
Google HTTPS Everywhere: A Case for SSL Certificates


Note: This post has also been published on Medium.com

A few years back, Google announced their HTTPS Everywhere initiative at Google I/O 2014. Their message was clear: in an effort to promote better security and privacy on websites, HTTPS as a ranking signal will be used more and more in the years to come. Recently, it was announced that Google will start indexing HTTPS pages by default, effectively favoring them over non-secured pages. I’ve been questioning Google’s emphasis on HTTPS since it was announced, trying to understand the reasoning behind it and what it all means for my clients. I’ve come to the conclusion that Google’s HTTPS Everywhere initiative is a good thing.

Now, many SEO experts, online marketers, and others have jumped on this, claiming that everyone now has to install an SSL certificate on every site. Many of the claims just seemed bogus, as if the sky were going to fall if your website didn’t have an SSL certificate on it. At first, I was highly skeptical and didn’t understand the need to put a cert on every site. At the time of the announcement it felt excessive, especially on sites that don’t have any functionality that would require securing information with encryption. Not only that, but Google was clear that the ranking bump one would get from this was relatively minor. It just isn’t a strong ranking signal. At least not yet.

Setting aside any misinformation and bogus claims, there are some highly legitimate reasons why you should install an SSL certificate on your website:

Privacy

One of the key benefits of HTTPS is the ability to protect users from eavesdroppers. All data is encrypted between the server and the browser, making it really difficult for a hacker to intercept and steal any information. This is especially important if you are capturing any visitor information using a form on your website. Without an SSL certificate, any unencrypted information passed over a series of networks could potentially be intercepted, captured, and collected, which is no bueno! Regardless of how passive you think the forms on your website might be, if you’re using them in an unencrypted manner, be very mindful of how your visitors would feel about that information being captured by someone other than you.

Another key benefit lies in the ability to assure the user that the site they are accessing is who it says it is. An SSL certificate can be validated against the domain alone or against the organization behind it. This helps the visitor of your website know that the domain they are on is legitimate and gives them a greater level of confidence in performing certain tasks on your website…like filling in and submitting a contact form.

If you have a personal site, Facebook app, a simple contact form, or the like, you can probably get away with having a Domain Validation (DV) SSL certificate. Otherwise, if you run a business then it’s worth looking into either an Extended Validation (EV) or an Organization Validation (OV) SSL certificate. The difference is primarily in the extra steps required to validate your company. OV and EV SSL certificates do cost more but they also imply more trust which might be good for your business…especially if you’re running an e-commerce site.

Security

Security is by far the biggest reason to have an SSL certificate installed on your website. If you are using any sort of CMS at all, you need to secure and encrypt transmissions to and from your website. Hardly a month goes by without my hearing about a security issue and/or patch being issued for one of the more popular CMS platforms (cough! WordPress!). Most of these involve either SQL Injection or Cross-Site Scripting (XSS) attacks. Granted, having an SSL certificate won’t prevent every attack, but it does shut out those that depend on reading or tampering with traffic in transit, which the encrypted nature of an HTTPS connection prevents.

Another security problem has to do with the potential for JavaScript injection at Wi-Fi hotspots. Within the last year or so, there have been numerous reports of advertising injection on free Wi-Fi hotspots. AT&T, Comcast, and Time Warner are all guilty of this behavior. In fact, I recently stumbled on a TWC Wi-Fi hotspot and received this ad:

Did TWC just hack my website?

This has opened up a huge can of worms! The problem I have with this is that if companies with free hotspots can do this what’s to stop a hacker from setting up a fake hotspot that does the same thing? Imagine hopping on what you think is a free TWC hotspot, visiting an unencrypted site, only to learn that your computer just got hacked or, worse, the site you just visited gets hacked!

Google is aware of this and other issues related to the hacking of websites. In fact, the whole HTTPS Everywhere initiative revolves around the idea that if every site you visit is encrypted, then hackers can’t hack you or them so easily. Had the site I visited on that TWC hotspot had an SSL certificate installed, I would not have seen that ad. After all, how can they inject a script if the communication between me and the server is encrypted?

Let’s be clear though: Having an SSL certificate alone does not make you invulnerable to hacking. It will certainly slow down a hacker but, even then, if there’s a way to hack your site even with encryption in place, a good hacker will know how to exploit it. Regardless, the cost of running a website without encryption is higher than the cost of running one with it. Bottom line is that an SSL certificate is a relatively cheap deterrent against hackers on your website.

Conclusion

I’m going to be frank: Not having an SSL certificate installed on a website is getting close to being considered irresponsible. If you are capturing visitor information on a form in an unencrypted manner (which I have been doing for years! Sigh.) then you’re doing something wrong. It’s so easy to simply say “It’s just a simple contact form!” and not encrypt the page with an SSL certificate. But in doing so you do your visitors a great disservice. Beyond that, there are other privacy and security issues that go well beyond just the encryption of form submissions. The cost of having your visitors’ personal information stolen or your website getting hacked is so much higher than the cost of an SSL certificate each year. In most cases, you can secure a personal site for as little as $10 a year. There’s just simply no excuse not to do it anymore.

Be nice to your visitors and enhance their experience with better privacy and security on your website! Install an SSL certificate and be a part of the HTTPS Everywhere initiative! :)

A Lesson in Password Management


With the recent news of the Heartbleed Bug, I have begun resetting all my passwords for online accounts. In the process of doing so, the thought occurred to me that many folks have no idea how to properly manage their passwords. I’ve seen situations where many of my family members, friends, and clients use the same passwords over and over again for just about every account they have online…even for important accounts like their email, banking, and social media; accounts that, if hacked, would wreak havoc on their digital life. If this is a problem for you too, then hopefully this blog post will point you in the right direction in remedying this issue.

The key to keeping your online accounts secure is having strong passwords. However, even that isn’t always enough, because a website can still get hacked if there is a vulnerability in its software. The main problem with the Heartbleed Bug is that you end up being vulnerable regardless of whether you have a secure password or not. The good news is that most of the major sites have already updated their servers with a security patch to fix the Heartbleed Bug (see The Heartbleed Hit List). Even so, there are thousands of other sites that haven’t been fixed yet. If you are unsure whether a website is affected by this bug, your best bet would be to simply notify the site owner and ask them, especially if this is for an online account that is important to you.

Aside from any vulnerabilities, the best way to protect yourself is to do the following:

  1. Use strong passwords
  2. Always use a unique password for each account
  3. Change your passwords at regular intervals

All of this may seem daunting. After all, what does a strong password look like? If you have to use unique passwords on every account, how are you going to remember them all? Not only that, but changing passwords takes a lot of time, especially when you have to come up with all those unique passwords and record them for safekeeping, right? That’s where a good password management tool comes into play.

While there are a number of good password management applications, my favorite is 1Password by AgileBits. One of the reasons I like it is that, along with managing website passwords, it can handle other tasks such as storing credit card information, filling out registration forms, generating strong passwords, and more. And, because it’s cross-platform (Mac, Windows, iPhone, iPad, and Android), you’ll have access to all of your secure information wherever you go. It’s truly the Swiss Army knife of passwords and other secure information. With 1Password, you don’t have to remember all your passwords. The application stores all your secure information in a strongly encrypted database that can’t be accessed unless a person knows the password to the database, hence the name of the application. You only have to remember the one password required to access your 1Password database.

If you’ve never used a password management program like 1Password, learning how to use it and getting comfortable with it might seem a little hard, which is completely understandable. Fortunately, AgileBits has plenty of online documentation and tutorials on their website. Along with that, ScreenCastOnline recently posted a free tutorial on how to use 1Password.

Because 1Password comes with a password generator, creating strong passwords is easy. Most sites will let you know what the password requirements are, and you can adjust the 1Password generator to match them. For sites that have little or no restrictions, I tend to crank up the password length all the way to 30 and set it to include at least three numbers and three special characters. The 1Password generator’s strength meter will give you an idea of how strong the password is.

Remember, the whole point of this application is to help you generate passwords that can’t be hacked easily. Let the program do the work for you and generate as complex a password as possible that still adheres to the requirements of the site you’re generating it for. When creating a new online account or changing a password, use a different password for each account. The reason is that, if a hacker knows one password, they could potentially get into any account you have that uses the exact same password. Better to err on the side of caution and simply generate a different password for each online account.
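As an added illustration (not code from the post or from 1Password), here is how the policy described above, a 30-character password with at least three digits and three special characters, can be generated from a cryptographic random source, checked against the policy, and scored the way a strength meter does; the special-character set is an assumption, trimmed to whatever a site allows.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Assumed special-character set; narrow it to what the target site accepts.
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length=30, min_digits=3, min_special=3, special=SPECIAL):
    """Return a random password of `length` chars with at least
    `min_digits` digits and `min_special` special characters."""
    if length < min_digits + min_special:
        raise ValueError("length too short for the required digits and specials")
    # Guarantee the required classes first, using the CSPRNG (secrets, not random).
    chars = [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(special) for _ in range(min_special)]
    alphabet = LOWER + UPPER + DIGITS + special
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so required chars are not in fixed slots.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(pw, length=30, min_digits=3, min_special=3, special=SPECIAL):
    """Check a password against the same length/digit/special policy."""
    return (len(pw) == length
            and sum(c in DIGITS for c in pw) >= min_digits
            and sum(c in special for c in pw) >= min_special)


def entropy_bits(pw, special=SPECIAL):
    """Rough strength estimate like a meter: log2(alphabet size) per character,
    where the alphabet is the union of the character classes actually used."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, special):
        if any(c in cls for c in pw):
            size += len(cls)
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(pw), 1))
```

The entropy figure assumes the attacker must search the whole alphabet uniformly, which is exactly what a machine-generated, non-reused password buys you and a memorable one does not.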

I personally try and change the passwords for all my important accounts at least once a year. To aid in knowing which accounts to concentrate on, I created a number of folders in 1Password to help organize accounts by importance. I have a folder called ‘Accounts’ for all my important accounts like email, banking, shopping, and other accounts with highly sensitive information. This is the one folder that, when a major security issue occurs, I address first. Along with that, I have other folders separated by business, personal, clients, organizations, and miscellaneous. I always change the important stuff in ‘Accounts’ first followed by personal and business accounts.

I won’t lie, changing all your passwords can take time. However, a tool like 1Password greatly helps in cutting down time spent changing passwords. If you concentrate on the most important ones first then you can change others over time. 1Password does have tools that allow you to target accounts that have really old passwords. Once you get the hang of it, you’ll find managing passwords and other secure information with 1Password a piece of cake.

Got any other useful tips for managing passwords? Leave a comment in the comment section below! :)