Little sites still have needs. This small site for the staff of a much bigger organization was getting long in the tooth and they needed a new home for it.
Continue reading “OPSSU: fresh look, new home”OPSSU: fresh look, new home
APTPUO: new look, migrate CMS
A redesign and migration from Joomla to WordPress for this bilingual organization’s flagship website.
Continue reading “APTPUO: new look, migrate CMS”Google Chrome 56 trigger warnings?
For the past several years, Google has been on this crusade to have all web traffic (every visit to every web page) go through https://, rather than plain old
http://
. The difference is that traffic over https:// is encrypted before being sent.
http://
is not.
They argue that, given all the personal, sensitive information people send via their web browser these days, making it all secure by default is a no-brainer. But they’re not going to get the entire internet to shift to
https://
any time soon.
And so they’ve decided, in the face of significant resistance, to ramp it up by getting Chrome, their browser, to declare any website that still asks for usernames and passwords, or for financial information via
http://
to be insecure, with all the attendant scary warning dialog boxes etc.
So isn’t security good? Why all the resistance? Well.
Setting up a secure website (ie one that serves everything over
https://
) is a non-trivial task, both in terms of time and money.
You have to acquire and pay for a security certificate. It costs more per year than what a lot of people pay for hosting their entire website. And many companies will also want more per month to host sites that use
https://
. So on top of paying for the certificate, you have to pay more for hosting as well.
https will not keep your site or your users safe
And you have to re-jig your site so that all the old URLs that people have bookmarked, that are indexed in search engines etc etc still work. That’s still more money.
So if you’re going to invest, you have to want to know what you’ll actually be getting. And the answer is, not much, or to continue with the above case, not enough to justify doubling your hosting costs.
I think most web security experts would say that, despite the ubiquity of unencrypted website traffic all these years, most cases of unauthorized access to websites, or data theft happens because of social engineering, brute force password guessing attacks or exploits of poorly-coded web applications.
And
https://
won’t prevent any of these.
Packet sniffing — the sort of espionage/cyber attack that https:// does prevent — is already very resource-intense. Too much so for your garden variety hacker.
I expect people that require logins won’t have a choice — they’ll have to buy the certificates and pay for the hosting. Anything else will be too disruptive and they probably won’t want to lose the trust of their Chrome using audience.
But it’s a regrettable move on the part of a company whose growth in size and influence appears to be rapidly outstripping its smarts.
Website updates – you really must do them
Website updates don’t follow the logic a lot of us inherit from the era of software updates that arrived in the mail on a disc of some kind.
Before there ever was broad public access to the internet, going forever without updating your software was a point of pride for most people who did a lot of computer-driven communications work.
Or it was a mark of world weary wisdom because we’d arrived at the point where we knew that the X.0 release of anything was going to suck rocks. We’d wait. Until X.1 or .2.
The updates were expensive, disorienting, and if they did cause a problem, the solution could be months away.
So trying to get a personal best time and distance between updates made sense.
But you cannot transpose that logic onto your web application.
Because your web application — be it WordPress, Joomla, Drupal or any number of others out there — is not safe and sound in your office.
It’s on a computer on the internet which is, for all intents and purposes, the equivalent of leaving it on the counter in an all-night convenience store off a freeway where the counter clerk is asleep. Only worse. Because unlike the convenience store, your server gets all the traffic in the world coming through it.
And unlike your computer, which accepts input only from a keyboard, your website is on a server, which accepts input from anywhere. By definition.
But I don’t have anything important on my site
Maybe not credit card numbers, bank account information or medical histories, but you have your reputation and/or your brand. And if someone gains unauthorized access to your site and starts abusing it (which it almost goes without saying they will) these will suffer.
You will have to apologize to clients, prospects and anyone who was coming to your site for any reason about the fact that your site was hacked. You will have to insist that your inability to maintain a website has nothing to do with your competence generally.
And you will lose time. Possibly weeks. You will be restoring your site from backup or recreating it if you didn’t have a backup. You’ll be trying to track down the vulnerability and check the whole attack path to determine if the attacker left any other back doors or malware that might allow them back in. You will be visiting all the security websites to ask that your site be removed from whatever spam or phishing blacklist you’ve been put on.
Or you’ll be paying a security consultant or company at overtime rates to do all of the above.
But no one would want to hack my website — I’m not the CIA/Microsoft
You’re assuming that the hackers are actually human. And you’re mistaking media coverage of famous hacks for what happens in everyday life on the internet.
Most website break-ins are perpetrated by robots which scan the internet for sites that might be vulnerable. They find a site that has the vulnerable application, run the exploit against it, and, if they succeed, install the malware and get straight to work. At some point some human put this process into play and will be interested in the results, but they have no idea who you are, what you do or what a nice person you are.
They’re not interested in defacing your site to show how cool they are or to denounce you for being a tool of the capitalist class or whatever. They want your site as a platform to send spam, serve porn, collect passwords or phish other data from unsuspecting visitors. And for that, one site is as good as the next.
What if I don’t have time to do all this?
Self-hosted websites do indeed take time and expertise to run smoothly. The skill required to apply updates, do backups, and tweak performance can be acquired if you have a bit of time and some curiosity. But if you don’t you can get someone, like me for example, to do it for you. For a small site it’s generally about an hour a month. Plus you get my advice on improvements, best practices and life in general. A bargain at twice the price, really.
Or you can move your site to a software-as-service setup like WordPress.com or Wix, or Weebly where the service itself looks after security, updates and backups. The monthly hosting cost ends up a bit higher, and it may limit the sorts of things you can do with the site, but if you can fit within those constraints and aren’t bothered by an extra $10-20 per month, it might be your best bet. That will be cheaper than paying me or someone like me.