SSL Certs: Which One is the Best Fit for You?

Reading Time: 5 minutes

Shopping online is pretty much a ubiquitous activity for people all over the world these days, and – not surprisingly – so much so that it’s now the preferred means of shopping for many people. Especially for certain goods, and not only do these people want selection, good prices, and the like, but they also want to be able to enter their credit card information and not have to worry about it being exposed.

Offering that peace of mind is absolutely essential if you’re in the e-commerce world, and nothing is more important in this regard as having your online transactions guarded by an SSL certificate. Even if you may not know exactly what these are, you’ve probably seen the ’##-Bit Encryption’ tag prominently on display once you get to the checkout when you’re shopping online.

Here at 4GoodHosting, not only do we offer very competitive prices on highest-quality SSL Certificates but like any good Canadian web hosting provider we have plenty of customers who are trusting our web hosting to ensure they’re ‘open’ for business 24/7 and all day, everyday.

Probably safe to say that there’s few if any of those folks who don’t already have their SSL Certs in place, but for those of you who are new to your business online then we thought we’d dedicate one post here to discussing SSL certificates and what you need to know to choose one for yourself.

Overview

There is a plethora of certificate types, and several categories and plenty of CAs. In advance of highlighting the different SSL certificates and how to choose the right one, we’ll first discuss why an SSL certificate is so important nowadays.

The reach and strength of cyber crimes has grown rapidly over recent years. So much so in fact that cybersecurity has become the #1 concern issue for both web users and website admins. The truth of it all is that cybercriminals can cost online businesses millions. The worldwide economy loses unimaginable amounts of money every year due to cybercriminal activity.

What SSL certificates do to protect agains this is that they enforce a secure connection between a server and its web users. They don’t only protect the sensitive information that is transmitted between a web user and a web server, but also boost ranking, improves brand credibility and go along way to boosting conversion rates.

Choosing the Best SSL Certificate

Knowing what SSL will be best for your online storefront can be a challenge. They’re generally categorized according to their validation level, warranty, technical support and domains support.

So what factors do you need to consider? These ones:

  1. Validation Level

Nearly all SSL certificates provide data encryption and session security services for websites. The validation level of each is where the primary differences between them are established. The validation level will determine how much information about a company will be shown in browsers or to the web users. The three main levels of validation are Low / Medium / High

Domain Validation (DV) SSL certificate – Low

These ones are also referred to as a low assurance, and are commonly used to protect standard websites, single domains, and blogs. The simplest form of validation is done where the website registration and administration approval are confirmed to issue the certificate. Processing time is anywhere from a few minutes to a few hours.

These certificates are suitable for low traffic websites or informative sites where financial transactions are not conducted. If you’re selling online, this type of cert will be insufficient for you.

Organization Validation (OV) SSL certificate – Medium

With medium certificate validation, an authorized agent verifies the domain ownership and company’s identity. This includes verifying the company name, city, state, and country. Web owners must submit some additional business-related documents for verification. As you’d expect, there’s more of a delay to all of this compared to a domain certificate.

Medium certificates provide appropriate security for medium-sized businesses that conduct standard (-$500 o/a) financial transactions and wants to provide assurances for customers that they can shop entirely safely within the site.

Extended Validation (EV) – High

These ones offer the highest level of security for websites, with a more rigorous validation process that verifies the ownership of the server and the legitimacy of its owner. Generally, the CA verifies the legal, physical and operational existence of the company, official government records, and databases, and confirms that only the genuine company is authorized to be in ownership of the extended-validation SSL certificate.

What you’ll see with these ones is the browser will show a green address bar with a verified name of the organization. The EV certificate is used by major players, like Amazon and Flipkart for example

Further, having an EV SSL really legitimizes the domain name.

  1. Domain Support

Next up you’ll want to determine how many domains you want covered with a single certificate. There’s three categories here:

Single Domain Certificates

Fine for protecting a single domain with its all subpages. Example:

www.mydomain.com/

www.mydomain.com/register

www.mydomain.com/about

www.mydomain.com/contactus

mydomain.com

Wildcard Certificates

The wildcard certificate allows its users to protect all the first level of sub-domains under an FQDN. It supports only DV or OV. The best instances are:

www.mydomain.com

info.mydomain.com

mail.mydomain.com

payment.mydomain.com

Multi-Domain Certificates

Also referred to as SAN or UCC certificates. They allow users to protect multiple FQDN domains along with multiple sub-domains. This choice will be ideal for you if you’re running multiple websites with single or multiple company names. All DV, OV, EV support this category.

www.mydomain.com

info.mydomain.co.uk

payment.mydomain.co.ru

  1. Warranty

The warranty attached to your SSL certificate should also be a consideration – it shows your customers how serious you are about protecting customer information. An EV Cert provides a a more extensive and better warranty, with coverage between $1,0000-$1,000,000 being possible within the warranty.

