Blog

Get the latest on what's happening at itomic

Informative commentary on the web industry from the experts at Itomic.

March 16, 2017

What is Always On SSL (AOSSL)?

By Ross Gerring

Always On SSL, or AOSSL for short, is the practice of ensuring that every page of a website is always served over https (in a nice way: a visitor who arrives on an http address is simply sent to the https one), so that the site's SSL certificate protects every page rather than just a few.

Q. How do you know that a web page is using an SSL certificate?

The closed padlock, the word ‘Secure’, and https instead of http, show that this page is secure. These should be visible in the address bar of your web browser. The exact wording and icon vary between browsers and versions; the https at the start of the address is the constant.

The closed padlock and the word 'Secure' show that this page is secure

Q. How do you know that a web page is NOT using an SSL certificate?

The words ‘Not secure’ show that an SSL certificate is not in use. You may also see http and not https. You may also see an open padlock, not a closed one.

The words 'Not secure' show that an SSL certificate is not in use.

Q. What does “secure” actually mean?

It means that the information you’re supplying to a website (and the pages it sends back to you) is encrypted in transit, and so is not visible or readable in plain text to anyone who might be snooping (maliciously or otherwise) on the data being exchanged. It also means your browser has checked the site’s certificate, so you are talking to the server that holds the key for that domain and not to an impostor somewhere in between. You are exchanging data with a website when, for example, you are:

  1. Filling in a “Contact Us” form.
  2. Logging in to a members-only area.
  3. Buying something, i.e. an e-commerce transaction.

When you are exchanging data with a web page, your data is actually travelling across multiple computer networks, with multiple owners of those networks. At an absolute minimum, there’s the owner of your internet connection (i.e. your ISP), plus there’s the data centre where the website is being hosted. In other words, there are lots and lots of touch points between your data and the destination website (hosting server), and therefore multiple potential points where someone – if they really wanted to – could attempt to capture, store and read your data.

Q. How does a web developer force a website to be always-on SSL (AOSSL)?

Here’s a test: try to visit http://google.com.au. What happens? The URL should get automatically changed to https://www.google.com.au (or possibly a local country version of Google, e.g. google.com or google.co.uk). The page went from not secure, to secure. Note 2 things:

  1. http got changed to https
  2. google.com.au got changed to www.google.com.au. See http://www.yes-www.org/why-use-www/ for information about this.

You (the visitor) went to visit the website on a non-secure (http) connection, and you got automatically redirected to the https version. And it doesn’t matter what Google web page you visit, you’ll (almost certainly!) get auto-redirected to the https version if you initially attempted to visit the http version.

OK, from a website developer perspective, what we do is:

  1. Ensure that the website actually has a valid SSL certificate installed in the first place. The great news here is that there’s no longer any excuse for a website to be without one, because some SSL certificates are now free: http://www.itomic.com.au/tag/free-ssl/.
  2. Add some code to your website (or to the web server configuration) which detects that a page is being requested over an http URL and redirects the visitor to the https equivalent of the same page, keeping the path and any query string intact. Getting more technical, we typically use a 301 (permanent) redirect, so that browsers and search engines remember the https address. Once every page redirects cleanly, the site can also send an HSTS (Strict-Transport-Security) header, after which returning browsers go straight to https without needing the redirect at all.
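Here is what step 2 looks like in code, written for this page as an added example (it is not Itomic’s code; the hostname www.example.com.au and the one-year HSTS lifetime are assumptions). It is a small Python WSGI middleware: any request that is not already on the canonical https://www. origin gets a 301 to the same path and query string there (the same www canonicalisation the Google test above showed), and responses that are on it get a Strict-Transport-Security header. It is also the redirect that the October 2016 post further down describes as the hosting account being programmed to send visitors to the https version.

```python
"""Always-On SSL as a WSGI middleware (added example, not Itomic's code).

Any request not already on https://www.example.com.au gets a 301 to the same
path on that origin; responses that are on it carry an HSTS header."""

CANONICAL_HOST = "www.example.com.au"   # assumption: the site's preferred hostname
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def effective_scheme(environ):
    """Scheme as the visitor sees it.

    When TLS terminates at a CDN or load balancer, the application sees plain
    http on every request and would redirect forever, so X-Forwarded-Proto is
    consulted first. Only trust that header when the proxy is known to
    overwrite it; otherwise a client can spoof it and skip the redirect."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO")
    if forwarded:
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def canonical_url(environ):
    """Return the https://www URL to redirect to, or None if already on it."""
    scheme = effective_scheme(environ)
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if scheme == "https" and host == CANONICAL_HOST:
        return None
    url = "https://" + CANONICAL_HOST + environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return url + "?" + query if query else url


def aossl(app):
    """Wrap a WSGI app so every page, not just the contact form, is https-only."""
    def wrapped(environ, start_response):
        target = canonical_url(environ)
        if target is not None:
            # 301 is cached by browsers and tells Google the https URL is the real one.
            # Fine for GET/HEAD; a POST that arrived over http has already leaked its
            # body on the wire, so the redirect cannot protect that request.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS on https responses; once they have it they
            # rewrite http:// links to https:// themselves for max-age seconds.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            return start_response(status, headers + [HSTS], exc_info)

        return app(environ, with_hsts)
    return wrapped


def hello_app(environ, start_response):
    """Stand-in for the real website."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https"]


def call(app, environ):
    """Invoke a WSGI app directly and return (status, headers-dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


site = aossl(hello_app)

if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com.au",
             "PATH_INFO": "/contact-us", "QUERY_STRING": "ref=footer"}
    print(call(site, plain)[:2])
    secure = {"wsgi.url_scheme": "https", "HTTP_HOST": CANONICAL_HOST, "PATH_INFO": "/"}
    print(call(site, secure)[:2])
```

On an Apache/cPanel host the same two rules (redirect to https://www., then HSTS) are normally expressed as a rewrite rule and a header directive in the site’s .htaccess rather than in application code, but the logic is identical. Whichever way it is done, test it by requesting the plain http address of a deep page and confirming the response is a 301 whose Location is the https://www. address of that same page, with the query string still attached.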

Q. Why not just ensure that the pages where information might be exchanged (e.g. a ‘Contact Us’ page) are using the SSL certificate, and not the others?

Two reasons:

  1. Too hard to maintain. It’s technically easier to ensure that all web pages on a website are using the SSL cert, and not just some of them. Partial coverage also leaks: a login cookie set on the one https page is sent in the clear on every http page unless it has been flagged Secure, and an http page can be tampered with in transit so that the form on it submits somewhere else.
  2. Google is actively preferring websites that always have SSL protection, versus those that don’t. Which means that, all other things being equal, a website with SSL protection will rank more highly than one that doesn’t.

Q. Why are sites only now getting on the SSL bandwagon? If all the above is true, surely all sites should have been AOSSL as standard, years ago?

  1. Until the relatively recent advent of free SSL certificates, purchasing an SSL for your website used to be a relatively expensive exercise, especially for small businesses. Therefore many have opted not to bother.
  2. Many websites – even some big ones – offer little or no functional opportunity for a visitor to supply any information. Or if they do, then the information being exchanged is considered to be of low confidentiality or sensitivity, i.e. relative to, say, credit card information.
  3. Google has recently (2016/17) been ramping up the pressure to increase security on the web, and one of the ways it can do this is to strongly encourage AOSSL websites by the methods identified above.

Q. How do I check if my website currently has an SSL certificate?

Our favourite tool is: https://www.sslshopper.com/ssl-checker.html#hostname=www.itomic.com.au. Look for all ticks, and no crosses, of course: the certificate’s name must match your hostname, it must not be expired, and your server must send the full chain of intermediate certificates (a missing intermediate is the most common reason a certificate works in one browser and warns in another).

Q. My website appears to have an SSL certificate, but isn’t auto-redirecting visitors to the https version. Why not?

It’s one thing for your website to have an SSL certificate available, it’s another for your site to be actually making use of it. That’s where your website developer comes in handy, see below.

Q. How do I get my website to have AOSSL?

Speak with your website developer and/or website hosting company. Don’t forget to remind them that SSL certificates can now be acquired at no cost! That said, note that it’s reasonable for a web developer to charge a small fee to make AOSSL happen on your site, given that skilled labour is required. Itomic does.


October 7, 2016

Itomic Offers Free SSL Certificates for Life to all Website Hosting Clients

By Ross Gerring

Let's Encrypt LogoItomic is very pleased to announce that we are now supplying free SSL certificates to the owners of all new websites that we develop and host. And for all existing clients, we’ll be offering the same over the coming months.

We strongly recommend that all websites have an SSL certificate, as explained in our still-valid 2014 article “Does your website need an SSL Certificate?”.

How are free SSL certificates possible?

Two stars have aligned:

  1. ‘Let’s Encrypt’: genuine, industry-standard SSL certificates for $0.
  2. Automation: the certificates are validated and installed without human hands, so we anticipate minimal involvement from Itomic. Let’s Encrypt certificates are issued for 90 days, and automation ensures that each certificate is renewed before its 90 days are up.

Let’s Encrypt SSL certificates are provided by the Internet Security Research Group (ISRG). This group is sponsored by many big players including Cisco, Facebook, Google Chrome, Mozilla and Shopify. ISRG recognised that a) online security is very important, and b) putting a price tag on security will naturally put SSL certificates out of reach for some. You can read more about the how and why here: https://letsencrypt.org/about/.

ISRG has worked hard to ensure that the process of validating and installing the certificates is 100% automated. (author’s note: I’ve been hands-on with SSL validation and installation since about 1998, and it’s always been prone to error, human and machine. It’s been one of my least favourite tasks over the years!). Luckily for us and our clients, the hosting platform that powers all our hosting servers, cPanel & WHM, has integrated their software with the Let’s Encrypt service. They call it AutoSSL. So we are now able to enable this service for our clients.

Are there any catches?

For existing Itomic clients wishing to have this service enabled, you’ll need to have an active service & support contract with a minimum balance of 3 hours of labour. In the unlikely event of any technical issues associated with the SSL installation and configuration, this allows us to attend to these issues without delay. If you don’t have an active service & support contract with Itomic, just ask!

What if my site already has a current, paid, SSL certificate?

A Let’s Encrypt SSL cert will automatically replace your existing certificate shortly after it reaches 3 days to expiry. Your existing paid SSL will be absolutely fine and unaffected until then. If you wish to continue paying for your SSL certificate – and some organisations will (more on that below) – then we will continue to offer this service as before.

Are these free SSL certificates as secure as the paid ones?

They provide exactly the same encryption as the paid ones. The strength of the encryption is set by the server’s TLS configuration, not by who issued the certificate or what it cost, so a free DV certificate will be suitable for the vast majority of our clients.

It’s important to note the difference between encryption and authentication. A Let’s Encrypt SSL certificate provides a website with genuine, industry standard encryption, but it does not authenticate that the organisation using the encryption is who they say they are.

Let’s Encrypt supplies a type of SSL certificate known as a Domain Validated (DV) certificate. Validation consists of proving control of the domain name: Let’s Encrypt issues a challenge, and whoever controls the domain’s web server or DNS (in this case Itomic, as the host) answers it. No official proof (authentication) of your entity’s registration is required, e.g. that your organisation has an ABN, as all recognised entities have here in Australia.

If you evaluate that your website needs to display a higher level of authentication (e.g. because you’re a large high-profile organisation, government department, etc.), then you need an OV (organisation validated) or an EV (extended validation) certificate. These types you have to pay for, not least because of the additional manual overhead in acquiring and installing them. Note that, just because a website is using an OV or EV certificate, it doesn’t guarantee that the organisation behind it is reputable, or handles your data securely or responsibly after receipt, or that the website hasn’t been hacked.

For more information on the different types of SSL certificate: https://support.dnsimple.com/articles/ssl-certificates-types/

Does an SSL certificate (Let’s Encrypt or otherwise) make a website ‘secure’?

Only in the sense that it guarantees that data being transferred between your device (e.g. desktop PC, tablet, etc.) and the hosting server is encrypted, and that your browser has verified it is talking to the server holding that domain’s certificate rather than to something in between. This means that it’s extraordinarily unlikely to be decrypted and read by a 3rd party in transit. An SSL cert is only a single component of a comprehensive data security strategy. Other components include, for example, ensuring that your website and web server are regularly updated with the latest recommended security patches.

My site is basic, with no e-commerce. Do I even need an SSL certificate, free or otherwise?

  • Many basic sites have a backend admin area for the purpose of managing the content on your site. It’s better to login to this section of your site using a secure (encrypted) connection, than a non-encrypted one.
  • Google prefers sites with SSL protection. All other things being equal, your website will rank more highly in a Google search if it has an SSL certificate, compared with one that doesn’t, i.e. it’s better for SEO (search engine optimisation).

Will Let’s Encrypt issue wildcard certificates?

Currently no, but it is a possibility in the future. Thanks to Let’s Encrypt, wildcards certificates are no longer necessary for the vast majority of websites because it’s easy to get and manage free certificates for all subdomains. Prior to Let’s Encrypt, Itomic always recommended wildcard SSL certificates over single SSL certificates so that the same certificate could protect all subdomains without having to purchase additional single SSL certificates per subdomain.

Are other SSL Providers getting on the free SSL bandwagon?

Yes, they’ve got no choice, e.g. https://ssl.comodo.com/free-ssl-certificate.php. We’ve chosen Let’s Encrypt because they are clearly the first movers and leaders in this field. We want to acknowledge and reward them for their efforts.

Remember that an enormous amount of money has been made over the years by companies who issue SSL certificates. There are some major vested interests who’d prefer to hold back the tide as long as possible.

Why aren’t all hosting companies offering these free SSL certificates?

We assume that, eventually, all hosting companies will. In the meantime, it’s just a question of hosting companies satisfying themselves, like we have, that this service is a) good and b) here to stay. Then they have to ensure that they have the administrative and technical systems and procedures in place to support them.

OK, so my website has now got an SSL certificate. Why is it still showing http and not https (with the padlock symbol) in my browser?

If a website has an SSL certificate installed, it’s only actively being used when either:

  1. You directly visit the https version of the site, and not the http version, OR
  2. You directly visit the http version, and the site or hosting account has been programmed to automatically redirect the visitor to the https version.

When Itomic initially installs the SSL certificate on your site, #1 will apply. Over time (no desperate hurry!), we will work with our clients to ensure that #2 applies as standard.

I’m still unsure about whether or not I should pay for SSL certificates (OV or EV) in the future, as I’ve done in the past.

  • As previously mentioned, government departments and larger, high profile business may decide that they wish to demonstrate a higher level of authentication than a DV certificate provides. That’s totally fine by Itomic, we’re happy to oblige.
  • Do your own Google searches to better educate yourself about the pros and cons, and see how others are debating this question.

Still unsure? Ask Itomic!

Further reading:

https://letsencrypt.org/docs/faq/ – FAQs about Let’s Encrypt.
https://en.wikipedia.org/wiki/Public_key_certificate – Wikipedia on SSL certificates and related.

For your interest, below is how a Let’s Encrypt SSL certificate presents to a web browser, using Itomic’s own site https://www.drupalise.com.au as an example:

Let's Encrypt SSL certificate for Drupalise


May 23, 2016

Itomic’s Firewall. How we protect the websites we host

By Ross Gerring

… a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.

source: Wikipedia

firewall image

A firewall helps to protect a server from unwanted visitors

Itomic has been hosting websites since 2000, a responsibility we take very seriously. After all, your website will likely be the first impression your prospective clients have of your organisation, and we want this to be a great one.

A wise man once said that a truly secure server is one that is unplugged from everything, encased in concrete, and sitting at the bottom of the ocean. But that wouldn’t make for a very good website hosting service, so we have to make compromises 🙂

One of the ways we make compromises is to employ a firewall. It’s a service that attempts to permit the good guys (e.g. yourself, your clients, and other stakeholders) to view and interact with your website, and block everyone else – the bad guys – from doing so.

But how to tell the good guys from the bad guys? Sometimes it’s obvious, sometimes less so. When it’s less so, should we give the visitor the benefit of the doubt and let them in regardless? Or should we block them just-in-case, and risk a “false positive” block? It’s the firewall and associated services that are responsible for making these decisions in the blink of an eye, and taking appropriate action(s). Firewalls don’t get it right every time, but through manual and automatic intervention they tend to get better over time.

Getting a lot more technical (you have been warned!)…

We use ModSecurity and CSF in tandem.

The purpose of ModSecurity is to prevent common malicious web-based attacks and close security holes in applications. ModSecurity focuses on HTTP(S) traffic. It inspects each request and can block that request in real time, but it does not permanently or temporarily block IP addresses; it assumes other software will parse its log entries for that purpose. ModSecurity works at the application level.

CSF is an iptables front end used to automate and simplify firewall tasks. LFD (part of the CSF suite) watches logs to count how many times an attack occurs from an IP address, and within what timeframe. CSF/LFD work at the server/account level.

This ties in with ModSecurity since attacks are logged each time they are triggered. Here’s an actual example from our log files of a specific IP address (194.150.168.95) being repeatedly flagged as malicious because the activity coming from that IP matched a certain ‘bad guy’ rule (id 210831):

root@ariel [/home] # grep 194.150.168.95 /usr/local/apache/logs/error_log|grep mod_sec
2016-05-11 00:11:02.644 [NOTICE] [194.150.168.95:32986] mod_security rule [Id '210831'] triggered!
2016-05-12 20:46:56.986 [NOTICE] [194.150.168.95:40251] mod_security rule [Id '210831'] triggered!
2016-05-13 02:26:24.048 [NOTICE] [194.150.168.95:44563] mod_security rule [Id '210831'] triggered!
2016-05-13 13:20:25.426 [NOTICE] [194.150.168.95:53039] mod_security rule [Id '210831'] triggered!
2016-05-20 09:20:54.438 [NOTICE] [194.150.168.95:39174] mod_security rule [Id '210831'] triggered!

LFD obtains the IP address from the log and keeps a counter and a timer for it. The counter increases by 1 each time a rule is triggered. If an IP address triggers a certain number of rules (e.g. 10) within a certain time frame (e.g. 1 hour) the IP is blocked using CSF. If the hour passes and the IP has not reached 10, the counter is reset to 0 for that IP. Note that the five hits above are spread over nine days, so on their own they would never reach that threshold; ten hits inside a single hour would.
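To make the counting concrete, here is an added example (it is not the CSF/LFD source code, just the logic the paragraph describes) that parses the five log lines above plus a constructed burst and applies the threshold: ten rule hits from one IP inside an hour means a block. The burst lines reuse rule id 210831 from the log above and addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24; they are constructed, as is the one line in a different format that shows unparseable input being skipped.

```python
"""LFD-style repeat-offender detection over ModSecurity log lines.

Added example for this page; it is not the CSF/LFD source, just the counting
logic the post describes, run over sample lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the line format shown in the post; accepts straight or curly quotes
# around the rule id because blog software often rewrites the quotes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[NOTICE\] "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] "
    r"mod_security rule \[Id [‘'](?P<rule>\d+)[’']\] triggered!$"
)


def parse_line(line):
    """Return (timestamp, ip, rule_id) for a rule hit, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("rule")


def find_blocks(lines, threshold=10, window_seconds=3600):
    """Decide which IPs would be handed to CSF for blocking.

    An IP is blocked once `threshold` hits fall inside any `window_seconds`
    span. This sliding window is a little stricter than a counter that is
    reset every hour: six hits at 00:50 and four more at 01:05 count here but
    would be split across two hourly counters there.
    Returns {ip: (time_of_block, rule_id_of_final_hit)}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of its hits still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # not a rule hit (or a line in another format)
        ts, ip, rule = parsed
        if ip in blocked:
            continue              # CSF already holds a deny rule for it
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # forget hits older than the window
        if len(hits) >= threshold:
            blocked[ip] = (ts, rule)
            del recent[ip]
    return blocked


# The five genuine lines quoted in the post: one IP, one rule, spread over nine days.
LOG_FROM_POST = """\
2016-05-11 00:11:02.644 [NOTICE] [194.150.168.95:32986] mod_security rule [Id '210831'] triggered!
2016-05-12 20:46:56.986 [NOTICE] [194.150.168.95:40251] mod_security rule [Id '210831'] triggered!
2016-05-13 02:26:24.048 [NOTICE] [194.150.168.95:44563] mod_security rule [Id '210831'] triggered!
2016-05-13 13:20:25.426 [NOTICE] [194.150.168.95:53039] mod_security rule [Id '210831'] triggered!
2016-05-20 09:20:54.438 [NOTICE] [194.150.168.95:39174] mod_security rule [Id '210831'] triggered!
""".splitlines()

# Constructed burst (not from a real log): 203.0.113.7, an address from the
# documentation range, trips the same rule ten times between 10:00 and 10:18.
LOG_BURST = [
    f"2016-05-21 10:{minute:02d}:00.000 [NOTICE] [203.0.113.7:{40000 + minute}] "
    f"mod_security rule [Id '210831'] triggered!"
    for minute in range(0, 20, 2)
]
# A second, quieter IP and one line in a different format, mixed in (in time
# order) to show that counting is per IP and that non-matching lines are ignored.
LOG_BURST.insert(5, "2016-05-21 10:09:30.000 [NOTICE] [198.51.100.9:51000] "
                    "mod_security rule [Id '210831'] triggered!")
LOG_BURST.insert(3, "2016-05-21 10:05:10.000 [NOTICE] something else entirely")

if __name__ == "__main__":
    print("post's lines, 10 per hour:", find_blocks(LOG_FROM_POST))
    print("burst, 10 per hour:", find_blocks(LOG_BURST))
```

Run against the post’s own five lines the result is empty, which is the point of the timer: a slow trickle from one address never accumulates. Lower the threshold or widen the window (try five hits in ten days) and the same five lines do produce a block, so the two numbers are what tune the false-positive trade-off described earlier.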

Need assistance with your website hosting, shared or dedicated? Call Itomic today on 1300 ITOMIC for all-Australian website hosting.


June 18, 2014

What is 2-factor authentication, and why you should be using it

By Ross Gerring

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.

source: How Apple and Amazon Security Flaws Led to My Epic Hacking

2-factor authentication goes by various names including:

  • Two-factor authentication (of course!)
  • 2-step authentication
  • Multi-factor authentication. OK, multi-factor authentication could involve 3 or 4+ steps, but the principle is the same. This movie clip shows a fantastic example of multi-factor biometric authentication  😀

In everyday use the words ‘authentication’ and ‘verification’ are interchangeable, as are ‘factor’ and ‘step’. Strictly speaking, a second step only counts as a second factor if it is a different kind of proof: something you know (a password), something you have (a phone or token), or something you are (a fingerprint). Two passwords are two steps but one factor.

It’s a very easy concept, wrapped up in big words. All it means is that you’ve got to provide more than just one method of verification (such as a password) to successfully access something, typically a computer system such as online banking.

By having to provide more than a single method of verification, you’ve sacrificed a little bit of time & convenience for a large gain in security: a password that has been guessed, phished or leaked is no longer enough on its own. Which makes 2-factor authentication a very, very good thing to be taking advantage of whenever you’re offered the opportunity. (author’s note: I use 2-factor authentication for approximately 10 different systems at time of writing, and I want that to rise).

2-factor authentication app

The most common forms of providing a second method of authentication are:

  1. Using a smartphone app to generate one-time codes that change every 30 seconds or so. The app and the system share a secret when you enrol (that’s what the QR code you scan contains), and each side derives the current code from that secret and the current time, so the code itself never has to be sent to the phone. One such app is called Google Authenticator (see Samsung smartphone image to the right) and is available for Android, iOS and BlackBerry. Don’t think that just because it’s a Google app it’s therefore biased towards Google devices or systems. Quite the opposite. Any computer system can choose to use it – or other similar apps – to provide one-time codes for users of their systems.
  2. A physical device such as a security token or dongle that your bank might provide and that can hang on your keyring – see image below-right (the RSA SecurID). Such devices do the same job as the Google Authenticator app, except that each one is typically tied to a single system – so less versatile. You certainly wouldn’t want to be carrying 10 different dongles on your keyring for 10 different systems.
  3. Good old fashioned SMS. When you try to login to a system (or indeed perform a significant event inside a system such as a money transfer from your bank account), it sends a code by SMS to your phone (smart or otherwise!) that you must enter before the transaction will complete. Of the options listed here this is the weakest, because the code travels over the phone network and a phone number can be moved to someone else’s SIM, but it is still far better than a password on its own.
  4. Biometric security, such as a fingerprint or eye (iris or retina) scan. In other words, any method that is able to distinguish you from anyone else on the planet with a sufficient degree of confidence. It’s quite amazing how many biometric opportunities there are.
  5. Not necessarily to be used only in a 2-factor authentication scenario, but this use of NFC technology looks very interesting: the NFC Ring. For example, imagine that the only person who can use your mobile phone is the person (hopefully you!) who is wearing the NFC ring that has been ‘paired’ with your phone. Just don’t hold your phone in the wrong hand!

RSA SecurID Dongle

You can expect to see more and more systems adopting some form of 2-factor authentication in the near future. It’s no wonder because all the signs are that, overall, cybercrime is on the rise, with no suggestion that it will ease off any time soon.  The systems that adopt it first are typically ones that contain the most sensitive information and/or provide the most ‘power’ (such as funds transfer) to the authenticated user. But increasingly you’ll see less obviously confidential systems employ it – such as social media websites, CRM systems, etc. – simply because no-one likes having their data abused or stolen. Indeed, if you use a system that you consider to be confidential in nature that DOESN’T yet offer 2-factor authentication, we suggest you should demand it! For example, these increasingly disgruntled and shocked users of the very popular online accounting software Xero have been demanding it for over a year: Two Factor Authentication on Xero login.

No system is 100% secure in perpetuity. And 2-factor authentication is by no means the be-all and end-all of system security. But at time of writing it’s certainly one of the most potent, accessible, and relatively easy-to-use security methods out there.

How to find out if a system you use makes 2-factor authentication available? Google is your friend, e.g. here’s a search for Linkedin 2-factor authentication

Itomic’s recommendation: use 2-factor authentication at every available opportunity. The costs are hugely outweighed by the benefits.


April 9, 2014

OpenSSL ‘heartbleed’ security issue – Itomic taking action

By Ross Gerring

A major, global security issue has just come to light in relation to the popular OpenSSL software that is used on Itomic’s website hosting servers and millions of other servers.

You can read all about it here: http://www.bbc.com/news/technology-26935905

It’s not possible to detect whether or not any particular server or site has been exploited (the bug leaves no trace in server logs), therefore, as a precaution:

  1. We’ve already updated the OpenSSL software on all our servers to the latest recommended version (i.e. the version where the vulnerability has been closed).
  2. We’re working to re-generate, re-issue, and re-install all SSL certificates used on all our servers. We’ll work as fast as we can, but we estimate this might take up to 24-48 hours.

Together, actions 1 and 2 close the vulnerability and replace any private key that could have been read from server memory while it was open (re-issuing a certificate on the same key would not help, which is why the keys are regenerated as well). We consider this the correct course of action, even though statistically the chances of our servers having been exploited are extremely low. Because passwords and session data held in server memory were potentially readable in the same way, clients who wish to be cautious may also change their website admin passwords once the new certificates are in place.

If you have any questions or concerns, please email support@itomic.com.au.

Thank you.