HTTPS Changes in Firefox and Chrome

For as far back as I can remember, browsers have always denoted HTTPS pages with a padlock icon, a tiny warning to let you know that anything you submit on the specific page will be securely encrypted. As with all never-changing warnings though, I imagine you’ve stopped noticing it as much as you used to years ago, and that effect combined with HTTPS usage reaching over half of all web pages and the popularity of extensions like HTTPS Everywhere, has spurred some changes in how Firefox and Chrome approach this.

Launched this week, Firefox 51 and Chrome 56 have reversed that age-old warning. Login forms over HTTP now display a “Not Secure” warning. This new warning should be enough to catch the attention of those of us who have begun to ignore the time-honored padlock, but I imagine site owners might be caught a bit off guard.

If you own a site with a login form over HTTP, don’t worry (sort of), your login form isn’t suddenly not secure … it has never been secure. If you’re the only person who uses that login form, and you never use it over a public internet connection, you generally have nothing to worry about.

If other people are expected to log in to your site over HTTP, or you often log in over a public internet connection, it’s time to start moving your site over to HTTPS. You’ll need to acquire an SSL/TLS certificate from a certificate authority to begin with, and in the past those have been ridiculously expensive, but all of that changed when Let’s Encrypt premiered, offering free SSL/TLS certificates for everyone. Today, you’ll most likely find that your hosting provider offers either free or incredibly inexpensive certificates, like all of WordPress’s recommended hosting providers do (as does my hosting provider, Pressable). If your hosting provider still wants to charge you a ridiculous rate for a certificate, you might as well take this opportunity to check out the rapidly growing list of hosting providers who offer free Let’s Encrypt certificates.

Once you have your certificate, setting it up is generally just a matter of consulting the documentation from your hosting provider (though this is typically automated if you acquire the certificate from them) and your website’s software. If you use WordPress, the process is very simple.

As site owners, let’s do what we can to proliferate HTTPS and thus provide a more safe and secure web for everyone.

Basic Privacy Tools

A few years ago, I wrote about security, privacy, and resetting the net. We’re still in very interesting times as far as that subject goes, and if you haven’t taken steps to protect your privacy, now might be a good time to reconsider that.

One of the easiest changes you can make is to use DuckDuckGo instead of a major search engine. DuckDuckGo doesn’t store your personal information and doesn’t track you, so using it instead of a major search engine is a great way to start cutting down on your digital footprint. Also, if you’re making the switch to DuckDuckGo, but still using Chrome (which is made by Google), now might be a great time to try Firefox instead.

While we’re talking about search engine tracking, you might as well put a stop to all of the other trackers too. If you’re already using Firefox, you can switch on its already built-in tracking protection with the Test Pilot program (this can also be enabled manually by toggling privacy.trackingprotection.enabled to true under about:config). For most other browsers, or for more control in Firefox, try uBlock Origin, and try Firefox Focus for iOS devices.

For the communication end of things, consider switching to Signal for your messaging needs. Signal is fully encrypted end-to-end, so the only two people who can read the messages are the sender and recipient. For email, consider switching to ProtonMail, which is also fully encrypted, and hosted in privacy-friendly Switzerland.

Additionally, you’ll probably want a VPN to keep you safe, at least when you’re on public Wi-Fi. This is where things get a bit tricky. You’ll want to choose a VPN that either doesn’t log your activity, like TunnelBear, or one that’s not based in The Fourteen Eyes, like these. You’ll also want to make sure that your chosen VPN supports both your desktop and mobile devices. For added security in extreme situations, keep a copy of Tor Browser around (use Onion Browser for iOS devices and Orfox for Android devices).

These are just some basic steps to protect your privacy online. They’ll provide some layer of protection, but if you want to lock things down even further, visit Privacy Tools and PRISM Break.

If you want to do even more, please consider supporting an organization that will fight for your privacy, like the Electronic Frontier Foundation and the American Civil Liberties Union.

WordPress Security and Auto-Updates

WordPress 4.3.1 was released six days ago and included three security fixes. If you haven’t done anything silly to disable auto-updates, you would have been automatically updated within an hour of the announcement (and in some cases even before the announcement). If you have disabled auto-updates, your site was publicly at risk until you manually updated, and if you still haven’t updated, you had better do so now.

Auto-updates are not only crucial, they are almost quite literally the least you can do to protect your site. When a security update is announced, along with the vulnerabilities being made public, you could trust your site to update itself quickly and efficiently with no effort on your part, or you could disable all of that and keep your site vulnerable until you got around to doing it yourself. Sure, there is a very slim possibility that a feature of a plugin on your site may momentarily break until its developer fixes it, but such a thing is insignificant compared to recovering a hacked site, or losing an unrecoverable hacked site, just because you decided to let it live with publicly known vulnerabilities.

This doesn’t just extend to WordPress core. Plugins and themes get occasional security updates too. While WordPress doesn’t automatically update those by default, you can make it do so by modifying wp-config.php, using a plugin, or a service like Jetpack Manage. Just like with WordPress core, the updates will be applied within an hour of the release. And, if you’re worried about losing theme modifications, make sure that you’re using a child theme or a plugin like Jetpack Custom CSS so that you can modify your theme in a way that still allows you to safely update the parent theme.
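As an added example (not code from the original post), here is one way to opt plugins and themes into the automatic updater while holding back a single plugin you want to update by hand, along the lines of the breakage caveat above. It assumes a must-use plugin file at wp-content/mu-plugins/auto-updates.php and an example plugin slug; the filter names and the WP_AUTO_UPDATE_CORE constant are WordPress’s own.

```php
<?php
/**
 * Added example, not from the original post.
 * Assumed location: wp-content/mu-plugins/auto-updates.php
 * Must-use plugins load on every request, so these filters are always in place.
 *
 * Core updates are controlled separately by a constant in wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', true );   // all core releases
 *   // 'minor' = security/minor releases only (the default), false = none
 */

/**
 * Plugins that should wait for a manual, tested update.
 * The slug below is an assumed placeholder, not a real plugin.
 *
 * @return string[]
 */
function example_manual_update_plugins() {
    return array( 'fragile-example-plugin' );
}

/**
 * Decide whether WordPress may auto-update a given plugin.
 *
 * @param bool   $update Whether WordPress intends to auto-update this item.
 * @param object $item   Update offer; $item->slug identifies the plugin.
 * @return bool
 */
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_manual_update_plugins(), true ) ) {
        return false; // Held back: update this one yourself after testing.
    }
    return true; // Everything else gets security releases within the hour.
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes: auto-update all of them. Keep modifications in a child theme so the
// parent theme can be replaced safely.
add_filter( 'auto_update_theme', '__return_true' );
```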

When it comes to securing WordPress, there’s a lot you can do, but allowing auto-updates to function is by far the best way to keep your site secure, and almost quite literally the least you can do. Enjoy the freedom and security that auto-updates afford to you and your site.

WordPress 4.2.4 Released

WordPress 4.2.4 has been released. This is a critical security release, addressing 6 security vulnerabilities, as well as 4 bugs (including a few you may have run into during the last security fix).

A huge thanks to the folks who kept us all safe by responsibly disclosing the security vulnerabilities.

If you have not done anything silly to disable automatic updates, you were already updated hours ago. If you did do something silly to disable automatic updates, then your site has been vulnerable to 6 now publicly known security vulnerabilities for at least the past 10 hours, so you should really update manually right now, and then turn your automatic updates back on.

As always, if you run into any trouble, please let us know!

Security, Privacy, and Resetting the Net

Accusations of online surveillance by government entities are rampant. By now, you have all seen or heard of at least one clandestine government program, like PRISM, designed to spy on citizens by circumventing what was once considered to be fundamental security.

The validity of these accusations and programs is in question, as would be expected. Is there really a threat? If so, is it really as bad as described? Are those spreading the accusations seeking only to undermine the stability of their governments? Are those defending their governments simply working for their governments or living in fear of them? I doubt we’ll ever know the truth, but why should we let that stop us from protecting ourselves regardless?

Today, over 12 thousand people joined together, reaching over 12 million followers, to Reset the Net by promoting security and privacy. Companies like WordPress.com are already promising better security by the end of the year, and you can protect yourself now by adopting many security-focused apps and privacy-focused alternatives to popular web services, like using DuckDuckGo instead of Google. By making ourselves more secure users, we promote a more secure and private internet. Whether online surveillance by government entities truly exists or not, how could you say that a more secure and private internet is a bad thing?

Now, get out there and promote a more secure and private internet! Don’t underestimate the power of your voice online. Be the change you want to see in the world.

Disclosing a Security Vulnerability

Some of you are coming here from a site where this blog was apparently featured as an example of how to exploit a security vulnerability. I won’t link to it, because what that individual did was irresponsible, but it gives me the opportunity to hopefully educate some people.

There are many ways to disclose a security vulnerability, but the only right way and the only responsible way is to do it privately. If you publicly disclose a security vulnerability, you have made the world aware of both its existence and how to exploit it, endangering thousands (perhaps millions) of unsuspecting users. You are not the hero when you publicly disclose a security vulnerability, you’re the villain.

Many developers and companies have multiple ways to contact them privately. If you have found a security vulnerability, contact the developer or company privately via their official security report system or any private contact method you can find. If you can’t find one, contact them publicly and ask them to get in touch with you because you have found a security vulnerability. Any good developer or company will reply immediately via a private channel. Once you have privately disclosed the vulnerability, give them a few days to resolve the issue while it’s still known only to you, and feel free to publicly disclose it once the security vulnerability has been removed.

Be responsible by disclosing security vulnerabilities privately, not publicly.

Two Step Authentication on WordPress.com

If you have a WordPress.com blog, now is the perfect time to make your account more secure with our new two step authentication! Two step authentication (also referred to as two-factor authentication) requires you to enter a one-time secret code from your mobile device whenever you log in, after entering your password of course, which is hopefully a strong password (and you should consider changing that if it isn’t). This means that, with two step authentication enabled, an attacker would need to both know your password and have physical possession of your mobile device to gain access to your account.

All you need to use two step authentication at WordPress.com is an iOS, Android, or Blackberry mobile device (it doesn’t have to be a cellphone, but you do need to connect to the internet once to set it up). If you don’t have one of those, you can also use a cellphone capable of receiving text messages.

We’re looking into ways to bring our two step authentication system to self-hosted WordPress.org blogs soon, and you’ll see an announcement on the Jetpack blog when we’re ready. Until then, try the Google Authenticator plugin with your self-hosted blog.