  1. Technical Support

The more expensive the Cert, the more technical support you will receive from an SSL provider. Free certificates generally never have technical support. However, with an EV or OV technical support is provided while installing and validating the certificate. Make sure the support is available via different sources like email, live chat, contact us page, phone, social media resources, etc.

  1. Price

It’s not uncommon for web admins to think they should invest big bucks even with the option to get a free certificate – the ‘you get what you pay for mentality’. That’s solid thinking most of the time. Free certificates are valid only for a few days, and then after that you must renew them. If not, the browser will show your users that the website is insecure. The price of paid SSL certificates start at $10 and can go up to $350, depending on the type of SSL certificate.

  1. Vendor

Different vendors provide different price ranges and security elements for each certificate. Before choosing any SSL vendor you should verify that they have a good reputation. Do that by watching their reviews and consumer’s feedback on their website.

Microsoft Bug Bounty Program: How Does 30K Sound to You?

Reading Time: 3 minutes

Most people have claimed a reward of some type at some point in their lives. Return someone’s smartphone to them, for example, and they’ll probably think your honesty in returning it is worth $50 at least. Or maybe you return someone’s precious pet to them and get a whole lot more than that for your effort or, more likely, good fortune in having it cross your path or end up in your backyard. But what if there was up 30K in reward money to be had?

Well, up to that amount is what software development mega-giant Microsoft is offering anyone who can find flaws in their newest Chromium-based Edge browser. Now the likelihood of most people – myself included – even having the ability to do that is pretty slim, but for those who are web development savvy it’s definitely something worth taking note of.

Now to be sure, just as it would be for any Canadian web hosting provider we’ve got some talented people on staff who do have the wherewithal required for something like this. They’re aware, and now you are too so let’s get into discussing what exactly all this is about and whether or not this would be not just easy money, but a LOT of easy money.

Beta Stage Bonuses

Microsoft recently released the beta version of its Chromium-based Edge and then introduced the Insider Bounty Program along with it. As mentioned, there’s apparently up to $30,000 to be had for those who find out unique vulnerabilities in this beta version of their new browser.

Yes, that’s what you can do when you have deep pockets to this extent. You’d have to find a thousand+ lost phones and pets to come even close!

To clarify though, 30K is only available if you find a flaw that is a vulnerability that leads to escape from the WDAG container. The majority of would-be rewards included in the Microsoft Edge Insider Bounty Program are in the range of $1,000 to $3,000, depending upon the bug’s severity and – take note – the quality of the submission (see thoroughness – less work for them = more $ for you).

Quality Control & Then Some

Microsoft has stated that the goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to dig up vulnerabilities that are unique to the next Microsoft Edge and have the potential for a direct and demonstrable impact on the security of their customers. Quite admirable, and not out of the ordinary for software developers in as far as the aim itself is concerned.

Attaching big money $ to that, however, is out of the ordinary.

It is true that Microsoft has a lot riding on the success and widespread adoption of it’s new Edge browser, particularly given the success of Google Chrome that the current Edge is very much playing second fiddle to.

It is reported to have features unique to Chromium Edge like Internet Explorer mode, PlayReady DRM, Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD), Application Guard and a few others.

Growth of the Bug-Finder Business

Turns out discovering unique bugs on the latest version of Edge can be a big business. As mentioned, Microsoft will issue rewards in various tiers, and these are the ones:

  • Spoofing and tampering related security impact – between $1,000 to $6,000, depending on the quality of the report
  • Information Disclosure and Remote Code Execution (RCE) can get you between $1,000 to $10,000 depending upon the severity of the report
  • Vulnerability resulting from Elevation of Privilege (EoP) will get you between $5,000 to $15,000
  • And again, the biggie – 30K for vulnerability resulting in escape from the WDAG container to the host

As you’d expect, there are Terms and Conditions for participating in the Microsoft Bug Bounty Program. The report submission must also include tangible proof, and have sufficiently demonstrated the vulnerability exploitation and the potential impact it might have on users.

Know your stuff? Scour over the Beta of Microsoft’s newest edge and see if you can earn the largest reward you’re likely to ever receive in your life!

Overcoming Issues with Most Recent Windows 10 Update

Reading Time: 3 minutes

A while back we had discussed some of the particulars with of the latest revisions available to people running desktop and notebook running Windows 10. Needless to say that encompasses a great many of them purring away at any given time all around the world, and it’s for that reason that some frequent undesirable occurrences seen with the most recent Windows 10 update are sufficiently noteworthy to the point that it makes sense for us to write about them in this week’s blog.

Here at 4GoodHosting, a part of what makes us a leading Canadian web hosting provider is the way in which we’re proactive in sharing information that’s easily identified as having value to our customer base. Given how ubiquitous the Windows OS is for personal computer users and the reality that’s unlikely to change, we’re going to discuss more than a few problematic issues that users are encountering quite frequently with the most recent Windows 10 update.

