Online security has always been important. But a number of recent stories have shown why it is becoming even more important all the time.
Website managers will soon have to get to grips with implementing HTTPS, which ensures users connect to your website over an encrypted connection.
Google in particular is pushing hard on this. Web managers who don’t heed Google’s warnings risk seeing their pages penalised in Google search engine results pages.
In this blog post from last August, Google explained that they were beginning to use HTTPS as a ranking signal, meaning the absence of HTTPS could have a detrimental effect on your website’s search engine results.
For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
I have seen people ask whether Google’s stance really applies even to websites such as personal blogs that do not handle sensitive user data.
The answer from Google is clear, and they have published this useful article and video explaining why.
One common misconception about HTTPS is the belief that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.
For owners of small personal websites, it looks like implementing HTTPS is something we will have to grapple with sooner rather than later.
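The application side of the switch above, as an added example that is not part of the original post: a small WSGI middleware that sends plain-HTTP visitors a 301 to the HTTPS URL and adds a Strict-Transport-Security header to responses served over TLS, so browsers keep using HTTPS on later visits. Certificate installation belongs to the web server or host and is not covered here. The request environments, the `example.test` host name and the `hello_app` handler are constructed for the demonstration; the `X-Forwarded-Proto` handling assumes a trusted TLS-terminating proxy that overwrites that header.

```python
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year, in seconds


def request_is_https(environ) -> bool:
    """True if the request arrived over TLS, directly or at a trusted TLS-terminating proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Assumption: a proxy in front of the app sets X-Forwarded-Proto and strips any
    # client-supplied copy; without that, this header could be set by the client.
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_target(environ) -> str:
    """Same host, path and query string, but with the https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app):
    """WSGI middleware: redirect plain HTTP to HTTPS, add HSTS on HTTPS responses."""
    def wrapped(environ, start_response):
        if not request_is_https(environ):
            start_response("301 Moved Permanently",
                           [("Location", https_target(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on a response the browser received over TLS.
            headers = list(headers) + [
                ("Strict-Transport-Security",
                 f"max-age={HSTS_MAX_AGE}; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello_app(environ, start_response):
    """Constructed placeholder application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def call(app, environ):
    """Tiny offline harness: run a WSGI app on a constructed environ, return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme, host="example.test", path="/blog/post", query="", forwarded_proto=None):
    """Constructed request environment (sample data, not a captured request)."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
           "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    if forwarded_proto:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


secure_app = force_https(hello_app)

if __name__ == "__main__":
    print(call(secure_app, make_environ("http", query="page=2")))
    print(call(secure_app, make_environ("https")))
```

Running the block shows the plain-HTTP request answered with a redirect to the `https://` URL and the HTTPS request answered normally with the HSTS header attached; the redirect deliberately preserves path and query so existing links keep working.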
Outdated and vulnerable WordPress and Drupal versions may have contributed to the Panama Papers breach — WordPress Tavern
Small website owners also need to be vigilant when it comes to keeping their software up to date. Although you would think mega-rich law firms would be a bit more on top of it.
Seemingly not in the case of Mossack Fonseca, the law firm at the centre of the Panama Papers leak.
It emerged that the firm did not encrypt its emails, and ran an outdated version of Outlook Web Access from 2009. On top of that, it ran an insecure version of WordPress from 2014, and a three-year-old version of Drupal with major vulnerabilities.
It beggars belief that such fundamental security holes were present at a law firm that was handling such sensitive information.
If these open source software vulnerabilities provided the access point for this massive leak, then this company’s global fiasco was entirely preventable. Although many people welcome the uncovering of corruption and dirty money transactions of famous people and world leaders, the reality is that these kinds of exploits can also be carried out on well-meaning organizations that exist to protect people’s health records, financial data, and other sensitive information.
The password is in peril. It is failing as a method of authentication.
The user experience of passwords is particularly appalling. As such, it’s up to developers to focus on securing the backend and offering other methods of authentication, Joel Califa concludes.
Passwords are susceptible to brute force attacks, phishing scams, guessing, and the classic (and most dangerous) looking-over-someone’s-shoulder. Even if you force your users to use the most complex passwords imaginable, they might just write them down and stick them to their monitors. The harder you make passwords to remember, the more likely something like this will happen.
At the end of last year, the Economist made a bold prediction about cybersecurity.
Well-run organisations will stop using passwords and logins in 2016. Instead they will use identifiers that are harder to copy, fake, steal or guess, such as biometrics (fingerprints, retinas, posture, gait and even typing habits). Security questions will stop being asinine (“mother’s maiden name?”). Instead they will ask you to give numbers from codes continuously generated by an app on your phone. Identification that depends on a triple lock—something you have, something you know and something you are—is harder for an attacker to replicate.
The methods outlined here have been used for a while, but are still far from being as ubiquitous as the password. Sooner or later tech companies will have to concede that a password alone is no longer sufficient.