Announcements

Fraud Alert: Telerus Claims to be an Agent

Today we were notified by a customer that they were contacted by a company called Telerus who claimed to be an agent for Roller Network. We have not engaged Telerus for any services, nor does Telerus have any agent or resale agreements with Roller Network.

Telerus is NOT an agent for Roller Network, nor affiliated with Roller Network in any manner. Any claims otherwise are fraudulent.

If you are approached by Telerus claiming to represent Roller Network, we recommend declining to proceed; otherwise you risk falling victim to a scam or other fraud.

Migration to HTTPS and Why HTTPS Everywhere

We’ve recently migrated all of our sites to HTTPS. The account control center and webmail will continue to use Extended Validation certificates like they always have, while everything else will now be using certificates from Let’s Encrypt.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. This helps create a more secure and privacy-respecting web.

Why HTTPS Everywhere?

Recently there’s a lot of buzz about moving to an HTTPS-only web. Previously, the cost of obtaining lots of HTTPS certs, having to manually install them, renew them, and pay fees for them discouraged using HTTPS unless needed. Let’s Encrypt solves many of those problems. Deploying HTTPS does take a little more effort, but there’s another reason why you should do it even if you think your site isn’t really that important to go encrypted: to help protect your visitors from their ISP.

We’ve personally experienced content hijacking with Charter, the local cable provider in Reno, NV (that now likes to be called Spectrum but we’re still going to call them Charter). Charter, for example, will hijack HTTP requests on residential and business coax service to provide content other than what you’ve requested. This is not the same as DNS redirection. HTTPS not only protects your privacy, but encryption ensures that the content you’ve requested passes between you and the site in its original, unaltered form without being rewritten or hijacked by your ISP, in addition to preventing eavesdropping. This is also known as a “man in the middle” attack. References: here, here, here, and here (plus we’ve seen it ourselves on home cable).

It is our opinion that an ISP altering content is entirely unacceptable for any reason. The only way we can truly protect ourselves is with encryption, not laws or depending on ISPs to “do the right thing”. Read more at EFF: Encrypting the Web.

Mail/DNS Reseller Accounts Discontinued

We’re discontinuing the reseller accounts feature of the account control center. This decision comes after observing that it hasn’t been used in a long time, and with updates working on for the account control center we can save a lot of time if we don’t have to maintain the code for reseller accounts.

Because the feature is not being used, this change should not affect any account holders.

Two Factor Auth Q and A

We’ve received a bunch of questions about YuibKey two factor authentication, so we’re going to summarize them here.

How can I add a YubiKey to my account?

Email support@rollernet.us with your account name and your 12 character key IDs. Online management is in development. Once keys are associated to your account you won’t be able to log in to the account control center without providing the OTP at login time.

Do you support multiple keys?

Yes. In the current test phase we’re only supporting two keys per account: primary and secondary. We plan to allow an arbitrary number of YubiKeys to be associated with an account and support both OTP and U2F.

How do I recover access if my key is lost?

We encourage a backup key (or two) for safekeeping in case the primary is lost, stolen, or damaged. Most people will carry their primary key with them on a daily basis. The backup key(s) should be kept in a safe, secure, or trusted location. We don’t like the idea of disabling the second factor to “recover” access because doing so defeats its purpose if it can be easily turned off.

Are you going to support Google Authenticator?

We’re also looking at support for Google Authenticator (TOTP) and Authy as other methods, but for now we’re focusing on YubiKey since we use them internally at our office.

Control Center Updates

We’ve made a few minor updates to the account control center in preparation for a major update to the account profile section, which will include a new way of selecting service levels for Mail and DNS accounts that we intend to be less confusing than the current method.

The main login screen has also changed slightly: there’s an additional field for a YubiKey OTP. This two factor authentication method is currently in early testing, so if you have a YubiKey and want to add it to your account, please contact us with your 12 character key ID and account name. Up to two keys are supported at this time. If you don’t have a YubiKey, leave this third field blank and the normal login process with password-only remains unchanged. Once you have a YubiKey associated to your account you must use it to log in.