Reason enough to have less faith in the OS? That’s for you to decide.

The Issues

Where there’s smoke there is fire. While there had been rumblings about shortcomings with the latest Windows 10 update for a while, the way it is in the biz is that you don’t really take heed of these sorts of things until these sort of expressions of dissatisfaction become a little more numerous than just a few people here and there.

That’s the case now, and the consensus is that the latest update for Windows 10 is causing a string of issues for users. The update comes with patches against two critical vulnerabilities, but it seems they’re leading to problems. Among them are random reboots and inexplainable installation failures.

The update was made available on Tuesday of last week, and was created as a defense against a pair of remote code execution vulnerabilities which were deemed ‘wormable,’ – which means they are able to jump from one infected computer to another. Microsoft owned up to these vulnerabilities and informed users about the patches in a blog post, with users being encouraged to update their operating systems without delay.

Primary Problem 1, with Fix

Some users, however, have encountered difficulties when trying to apply the latest update,. To their credit, Microsoft has acknowledged that there ‘known issues’ with the update do exist.

Most notable among them:

A small number of devices may deliver a black screen on start up during the first logon after installing updates, and that this would be disconcerting for users.

The good news is there is a very simple fix for this;

  • Using Ctrl + Alt + Delete on the black screen and then using the Power button in the bottom right of the screen to select Restart. This should prompt the PC to boot normally.

Primary Problem 2, and NO Fix (Yet?)

The other significant problem with the update is the way it seems to be able to break some Visual Basic applications. More than a few users have reported that after installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) are seemingly no longer responding to basic requests and coming with them is a ‘invalid procedure call error.’ As the header there suggests, at this point at least there is no fix for this problem.

Similar feedback shared via a number of online discussion spots have also talked about repeated instances where the update causes random reboots to their systems. Others still are having problems downloading and installing the update itself. Microsoft reports that it is working on a solution for these issues, and those solutions should be rolled out in a future update.

What You Can Do

If you’ve gone with this recent Windows 10 update and are encountering one or all of these issues then the advice from the source is to update your operating system, and do so even if you’re worried about update issues with the security vulnerability being patched in the way it has been. It’s good advice, but be forewarned that you might see some issues with the update process.

If avoiding the update issues altogether is preferable for you – and you haven’t taken the update yet -, plus you’re okay with some risk, then there’s also this option; pause Windows updates until Microsoft announces a fix to this one.

40+ Different Device Drivers Found to Have Malware Security Flaw

Reading Time: 3 minutes

The scope and extensiveness of malware risks for computing devices is more pronounced than ever before, and that’s pretty much the story from one month to the next these days. At a recent security conference in Las Vegas, the Eclypsium security research team announced they had dug up some serious security flaws in at least 40 device drivers from 20 different vendors. These vulnerabilities could increase the likelihood of devices being infected by malware.

While this type of development in itself is nothing out of the ordinary, what makes it noteworthy is the sheer number of different drivers that may be affected. Here at 4GoodHosting, we’re like any other reputable Canadian web hosting provider in that we strive to make our customers aware of risks to their digital security when they arise. When one is as potentially far reaching as this one, we’re almost always going to make some sort of announcement regarding it.

The Latest

The research team’s report is stating that this malware targets system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component. By doing so what the attackers have done is take the same tools used to manage a system and then turn them into powerful threats that can escalate quickly on the host.

Once the driver is infected it then provides the attacker with optimized access for means of launching malicious actions within all versions of Windows, and Windows Kernel most notably.

Do note that all these affected drivers are ones certified by Microsoft:

  • American Megatrends International (AMI)
  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

The Why

All of this is related to a specific design flaw in Windows device drivers. They have a functionality that can be taken advantage of to perform a read/write of sensitive resources without being restricted by Microsoft. Some are suggesting that bad coding practices are to blame for this, and while that can’t be substantiated it is true that there is a more pressing need for better ones these days and older work can be suspect.

At present, the understanding is that Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to create a blacklist of drivers that are reported to them. The only problem there is that the HVCI feature is only available with 7th gen Intel CPUs along with newer processors only. The situation for older operating systems would be the need for manual installation, and this would also be true for newer ones where HVCI can’t be enabled.

Microsoft is now recommending that its users work with Windows Defender Application Control or turn on memory integrity for supported devices in Windows Security. This should block malware in software and drivers.

The Motivation for Developing Malware

Many people ask what exactly is in it for these malware developers to spend as much time as they do creating this infections and releasing them onto the world. Not sure there’s a clear answer to that, but it’s a good question. After all, people will assume that there’s nothing really to be gained by creating malware other than perhaps an individual sense of deranged satisfaction in messing with people and businesses.

