Saturday, September 16, 2017

Hurricane preparation for boats on canals - put it in the water

Hurricane approaching, you live on the water, canal behind the house: does the boat go in the water or stay on the lift?  With the experience of Hurricane Irma just completed, I can answer this question: put the boat in the water.

A better answer is "get the boat out of the water, onto a trailer, and drive away".  That isn't possible in all cases, especially for larger boats, and I will add that if you think you did well and found a trailer before the storm, you will come home to find the canal already closed off, with neighbors tying off a couple of days before storm arrival.

Here in Lighthouse Point (Broward County, Fort Lauderdale, FL), we just experienced Hurricane Irma.  A pretty good wind here, nothing like the Keys, but winds at hurricane strength for 6 or more hours.  We are a couple thousand feet from the ocean, but the barrier island of Hillsboro Mile protects us from it.  The Hillsboro Inlet is less than 1 mile away.  I have two boats of my own to report on, and both made it through the storm with no damage: one in the canal and a smaller boat on a trailer at the side of the house.

The first boat is a 1995 Mako 22.1-B center console with T-Top, which spends most of its time on an "L" lift rated for more than twice its weight.

For smaller hurricanes, I have left the boat on the lift successfully.  I tied the boat to the lift and ran lines fore and aft to pilings far away to keep the boat from swaying and potentially twisting the lift in directions where it is not designed to take high stress.  This worked, but Irma looked more like a "3" than a "1", so this time I put the boat in the water, and it was a good call.
Side note: oh, I do WISH this lift were a 4 post.  An L-lift is what I have and, as I will show later in this post, they don't fare as well as 4 post lifts.  Lateral sway fore and aft breaks "L" lifts, and I'll show a photo of another boat in the city that had this problem with Irma.  Look as I might, I could find no example of a boat on a 4 post lift failing in this storm, at least here where we probably experienced cat 2 to 3 level damage.

Ropes, line and rode

You're going to need lots of rope.  Find it in the garage, find it in the anchor well; you will never find it at the store unless you thought about this months ahead.  Liberate the anchor lines of your primary anchor and all the spares.  It turns out the chains are useful too.  The boat needs to sit in a spider pattern in the middle of the canal, and this will require all of your lines; MORE is better.

Replaced the bow eye and rear tie down cleats

About a year ago, the bow eye on this 20 year old boat was missing.  When did it go away?  Bottom line, it was "missing", which means it failed and wasn't as strong as one might think.  I had to replace the bow eye, and when I replaced that on the bow, I also replaced the other 2 in the stern.  Inspection showed that the stainless steel had corroded through from the inside; all 3 were weak.  The one on the front was missing and one of the two on the stern broke during removal.  That isn't supposed to happen!  Good news for this storm: I had recently replaced all 3 of the U bolts and all 3 are again strong.  I used them as primary attach points for lines from the dock.

Spread the load

While the towing U bolts are strong, there is not enough area there to tie things to.  One solution is to string ropes through the U bolts and then bring them up to the docking cleats on top of the boat.  Instead of that, I built three 3 to 4 foot long ropes out of very heavy 3/4 inch line to attach to the towing eyes, with galvanized shackles on one end attached to the boat and on the other end a large braided polypropylene eye to attach lines to and through.  This also has the advantage that everywhere something is connected to the boat, it is underwater during the storm, which should keep it cool and help the lines survive periods of high load.  It has the disadvantage that if the shackle or U bolt fails, the lines will go free with no top side cleat to try to hold on.

On the front, the trailer eye is hard to get to, so I used a large hook with a spring lock and, here, a metal eye on the water end; lines connect to it using shackles, such as those already on the anchor lines (anchor removed).  On some, I used the anchor lines on shore with the chain in a loop around the piling; that worked very well.

The canal faces east.  There are 2 lines to shore on both the front and the rear of the boat and, for bonus points, a pair of north / south (side) lines to keep the boat from getting too close to the shore.  If all goes as planned, these side lines never take a load.  Also, with Irma, the weather forecast said the strongest winds would be from the south, so I added an extra set of lines from the boat's right rear U bolt to a separate piling on the shore.  Both lines would have to fail to send the boat wandering.

When done, the boat looks like this in the canal.  Most of the front line attachments are not visible; they are all underwater.

A nice photo; observe that it also shows a different boat on a lift to the left and a jet ski on a floating dock on the far side.  BOTH also survived the storm, though the floating dock was doing a backward wheelie at the highest part of the storm tide, with its nose held under the seawall.

Most of the lines were run from the boat to shore, around a piling, and then back to the boat.  This made it possible to adjust line length to all shore attach points from the boat.  I note that it also means that when you get done adjusting all the lines, you have to SWIM to shore!  I have seen people make the mistake of trying to keep the boat off the dock but close enough to make the jump.  No!  Put the boat in the middle and swim in.

To do better, each line from shore to boat should be a distinct line, so that one failure would not allow a doubled line to unwind.  It didn't matter; everything held.  Also, advice from many says that the lines need to be tied DOWN to the dock so they do not get pulled up above the piling.  I used small ropes and bowline knots to keep the lines near the bottom of the piling, allowing the lines to slide but keeping them held down on the pilings.  This worked out to be extra prep with no return, because the water never got high enough for it to matter.

As predicted on the news, the water did get high, though.  Not direct-hit, Keys-style high, but higher than I have ever seen it before at this location.  It got about 6 inches above the level in the photo below.  The boat was not troubled and found the windy day to be similar to a pretty ordinary day in the ocean.  There was lots of mess to clean up, but no damage.

My immediate neighbors didn't have any issues.  Boats on lifts, boats in water, all fine.  Further down the canal, there was damage.  Below is a picture of a large sailboat that was tied off the dock, but not far enough to allow the lines to stretch.  Both boat and dock suffered damage; serious erosion of a piling can be seen in this picture.

A few canals away was an example of a boat on an L-lift where the lift failed.  It looks like lateral movement on the "L" lift caused 1/2 of the lift to fail, tossing the boat into the water during the storm.  The boat survived, with damage.  In this case, the boat from the L lift was at the end of the canal, and tying up "to the street" where I stood taking this picture would have been pretty easy.  The majority of the wind would have blown "away", making a pretty good case for "put it in the water".  To note, though, the trees on shore were blown down, so it would have taken some work to find a good place to tie on.

Leaving boats on floating lifts was also a losing proposition.  When the water rises higher than the floating lift can ascend, the boat takes a dip.  Answer: put the small boat on a trailer or put the boat in the water.  Observe that the floating dock rose and damaged the dock; then the water receded with the floating lift stuck to the dock, putting the back end of the boat into the water.

I have a Boston Whaler very similar to the one above but a bit smaller; that one looks like a 17, mine is a 15.  It is kept on a trailer at the side of the house, tied to 3 concrete deadmen installed about 10 years ago, with chains that just stay there waiting for the rare storm.  The anchors go down into the ground about 4 feet with a few bags of concrete each.  In addition to tying the trailer to the ground, we tied the boat to the trailer and filled the boat's anchor well with water to make it heavy.  The boat weathered the storm with no issues.  The fence in front of it blew down; I tied the fence to the boat during the storm to keep it from getting loose.

No matter what happened to my little boats, it could be worse.  Less than a mile from here is the Hillsboro Inlet, and there are some beautiful homes in that stretch of real estate, including this one, just a couple of houses from the inlet.

This is/was a beautiful monstrous yacht, which did not survive.  I hear the back end came loose during the storm and banged against pilings, and she sank.  That is a bad day.  On the front, not visible in this picture, is anchor chain tied up into the yard around a very large silver palm tree, which held.  The back end just couldn't have a big enough anchor?  Big sail, hard to win?


With the experience of Hurricane Irma, I observe a few things:
  • Boats in canals do better than boats on lifts in strong storms
  • Boats on trailers tied to something heavy can survive lots of weather
  • 4 post lifts do better than L lifts
  • Floating boat docks are not a really good place to be
Ideally, I'd invest in a trailer and put the boat on the trailer for a storm.  I would then need a place to store the trailer and would also have to get out "early" to avoid the nest of boats strung across the canal.  A trailer is the best answer, and a truck to tow it away from the storm.  Barring that, for a category 1, the L lift with bracing will be fine.  For a category 3, my ship plan says put the boat in the water.  For a category 4, like the Florida Keys just experienced 100 miles south of here, well, you're screwed either way and I'm not sure anything would help.

Joe Nord

Sunday, January 1, 2017

Adventures in S/MIME - Certificate renewal

A year after writing the first 3 parts of this series on S/MIME certificates, I received certificate renewal email from Entrust.  The first encouragement to renew arrived as a 90-day warning, then 60, 30 and finally 10.  This post reviews the renewal process, shows that it is actually a new certificate purchase rather than a renewal, and describes the installation process and the steps required to configure Microsoft Outlook to use the “renewal” certificate rather than the expiring certificate.


Recall from part 1 of this series that the Entrust website requires ActiveX controls so it can perform Microsoft Crypto API operations on the Windows PC.  Beyond requiring ActiveX, the Entrust control is not digitally signed.  Together, these mean that Internet Explorer is the only web browser that will work with the Entrust purchasing system, and that the IE trusted sites security controls have to be relaxed to perform the purchase.  I add that today in January 2017, just as a year ago in 2016, the website still does not "fail early" when you visit it in Firefox.  You can still get all the way through purchasing and payment and not actually get the private key installed into the certificate store on Windows.

Before you visit the Entrust store to renew the certificate, launch Internet Explorer and temporarily relax the security controls.  Details for this are in part 1 of this series.  Quick version:
  • Place the Entrust site in “Trusted sites”
  • Dial the security level to “Low” for trusted sites; this permits running non-signed ActiveX controls.  Make a note of the setting beforehand and, when done, reverse these steps
  • These should be put back after completing the certificate purchase/renewal

Renewal process

In IE, browse to the Entrust store and complete the purchase process as in part 1 of this blog series.  The receipt will arrive via email.  Side note: the receipt is 10 pages; the 1st page is the receipt and the 9 that follow are the EULA.  When printing, save a tree and print only pages 1-1.

A separate email will have the certificate pickup link.  This email step is used to validate that the person purchasing the email certificate actually has control of the email address.  The email contains a web link to continue the CA certificate signing process, and this is identical to the original certificate purchase.

In the pickup email, this text appears:
Attention: Be sure to use the same browser to retrieve your certificate that you used to order it. For example, if you used Mozilla Firefox to order the certificate, use Mozilla Firefox, on the same computer, to retrieve it. Do not click the link on a different browser or a different computer.
Cute!  Parts of the Entrust website believe this process works with something other than Internet Explorer.  Don't click the link.  You have to copy / paste it into IE, which is hopefully still up after the purchase.

OK, done!  Not really done.  Request for enhancement here for Entrust: you are already running native code on my computer as the presently logged in user.  How about walking me through the key backup process and automatically importing the newly purchased key into my email application, rather than just leaving the certificate available in Internet Explorer?  This must be done manually and is covered in part 1 of this series.

This is not a certificate renewal

The "renewal" certificate is a completely "new" certificate and the installation process is same to the installation of the "first" certificate a year ago.  Entrust “renewal” emails started arriving 90 days before expiration.  In my case, I renewed 6 days before expiration of the first year and notice that this caused a loss in validity period of 6 days with a loss in value of  6 / 365 * $20.  Yes, this is a cost that I can handle, but it goes to show that the process is not a renewal.  Separate certificate issuance and not same day expiration dates drive home the fact that this is a new certificate purchase and there is zero incentive to renew early, or even on-time.

Properly implemented, the “renewal” should extend the expiration of the original certificate.  That is, the public key of the original certificate should be sent to Entrust to be signed again as part of the renewal, rather than a fresh key.  The certificate signing request should denote a 1 year extension of the expiration date, which would fix the disincentive for early renewal.

Notice that in a renewal, the private key should be unchanged, but the key will then have a fresh “attest” that it is legitimate and a new expiration date.  This is not what happens with the Entrust “renewal”: it is a new key pair and a new certificate, which precisely equals a first-time purchase, and there is no alignment of dates.

Security-wise, there is some advantage in generating new keys, but there is a real usability impact to having multiple certificates.  It means that to be able to validate signatures on emails sent in the past, the user must keep ALL of the previous generation certificates.  In my case, there are now 2 certificates and next year there will be 3.
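As an added example (not the author's code and not Entrust's process), the Go program below uses a toy CA, constructed here, to issue one-year S/MIME certificates and then compares an expiring certificate with its replacement: it tells a true renewal (same subject public key, new validity starting where the old one ends) from an Entrust-style re-key bought 6 days early, and counts the overlapping days that are paid for twice.  The CA, the P-256 ECDSA key type and the address joe@example.com are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// Toy CA standing in for Entrust (constructed for this example, not the real CA).
var caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
var caTmpl = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy CA"}}

// issue signs pub for emailAddr as a one-year S/MIME certificate starting at notBefore.
func issue(serial int64, pub *ecdsa.PublicKey, emailAddr string, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: emailAddr},
		EmailAddresses: []string{emailAddr},
		NotBefore:      notBefore,
		NotAfter:       notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caTmpl, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return cert
}

// compare flags a true renewal (same subject public key) and counts the old certificate's days still unused when the new one starts.
func compare(oldCert, newCert *x509.Certificate) (sameKey bool, lostDays float64) {
	return bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo),
		math.Max(0, oldCert.NotAfter.Sub(newCert.NotBefore).Hours()/24)
}

// scenarios reproduces the post: an Entrust-style re-key bought 6 days early versus a true renewal with aligned dates.
func scenarios() (rekeySame bool, rekeyLost float64, renewSame bool, renewLost float64) {
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	freshKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	old := issue(2, &userKey.PublicKey, "joe@example.com", time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC))
	rekeySame, rekeyLost = compare(old, issue(3, &freshKey.PublicKey, "joe@example.com", old.NotAfter.AddDate(0, 0, -6)))
	renewSame, renewLost = compare(old, issue(4, &userKey.PublicKey, "joe@example.com", old.NotAfter))
	return
}

func main() {
	fmt.Println(scenarios()) // false 6 true 0
}
```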

Install the certificate for use in Microsoft Outlook

In Outlook 2016, this is Alt-File, Options, Trust Center, Trust Center Settings, Email Security, Digital IDs, Import/Export.

Browse to the key backed up earlier, exported from Internet Explorer (part 1 of this series), that is, the file holding the certificate with the private key.  When you import the key you will be prompted to enter the password saved when you exported it, and … done.  Conceptually done, but not actually done.

Outlook is still using the old certificate

Send a signed email to someone and you’ll see that Outlook is still using the “old” certificate.  To validate, you must actually send an email to see which certificate was used for the signature.  After sending, open Sent Items, open the mail that was sent, and then inspect the security properties of the signature.  Multiple screens are required to get to this information.

Click the icon, push through a few more screens.

Almost there.  When we view the certificate, we see that the wrong one was used.

  1. Outlook is still using the old certificate
  2. We need to tell it to use the renewal certificate, which is actually a new certificate, but we need to do this without deleting the old certificate
  3. Yes, that was a whole bunch of steps to verify that this didn’t work

Configure Outlook to use the new certificate
File, Options, Trust Center, Email Security, Encrypted email, Settings, Signing certificate.  The image below implies that everything is all set, but it isn’t.  You have two certificates (or more) for the same email address, and you have to change the Outlook configuration to tell it to use the one that was just purchased.

Things to observe:
  1. The default certificate selected is the “old” certificate
  2. If you select “OK”, the Outlook 2016 dialog hangs and must be closed
  3. Selecting “More choices” is the correct thing to do

The “default” certificate for this account is the “old” one.  Select the new certificate and press OK.
You get another dialog to set encryption parameters.

Just like a year ago, the default hash is SHA1, which is deprecated by NIST and so should not be used.  The people of the world still using a computer with Windows XP before Service Pack 3 will have to upgrade to receive your email.  Change the hash to SHA2 / SHA256.

Click OK to close out the set of configuration panels.

Verify it is now working

Send another signed email and this time the new certificate will be used.



It is always fun to go back in time and read “Why Johnny can’t encrypt”.  That was written in 1999, and today in 2017 it remains true.  Users should not be expected to have this level of expertise just to send a secure email, but they are still placed in this situation, causing for the most part a complete inability to have secure email on the internet.  With work by the parties involved, it can be accomplished.  I hope this small blog post assists.

For the Entrust “renewal”, I summarize as follows:
  1. The Entrust email certificate “renewal” is actually a fresh certificate purchase
  2. There is no advantage in renewing early, and indeed there is a disincentive to renew early
  3. Since the renewal is a new certificate, actions must be taken to convince Outlook to use the new certificate rather than the old
  4. The Entrust purchasing website expecting ActiveX to be available, and the browser configured to be willing to run non-signed controls, is hard to justify in modern times
  5. A native application is needed!  The application should be downloaded and executed to guide the user through the certificate purchase, backup and certificate installation process.  While in there, also implement a true "renew"
I’m in for another year and this will work.  Not ideal, but it will work.

Joe Nord