2 Weeks To HTTPS Becoming a Necessity for Websites

It’s July 9th and two weeks from today the web is officially going with full HTTPS as requisite, and that’s a development that’s been a long time in the making. Securing traffic on the internet is an obvious priority, but of course there are people who are strongly opposed to having a secure web.

Two weeks from today Google will be uniformly labeling any site loaded in Chrome without HTTPS as not secure. Most webmasters will be on top of this and accordingly usage of HTTPS is exploding right now. In the 6 months up to a recent report, 32% growth in the use of HTTPS was seen in the top 1 million sites. Mozilla tracks anonymous telemetry via the Firefox browser and recorded big growth (75% page loads) in the rate of pages being loaded over HTTPS. Chrome shows much the same, at around 75 percent.

We’re a Canadian web hosting provider who’s always got our thumb on the pulse of the industry, so it’s important to relate that quite a few popular sites on the web still don’t support HTTPS (or fail to redirect insecure requests) and will soon be flagged by Google. Plus, let’s clear up a few emerging myths about HTTPS:

  • It’s a Hassle
  • I Don’t Need It
  • It’s Gonna be Slow

  1. It’s a Hassle

No, it’s pretty darn simple. You can protect your site with HTTPS in a matter of seconds for FREE. Sign up for Cloudflare or use a CA such as Let’s Encrypt. We can assist you with any other web security and accessibility concerns you may have beyond HTTPS encryption of your website.

  2. I Don’t Need It

Well it turns out, you do – particularly as it relates to the safety and privacy of those visiting your site. Without HTTPS, anyone in the path between your visitor’s browser and your site or API can peer in on (or make modifications to) your content without your being aware of it. Governments, employers, and especially internet service providers can and have been overseeing content without user consent.

If having your users receiving content unmodified and safe from maliciously injected advertisements or malware is a priority for you, you are advised to move your website to HTTPS.

Add the fact that the major browser vendors like Apple, Google, Mozilla, and Microsoft are restricting functionality to only work over HTTPS. Google will soon block unencrypted mobile app connections automatically in their upcoming Android version. Apple has announced that apps must use HTTPS, but there has been no official announcement of this yet.

  3. It’s Gonna be Slow

The last common myth about HTTPS is that it’s not speedy enough. This belief is a holdover from an era when SSL/TLS might have had a negative performance impact on a site, but that’s not the way it is today at all. HTTPS is also now required to enable and enjoy the performance benefits of HTTP/2.

Here are two untruths to consider:

1) It takes incrementally more CPU power to encrypt and decrypt data; and

2) establishing a TLS session involves nothing more than 2 network round trips between the browser and the server.

When HTTPS content is served from the edge, 10-20 milliseconds away from your users in the case of Cloudflare, SSL/TLS-enabled sites are superior. And even when they are not served from an edge provider they still function at a high level. Advanced users should also consider using HSTS to instruct the browser to always load your content over HTTPS, saving it a round trip (plus page load time) on subsequent requests.
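One way to check the two points raised above, a site that fails to redirect insecure requests and an HSTS policy that actually takes effect, is to audit the responses a site returns for its http:// and https:// URLs. This is an added example, not code from the original post; the sample responses are constructed and the 180-day minimum `max-age` is an assumed threshold.

```python
# Added example: audit captured responses for HTTPS redirect and HSTS policy.
REDIRECTS = (301, 302, 303, 307, 308)
MIN_MAX_AGE = 15552000  # assumed threshold (180 days), not from the article

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(http_resp, https_resp):
    """Each argument is (status, headers) as captured for http:// and https://."""
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if status not in REDIRECTS or not headers.get("location", "").lower().startswith("https://"):
        findings.append("insecure request not redirected to HTTPS")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over plain HTTP (browsers ignore it there)")
    secure = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = secure.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header on HTTPS response")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("HSTS header has no valid max-age")
        elif max_age == 0:
            findings.append("max-age=0 tells the browser to forget the policy")
        elif max_age < MIN_MAX_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_MAX_AGE)
    return findings

# Constructed sample responses (not real captures).
GOOD = ((301, {"Location": "https://example.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
WEAK = ((200, {"Strict-Transport-Security": "max-age=31536000"}),
        (200, {"Strict-Transport-Security": "max-age=0"}))

if __name__ == "__main__":
    for name, pair in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(*pair) or "ok")
```

The first HTTP request to a site is still unprotected until the browser has seen the HSTS header once over HTTPS, which is why the redirect check matters even when HSTS is set.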

Site Isolation from Google Promises to Repel More Malware Attacks


Security in the digital business world is really a challenge these days, and the world wide web is becoming as full of nefarious characters as the town of Machine, the ‘End of the Line’ as it were in the cool monochrome Western Dead Man with Johnny Depp from the ‘90s. A few months back we detailed the big bad Spectre virus that had come onto the scene and posed major threats to the security of data for any type of website handling sensitive personal information.

It continues to be a ‘thing’, and in response to it Google recently enabled a new security feature in Chrome that secures users from malicious attacks like Spectre. It’s called Site Isolation, and is a new feature available with Chrome 67 on Windows, Mac, Linux, and Chrome OS. Here at 4GoodHosting, we’re a Canadian web hosting provider that puts an emphasis on this for obvious reasons, always seeking to be as on top of our clients’ web hosting needs as effectively as possible.

Google’s experimentation with Site Isolation has been going on since Chrome 63, and they’ve patched a lot of issues before enabling it by default for all Chrome users on desktop.

Chrome’s multi-process architecture allows different tabs to employ different renderer processes. Site Isolation functions by limiting each renderer process to documents from a single site. Chrome then relies on the operating system to mitigate attacks between processes, and so between sites.

Google has stated that in Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS, according to a recent post on their company blog, stating further that ‘even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.’

Additional known issues in Chrome for Android have been identified and are being worked on. Site Isolation for Chrome for Android should be ready with Chrome 68.

Need for Speed

Quick mention as well to Speed Update for Google Search on mobile. With this new feature the speed of pages will be a ranking factor for mobile searches. Of course, page speed has already been factoring into search engine rankings for some time now, but it was primarily based on desktop searches.

All of this is based on the unsurprising finding that people want to find answers to their searches as fast as possible, and page loading speed is an issue. Keeping that in mind, Google’s new feature for mobile users will only affect the pages that are painfully slow, and that has to be considered a good thing. Average pages should remain unaffected by and large.

We’re always happy to discuss in more detail how our web hosting service comes with the best in security and protective measures for your website when it’s hosted with us, and we also offer very competitively priced SSL certificates for Canadian websites that go a long way in securing your site reliably. Talk to us on the phone or email our support team.

IT Security Insiders: Expect an Escalation in DDoS Attacks for Duration of 2017

The long and short of it is that Internet security will always be a forefront topic in this industry. That’s a reflection of both the never-ending importance of keeping data secure given the predominance of e-commerce in the world today and the fact that cyber hackers will never slow in their efforts to get ‘in’ and do harm in the interest of making ill-gotten financial gains for themselves.

So with the understanding that the issue of security / attacks / preventative measures is never going to be moving to the back burner, let’s move forward to discuss what the consensus among web security experts is – namely, that DDoS Attacks are likely to occur at an even higher rate than previously for the remainder of 2017.

Here at 4GoodHosting, in addition to being one of the best web hosting providers in Canada we’re very active in keeping on top of trends in the Web-based business and design worlds, as they tend to have great relevance to our customers. As such, we think this particular piece of news is worthy of some discussion.

Let’s have at it – why can we expect to see more DDoS attacks this year?

Data ‘Nappers and Ransom Demands

As stated, IT security professionals predict that DDoS attacks will be more numerous and more pronounced in the year ahead, and many have started preparing for attacks that could cause outages worldwide in worst-case scenarios.

One such scenario could be – brace yourselves – a worldwide Internet outage. Before you become overly concerned, however, it would seem that the vast majority of security teams are already taking steps to stay ahead of these threats, with ‘business continuity’ measures increasingly in place to allow continued operation should any worst-case scenario come to fruition.

Further, these same insiders say that the next DDoS attack will be financially motivated. While there are continued discussions about attackers taking aim at nation states, security professionals conversely believe that criminal extortionists are the most likely group to successfully undertake a large-scale DDoS attack against one or more specific organizations.

As an example of this, look no further than the recent developments regarding Apple and their being threatened with widespread wiping of devices by an organization calling itself the ‘Turkish Crime Family’ if the computing mega-company doesn’t cough up $75,000 in cryptocurrency or $100,000 worth of iTunes gift cards.

A recent survey of select e-commerce businesses found that 46% of them expect to be targeted by a DDoS attack over the next 12 months. Should that attack come with a ransom demand like the one above, it may be particularly troublesome for any management group (given the fact that nearly ALL of them will not have the deep pockets that Apple has).

Further, the same study found that a concerning number of security professionals believe their leadership teams would struggle to come up with any other solution than to give in to any ransom demands. As such, having effective protection against ransomware and other dark software threats is as important as it’s ever been.

Undercover Attacks

We need to mention as well that these same security professionals are also worried about the smaller, low-volume DDoS attacks that last 30 minutes or less. These have come to be classified as ‘Trojan Horse’ DDoS attacks, and the problem is that they typically will not be mitigated by most legacy DDoS mitigation solutions. One common ploy used by hackers is to employ a Trojan horse as a distraction mechanism that diverts the guards and opens up the gates for a separate, larger DDoS attack.

Citing the same survey yet again, fewer than 30% of IT security teams have enough visibility worked into their networks to mitigate attacks that do not exceed 30 minutes in length. Further, there is the possibility of hidden effects of these attacks on their networks, like undetected data theft.

Undetected data theft is almost certainly more of a problem than many are aware – and particularly with the fast-approaching GDPR deadline which will make it so that organizations could be fined up to 4% of global turnover in the event of a major data breach deemed to be ‘sensitive’ by any number of set criteria.

Turning Tide against ISPs

Many expect regulatory pressure to be applied against ISPs that are perceived to be insufficient in protecting their customers against DDoS threats. Of course, there is the question as to whether an ISP is to blame for not mitigating a DDoS attack when it occurs, but again it seems the consensus is that it is, more often than not. This seems to suggest that the majority would find their own security teams to be responsible.

The trend seems to be to blame upstream providers for not being more proactive when it comes to DDoS defense. Many believe the best approach to countering these increasing attacks is to have ISPs that are equipped to defend against DDoS attacks, by both protecting their own networks and offering more comprehensive solutions to their customers via paid-for, managed services that are proven to be effective.

We are definitely sympathetic to anyone who has concerns regarding the possibility of these attacks and how they could lead to serious losses should they be able to wreak havoc and essentially remove the site from the web for extended periods of time. With the news alluded to earlier that there could even be a worldwide Internet outage before long via the new depth and complexity of DDoS attacks, however, it would seem that anyone with an interest in being online for whatever purpose should be concerned as well.