This would be an incorrect assumption, however. The truth is that these people go to the effort to make malware because there’s money in it. For example, a botnet; a network of thousands – or even hundreds of thousands – of computers belonging to everyday people that have been infected with software that usually work to send out LOTS of spam.

Once a botnet network is established then it can be rented by individuals and organizations who want to send out spam promoting whatever it is they want promoted. Botnet owners make money, and same goes for keyloggers – they capture usernames and passwords and sell this information to whoever would like it and for whatever purpose.

These are just 2 examples of many. Long story short, the reason there’s people working to make malware is because – strangely enough – it’s profitable in one way or another.

Understanding Smart Contracts, and Their Relation to Blockchain & Bitcoin

Reading Time: 4 minutes

It seems Bitcoin and all the hubbub about cryptocurrency is ‘back on’ now, and there’s a renewed general interest in mining for digital currency. The one takeaway anyone who’s developing an interest in this should take is that this is not a way to get rich quick, and that bitcoin mining is much more labour-intensive than you think. Blockchain technology is integrally important to managing cryptocurrencies, so f you’re still not dissuaded and you’d like to start amassing cryptocurrency for yourself then you’re encouraged to read on.

Here at 4GoodHosting, we join every other Canadian web hosting provider in understanding the way many of our customers have real interest in taking advantage of everything that’s there for discovery in the digital world. It’s likely more than a few are taking more than a passing interest in cryptocurrency mining, so today we’ll share some information these folks are going to find valuable.

Smart contracts have the potential to be one of the most useful tools associated with blockchain, and it’s almost certain that they’re going to take off right along the cryptocurrencies they’re designed to manage. So what exactly are smart contracts then?

No Administration Required

Smart contracts are self-executing, business automation applications that run on a decentralized network, such as blockchain. The appeal of them is specifically in the way they’re able to remove administrative overhead. Indeed, smart contracts are one of most attractive features associated with blockchain technology. Blockchain functions as a database, and confirms that transactions have taken place, while smart contracts execute pre-determined conditions at the same time. They’re not unlike a when a computer executes on “if/then,” or conditional, in programming.

The way all of this works is once certain conditions of a smart contract are met – and related to our discussion here that’ll be two parties agreeing to an exchange in cryptocurrency – they can automate the transfer of bitcoin, fiat money, or the receipt of a shipment of goods that makes it possible for them to continue on their journey.

The workings of that will reveal a blockchain ledger that stores the state of the smart contract.

Tokens and Smart Contracts

The different applications for smart contracts are pretty much endless. Let’s take the insurance industry; an insurance company could use smart contracts to automate the release of claim money paid out for events like large-scale floods, hurricanes or droughts. Another example would be when a cargo shipment enters a port and IoT sensors inside the container relay a confirmation that the contents have been unopened and stored properly along the entirety of the journey.

This means a bill of lading can then be issued without any manual – and time consuming – inspection of the goods being required.

As mentioned, smart contracts are also now creating the basis for the transferring of cryptocurrency and digital tokens. Which function as a representation of a physical asset or utility. The best-known example these days is Ethereum blockchain’s ERC-20 and ERC-721 tokens. Both are smart contracts.

However, don’t think all smart contracts are tokens. It’s possible to have smart contracts running on Ethereum that trigger an action based on a condition without an ERC-20 or ERC-721 being involved.

How Smart Contracts Mimic Business Rules

For all intents and purposes, smart contracts are business rules translated into software. If you compare them to business rules automation software or stored procedures, smart contracts can support automating processes stretching across corporate boundaries and involving multiple organizations in ways the automation software can’t.

The major functional difference is that rules can be applied not only within the corporation that coded the smart contract, but to other business partners approved to be on the blockchain.

Importance of Good Data, and ‘Oracles’ in Smart Contracts

Smart contracts are great, but each one is only as good as the rules that dictate its automating processes. Quality programming is crucial, as is the accuracy of the data fed into a smart contract. The nature of smart contract rules make it so that once they’re in place, they can’t be altered in any way. After a contract is written, no on – not even the programmer – can change it.

If it tuns out that the data isn’t true – and being on a blockchain doesn’t necessarily make it so that it is – the smart contract will be unable to work properly.

Why is this? Well, data fed into blockchains and used for smart contract execution is sourced externally, and from data feeds and APIs most notably – a blockchain is not able to ‘fetch’ data directly. Real-time data feeds for blockchains are referred to as oracles.

Little Disputability with Smart Contract Data

Oracles have traditionally transmitted data from a single source, and as such there is no data that’s entirely trustworthy. It can be benignly or maliciously corrupted due to faulty web sites, cheating service providers, or even by unintentional mistakes.

The way regular contracts function today can be problematic. This is because one party may perform a task, but after that the other party may decide not to pay, or there may be assumptions made by one of the parties about complexities of the contract that may not even be true.

