Security certificates

It’s becoming more important for websites to have a security certificate – the padlock symbol shows when there’s a certificate – in order to help visitors confirm that you’re a genuine site.
In the past certificates were only required for sites that handled sales, but that situation has changed and most browsers will now advise website visitors that the site (they are visiting) is not secure, regardless of the site’s purpose or ownership, if no certificate is installed.
Time to put my own hand up here, I finally sorted out a certificate for this site https://paulturvey.co.uk this morning but that also (in my case) meant moving the website between suppliers.
For new sites that I manage adding a certificate is an option at setup time that adds a modest fee to the total charge for hosting. If you already have hosting it’s down to the hosting provider how much that will cost (which was one reason for my relocation 🙂)

Security

A part of my civil service career meant having a heightened sense of security, both physical and non-physical. It didn’t mean going around checking doors were locked (although I may have done that a few times) but I started looking at potential security pitfalls and how to help prevent them.

In my current position, I can apply that ethos to any project as a Value Added Service – some security advice comes with a price tag, much doesn’t.

On the internet it’s impossible to personally monitor social media accounts and web resources 24/365, even though the threat is ever present. I have assisted friends who have had accounts hijacked, normally only one person is severely inconvenienced. Corporate accounts are different, a reputation can be destroyed by a third party gaining unauthorised access or by a wayward employee/volunteer/

The usual single point of failure is a weak password, or re-used passwords, associated with one email address. The most common passwords on the planet right now are “Password”, “Password1” & “Password123”, if you use these anywhere CHANGE THEM!

Use of two-factor authentication (2FA) will help mitigate password weakness but shouldn’t be used to cover up poor password security. 2FA is now offered by many major platforms including Gmail and Ebay and can use your mobile phone to confirm you, and you alone, are connecting to the relevant web service. This can prevent rogue login attempts but it is often difficult to explain the benefit to an individual who only sees it an an incumberence.

How common are online attacks? I manage many websites but ensure a suitable security package is installed as part of the initial rollout. I built a site a week ago that has already attracted the attention of attackers; the security software pulls down the shutters and tells me, if possible, where on the planet the attacker is located. My home server has a preinstalled admin username of ‘root’ and this was being hit several thousand times a month. One website I manage suffered a Denial of Service attack following an onslaught over several days, users were seeing ‘site unavailable’ messages, I was seeing a hundred security advice emails per hour! And then there’s the huge data losses, including AOL, Linkedin and several hotel chains. There is an industry in stolen online credentials!

Having said that, the biggest single mitigation against online threats is common sense. Often a strong password is the ‘best’ solution.

Contact me if you’d like any advice.