Security

HTTPS Update: Google Chrome Displays “Not secure” Warning on More Websites

Posted by Ken Moire & filed under Security.

In January we talked about Google displaying a “Not secure” warning to Chrome users who visit any non-HTTPS web pages that accept passwords or credit card information. Soon, Chrome will display this warning in additional cases, affecting website visitors and site owners.

What To Expect

Coming in October, Chrome will show this warning to visitors of any non-encrypted (non-HTTPS) web page that includes a form, and of any non-HTTPS page viewed in “incognito mode”. This will affect many more sites, since search, contact and lead generation forms are prevalent.

Chrome’s HTTP Not Secure Warning

This warning does not necessarily mean the website has been compromised. It is a precautionary move by Google to inform website visitors their browsing and communications are not encrypted.
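The rules above, turned into a small audit a site owner can run against their own pages. This is an added example, not code from the original post: it flags an HTTP page with a password or card field (the January rule), any HTTP page with a form or viewed in incognito mode (the October rule) and, as a generalization, a form on any page that submits to an http:// URL, since that submission travels unencrypted. Card fields are recognized here only by autocomplete="cc-*" attributes, which is a simplification; the sample pages are constructed.

```python
"""Audit pages for the conditions that make Chrome show "Not secure"."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect each <form> with its resolved action URL and its input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # [{"action": url, "inputs": [(type, autocomplete)]}]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form with no action attribute submits back to the page itself.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((attrs.get("type") or "text").lower(), (attrs.get("autocomplete") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(inputs):
    """True if the form collects a password or a credit card number (cc-* autocomplete)."""
    return any(t == "password" or ac.startswith("cc-") for t, ac in inputs)


def audit_page(page_url, html):
    """Return a list of findings for one page; an empty list means no warning."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_is_http = urlsplit(page_url).scheme == "http"
    findings = []
    for form in scanner.forms:
        if page_is_http and is_sensitive(form["inputs"]):
            findings.append("HTTP page collects password/card data (warned since January)")
        elif page_is_http:
            findings.append("HTTP page contains a form (warned from October)")
        elif urlsplit(form["action"]).scheme == "http":
            findings.append("form submits to unencrypted URL " + form["action"])
    if page_is_http and not scanner.forms:
        findings.append("HTTP page (warned in incognito mode from October)")
    return findings


# Constructed sample pages so the script runs offline.
SAMPLE_PAGES = {
    "http://example.test/contact": '<form method="post"><input name="email"></form>',
    "http://example.test/login": '<form><input type="password" name="pw"></form>',
    "https://example.test/search": '<form action="http://example.test/s"><input name="q"></form>',
    "https://example.test/about": "<p>No forms here.</p>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, "->", audit_page(url, html) or ["ok"])
```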

Why Encrypt

The responsibility for web security belongs to all of us: web developers, website owners, network administrators, hardware and software manufacturers, and of course, users. In this chain, web security is only as good as the weakest link. This latest maneuver by Google, in an effort to make the web a more secure place, highlights the responsibility of site owners to provide safe, secure browsing and online communication for their visitors. For users, it educates them on the risk of using non-HTTPS websites, particularly when collecting personal information.

In light of the recent Equifax hack, it is important for users to know their online communications and personal data are secure. Site owners should take measures to obtain a Secure Sockets Layer (SSL) certificate and move to HTTPS.

SSL certificates are now more affordable than ever. There are three main types of certificate for securing your site. Domain Validated (DV) SSL certificates provide a basic level of encryption and are relatively easy to implement. Organization Validated (OV) and Extended Validation (EV) SSL certificates require more validation of the requesting organization, making them costlier and more complicated to set up.

Talk to your web hosting provider to see what your options are and which solution makes the most sense for your website or application.

What Happens If You Do Nothing

Having HTTPS is a factor in improving your site’s search rank in Google. Displaying this message to your visitors can have a negative long-term impact on your brand’s trust, and worse, keeps you and your visitors open to potential malicious attacks.

While this change currently only affects users of Google Chrome, other browsers have historically followed Google’s lead on security issues, and browsers from Firefox to Microsoft Edge will likely follow suit.

Chrome HTTP “Not Secure” Warning Fixed with SSL

Posted by Ken Moire & filed under Security.

Google, in their latest effort to ramp up security, has begun rolling out changes in its Chrome browser that will alert users when they are visiting any non-encrypted HTTP website. Formerly considered neutral, HTTP websites are now deemed not secure by the browser. If you’re a site owner or developer, this can impact your site’s traffic and trustworthiness.

HTTPS is not the plural of HTTP

When checking your bank account or shopping online, you probably already know to look for the lock icon in your web browser’s address bar. This indicates your client (browser) is passing data to the site with encryption.

By default, a web page is served to the browser using the non-encrypted HTTP protocol. The protocol is the bit found at the beginning of a URL, or web address.

HTTP is the web protocol

When a site is secure, the protocol changes to HTTPS, which stands for “HTTP over SSL”. An HTTPS site means that the website operator has obtained an SSL (Secure Sockets Layer) certificate, and any web traffic passed to that website is encrypted. When HTTPS is in use, the protocol is often highlighted in the address bar, along with a lock icon, to tell users that the connection is encrypted and thus secure.

Until recently, SSL certificates were expensive to purchase and difficult to install, so unless the website provided a login or shopping cart, website operators typically opted not to buy an SSL certificate and relied on HTTP for general web traffic.

Encryption for all!

A lot has changed in the last couple of years, driven in part by high-profile data breaches. In response to the current threat environment, organizations like Let’s Encrypt now provide SSL certificates for free. Furthermore, if your hosting provider uses cPanel, you can enable HTTPS instead of HTTP from the control panel, so there is no reason not to encrypt your site. Google even rewards HTTPS in search rank – secured sites are deemed more trustworthy by the search giant.

Google is not waiting for developers

Initially, only pages that accept a login or provide a shopping cart will show the alert, but eventually this alert will be displayed site-wide across all HTTP pages.

The Not secure warning in Chrome

Receiving this alert may be alarming to site visitors who are already skittish about web security, so if you own or operate a website you should get to work implementing an SSL certificate. In web security, we’re only as strong as our weakest link, so this push by Google to encourage all websites to go HTTPS is a step in the right direction.

How To Fix It

Site owners and developers should take immediate steps to implement an SSL certificate to avoid the Not secure warning in Chrome. Instructions on how to do so can be found here.

How Cybersecurity Fails Created The Panama Papers

Posted by Ken Moire & filed under Security.

The Panama Papers leak reveals the shadowy workings of the Panamanian law firm Mossack Fonseca in establishing offshore corporations for businesses, politicians, heads of state, athletes and celebrities for the sake of providing tax shelters and channels for arms and human trafficking. Illegal activities aside, what is particularly shocking is the lack of cybersecurity that may have contributed to over 2.6 terabytes of emails and documents (totaling over 11.5 million in all) being nabbed by hackers and landing at the feet of the International Consortium of Investigative Journalists (ICIJ), who broke the story a year after obtaining them.

Security experts have analyzed the methods by which the attackers were able to obtain the data, and what has come to light is an astonishing lack of basic web security practices on the part of Mossack Fonseca and their web administrators. Data breaches occur every day at government, business, and personal websites, with varying degrees of damage. Although the Panama Papers shed light on secretive and largely illegal activities, security vulnerabilities like these can affect legitimate companies that want to protect their customer data.

Image courtesy of Panama Papers, Süddeutsche Zeitung

To understand the level of the security shortfalls, it helps to understand the software that Mossack Fonseca uses to power their multiple web properties. The firm uses two of the more popular content management systems (CMS) around, WordPress and Drupal, to power their public and client-facing websites, respectively. The client portal was used to share sensitive documents between the law firm and its clients. Both are written in PHP and are open source, meaning that their code base is free, accessible, and developed and maintained by community developers. While these systems can be secure environments for storing important data, the manner in which they were maintained, or not maintained, by Mossack Fonseca has been identified as the reason attackers were able to steal the damaging documents used in the reports.

WordPress security company Wordfence analyzed the law firm’s web hosting environment following the leaks to determine how attackers may have obtained all of this data. Wordfence determined that the WordPress site was over three months out of date, while their Drupal site was almost two years out of date. Furthermore, the company was using outdated third-party plugins for WordPress, which may have opened the door for hackers to access other systems and passwords.

Website owners can learn from the mistakes made by Mossack Fonseca. Here are some of the main takeaways from the Panama Papers:

Protecting the Core

Both WordPress and Drupal have a large community of web developers contributing code to the various parts of the platform, also known as “the core”. Because they are open source, the code can be viewed by a larger user base, which helps expose potential security risks in the code base. When this happens, those vulnerabilities are typically brought to the core development teams, who then fix the issue, release an update, and publish bulletins to notify web developers and users of the risk and the fix.

Mossack Fonseca’s client portal on Drupal was vulnerable because it ran a version of Drupal that was over two years old. In that time, the Drupal security team had disclosed major vulnerabilities and urged website administrators to patch the software. Because Mossack Fonseca ignored these security bulletins, it was entirely possible for hackers to access sensitive files and data from the client portal.

In WordPress, security updates are typically announced at WordPress.org, while Drupal has its own security team and announces security bulletins via mailing lists. WordPress by default updates itself automatically when security updates are released, which makes it painless to keep core WordPress up to date. Drupal updates need to be applied manually, which means it is vital for website admins to pay attention to update notifications and apply security updates immediately.

Leaving The Door Open With Plugins and Modules

Third-party code that extends the functionality of the core CMS platform is known as plugins (WordPress) or modules (Drupal). Besides using an outdated version of WordPress, Mossack Fonseca was using the Revolution Slider plugin, which is “one of the most common WordPress vulnerabilities” when not updated. In an update to its original report, Wordfence noted that because Mossack Fonseca’s email server was hosted on the same server as their websites, it is likely that their email was compromised via a vulnerability in Revolution Slider.

Plugins and modules receive varying degrees of scrutiny and oversight from security teams, depending on the platform, their popularity and the method by which they are distributed. In general, Drupal has a wider and more stringent security review of community-developed modules than WordPress; however, plugins distributed via the WordPress Plugins directory must pass a security review and are typically maintained and supported. Revolution Slider, which has had known vulnerabilities going back to 2014, is not available through WordPress.org and is instead sold and downloaded directly from the developer’s website and from the popular software storefront CodeCanyon.

When you obtain code directly from plugin developers (or via sites like CodeCanyon) you are on your own to determine whether the plugin is maintained and whether security updates are available. In these cases you rely on the individual developer or development team to keep the plugin maintained and patched as new vulnerabilities are exposed, so look for plugins that are frequently updated and actively supported. If they are not, avoid using them, or you risk exposing your site and data to attackers.
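The first step in acting on the core and plugin advice above is knowing what versions are actually installed. The script below is an added example, not Wordfence’s or WordPress’s own code: it reads the version strings WordPress records on disk (core in wp-includes/version.php, each plugin in its comment header) and compares them with a reference list of current versions. The reference list, the sample site and its version numbers are constructed for the demo; real current versions come from the vendors’ security bulletins and update feeds.

```python
"""Inventory a WordPress install and flag out-of-date core and plugins."""
import re
import tempfile
from pathlib import Path

WP_CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# WordPress reads plugin metadata from a comment header such as "Plugin Name: X".
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def version_tuple(version):
    """'4.4.2' -> (4, 4, 2): compare numerically, so 4.10 is newer than 4.9."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def scan_wordpress(root):
    """Return {component: installed_version} for core and every plugin found."""
    root = Path(root)
    found = {}
    core_php = (root / "wp-includes" / "version.php").read_text()
    found["wordpress"] = WP_CORE_RE.search(core_php).group(1)
    for php_file in (root / "wp-content" / "plugins").glob("*/*.php"):
        header = dict(PLUGIN_HEADER_RE.findall(php_file.read_text()))
        if "Plugin Name" in header and "Version" in header:
            found[header["Plugin Name"]] = header["Version"]
    return found


def outdated(installed, reference):
    """{component: (installed, current)} for every component behind the reference."""
    return {name: (ver, reference[name]) for name, ver in installed.items()
            if name in reference and version_tuple(ver) < version_tuple(reference[name])}


# Constructed reference list of "current" versions for the demo (not real release data).
REFERENCE = {"wordpress": "4.4.2", "Slider Revolution": "5.2.5", "Akismet": "3.1.11"}


def build_sample_site(root):
    """Write a constructed WordPress tree: old core, one old and one current plugin."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.1';\n")
    plugins = root / "wp-content" / "plugins"
    for slug, name, ver in [("revslider", "Slider Revolution", "4.1.4"),
                            ("akismet", "Akismet", "3.1.11")]:
        (plugins / slug).mkdir(parents=True)
        (plugins / slug / f"{slug}.php").write_text(
            f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root


def run_demo():
    """Build the sample site in a temp dir and return its outdated components."""
    with tempfile.TemporaryDirectory() as tmp:
        return outdated(scan_wordpress(build_sample_site(tmp)), REFERENCE)


if __name__ == "__main__":
    for name, (have, want) in run_demo().items():
        print(f"{name}: installed {have}, current {want} -> update needed")
```

Pointing scan_wordpress at a real document root gives the inventory to check against the bulletins the post describes.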

Separation of Concerns

The reports reveal other shoddy practices that likely led to the theft of the 11.5M+ documents that would become known as the Panama Papers. In web security, the practice of “separation of concerns” means that you mitigate the risk to any one system by decentralizing where your data lives and how it is accessed. Mossack Fonseca hosted their email server on the same server as their website, and had passwords for their email stored in plain text in the WordPress database. With a compromised WordPress installation, it would have been easy to obtain the email passwords and retrieve email. If email had been on a separate server, it would have been much harder for hackers to obtain it even after the website was hacked.

Ask The Right Questions

The largest data breach in Internet history was likely caused by a lack of security best practices. Companies should understand how their website is hosted and how their information is stored. Demand to know from your developers or web hosting team how data is secured and how the risk of hacks and attacks is mitigated. It could save your business, as well as your clients’ businesses.

5 Questions To Ask Your Web Partner About Security

Posted by Sheila Burkett & filed under Security, Tips.

Has your website ever been hacked? If it has, you know how difficult it can be to get it back up and working. As a business owner, you pay thousands of dollars to have your website built, but how do you make sure the website and server are being maintained to prevent it from getting compromised?

Here are five questions you should ask your web partner about the security of your website.

What content management system (CMS) will my website be built on?

CMSs such as WordPress and Drupal are open source platforms that interactive agencies use to build websites. Programmers around the world dedicate their time and effort to the maintenance, enhancement, and expansion of each CMS. This results in frequent releases of new updates that fix problems within the code base and within the plugins or modules that provide website functionality. What does that mean to you? Each month, the company or individual who maintains your website should review the code that was released, apply the updates to your website platform and test to make sure everything still works.

What development and testing processes will be taken to ensure my website is secure?

Your website isn’t just pretty pictures and content. Most websites today allow users to log in, make purchases, submit applications for jobs, or monitor service requests. The website code that makes this possible should be written with security in mind and tested to make sure the “bad guys” can’t get through easily. Hire a company that understands these issues and can talk to you about the procedures they follow to develop secure websites.

What hosting service will my website be using?

Image source: AustinSEOguy.com

Websites run on computers called servers; a website is “hosted” on, and served from, such a server. It is important to understand the following about the environment:

  • Where are these servers located?
  • Which security measures does the company take?
  • What monitoring procedures are in place to identify a threat?

Websites are often hosted by specialized companies that use different forms and levels of security. Some hosting companies limit web teams’ access to server-level software, which may limit their ability to keep the web server and website secure.

Who will manage the security and software on the hosting server?

When you purchase hosting services from companies such as Wix or GoDaddy, they typically maintain the servers and monitor for security issues at the server level. Some hosting services do not maintain server security or software, however. It is important to understand what level of security support the hosting company actually provides at the web server level and/or for your website content management system.

Will you make sure my CMS is updated and secure?

A monthly review of the CMS and of the plugin updates that are regularly released is highly recommended, as is a monitoring process that alerts you when security patches become available. Security patches should be applied within 24 hours of the announcement.

An area where we frequently see security issues arise is with plugins and modules installed on the CMS that are no longer supported or maintained by the original developer. When code isn’t maintained, it creates a security hole that leaves your website vulnerable to being compromised. Here at Spry Digital, when the technical team identifies plugins or modules that are no longer maintained, we immediately look for a replacement for that code to minimize the security risk. Once your website is built, you should expect additional support costs for your website team to address these issues.

Your website is the digital front door to your company. You make sure that all the doors to your building have locks, and most of us add security alarms, cameras and security codes to keep our buildings safe from intruders. It is important to make sure your web partner is employing the same level of security and maintenance for your website.

Personal Security: Password Management

Posted by Ken Moire & filed under Security.

Every year, companies spend billions of dollars on IT security infrastructure. Despite that, hackers continue to adapt and find new ways to exploit vulnerabilities and expose sensitive user data. Many go unnoticed, but in the last year alone several high-profile hacks were reported, most notably Target and, more recently, eBay. In the case of the notorious Heartbleed bug, a vulnerability in OpenSSL, the library used by most of the Internet for encrypted, secure connections, left a back door open.

Given these large-scale security breaches, it can feel like there’s very little one person can do compared to the scale and severity of these exploits. But in fact, there are measures we can take to help protect our online information and minimize the impact of these breaches. In this Personal Security series, I’ll share ideas, tools and steps to keep your online activities more secure.

Password Managers

In many cases, the first thing that users are asked to do following a known breach of a website or application is to change their password. But if you’re using the same password across multiple sites, that means you need to update your password everywhere it was used. Do you remember all of the places you’ve used it? Probably not. And the risk is even worse if you’re using a weak password, because it can easily be cracked. If your password is ‘admin’, ‘12345’ or your kid’s birthday, it’s time to upgrade your passwords and start using a password manager.

In a nutshell, password managers allow you to create unique, complex passwords for each website or application that you visit and store them in a central secure system. The best ones use AES 256-bit encryption and other strong security measures like one-way salted hashes. The passwords are not stored locally (for example in your browser) — rather, when you visit a website, your password manager exchanges an encrypted token between your machine and the password service’s server, establishing a secure connection before a password is retrieved. Once the secure “handshake” is made, the password manager can auto-complete the login form, so in essence you will never need to remember the password stored for any particular website (trust me, it’s better this way).
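To make the mechanics above concrete, here is an added example (not code from the original post or from any particular product) showing three things a password manager does for you: generate a unique random password per site, derive the vault’s 256-bit key from the master password with a one-way salted hash (PBKDF2-HMAC-SHA256, the key AES-256 would then use), and flag accounts that share a password, as the reuse reports do. Encrypting the vault itself is left out because the Python standard library has no AES; the sample vault contents are constructed.

```python
"""Core building blocks of a password manager: generation, key derivation, reuse checks."""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length=20):
    """Random password from the OS CSPRNG that contains every character class."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def derive_vault_key(master_password, salt, iterations=200_000):
    """One-way, salted derivation of a 32-byte (256-bit) key from the master password.

    A random per-vault salt means two users with the same master password get
    different keys, and the iteration count slows brute force of a stolen vault.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def find_reused_passwords(accounts):
    """Return groups of sites (each group sorted) that share the same password."""
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample vault: two sites share one password, which a manager would flag.
SAMPLE_ACCOUNTS = {
    "bank.example": "Summer2014!",
    "shop.example": "Summer2014!",
    "mail.example": generate_password(),
}

if __name__ == "__main__":
    salt = secrets.token_bytes(16)   # stored next to the vault; it need not be secret
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    for group in find_reused_passwords(SAMPLE_ACCOUNTS):
        print("same password used at:", ", ".join(group))
```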

There are several popular password managers on the market. Dashlane and LastPass are two of our favorites, but there are many more, each with their own price models and feature sets. You should explore all of the options and pick the best password management system for the way you use passwords.

Benefits of Using A Password Manager

Besides generating and storing complex passwords, there are other benefits of using a password manager:

  • They keep track of all accounts you’ve created across the internet. Without a password manager, it’s easy to forget your account history.
  • Many password managers provide helpful security reports, like a list of accounts that are compromised by known exploits. When Heartbleed was announced, LastPass provided a report for all of the sites that could be affected so you knew immediately which passwords needed updating.
  • Most password managers alert you if you’re using the same password across multiple websites. It’s a habit that most of us fall into if we’re not paying attention. Password managers help pay attention for us.
  • Some password managers include a mobile app that lets you retrieve passwords while on your mobile device.

There are several other best practices for using passwords; however, a password manager makes the job of managing your accounts and passwords easy. Do yourself a favor: use a password manager service and get peace of mind.