The issue here is that those contracts are not rigorously enforceable, but smart contracts are. A smart contract is deterministic, and can absolutely be enforced as long as the events related to its contractual clauses happen.

Edge Computing, IoT and future of Smart Contracts

Within the next 5 to 7 years we should see a massive growth in IoT connected devices spurring greater use of smart contracts. It’s projected that the majority of the estimated 46 billion industrial and enterprise devices connected in 2023 will be dependent on edge computing. Addressing standardization and deployment issues will be crucial.

How smart contracts will benefit here is by offering a standardized method for accelerating data exchange and enabling processes between IoT devices. Essentially they’ll be removing the middleman – the server or cloud service that acts as the central communication spoke for requests and other traffic among IoT devices on a network.

Add this to blockchain ledgers decreasing the time required to complete IoT device information exchange and processing time, and the collective promise between both technologies becoming prominent is something to definitely keep an eye on. With the focus on process efficiency, supply chain and logistics opportunities smart contracts will almost certainly become more ubiquitous in the years ahead.

Chrome Users Encouraged to ‘Rat Out’ Deceptive Sites with New Add-On

Reading Time: 3 minutes

Rats have always had a bad rap, and among all the many negative things associated with the rodents is the fact that ‘rat’ is no longer only a noun in the English language. It’s now also a verb. To ‘rat’ out someone or something is to make someone in position of power or authority aware of what that thing or person is doing when they shouldn’t be doing it. An example could be when you were kids and telling the school principal the names of the students you saw scratching their names into the side of the gymnasium.

They’re sure to be punished for it, but only you and the principal will ever know who exactly ‘ratted them out.’

Here at 4GoodHosting, we’re like any quality Canadian web hosting provider in that we don’t need to be prompted to stay on top of interesting developments in the digital world. We do it quite naturally, and we also have an at-least somewhat vested interest in maintaining a functional integrity for the World Wide Web.

All of which makes this recent news entirely newsworthy for our blog here.

Introducing the Suspicious Site Reporter

Google this week started requesting help in identifying suspicious websites, and to that end is making an add-on that lets them ‘rat out’ suspicious URLs through their Chrome browser. They can add the Suspicious Site Reporter, and what they’ll then see is a new flag-style icon on the top bar of the browser. When they come across a URL that’s fishy looking, all they have to do is click on the icon to report unsafe sites to Safe Browsing for further evaluation by the overlords at Google.

Safe Browsing is a ubiquitous term between Chrome, Mozilla’s Firefox, Apple’s Safari, and Android when users are steered away from sites that contain malicious or deceptive content. Google uses robots to scan the web and compile lists of websites that host malware, harmful downloads or deceptive ads and pages. Software developers then have the option of plugging into an API to integrate this list into their own applications.

In honesty, rival browser makers have done this for years, but it’s a fact none have the prestige or visibility that Chrome currently does.

What this ‘see, identify, and click’ results in is a warning that then tells user following in the footsteps of others that the intended destination is shady and proceeding further towards it is inadvisable. With Chrome, you can expect to see an alert reading ‘Deceptive site ahead’ and some explanatory text about why it’s being regarded that way.

So here it is that you don’t need to feel any discomfort about being ‘a rat.’

Different Designations

Some industry experts have stated they find some of the information in the pop-up box deployed after clicking the Suspicious Site Reporter to actually be suspicious on its own. One of them gave the example of visiting a national news organization’s site, and seeing the reason it was flagged as being ‘Haven’t visited site in the last 3 months.’

There’s another good and valuable warning that is issued when the browser is being steered toward a site with a deceptive URL, which is a common trick of hackers and phishers. There’s more than a few people who wouldn’t catch ‘go0gle.com’ instead of ‘google.com’, to use one example. For all these individuals, there will be a warning that helps you get back to safety.

This new feature was launched with Chrome 75, the current version that debuted June 4. As has been the case for a while though, Google commonly rolls out new Chrome features in stages in response to quality control interests.

If for some reason you Chrome 75 doesn’t have it, the Suspicious Site Reporter add-on can be downloaded from the Chrome e-store.

2 Weeks To HTTPS Becoming a Necessity for Websites

Reading Time: 3 minutes

It’s July 9th and two weeks from today the web is officially going with full HTTPS as requisite, and that’s a development that’s been a long time in the making. Securing traffic on the internet is an obvious priority, but of course there are people who are strongly opposed to having a secure web.

Two weeks today Google will be uniformly labeling any site loaded in Chrome without HTTPS to be not secure. Most webmasters will be on top of this and accordingly usage of HTTPS is exploding right now. In the 6 months up to a recent report, 32% growth in the use of HTTPS was seen in the top 1 million sites. Mozilla tracks anonymous telemetry via Firefox browser and recorded big growth (75% page loads) in the rate of pages being loaded over HTTPS. Chrome too, at around the same 75 percent.

