one of my illusions shattered. :)

Just tried in Firefox and plingstore seems to be working correctly. Can log in and update my apps.

Interesting. I noticed that previous tests were flicking through something to the page I checked – www.plingstore.co.uk
Note that the site you all know and love resides on (https://) www.plingstore.org.uk on the same hosting.

https://www.plingstore.org.uk is up, using TLS 1.0 so Firefox should be complaining at you Chris. If it isn’t then you made an exception sometime back.
Click the padlock with red triangle, click the arrow at the side of the “this page uses weak encryption” message and then it offers the option to remove the exception. At the bottom of the panel is “more Information” take that option and it offers a “view certificate” option.
There you see that the certificate is:

1. For Parallels Panel, not Plingstore
2. Self signed (no certificate authority)¹
3. Only valid between 23/4/2012 and 23/4/2013

So what you see is an out of date, self-signed, certificate for a different organisation and machine which is only doing TLS 1.0

So, if Firefox is working with it, you made a conscious decision to allow TLS 1.0 and 1.1 as recent versions disable those during the upgrade – with a re-enable button currently.

SSL Labs doing a remote test give the site an “F” rating.

The site might function as a web page for viewing but I wouldn’t put any trust in the security or validity of the site.

¹ As Rick points out the “certificate authority” status is an interesting discussion. However, putting any faith in the validity of a site operating with a self-signed certificate is foolish.