Website Security


HTTP vs. HTTPS: What’s the Difference?

The internet can seem like an endless sea of data – an estimated 1,200 petabytes worth of data are stored on just Google, Amazon, Facebook and Microsoft servers.

With so much information shared between people, securing it is important for any business to stay afloat. Unsecured data can give hackers access to millions of users’ sensitive information. Leaks can sink even the best ship, so they must be prevented at all costs!

That means using HTTPS to communicate with customers and not regular HTTP. Hypertext Transfer Protocol, or HTTP, used to be what everyone used in the early days of the internet.

Now, after the technology industry standardized security protocols, HTTPS is the only way any business should interact with the online world. It can be difficult to understand the difference between the two, though. HTTPS is just the secure form of HTTP. And it didn’t earn the ‘S’ at the end of its acronym for no reason!

To learn about how HTTP and HTTPS are different, and why you should use HTTPS, keep reading!

Data Sent Over HTTP Is a Treasure Map to Personal Information

Imagine if pirates didn’t try to hide their treasure. They wouldn’t ever hide their treasure maps, and anyone would be able to steal their loot. In security terms, this unhidden treasure map would be written in something called plaintext.

The text you are reading right now is something called plaintext. This is exactly what it sounds like – text that hasn’t had anything done to it.

The data that is sent over HTTP is the same way. Anyone who can get their hands on it will be able to read it. This is why most financial transactions over the internet are not sent through HTTP.

So, if a hacker decided to set up a man-in-the-middle attack between your computer and Amazon’s server, they would be able to see your debit card numbers if you made a purchase.

HTTPS tries to make sure this can’t happen.

HTTPS Buries the Treasure and Hides the Map

Rather than hold the map up for everyone to see, pirates hid the path to their treasure. HTTPS does the same thing.

Data sent through HTTPS is encrypted before your browser sends it off. It uses a security protocol called Secure Sockets Layer (SSL), known in its current versions as Transport Layer Security (TLS).

SSL takes the data you type in, and everything else that is sent off, and encrypts it. This means that if you tried to look at the data, you would just see gibberish.

So, if a hacker obtains your data as it is sent through HTTPS, they will not be able to read it or really do anything with it.

By encrypting data this way, HTTPS secures a person’s personal information as it navigates the internet. Even if that information doesn’t reach its destination and someone else opens that message in a bottle, they won’t be able to read it.

Computers Can’t Trust Each Other With an Ocean of Data Between Them

When you log into a website like Facebook or Amazon, you are actually just connecting to another computer. The servers that websites run on are really just big, expensive computers like the one you’re using to read this, the only difference being that many people can use them at once.

Think of them like ports, with many people coming and going all the time. Only sometimes, you may think you’re at one port when you’re really at another.

Hackers will sometimes make a website that looks very similar to a Facebook or Amazon login page. When people log in to these fake pages, they can be fooled into giving a random person their login details.

An HTTP connection has no way of telling if the computer it is connecting to genuinely belongs to Amazon, Facebook, or anyone else. There is no way to tell if you’re at the right port.

Without a way to tell the difference between a true server and an imposter, users could hand over sensitive information without even knowing it.

Land-ho! HTTPS Will Make Sure You Get Where You’re Going

HTTPS is like having a navigator on board who knows the seas like the back of their hand. They will be able to tell if you end up in the right port.

Because HTTPS uses SSL, it can verify that the computer a user connects to is actually what it claims to be. The verification is done through a thing called an HTTPS certificate.

These certificates act like keys to decrypt the encrypted information sent over HTTPS. When data is sent from a user to a server, the information is turned to gibberish to protect it.

When it reaches the server a user intended to send it to, it needs to be decrypted. This is done through a private key.

SSL essentially puts a padlock over information by encrypting it, which can only be unlocked with the right key, which only a genuine server will have. These keys are actually long strings of random letters and numbers but are essential to proving that a server is real.

Basically, it’s like your navigator will only let you dock somewhere if they recognize the area.

Certificates are issued through third parties responsible for making sure they are going to the right people. Operating systems come with a list of known third-party issuers and automatically trust them.

Getting an SSL certificate also does more than just secure information. With an SSL certificate, a company’s brand will be boosted as it develops customer trust and loyalty.

Without a certificate, customers will receive a warning message whenever they connect to a company’s website. This can make potential customers nervous, and cost the company valuable business.

There is More to it than Just HTTPS

Even though it is the standard for online communication, HTTPS is not entirely secure. Malicious users can obtain self-signed SSL certificates, which can be used to better impersonate trusted brands.

These certificates are generated through free software and enable HTTPS connections between a malicious server and users. They trick browsers into thinking a server is genuinely from a particular website when it can actually be malicious.
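A self-signed certificate is only accepted by a client that skips verification against its trusted issuers or skips the hostname match. The following is an added example, not part of the original post, that uses Python's standard `ssl` module to audit a client configuration for those gaps; the function names are illustrative assumptions.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons this client context could accept an impostor server."""
    findings = []
    # Without chain verification, any certificate (including self-signed) passes.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate is not verified against trusted issuers")
    # Without hostname matching, a valid certificate for another site passes.
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the requested hostname")
    # Legacy SSL/TLS versions have known weaknesses and should not be negotiated.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def strict_context() -> ssl.SSLContext:
    """Client settings that rely on the operating system's list of issuers."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_context() -> ssl.SSLContext:
    """The weak counterpart, shown only so the audit has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("lax", lax_context())):
        problems = audit_tls_context(ctx)
        print(name, "->", problems if problems else "no findings")
```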

Everyone Needs a Crew to Navigate the Digital Seas

People are less likely to purchase from a business that is not secured in some way since it puts their personal information at risk. A truly secure business does more than just build an online presence and go where the customers are. It also develops security protocols that protect themselves and their customers.

This involves building a website with servers that have been tested against penetration or injection attacks. The servers for any reputable online business must reliably hold massive amounts of customer information, without any leaks.

Building such a network of servers can be impossible for the business itself. Instead, most businesses opt to use third-party developers. They usually understand the technical nuances of building an online business beyond just implementing HTTPS.

To recruit your next crew to help you on these treacherous digital waves, just contact us!

Could Your Home Router Really Be A Security Risk?

Earlier today, Wordfence released a blog post highlighting a current trend amongst hackers: accessing home internet routers and turning them into weapons to target WordPress sites.

According to Wordfence:

“These IPs switch on, perform a few attacks and then switch off and aren’t heard from again for a month. What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites, and the attacks only last a few minutes or hours.

The attacker controlling this botnet is using several evasive techniques. They are spreading their attacks across a very large number of IP addresses. They are using low-frequency attacks to avoid being blocked. They are also spreading their attacks across a large number of WordPress sites.”
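The evasion described in the quote defeats per-IP rate limits, so detection has to count distinct quiet sources per time window instead. The following is an added example, not Wordfence's code and not part of the original post; the event format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict


def build_sample_events():
    """Constructed (epoch_seconds, source_ip, site) records of flagged attack requests."""
    events = []
    # 40 botnet IPs, two requests each, spread over five sites within one hour.
    for i in range(40):
        for j in range(2):
            events.append((3600 + i * 60 + j, f"203.0.113.{i + 1}",
                           f"site{(i + j) % 5}.example"))
    # One conventional noisy attacker hammering a single site.
    events += [(3600 + k, "198.51.100.7", "site0.example") for k in range(30)]
    # Unrelated background noise in a different hour.
    events += [(4 * 3600 + k, f"192.0.2.{k + 1}", "site1.example") for k in range(5)]
    return events


def per_ip_blocklist(events, limit=10):
    """Classic rate limit: flag an IP once it exceeds `limit` attack requests."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > limit}


def low_and_slow_windows(events, window_s=3600, per_ip_max=3, min_ips=20):
    """Flag windows where many distinct IPs each sent only a few attack requests."""
    hits = defaultdict(lambda: defaultdict(int))   # window -> ip -> request count
    sites = defaultdict(set)                       # window -> targeted sites
    for ts, ip, site in events:
        window = ts // window_s
        hits[window][ip] += 1
        sites[window].add(site)
    flagged = {}
    for window, by_ip in hits.items():
        quiet = [ip for ip, n in by_ip.items() if n <= per_ip_max]
        if len(quiet) >= min_ips:
            flagged[window * window_s] = {"quiet_ips": len(quiet),
                                          "sites": len(sites[window])}
    return flagged


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP limit catches:", per_ip_blocklist(sample))
    print("distributed windows:", low_and_slow_windows(sample))
```

The per-IP limit only catches the single noisy address, while the window view surfaces the 40 quiet sources acting together.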

At this moment in time, the hackers in question are targeting countries such as Algeria, India and the Philippines, but you never know where they’ll strike next. If a hacker manages to infiltrate your home router, they can access everything on your home network: your workstation, mobile devices that use WiFi, and other internet controlled devices like climate control systems and home security systems. Once they’re in, anything connected to the compromised router could  That’s not even touching on the damage they can do to the web globally, through your router and IP.

The botnet that Wordfence uncovered was built to take WordPress sites (which make up 25% of the internet) offline by flooding them with traffic from thousands of compromised routers. The routers themselves might slow down for a short time during the attack, but otherwise, their owners will never know that they’ve been compromised. The owner of a targeted WordPress site, however, will lose their website, email and any files being kept on the same server for as long as the attack lasts. Unscrupulous companies can take their competitors offline using so-called ‘Testing’ services for as little as $40 per hour.


What can you do?

Wordfence found that the attackers were able to access Algerian routers through a known vulnerability in the router’s firewall software. Your home or business router probably has some security software like a firewall installed, so make sure that it’s turned on and do a quick Google search to see if there are any known vulnerabilities – there’s a quick guide to setting up your router for maximum security here. Hackers are going to be particularly interested in penetrating the routers that ISPs give away free – they know that millions of people will all be using the same router, so break one and you’ve broken them all. Consider buying a new router – it’ll probably speed up your browsing and extend your wireless range in addition to making you safer.

We always recommend backing up your files and keeping them on an external hard-drive, or you can kick it old school and keep paper copies within a filing system. Google Photos is a handy app that will automatically sync your photos to the app from your mobile device and store them on a private, password-protected site for you to access from anywhere through your Google account. That way, if your mobile device is compromised, you won’t lose all your photos! Make sure that you have Two-step verification enabled on your Google account to make it harder

Here at Octopus Creative, we keep your online brand safe, and security is never an add-on option – we consider it a necessity.


Website Security Tips To Keep Your Website & Brand Safe

Your website is typically the first connection you’ll make with potential customers. With 2.6 billion smartphone users around the world, and 81% of shoppers conducting online research prior to making a purchase, a good website is ideal for generating sales. You’ll want to ensure that it’s easy to navigate and not confusing, and that any information a person could want to know about your business is relatively straightforward to find. This includes your store and/or office address, contact information, links to social media accounts, and ultimately, what sets you above the rest. The design should be interesting enough to keep their attention, and the content should be written in a way that highlights your unique brand.

When it comes to websites, design is usually the first thing you think about, and it makes sense. But ultimately, in the grand scheme of the internet, ensuring that your website is secure should be a top priority.

Many small businesses assume that hacking won’t happen to them because they’re too small to be noticed. However, hackers don’t discriminate when it comes to breaching websites and they’ll even use automated tools to find vulnerable sites. Your website embodies your brand, and as the first contact with customers, ensuring its security will save you from potential disaster in the future.

Hacking threats can come in many forms – infecting a website with malware in order to spread that malware to site visitors, stealing customer information (such as names, email address, and even credit card information), and even hijacking or crashing your site. As a small business owner, a single security breach could destroy customer trust.

In the past week, over 1.5 million websites have been hacked after a vulnerability was utilized in the release of WordPress 4.7.1. Quietly, and then very publicly, WordPress released version 4.7.2 to rectify the situation. But for those nearly 2 million websites, it was already too late. While it’s not yet clear how the WordPress sites are getting infected in the first place, it’s possible that login credentials that allow the site content to be changed aren’t being locked down, or there’s an unknown vulnerability in the CMS or the operating system they run on. What we do know is that once a system is infected, the malware installs a variety of backdoors on the webserver – a feature that’s causing many hacked sites to repeatedly be infected.

There are many ways that you can protect yourself, including running premium security plugins and having daily backups with a proper security plan in place with your provider. Most managed hosting providers will be able to show you how they keep your website secure if you ask. If you’re running a business, security should never be a support option – it should be included with your hosting plan!


A Few DIY Tips For Your Website Security

With the goal of keeping it simple, here are a few options that you can implement now to help maintain the security of your website.

  1. Keep Your Website Updated. Hackers are always thinking deviously when it comes to gaining access to websites, and developers move just as quickly to block them. Ensuring that your website is always up-to-date on a weekly, or even daily basis, will address those security fixes as they happen, in turn, lowering your risk!
  2. Use Stronger Passwords. Remembering a complicated password can be difficult, but as many as 8% of websites that have been hacked were compromised because people didn’t use a strong password. Try creating a password that is a minimum of 6 characters and a combination of letters, numbers and symbols! Don’t forget, passwords are case sensitive, so you should also use both uppercase and lowercase letters!
  3. Select Your Website Host Carefully. Nearly 41% of the websites that were hacked were compromised because the hosting service didn’t put the necessary importance on security! Before choosing a hosting service, make sure you ask about their security protocols and find out if they have the necessary firewalls and malware scanning.

Here at Octopus Creative we keep your online brand safe, and security is never an add-on option, it’s an absolute necessity. Get in touch with us if you have questions about your online security or if your web provider recently told you that YOU have to pay for a new site because of their security vulnerabilities!