Displaying items by tag: SSL Security
Time doesn't bypass anything, or anybody! That includes our computers, our mobile phones, our TVs, our cars... even us! So why would websites be any different?
Yet it's been my experience in the past that when I notify some clients that their sites have become outdated and no longer have security support they seem surprised. It's as if they weren't aware that websites, like everything in life, are affected by the passage of time.
So how does a website age? Visually you can always tell an old website because of the way it looks, as it will appear somewhat dated compared to modern ones. But it's not the visual element that's the problem... it's the code that's been used within it where the problem lies. Because as time goes on, security holes appear. And if they're not patched and updated then there are going to be security breaches!
Another critical element in the "safe" life expectation of a site is PHP. PHP is the scripting language on the server that runs all our clients' websites... in fact around 83% of the sites on the Web are powered by PHP.
Over the years, as with all technology, PHP has advanced considerably. It's much more secure, and now considerably faster in the time it takes to render web pages. This gives you peace of mind regarding security, and a much better experience for your users. But as it advances through the versions it becomes necessary to remove certain coding elements that older sites used. This is to ensure that any unsafe elements are no longer included, and to continue to advance the application in terms of performance and security.
Unlike some years ago, we now have the option to run multiple PHP versions on a server at the same time... so most web hosts are able to accommodate the needs of all users at any given time. At present we have PHP 5.6, 7.0, 7.1, and 7.2 available which can be assigned on a per site basis. And 7.3 is due to launch next month so that will be added as well.
But a big change also happens next month which will affect clients on older sites: PHP 5.6 and 7.0 will become unsupported and end of line! Here's the PHP version calendar:
After those two highlighted dates, any users on PHP 5.6 and 7.0 will no longer have security support and are potentially exposed to unpatched security vulnerabilities.
The key point you have to be aware of here is that if you still need to run on those old PHP versions, then there are elements within your site that are out of date as well. So there are two risks facing you: outdated site software and outdated server software.
In terms of our clients, we will continue to provide PHP 5.6 and 7.0 for them until the expiry of their current hosting period. At that point, if they don't intend to upgrade their sites, we will find an alternative Web Host for them who can still offer these outdated versions. But be aware, those Hosts won't be able to offer that facility indefinitely... there will come a point in time when they'll withdraw them too.
As always, my advice is this: Only use currently supported versions of site software and server software. If you don't, then you're putting yourself, and others on the server, at risk of potential security breaches.
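As an added example (not code from the original post), here is a small Python audit that flags sites whose advertised PHP branch has lost security support. It reads the version from an `X-Powered-By` header or a pasted `php -v` line; the end-of-support dates are PHP's published security-support dates for the branches named above, and the sample headers are constructed, not captured from real sites.

```python
import re
from datetime import date

# Security-support end dates per branch (php.net "Supported Versions" table).
PHP_SECURITY_EOL = {
    (5, 6): date(2018, 12, 31),
    (7, 0): date(2018, 12, 3),
    (7, 1): date(2019, 12, 1),
    (7, 2): date(2020, 11, 30),
    (7, 3): date(2021, 12, 6),
}

# Matches "PHP/7.2.12" (header form) and "PHP 7.3.0" (php -v form).
_VERSION_RE = re.compile(r"PHP[/ ](\d+)\.(\d+)(?:\.(\d+))?")


def php_version_from(text):
    """Return (major, minor, patch) from a header or `php -v` line, or None
    when no version is advertised (expose_php=Off hides it on purpose)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def support_status(version, today):
    """Classify the branch as supported / unsupported / unknown and report
    days of security support left (negative once support has expired)."""
    branch = version[:2]
    label = "%d.%d" % branch
    eol = PHP_SECURITY_EOL.get(branch)
    if eol is None:
        return {"branch": label, "status": "unknown", "days_left": None}
    days_left = (eol - today).days
    status = "supported" if days_left >= 0 else "unsupported"
    return {"branch": label, "status": status, "days_left": days_left,
            "eol": eol.isoformat()}


def audit(headers_by_site, today):
    """headers_by_site maps a site name to its raw 'Name: value' header lines."""
    report = {}
    for site, lines in headers_by_site.items():
        version = None
        for line in lines:
            if line.lower().startswith("x-powered-by:"):
                version = php_version_from(line)
        if version is None:
            # Hidden version is good hygiene, but it is not proof of support:
            # confirm the branch in the hosting control panel instead.
            report[site] = {"status": "not advertised"}
        else:
            report[site] = support_status(version, today)
    return report


# Constructed sample headers for three fictional sites.
SAMPLE = {
    "old-shop.example": ["Server: Apache", "X-Powered-By: PHP/5.6.38"],
    "brochure.example": ["Server: nginx", "X-Powered-By: PHP/7.2.12"],
    "hardened.example": ["Server: nginx"],  # expose_php=Off: nothing to read
}

if __name__ == "__main__":
    for site, result in audit(SAMPLE, date(2018, 11, 15)).items():
        print(site, result)
```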
As I mentioned earlier, some clients don't like to hear that they are potentially at risk. But we have a responsibility to keep clients informed, in the same way your mechanic would give you a safety advisory related to your car. I doubt that anybody wants to get a report saying their brakes are failing... but it's most definitely something they need to be told!
Another reaction I get is when clients say "Why would anybody want to hack my site? It doesn't get a lot of visitors so I'll just leave the site as it is".
Now just change that thought process to "Why would anybody want to burgle my house or steal my car? I'll just carry on leaving the doors unlocked".
Make no mistake, Point 1 and Point 2 express exactly the same point of view... that somehow it won't happen to me. However, statistics suggest that it will happen to you if you don't take security seriously. There are more than 1.86 billion websites on the internet. Around 1% of these, something like 18,500,000, are infected with malware at a given time each week; while the average website is attacked 44 times every day. Official Industry Source HERE!
Just because you're not aware of this situation doesn't mean it's not happening. It just means it's not happening to you because of the proactive steps we have taken on an ongoing basis over many years.
If we are no longer able to take those measures because of the circumstances I've detailed in this article then we have a responsibility to our clients to make them aware of it. Of course, what they decide to do at that point is their decision... but nobody who's a client of ours can ever say "I didn't know".
Now here are three questions:
1. Did your web developer personally contact you prior to the day and explain these principles?
2. Did your web developer implement these changes prior to 25th May?
3. Did your web developer make all the necessary changes to your site to ensure you were compliant without billing you for their services?
If you answered "Yes" to all three then you're obviously a WebSpain client. As I've said in the past, not all web designers are created equal. This is just another example of how we always go further in the area of client support.
As far as GDPR will develop in the future, there are no guarantees that the stipulations, or even the interpretations, won't actually change. And at this point it remains to be seen how closely the regulations are actually going to be enforced.
No doubt there are millions of website owners out there that haven't got a clue about all this... because their web developer never bothered to bring them up to speed about their responsibilities. You'll be able to spot them quite easily if they don't have a "specific consent" option in their forms. Potentially, organizations not in compliance could face hefty penalties of up to 20 million euros, or 4 percent of their worldwide annual turnover, whichever is higher - so this isn't something that you can leave to chance.
But there's one area where the GDPR isn't clear at the moment... and that's HTTPS/SSL encryption on websites. The GDPR regulations specifically state that all user information received must be stored securely, and all reasonable precautions must be taken in terms of its security at point of contact and thereafter.
To me, that would imply it's necessary to have all connections encrypted rather than unsecured... despite the fact SSL Security isn't directly referenced. So my personal recommendation (as I've been saying for 3 years) is to ensure that you have an encrypted connection to your site.
Google has been saying this throughout this period, and now with the introduction of GDPR the onus is on you personally to ensure that you are seen to be complying with the legal responsibilities that you now have. Also, from July onwards, Google Chrome browsers will begin to flag every website that does not use HTTPS encryption with the warnings 'Not secure' prominently highlighted in the address bar. That's a business-killer if ever there was one.
Failure to secure people's data in the past was just seen to be unprofessional... now it breaks European law. There's a big difference. Seriously... just don't take any chances on this because the stakes just got a lot higher.
For over 3 years we've been advising website owners to get HTTPS/SSL encryption in place because the internet has been moving towards a totally encrypted medium. A major development is now taking effect from July 2018 onwards... and from thereon it's going to get much more difficult to present yourself online as a professional business unless you have this system in place.
Because from then on, Google will be placing a "Not Secure" warning in the browser for all sites (and all pages on all sites) that are not encrypted. The official announcement from Google can be seen HERE!
There are many benefits of having HTTPS/SSL encryption in place:
1. A 2048-bit encrypted connection between the user and the site gives a higher level of security for data transmission.
2. An SSL certificate also provides authentication. This means that users can be sure that they are sending information to YOU, and not to a criminal’s server.
3. Protection from Phishing, where a criminal tries to impersonate you or your website.
4. You can use a Dedicated IP address that gives you protection from any IP blacklisting of your site and e-mail caused by other users on the shared server IP address.
5. Enhanced professionalism giving clients confidence in doing business with you.
6. Trust! Browsers give visual cues, such as the lock icon in the address bar, which tells visitors that their connection is secure.
7. SSL is a criterion for search engine ranking, so potentially higher placement in searches.
8. You'll get a "Secure" message displayed on your site rather than "Not Secure".
If that all sounds a bit technical... then here's a short video that will explain it.
So if you haven't got SSL in place then now is the time to make a move before you end up losing business! Simply because the words "Not Secure" on every page of your site are not going to inspire or reassure any potential client!
When clients come to us for a website they generally have a list of expectations or requirements. Of course, that helps us to identify exactly what needs to be implemented in order to meet their requirements... but one important thing is always missing in their estimation at that point! And that factor is User expectations!
People tend to focus solely on what they want or what they like, with no regard to what potential users actually expect when they visit a website. That's where we come in... because we make it absolutely clear what aspects need to be prioritised! However, some people don't want to listen and will take no advice whatsoever. All that matters to them is what they want, to the point of total exclusion of their potential users' requirements.
If you take this course of action then your website is unlikely to succeed... irrespective of how attractive it looks. Because if people can't figure out how to use it, or can't find anything on it, they'll leave and never return. Simply because you prioritised what you wanted over what they wanted... thereby making it difficult, irritating, and time consuming for visitors!
So what is it that users expect?
1. Site Speed! Don't overload pages with giant images or introduce additional elements where data is retrieved from outside sources. Things like Live Chat boxes, Facebook and Twitter streams, Weather forecasts etc are examples of this!
Be aware that if you insist on bogging it down with resource intensive elements, slow page loads are going to be the end result. You'll then get a high bounce rate (which Google tracks) so your site rankings will drop as a result! Keep it as lean as possible, and avoid irrelevant, superfluous, and self indulgent elements that deliver no value to the user whatsoever.
2. Intuitive Navigation! Ensure that you have clearly visible and intuitive menu and sub-menu structures, along with categorisation of the elements contained within. Basically, don't throw everything into one place and then expect users to be able to hunt for what they want. Make life easy for them... then they're more likely to bookmark the site and return in the future.
3. An Organised Site! No enormous paragraphs of text that go on forever! Short, sharp, straight to the point, introduce benefits, and accompany it with a great quality image to get their initial attention.
4. Aesthetics! When a visitor gets to your site you've got less than 10 seconds to make a positive impression. If your site looks a hideous and cluttered mess while resplendent in a myriad of migraine-inducing dayglo colours then you probably haven't got off to a good start! Your site must attract visitors straight away... first impressions count! But be aware that this is the point where you now need to actually validate yourself professionally, which brings us to the next point... Value!
5. Value! In this context I'm referring to delivering on what you initially promised when you presented them with an attractive looking site!
On the initial front page intro you should be clearly defining what you deliver! But it's no good just saying it... you need to actually deliver it in terms of quality written content that informs, educates, and advises.
Examples of poor value would be spurious unsubstantiated claims, ludicrous clichés, and sales pitches... all accompanied by a couple of generic paragraphs and a blurry image that you copied from Wikipedia! If you go down this route then site visitors (and Google) won't take you seriously.
6. Mobile Compatibility! Over half of the searches on Google now come from mobile devices... so if you don't have a mobile site by now then you're not even in the game! Every site we've built since 2012 has been mobile compatible as standard and at no additional cost. Mobile must be at the core of everything you do!
7. Safety and Security! Visitors want to know that their identity, information, and even their computer is not at risk from malware, browser hijacks, viruses, trojans, hacking, or phishing attempts. Google is very interested in this factor as well... and every time they visit they're running checks on your site to ensure that it's safe for visitors.
They're very clear on this... all sites should now have SSL encryption in place to protect visitors. If you don't, then realistically it'll only be a matter of time until you drop off the radar on the search results. After all, do you think Google are going to send its users to websites that they consider to be unsafe? And without SSL in place to provide an encrypted connection for visitors then your site status with Google is unsafe!
As you've seen, all those points were categorised as User expectations! Are User expectations important to you?
Maybe not... but what if I changed the title to Google expectations? Would that now get your attention?
Because the fact is that what Users expect and what Google expects in terms of front end viewing is exactly the same thing!
So stop thinking about what You want... and think about what Users want! Because your Users, and Google, will take you a lot more seriously if you do!
Google have now released a State of Website Security in 2016 review... based on its statistics from last year. And it's an eye-opener! Because in 2016 the number of hacked sites increased by 32% compared to 2015, and that percentage is likely to keep on rising!
61% of those hacked were not notified of it because they never registered their sites in Google Search Console. The only way they'd know is when their site was destroyed or defaced, or when their web host closes their account due to them sending out spam, or being used as a phishing site to perpetrate criminal activities.
Google have pinpointed the reasons that so many websites were hacked:
1. Outdated software and missing security updates!
Really, this one goes without saying! If you run software that is outdated then you're playing Russian Roulette... and one day you will get the loaded chamber. It's just a matter of time!
2. Compromised Passwords!
Use strong and difficult passwords... and change them often! And this applies to all online accounts that you have, including Social Media!
3. Phishing and Social Engineering!
Google have been emphasising for over 2 years that every site should be accessed by a secure connection using HTTPS/SSL encryption. And it's now reached the stage where they're putting warnings in browsers to all site visitors if this system is not in place.
So if your site gets hacked... what can you expect? Well Google have listed the most widely used defacement processes so you know what's coming your way.
1. Gibberish Hack!
This will create pages of nonsense that will ultimately divert to a porn site! You'd better prepare your story for when users contact you demanding to know why you sent them to something like that... and infected their computer with a virus or trojan at the same time.
2. Japanese Keywords Hack!
Your site will get blitzed with Japanese words directing viewers to sites that are selling fake merchandise. If you ever wanted to feature in search engines for terms like "Rolex Watches" then this is your chance!
3. Cloaked Keywords Hack!
With this attack, hackers usually use cloaking techniques to hide the malicious content. They can make the injected page appear as if it's a part of the original site... including a fake 404 error page. They'll then sell the links on your site to a third party who will use them for whatever purposes they want. But be aware that these purposes are not going to be legal or family friendly.
All this info comes directly from Google's analysis of internet activity in 2016. It's not speculation or assumption... it's the facts!
So what action can you take to protect your website and your business?
Strong passwords, use current software both on the site and server (and keep updating it), only use professional web designers and web hosts, implement HTTPS/SSL encryption, and ensure that your site is protected by its own firewall built into the application.
How many of those can you answer "Yes" to?
The way things are headed now, these are not options, they're essentials! If you're not prepared to ensure these are in place then you may as well shut your site down and just use a FaceBook business page. Because if you leave it too long, a third party with bad intentions is going to make that decision for you.
I'll leave you with this thought! Those of us of a certain age can remember hearing news reports of bank robberies, post office robberies... and even mail train robberies. Ever wondered why it's gone pretty quiet on that front in recent years?
It's simply because the gelignite, firearms, masks, and getaway cars have now been replaced by computers!
Not convinced? Did you know that the UK Chancellor has announced a new five-year £1.9 billion scheme to counteract cyber-crime in the UK? Would he do that if there wasn't a serious problem that affects everybody?
The reality is that official government statistics have shown that there were 3.8 million instances of cyber-crime in the 12 months up to June 2016 in the UK alone! And it's rising!
Ignoring the recommendations above means you're actually contributing to the problem! And looking at it another way, it's the equivalent of hearing there's a spate of burglaries in your area and then leaving all your doors unlocked! Ask yourself... would you really do that?
Google has now started sending out warnings to users that are running outdated and vulnerable software installations. Which is what we have been doing for years in order to ensure our clients are not at risk.
This action from them has probably been initiated due to the continual problems caused by webmasters who just don't take security seriously. There was recently a mass defacement involving hundreds of thousands of websites using the WordPress content management system (which we don't use) called the REST API Vulnerability. And no doubt this has now driven Google to take this action.
The message users are receiving (depending on what software they're using) is this:
"Google has detected that your site is currently running Joomla 2.5, an older version of Joomla. Outdated or unpatched software can be vulnerable to hacking and malware exploits that harm potential visitors to your site. Therefore, we suggest you update the software on your site as soon as possible".
So let's just recap on the warnings Google are now issuing:
1. Sites should be mobile compatible.
2. Sites should have HTTPS/SSL security.
3. Sites should be running up to date and secure software.
I'd also add that every site should have its own security firewall installed... which could well be the next step Google will take.
Let me emphasise that Google are not saying that you have to have a site of the technical complexity of Kyero or eBay etc... they're just making it clear that it should reach a basic level of professionalism and responsibility.
Saying that... I've actually had people who are knowingly in the position above actually ask me how they can improve their Google positioning. Just let that sink in! They fail all of the basic criteria that Google requires, they've received multiple warnings to that effect... yet they want to be recommended by them.
Bottom line is if you can't demonstrate professionalism in your online presence then Google (and users) will just not take you seriously. Think of it this way: Most of you at one time or another will have experienced the damage caused by viruses, trojans, ransomware etc when your computer gets infected by malware. Where do they come from? From infected websites on the internet!
Google want to get this under control, and they will now penalise sites who refuse to accept their responsibilities regarding security. They're certainly not going to be recommending sites they class as dangerous to their users.
I'd go so far as to say that they will eventually take the view that if you're not part of the solution then you're part of the problem... and you'll end up becoming invisible. Others are following too... because I've had warnings flash up from Facebook that I may be leaving there to visit a site that is classed as dangerous. So all the big players are getting behind these security initiatives... it's not something you can ignore.
If you're a client, then we've already notified you of your status in each of the criteria. If you're not a client, then your current web developer should have kept you up to date on all these developments to ensure you were protected. If they haven't, then get in touch and we can run some checks for you.
Many site owners are going to be getting an e-mail warning from Google very soon! Simply because they have not put HTTPS/SSL security in place on their sites.
From this month on "Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields".
We've been advising our clients that this has been coming for some considerable time... most recently two months ago in HTTPS Websites so many are now prepared. Are you?
The background to this is that we register every site that we build with Google in their Search Console. This tells them exactly where your site is located, and we also give them an XML sitemap along with multiple page URL's so they can index you more efficiently. So they know all about you!
This has benefits besides quicker indexing because it also flags up warnings if there are technical irregularities on the site. We then analyse these and rectify them immediately before it causes any issues. But with this situation regarding HTTPS they're taking it a stage further because they're sending me an e-mail to be passed on to the owner of the site.
The correspondence is quite clear... "The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as Not Secure".
If you look in the browser address bar of this site you'll see the green padlock and the word "Secure". If you don't have an SSL in place you'll be seeing a warning icon with the words "Not Secure" which doesn't exactly inspire confidence in visitors. After all, if you had the choice of visiting a Secure or Non-Secure site where would you go?
It's not clear yet whether these warnings will show up in the Google search listings... but if they do then your traffic is likely to drop considerably. We already know that Google are prioritising Secure sites in the listings, now it's a question of if, or when, they plan to start dropping the Non-Secure sites. Whatever happens, it's not good news if you don't have SSL security in place.
I know that some of you won't like this latest update. But you have to understand that Google wants to make the web a safer place... and directing users to sites where they could be put at risk of phishing or identity theft doesn't help their cause. And it certainly doesn't help the users much either.
If you have a website, think of it as a shop in real life. Then ask yourself whether you would want to enter any premises that had been deemed unfit or dangerous? We all have a collective responsibility here, so I would strongly suggest you get HTTPS/SSL encryption in place immediately. With Business comes Responsibility!
As I pointed out a few months ago in Is Your Business Worth a Coffee the cost is not going to break the bank! But running without it is guaranteed to have a detrimental effect on your bank balance through lost business.
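As an added example (not code from these posts), here is a Python pre-flight check for the HTTPS move that the "benefits of HTTPS/SSL" list and this post about Chrome's "Not Secure" warning both recommend. Buying a certificate is only step one: the plain-HTTP address must redirect, HSTS should be set, and the HTTPS page must not still pull images, scripts or forms over http://, or the browser keeps warning. It works on captured responses in the simple dict shape shown, so it runs offline; both sample sites are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser LOAD or SUBMIT something (mixed content);
# a plain <a href="http://..."> is a navigation link and is not counted.
_LOADING_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src",
    "link": "href", "form": "action",
}


class _ResourceFinder(HTMLParser):
    """Collect (tag, url) pairs that would be fetched or posted over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = _LOADING_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and urlsplit(value).scheme == "http":
                self.insecure.append((tag, value))


def mixed_content(html):
    finder = _ResourceFinder()
    finder.feed(html)
    return finder.insecure


def check_https(site):
    """site: {'http': response, 'https': response}; each response is a dict
    with 'status', 'headers' (lower-case names) and 'body'.
    Returns the findings a browser or crawler would hold against the site."""
    findings = []
    http, https = site.get("http"), site.get("https")
    if https is None or https["status"] != 200:
        findings.append("https endpoint missing or not serving 200")
        return findings
    # 1. Plain HTTP must hand visitors to HTTPS, not serve the page itself.
    if http is not None:
        location = http["headers"].get("location", "")
        if http["status"] not in (301, 308) or not location.startswith("https://"):
            findings.append("http:// does not permanently redirect to https://")
    # 2. HSTS keeps returning visitors off HTTP once they have been over HTTPS.
    if "strict-transport-security" not in https["headers"]:
        findings.append("no Strict-Transport-Security header")
    # 3. Any http:// resource on the https page is mixed content and still
    #    earns a browser warning despite the certificate.
    for tag, url in mixed_content(https["body"]):
        findings.append("mixed content: <%s> loads %s" % (tag, url))
    return findings


# Constructed samples: a site whose owner has only just bought a certificate,
# and a site that has completed the migration.
HALF_DONE = {
    "http": {"status": 200, "headers": {"content-type": "text/html"},
             "body": "<html>old page still served</html>"},
    "https": {"status": 200, "headers": {"content-type": "text/html"},
              "body": '<html><img src="http://half-done.example/logo.png">'
                      '<form action="https://half-done.example/contact"></form></html>'},
}
MIGRATED = {
    "http": {"status": 301, "headers": {"location": "https://migrated.example/"},
             "body": ""},
    "https": {"status": 200,
              "headers": {"strict-transport-security": "max-age=31536000"},
              "body": '<html><img src="/logo.png">'
                      '<a href="http://partner.example/">partner</a></html>'},
}

if __name__ == "__main__":
    for name, site in (("half-done", HALF_DONE), ("migrated", MIGRATED)):
        print(name, check_https(site) or ["ok"])
```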