We’re a Canadian web hosting provider who’s always got our thumb on the pulse of the industry, so it’s important to relate that quite a few popular sites on the web still don’t support HTTPS (or fail to redirect insecure requests) and will soon be flagged by Google. Plus, let’s clear up a few emerging myths about HTTPS:

  • It’s a Hassle
  • I Don’t Need It
  • It’s Gonna be Slow
  1. It’s A Hassle

No, it’s pretty darn simple. You can protect your site with HTTPS in a matter of seconds for FREE. Sign up for Cloudflare or using a CA such as Let’s Encrypt. We can assist you with any other web security and accessibility concerns you may have beyond https encryption of your website.

  1. I Don’t Need It

Well it turns out, you do – particularly as it relates to the safety and privacy of those visiting your site. Without HTTPS, anyone in the path between your visitor’s browser and your site or API can peer in on (or make modifications to) your content without you needing to be made aware of it. Governments, employers, and even especially internet service providers can and have been overseeing content without user consent.

If having your users receiving content unmodified and safe from maliciously injected advertisements or malware is a priority for you, you are advised to move your website to HTTPS.

Add the fact that the major browsers like Apple, Google, Mozilla, and Microsoft, are restricting functionality to only work over HTTPS. Google will soon block unencrypted mobile app connections automatically in their upcoming Android version. Apple has announced that apps must use HTTPS, but there has been no official announcement of this yet.

  1. It’s Gonna be Slow

The last common myth about HTTPS is that it’s not speedy enough. This belief is a holdover from an era when SSL/TLS might have had a negative performance impact on a site, but that’s not the way it is today at all or ever. HTTPS is also now required to enable and enjoy the performance benefits of HTTP/2.

Here’s two untruths to consider:

1) It takes incrementally more CPU power to encrypt and decrypt data; and

2) establishing a TLS session involves nothing more than 2 network round trips between the browser and the server.

HTTPS content from the edge – 10-20 milliseconds away from your users in the case of Cloudflare – SSL/TLS enabled sites are superior. And even when they are not served from an edge provider they still function at a high level. Advanced users should also consider using HSTS to instruct the browser to always load your content over HTTPS, saving it a round trip (plus page load time) on following requests.

Apple’s iPhone as a Crypto Wallet? Maybe So

Reading Time: 4 minutes

Even the most tuned-out of us will be aware of how Bitcoin seemingly went out with a whimper after arriving on the digital cryptocurrency scene with a bang a few years back. The same could be said for the hype about cryptocurrency as a whole, but of course now it’s made something of resurgence. Now it seems the acceptance of a global currency that’s not bound by the constraints of the world bank and international currency norms is an actual large-scale possibility, and no doubt we’re going to see a rush on bitcoin mining flare up again too.

Whether or not you believe in the validity of cryptocurrencies and if they’ll ever gain a foothold in the world of e-commerce and beyond is one thing, but it would seem that Apple is forecasting it’s going to do that to at least some extent. To cut right to it, it seems that they’re preparing to let iPhone users turn their devices into hardware wallets that will allow them to store and use bitcoin and other cryptocurrencies for mobile purchases of pretty much everything.

The bulk of us here at 4GoodHosting are like the staff you’d find at any leading Canadian web hosting provider in that we take a keen interest in any major shift in the web world landscape, and if cryptocurrency is now to gain traction like it was predicted to then that definitely qualifies. That and the fact that iPhone users likely make a good half of the majority of those of you, and so let’s look at what can we read into the possibility of iPhones becoming crypto wallets.

iOS 13 – WITH CryptoKit

At the recent Worldwide Developers Conference (WWDC) a few weeks back, Apple’s new CryptoKit for iOS 13 was on display. What it will do is allow developers to easily create hashes for digital signatures and public and private keys that can be stored and managed by Apple’s Secure Enclave. The keys will represent cryptocurrencies, which iPhone owners can then exchange as a form of payment through an app.

This doesn’t necessarily mean that Apple is going down the cryptocurrency path, but if it is it would be following HTC and Samsung. Both these competitors have already announced their intention to create native cold storage wallets available with their smartphones. HTC’s Exodus 1 smartphone is supposedly going to be able to natively store bitcoin or Ether cryptocurrencies, and Samsung’s Galaxy 10 – expected in February – is likely going to do the same.

Demand Will be There

Seems the number of people using digital wallets for all types of currencies is expected to jump from 2.3 billion this year to nearly 4 billion next year, and it’s estimated that half of the world’s population will be paying with cryptocurrencies at least some of the time by the year 2024. Along with this wallet transaction values should go up by more than 80% to more than $9 trillion a year.

Needless to say, that’s a significant chunk of change.

The real issue here is the challenge that already-existing NFC-based contactless wallets, like Apple Pay and Samsung Pay, will face when wallets based on QR codes become more of the norm. QR codes are already being used by merchants to access cryptocurrency wallets for payment.

