malware

Looking forward to Free SSL!

Updates on Website Security and Free SSL

Securing your website is increasing in importance to the point that soon your site could be disregarded by Google and avoided by visitors if they don’t see the familiar “https://” with a tiny padlock icon at the beginning of your url. Last year Google announced that websites secured with Secure Socket Layer encryption, or SSL, are getting added favor from the search engine company, increasing their rankings in search result pages at google.com. A number of recent high-profile security breaches such as the one at Sony Pictures demonstrate the possibility that any site can be hacked and illustrate the business-halting disaster that the ensuing data loss can cause. The little understood hacker phenomenon, combined with our fascination with the idea of artificial intelligence, has inspired numerous movies on the subject since the birth of the internet, with the Girl with the Dragon Tattoo released in 2011, The Hacker Wars released last year and Black Hat (Chris Hemsley) leading several new ones slated for release in 2015. Television writers have also explored the phenomenon in many shows, my own personal favorite being “Kill Switch,” one of the most thought-provoking episodes of The X-Files and possibly an inspiration for Transcendence (Johnny Depp). Such fascination reveals how little most of us actually know about what hackers do and how they do it, even the filmmakers, as most movies do not represent hacking with much accuracy. Nearly none of them show the ethical side of hacking — those we can thank for testing sites for vulnerabilities and helping design software to protect the rest of us from that shadowy threat we know nothing about aside from its existence. And of course there’s Anonymous, a group of hackers who seek social justice via computer-hacked threats. Most of us — that is, those of us who do not operate ecommerce websites that conduct credit card transactions online — have been able to get away without SSL up until now, but clearly that era is ending. As responsible citizens of the internet, we all need to step up to the plate and secure our websites to protect our investment in the site itself and any data it may contain, but also to give our visitors confidence by demonstrating our commitment to protecting them from “drive-by” malware infection. Taking these measures will help us retain (and hopefully boost) the search engine rankings we work so hard to gain.

My own website www.soartists.com (The Southern Oregon Artists Resource) was attacked by malware early in 2011. The entire site was taken down and its companion blog, Art Matters!, had to be reconstructed. Fortunately we did not receive any reports of massive spam attacks or anything else that indicated a loss of critical data for any of our listed artists or visitors to our site, but it was a painful wakeup call that directed my attention to the importance of internet security. As a result, all my clients with WordPress sites will see at least one and often three or more security plugins. I set these up to notify me when unauthorized attempts to gain access to the admin portion of their websites result in a “lockout.” This keeps my email inbox quite busy. For those clients who do not have WordPress sites, I recommend a security overhaul to install some basic code that will help protect their sites until they are able to purchase a SSL certificate that will encrypt all activity to, from and on their websites, making the “transactions” that include visitors’ activity invisible to hackers and ever-watchful malware bots looking for opportunities to inject malicious code on vulnerable websites.

So what has kept us all from investing in a SSL certificate that would protect our sites and their visitors? Most of us have a tendency toward complacency, clinging to naïve thoughts that justify inaction. One I hear often is “Why would hackers want anything from my website?” Trust me, it’s nothing personal. If you are not engaged in ecommerce, they probably do not want anything from your site itself, but like parasites they are always looking for “hosts” from which they can silently conduct their mischievous and often damaging activities. In early 2014, a client for whom I needed to create a website on a very restricted budget opted out of security measure “for now.” By Thanksgiving, her site had been blacklisted by Norton Safe Web and had to be cleaned of malware before it could be reinstated. I breathed a deep sigh of relief that we caught this before Google had blacklisted her, as their reinstatement procedure can be much more time-consuming. Still, the process wound up costing her an unexpected sum for cleaning and submitting her site for reconsideration as well as installing security measure that would prevent future infections—no fun for either of us, yet a relief once it was reinstated. For those who chose to look into a SSL certificate for their website, the dealbreaker has most often been the price. SSL certificates have been expensive, and the lineups of less expensive to most expensive types of SSL were not only confusing, but discouraging, making us feel that if we invested in a “minimal” (cheap) SSL certificate, it might not be effective and therefore a waste of money. But there is good news! A couple of days ago I received a little/big gift from one of the security companies whose plugins I use–a link to an article in my inbox with good news for 2015 – SSL will be free, and much easier to install, as of Q2 2015! Following is the source of the information reported in this excellent article. I strongly suggest you read both articles!!

Let’s Encrypt: Delivering SSL/TLS Everywhere

Vital personal and business information flows over the Internet more frequently than ever, and we don’t always know when it’s happening. It’s clear at this point that encrypting is something all of us should be doing. Then why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch?The challenge is server certificates. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan are working through the Internet Security Research Group (“ISRG”), a California public benefit corporation, to deliver this much-needed infrastructure in Q2 2015. The ISRG welcomes other organizations dedicated to the same ideal of ubiquitous, open Internet security.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

If your website needs attention to security or you want to get a SSL certificate and you’re not sure what to do, please contact me at webmistress@hannahwestdesign.com or call 541.899.2012 to discuss your needs and what I can do to help. One of the primary lines of defense is simply keeping your WordPress installation, theme and plugins updated, and backing up your website regularly so you can easily restore it if a disaster does happen. I know you’re busy and have other priorities on your mind and your schedule, so let’s talk about an inexpensive annual contract that will allow me to do that for you so you won’t have to!