
I’m Having Problems with LoTW

Discussion in 'Amateur Radio News' started by AA7BQ, Feb 5, 2019.

Thread Status:
Not open for further replies.
  1. AA7BQ

    AA7BQ QRZ Founder QRZ HQ Staff QRZ Page

    We hear this complaint from our users every day, often from multiple people. What in the dickens is wrong here? LoTW works, and is used by many tens of thousands of people and yet every day, we at QRZ see complaints about it not working.

    As many of you know, we recently upgraded our servers and like all system upgrades there were a few hitches, but these have all been mostly resolved. Now that the system is up and running again, we’re receiving more messages that “My LoTW is not working”, with users thinking that it was a result of our upgrade. It isn’t. The problems that LoTW users are having existed before the upgrade, and will exist for years to come unless we can convince LoTW to do something about it.

    There is actually a simple explanation to all of this: LoTW’s security model is overly complex. It’s a sledgehammer solution to a flyswatter problem. A picture of the logical process clearly demonstrates this:

    [​IMG]
    (source: ARRL website)

    Note that this diagram is just the procedure to obtain a callsign certificate. Using it is another matter that has its own flow chart diagram.

    Logging authenticity is the goal behind this process, which seeks to maintain that the person submitting logs is who they actually say they are. The process creates a digital certificate, which to us humans looks like a long string of gobbledygook numbers. To the computer, however, it is a secret code that is unique in the world and which belongs to you. Using this certificate as a key, it then encrypts all of your logs before they are sent to LoTW. LoTW then uses their copy of your certificate to validate the log submission. It’s a solid plan that works well. The only problem is that it’s rooted in 20th century assumptions and 20th century methods of user identification.

    For starters, it can be seen in the diagram above that the United States Postal Service (and possibly foreign postal services) are involved using “snail mail” not once but TWO times, just to obtain a certificate. That means waiting for the postman twice in order to get this ball rolling. Once you’ve complied, you then must take the information received by mail to use a computer program that you download to create yet another file which you then upload to LoTW. Remember, we’re still just getting set up to use LoTW.

    To actually submit logs, you must provide the correct certificate to either your logging program or some other TQSL Signing program that will prepare your logs for upload to LoTW. Then, you upload the signed (encrypted) file to LoTW.

    None of this sounds all that bad until you realize that we’ve just spoken of a level of computer literacy that many of our members do not possess. It doesn’t matter how many flow charts you produce, how many descriptions or tutorials you write, or how many YouTube videos you create, the process remains as confounding as ever to a great many potential LoTW users.

    Dear LoTW: We all have the same goal. We want authenticity in our logbooks. Authenticity is assured when the verified person submits logs for upload. Fortunately, we have much more user friendly methods at our disposal that are arguably more secure than the TQSL model. The best alternative that comes to mind is MFA or Multi Factor Authentication, also known as Two Factor Authentication or 2FA. With 2FA, your password can be as simple as “123456” and yet your account remains un-crackable because potential hackers, even if they have your password, will be unable to access your ID because they don’t have the “second factor”. What’s a second factor? A second factor is a one-time-use code that is generated by your smart phone app, a program on your computer, or a message sent via TEXT from the site you are logging into. QRZ uses this technology every day, as do banks, financial institutions, and government agencies. It’s the fastest growing user security mechanism for a reason: it’s easy to use and super-secure.

    Once a user is logged into a site using a 2FA method to a secure website (one which uses https), it is completely unnecessary to further encrypt the data that he/she is about to upload. When sites are hosted using HTTPS (aren’t we all now?), then the data is encrypted over the wire anyway. That means that even if someone has hacked into your personal network and can see all of your outbound network traffic, they will not be able to decipher a single bit of it or capture anything that would enable them to impersonate you. So, we ask again: why must we encrypt the LoTW file and then transmit that over another encrypted channel? The short answer is, we don’t. The only reason to do this is if you’re based in a 1999 world where secure web protocols like HTTPS are only sporadically used. They're the default today.

    Flatly stated, LoTW’s security model is outdated, overly complicated, and slow. It is a methodology that first relies on paper and postal mail to set up, and then it requires modest computer skills to use. In today’s day and age, such methods are non-starters and no successful website could ever sustain requirements.

    I can already predict the response to this article by those who use LoTW daily: “It works just fine, nothing needs to be changed.” It’s true, it does work fine, IF YOU KNOW HOW TO DO IT. If you don’t, however, you will be completely locked out of the LoTW experience and we at QRZ can attest to the fact that tens of thousands of people are effectively locked out.

    By and large, we ham radio operators are an older group, and the resistance to change is often monumental. Speaking from experience, we’ve never created a single thing at QRZ that users didn’t complain about, at first. Fast forward a year or even a few months and all of the complaints and nay-sayers were soon forgotten as the new technology takes hold. So, LoTW, do not fear the complaints, as they only get in the way of progress.

    It’s time that we urged the ARRL and LoTW to wake up and smell the 21st century. If they changed their LoTW to use 2FA/MFA all of these problems would evaporate, and LoTW would see increased growth and adoption, benefitting the entire ham radio community.

    Sincerely,
    Fred Lloyd, AA7BQ
    QRZ.com Founder
     
    Last edited: Feb 5, 2019
    PD0JBV, N0YPD, KV5J and 1 other person like this.