Further, as of now, Apple’s CryptoKit doesn’t include all of the cryptography algorithms needed to complete Bitcoin transactions. That’s likely to change, and sooner rather than later.

Unique Hardware Opportunity

Apple’s CryptoKit means users are just a few steps away from turning their iPhones into a hardware wallet, and what it also does is put Apple’s developers in the driver’s seat when it comes to blockchain or crypto-based apps and the hardware required for them. The belief is that they’ll be able to provide a more secure crypto wallet than anything else out there right now from a mobile phone standpoint, and that’s because they’re able to build on the existing biometrics capabilities of iPhones and iPads.

Which is good, as big-time outlets like Starbucks and Whole Foods have all already announced programs to accept bitcoin other cryptocurrency for payments. You’ll be able to wave a QR code on your smartphone in front of a register scanner to pay. That QR code, enabled by an app, will represent how much currency you have at your disposal in your crypto wallet.

Further, because CryptoKit enables a second layer of security through encryption for iOS applications with private and public keys, it can repel other issues related to hardware hacking like SIM jacking , which is a malicious attack where the hackers assume control of a person’s digital finances.

It’s certainly an interesting time to be following these developments in the world of cryptocurrencies, but one has to wonder if it’s for real this time and not a whole lot of flash and little substance as was the case a few years ago when Bitcoin was ‘the next big thing.’ In fairness though, this is bigger than one type of cryptocurrency in particular, and it’s more about having the systems and hardware in place to enable its proliferation should it become a viable payment method.

Google is Blocking Ad Blockers in Chrome: Paid Web Browsers the Future

Reading Time: 3 minutes

Many people lament the fact that the Internet can’t be an unimpeded digital information source and not have commercial interests to the extent it does. It would be nice if it was a fountain of knowledge that exists for everyone’s own information gathering exclusively, but living in the world we do when there’s a buck to be made somewhere the opportunity will be taken. It’s especially frustrating for people who aren’t big consumers and have never clicked on a link or purchased very little online.

Google has recently moved to limit Chrome’s ad-blocking capabilities, and no doubt many of you using an ad-blocker will have already noticed this. Google also announced that this feature will not apply for Google’s paid G Suite Enterprise subscribers. Here at 4GoodHosting, we’re a Canadian web hosting provider who keeps our thumbs on the pulse of the digital world and the prospect of ad-free internet browsing only via paid web browsers would be a pretty big deal for nearly all of us who source information online.

According to a recent study, as many as 40% of people browsing the web from laptops use an ad blocker. That’s a big group of people that aren’t viewing Google’s ads. So why’s this happening, and what’s the underlying current here?

Beyond Blocked Blockers

It’s been reported in the news how Chrome users – and developers of Chrome-friendly, ad-blocker extensions – are none too pleased with Google’s proposed changes to the Chrome Extensions platform. We have to go back to when Google announced Manifest V3, which constituted a set of proposed changes to Google Chrome’s Extensions platform.

In it, specific changes to Chrome’s webRequest API were proposed with an eye to limiting the blocking version of it and this potentially would remove blocking options from most events and creating them as observational only. Content blockers would now use a different API instead, known as a ‘declarativeNetRequest.’ The Manifest concluded that this new API is “more performant and offers better privacy guarantees to users.”

The reality is though that Google’s Manifest V3 changes will prevent Chrome’s ad-blocker extensions from using the webRequest API as it normally, but it will also force them to use a new API (declarativeNetRequest). One that isn’t compatible with how existing popular adblocker extensions function and making them ineffective.

It’s fairly clear to see that Google is being receptive to the concerns of paying advertisers in ensuring the delivery of their ads to site visitors, and they’re not going to be supportive of ad blockers from now own.

A recent industry publishing had a statement from a spokesperson at Google regarding these changes in Chrome – “Chrome supports the use and development of ad blockers. We’re actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data shared with third parties.”

They then added further, “for managed environments like businesses, we offer administration features at no charge.”

For now, Google is still intending to block ad blockers in Chrome, while people who are subscribed to their G Suite Enterprise-level of services will enjoy ad-free viewing.

Pay to Play Soon?

In the past it was that Chrome could be an ad-free browsing experience at no additional cost. Now it seems you’ll have to subscribe to premium G Suite services, and the highest, most expensive version of it. How much? It’s $25 per user, per month, and that’s no small change for any type of online monthly service.

It’s not difficult to figure out what’s Google’s interest in doing this. They can increase the amount of revenue generated from users viewing ads if non-Enterprise subscribing users, based in large part because most people won’t pay for G Suite and more of them will see ads they’ll click through.

Keep in mind that Google’s competitors like Microsoft Edge and Firefox are still fine with supporting ad blockers, so it’s fair to assume they’ll be people who’ll abandon Chrome for another browser. Even if they think Chrome is superior, as there are many people who simply can’t stand ads and particularly if they’re researching for work or academic purposes and time is of the issue.

