Security

SSL is something you see all over the web. Most people think it's just a way of saying "This site is secure", but in reality there's a lot more to it than that. Let's dive right in!

What is SSL?

SSL (or TLS, as the modern versions are called) is a protocol which encrypts data in transit between the user's browser and the web server hosting the site. For example, if you visit gmail.com and log in, when you hit submit your login details are encrypted in your browser, transmitted over the web in a form that nobody sitting in between can read or tamper with, and decrypted only by the server on which Gmail resides. The certificate the site presents also proves to the browser that it really is talking to gmail.com and not an impostor, which is what the padlock is actually vouching for.

Why should I use SSL?

SSL is a way of earning the trust of your site's users. People don't trust websites without it. Don't believe me? How would you feel if a website was sending your card details across the internet without any form of encryption? Thought so. On top of that, a whopping 84% of people say they would abandon a purchase if their data was being sent over an insecure connection.

Not only does https keep transmitted data secure, it also helps with SEO rankings (no, really!). Google confirmed back in 2014 that it uses HTTPS as a ranking signal. It's a lightweight signal compared to content quality, but yes, all else being equal, a secure site can rank higher.

So, at the moment, we know SSL makes websites more secure for customers, and helps with SEO. So what else?

Speed. Browsers only speak HTTP/2 over an encrypted connection, so moving to https lets you enable it, and HTTP/2 is a faster version of your standard http (non-SSL). I won't go into the technicalities of it, but HTTP/2 multiplexes many requests over a single connection, so effectively you can serve more assets simultaneously without the browser queuing them up.

SSL and Google Chrome

In July 2018 Google released Chrome 68. Wooo!!!! Oh, hang on, not relevant to you. Got it!

From this version onwards, any website which is *not* using https is labelled "Not secure" in the address bar, like so:

[Image: Chrome address bar showing the "Not secure" warning next to an http:// address]

That's the last thing you want your customers to see: "Not Secure" next to your domain name!

How can I get SSL?

If we host your website for you, we can supply an SSL certificate, install it, and have you up and running in no time. The cost for this depends on what we need to do on your website. Your site isn't fully on https unless every asset it loads is referenced over https too. For instance, if you use a third-party tool such as ClickDimensions, you need to make sure their embed code references https:// and not http://. Why? Because otherwise you get mixed content warnings, and only partial SSL.

Mixed content warnings occur when your site is served over https but loads resources over plain http. Browsers block the dangerous kind outright (scripts, stylesheets and frames, which could alter the page) and flag the rest (images, media), so the padlock disappears and parts of the page may stop working. Worse, if the insecure resource is something like a lead generation form from a third party, your users may be submitting their details over an http (non-secure) connection. We, as a hosting provider, will make sure these are taken care of for you and you're running full https!
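As an added example (not the hosting provider's own tooling), here is the kind of check an audit would run over a page's HTML to find mixed content before switching to https. The sample page is constructed for this example, and the host names in it (cdn.example, forms.example) are placeholders, not real services.

```python
"""Added example (not the hosting provider's tooling): scan an HTML page for
mixed content, i.e. http:// resources referenced from an https:// page.
The sample HTML below is constructed for this example, and the host names in
it (cdn.example, forms.example) are placeholders, not real services."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}

# Scripts, stylesheets and frames can run code or change the page, so browsers
# block them outright when loaded over http from an https page ("active" mixed
# content). Images and media are "passive": shown with a warning instead.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentFinder(HTMLParser):
    """Collects every plain-http URL the page would load or submit to."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in URL_ATTRS.get(tag, ()):
                continue
            # srcset holds comma-separated "url descriptor" pairs; other
            # attributes hold a single URL, which this same loop handles.
            for candidate in value.split(","):
                candidate = candidate.strip()
                url = candidate.split()[0] if candidate else ""
                # Protocol-relative "//host/x" has no scheme and is safe on
                # an https page, so only an explicit http:// is reported.
                if urlparse(url).scheme == "http":
                    if tag == "form":
                        kind = "insecure form submission"
                    elif tag in ACTIVE_TAGS:
                        kind = "active"
                    else:
                        kind = "passive"
                    self.findings.append((tag, name, url, kind))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_url(url):
    """Rewrite http:// to https:// for the fix. Only correct if the third party
    actually serves the same resource over TLS; check that before deploying."""
    if url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


# Constructed sample page: one clean asset, one protocol-relative asset, and
# three references that would break a fully-https site.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/tracking.js"></script>
<script src="//cdn.example/jquery.js"></script>
</head><body>
<img src="http://cdn.example/hero.jpg" alt="">
<form action="http://forms.example/lead-capture" method="post">
  <input name="email"><button>Sign up</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag} {attr}> {url}  [{kind}]  fix: {upgrade_url(url)}")
```

Run it against the real page source (or a crawl of every template) before the switch. As a safety net for anything the scan misses, the `Content-Security-Policy: upgrade-insecure-requests` response header tells browsers to fetch http:// subresources over https automatically, but it does nothing for third parties that don't actually serve TLS, so the rewrite is still the real fix.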

Cool, get me on HTTPS!

Hold on cowboy, slow down! We need to audit your site and work out what needs changing first. Give us a call on 01622 755 855 and ask for Ash, Jon or Andy, all of whom will be able to help you out and point you in the right direction. The first step before SSL is checking you're using secure passwords 😉 You don't even need to be a customer; we can still advise, or even host your site in a managed, SSL-powered environment for you.

Ash Scott

Ash is a front end developer who specialises in WordPress development. With an interest in pixel-perfect, modern designs, he can put an entire site together on his own if needed. Ash works on a lot of projects at home, building solutions that help small businesses streamline their operations. Doing this also enables him to keep up with modern front end and WordPress standards and technology.

Secure passwords are the backbone of internet security, yet everyone is guilty of using the same password over and over: for email, Facebook, LinkedIn, the lot. But why should your password be different for each service, and what's the best way to manage them? Hint: it's not writing them down on paper!!

Many people have their website hacked but cannot find any trace of a break-in. Why? Because the "hacker" has simply logged in with your username and password, so there's no exploit to find in the logs. Oh, you've not told anyone your logins? You thought you had secure passwords? Strange... Or is it? Let's introduce you to the basics of website security.

The strange thing is that most end users are tunnel-visioned, unaware that something they do on one website could affect another. For instance, you log into a website, happy as Larry, with "[email protected]" and "password123". You do what you need to and log out. Cool. No problem, all is good, right? Wrong. That website has just fallen victim to an SQL injection attack, and someone now has the email addresses and passwords of every member of that site.

On top of that, said website wasn't hashing passwords, so they're all in plain text and human-readable. (Note that this doesn't mean sites which store encrypted or hashed passwords can't be exploited; it just makes it harder. A leaked table of hashes still lets an attacker guess passwords offline, and weak or reused passwords like "password123" fall very quickly, whatever the hash.)

Password encryption and hashing are both ways of making a password unreadable by humans but processable by computers. The difference matters: encryption can be reversed by anyone who obtains the key, whereas hashing is a one-way process which cannot be reversed into its original form. What an attacker can do with a hash is guess candidate passwords, hash each one and compare, which is why a proper password hash is also salted (a random value per user, so the same password never produces the same hash twice) and deliberately slow (so each guess costs real computing time).
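To make the difference concrete, here is an added example (not code from the original post) showing why a leaked table of unsalted fast hashes is little better than plain text, and how a password should be stored instead. It uses only the standard library; the "leaked" MD5 digest and the tiny wordlist are constructed for the example.

```python
"""Added example (not code from the original post): why a leaked table of
unsalted fast hashes is little better than plain text, and how a password
should be stored instead. Uses only the standard library; the "leaked" MD5
digest and the small wordlist are constructed for this example."""
import hashlib
import hmac
import secrets

# --- The bad old way: fast, unsalted MD5 ----------------------------------

# Constructed: what a leaked "users" table might hold for "password123".
LEAKED_MD5 = hashlib.md5(b"password123").hexdigest()

# Constructed mini wordlist; real attackers use billions of leaked passwords.
WORDLIST = ["123456", "qwerty", "letmein", "password123", "dog123"]


def crack_unsalted_md5(digest_hex, wordlist):
    """Guess-and-check: hash each candidate and compare. With no salt, one
    pass over the wordlist cracks every user who chose that password, and
    MD5 is so fast that billions of guesses per second are realistic."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


# --- The right way: salted, deliberately slow PBKDF2-HMAC-SHA256 -----------

ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means two users with the same password get
    different records and precomputed tables are useless. The slow KDF makes
    each guess cost real time, but a dictionary word still falls eventually,
    so hashing protects the strong passwords, not the weak ones."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and parameters; compare in constant time
    so timing differences don't leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted MD5 cracked to:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    record = hash_password("password123")
    print("stored record:", record)
    print("correct password verifies:", verify_password("password123", record))
    print("wrong password verifies:", verify_password("Password123", record))
```

Storing the iteration count inside the record is deliberate: it lets you raise the cost later and re-hash each user on their next successful login without breaking existing accounts. Dedicated password hashes such as bcrypt, scrypt or Argon2 are preferable where a library is available; PBKDF2 is used here only because it ships with Python.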

The attacker has your email and password, but how do they know you're the admin of yoursite.com? Well, there are numerous ways, such as doing a Google search for your email address, or doing a whois lookup to see if you've registered any domain names. The list goes on. But don't be fooled: it's not just exploits which can leak your password.

Phishing 101

Have you ever received an email from someone like PayPal or Apple saying your account has been locked due to suspicious activity? Well, it could be a phishing email. A phishing email is designed to look authentic while capturing your information. It does this by looking like an official Apple.com email, except that the "Unlock my Account" button goes to a fake website built to look like Apple.com.

You're none the wiser, so you fill in your username and password and hit submit. Your logins have now been sent to the attacker (in plain text, no hashing involved), and you're redirected to the real Apple.com login page so nothing looks amiss.

It's that easy. Once your password is exposed, it's game over for you, your accounts and, more importantly, your business website's security. You must also be aware of social engineering, where the attacker simply talks someone into handing over access. There's a scene in my favourite TV show, Mr. Robot, which shows exactly how it works. But more on that in another post 😉

How do I know if my password has been exposed?

Security researcher Troy Hunt has built a service, Have I Been Pwned (haveibeenpwned.com), which can tell you if your passwords have been exposed. He runs it by collecting the data from breaches that are already circulating among attackers and letting people look themselves up across all the lists he holds. Its Pwned Passwords search tells you how many times a given password has appeared in known breaches, and it does so without ever receiving your actual password: only the first five characters of the password's SHA-1 hash are sent, and the match is made on your side. You can also see whether your email address has been involved in a hack.
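Here is that range lookup as an added example (not Troy Hunt's own code), run offline against a constructed response so it can be read and tested without touching the network. The real endpoint and its `SUFFIX:COUNT` line format are as the Pwned Passwords API documents them; the counts in SAMPLE_RESPONSE are made up.

```python
"""Added example (not Troy Hunt's code): the k-anonymity range lookup that
Have I Been Pwned's Pwned Passwords API uses, run offline against a
constructed response. Only the first five hex characters of the password's
SHA-1 ever leave your machine; the service returns every suffix in that
range and the match is made locally. The counts in SAMPLE_RESPONSE are
made up for this example."""
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if
    absent). Padded responses include filler suffixes with count 0, which
    correctly come back as 'not seen'."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (not used by the offline demo). Add-Padding makes every
    response a similar size so an eavesdropper can't infer the prefix."""
    req = Request(RANGE_URL + prefix, headers={
        "Add-Padding": "true",
        "User-Agent": "pwned-passwords-example",
    })
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password, fetch=fetch_range):
    """Number of times the password appears in known breaches, per the API.
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed offline response for the range containing "password123":
# two unrelated (made-up) suffixes plus ours with an invented count.
_SUFFIX = sha1_prefix_suffix("password123")[1]
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_SUFFIX}:2483",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",  # padding entry
])


def offline_fetch(prefix):
    """Stand-in for fetch_range: ignores the prefix and replays the sample."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    print("password123 seen", times_pwned("password123", offline_fetch), "times")
    print("a fresh random password seen",
          times_pwned("Z7#kq9!wLm2$pR4v", offline_fetch), "times")
```

A count above zero doesn't mean your account was breached, only that somebody, somewhere, used that password and it leaked; it's still on every attacker's wordlist now, so change it. Hitting the live API with `times_pwned("...")` costs one GET per check and is fine to wire into a sign-up or password-change form.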

So how can you keep complex, secure passwords?

There are tons of ways! I personally, and through work, use 1Password. It's a password vault which stores all your passwords encrypted; the vault is encrypted on your own device before it's synced, so even the cloud service can't read it. You log into it with, funnily enough, one password. Which is why this single password (which gets you access to all your other passwords) should be long, secure and unique. Not dog123, but something around 16 characters long, with numbers, special characters and mixed-case letters. Who thought having secure passwords could be so easy, eh?

Once you've learnt how to use 1Password, you will very quickly be securing everything from Facebook to your internet banking! You can generate secure passwords on the go, save them into your 1Password account, and use them from the off. I use a family account to help my folks stay secure online.
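For anyone who wants to see what a password manager's generator is doing under the hood, here is an added example (not 1Password's code) that produces the kind of password recommended above, 16 characters with mixed case, digits and symbols, using the operating system's cryptographic random source, and puts a number on how much stronger that is than something like dog123.

```python
"""Added example (not 1Password's generator): producing the kind of password
the post recommends (16 characters, mixed case, digits, symbols) with the
operating system's CSPRNG via the secrets module, and putting a number on
how much stronger it is than something like dog123. Standard library only."""
import math
import secrets
import string

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",
)
ALPHABET = "".join(CLASSES)  # 85 symbols


def has_all_classes(password):
    """True if at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=16):
    """Random password containing every character class.
    Rejection sampling (draw, check, retry) keeps every accepted password
    uniformly distributed over the qualifying set; 'pick one from each class
    then shuffle' would bias the result. Never use the random module here:
    it is a predictable PRNG by design, which is what secrets exists to fix."""
    if length < len(CLASSES):
        raise ValueError("too short to cover every character class")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(password):
            return password


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string of this length.
    Only valid for truly random strings: dog123 is a dictionary word plus a
    number, so its real strength is far below the 6-character figure."""
    return length * math.log2(alphabet_size)


def years_to_guess(bits, guesses_per_second=1e10):
    """Expected time to search half the space at the given offline rate;
    1e10 guesses/s is a plausible GPU rig against a fast unsalted hash."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("generated:", generate_password())
    strong = entropy_bits(16, len(ALPHABET))
    weak = entropy_bits(6, len(string.ascii_lowercase + string.digits))
    print(f"16 random chars from {len(ALPHABET)} symbols: {strong:.0f} bits,"
          f" roughly {years_to_guess(strong):.1e} years to brute-force")
    print(f"6 random lowercase/digits (dog123 at best): {weak:.0f} bits,"
          f" roughly {years_to_guess(weak) * 365.25 * 86400:.1f} seconds")
```

The point of the arithmetic is that length and randomness do the work, not cleverness: a 16-character random string from this alphabet has over 100 bits of entropy, while a six-character one has about 31, and a memorable word-plus-digits pattern is weaker still because attackers try those patterns first.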