Google’s G Suite’s low and mid-tier subscribers will still be seeing ads too, it’s only the 25-a-month subscribers who’ll be enjoying ad-free browsing. G Suite Basic is $6 dollars per user per month and G Suite Business is $12 per user month.

Any of you planning to jump ship if your ad blocker is rendered useless?

3 Million Malwares Across Android Last Year in N. America

Reading Time: 4 minutes

Just a few weeks back we were sharing with you how WhatsApp was recommending users reinstall their app because of it being hacked. Hopefully those of you that use it have already done so, and if you have then you’re probably good to go with instant messaging for the foreseeable future. It turns out however that the problem of hacks, infection, malware and more is a lot more extensive than just one app and one operating system.

A quality Canadian web hosting provider is going to be one that appreciates the full extent of just how much digital connectiveness is important to people, and here at 4GoodHosting we have a front row seat to see the way mobile web browsing has pulled away from desktop in as far as being the means of choice for people. It all points to one well-understood reality; we’re turning to our mobile devices for more and more of everything that we do during the day.

A good many of us (myself included) have Android phones, and that’s why recent news from Quick Heal Security Labs is really undeniable when it comes to highlighting the extent of the cyber-attack problem for Android users in nor. And that is that apparently over 3 million malware were detected on Android OS in 2018.

Big Number, Big Problem

We can paint a picture of the severity of this best by sharing some numbers:

  • 3,059 malware infections per day, working out to 2 every minute across the country for Android devices
  • 1,786 adware infections per day, equally 1 per minute
  • 4,670 PUAs per day, and that’s 3 per minute

Yes, there’s an awful lot of smartphones out there, and a good many of them are going to have an Android OS. Those numbers are still fairly staggering though, and it really does put the problem in some perspective. And what’s interesting is that despite the rapid rise in cyberattacks on mobile devices, cyber security experts say device owners aren’t taking this as seriously as they should be.

Serious Business

Experts state that there will be a significant rise in mobile-focused malware and banking trojans, and another major mobile-based threat expected to be coming more to the forefront involves malicious code being introduced into clean-owned applications post update. Further, it would seem that this is more likely to take place once the download count reaches a certain landmark with the Google Play Store, according to the same report from Quick Heal.

Earlier this year a test was performed to check the efficiency of Android antivirus apps from Google Play. 250 apps were tested, and the results weren’t agreeable – more than two thirds failed to come back with a malware-block rate of 30% or better. Also turned out to be true that less than 1 in 10 of the apps tested were not able to defend against all the 2,000 malicious apps.

Not All Antiviruses the Same

There is no shortage of cheap and free antivirus apps accessible for consumers these days, but the reality is that only a few of those provide sufficiently powerful shielding against cyber threats. It’s important to validate the effectiveness of any you might be considering. There’s plenty of information on the web about them and quality reviews from knowledgeable people, so we’ll stay away from that topic here today and look at the most prevalent of these Android malwares being seen.

Top Android Malware for 2018

It seems the most common infection was with one called Android.Agent.GEN14722, which made its way into some 100,000 smartphones around the world last year. That’s just for the year though, overall and looking at it long-term, another two called Android.Agent.A1a92 and Android.Gmobi.A are the most prevalent malware found on mobile devices worldwide.

Other notables:

  • Umpay.GEN14924 at 25% of the total amount
  • MobileTrack.Gen7151 at 10%
  • Smreg.DA at 8%
  • Agent.DC6fb8 at 8%
  • Airpush.J at 7%

There were also function predispositions and focuses seen with these malware. Many aim to attack social media accounts for malicious purposes (like the Spyware bug that WhatsApp had recently), while others are geared to be invisible after installation and then display full-screen ads to users and earn revenue.

There’s also the FakeApp trick, which increases the number of sponsored app download counts and reviews. That’s clearly not as evil, but still something that people won’t be welcoming of in the slightest. Lastly, some activate by means of PDF attachments sent via phishing emails to launch malware on the device.

Be Proactive in Protecting Yourself

As mentioned, the right anti-malware for Android mobile devices is becoming more and more of a necessity, and especially so as it’s unlikely we’re going to see a decrease in the number of these malware threats that are emerging. This is especially true as each Android phone has a camera, speaker and a location tracker that quickly collects data from every place the consumer goes. When users are not aware about having this malware, the way they go about their day-to-day just the same as always puts their online privacy and sensitive data at risk.

AV apps that come from genuine security vendors are your best choice, as they regularly release updated versions to protect the users from the latest threats. These may come at a cost, but if you’ve got an understanding of just how pervasive this problem is then you should be okay with paying a little something for the security of your phone.

And yes, iOS is not immune to these problems either, although it may be true that the numbers attached to it might not be so massive as they seem to be for Android.