Categories
Technology

HTTPS Changes in Firefox and Chrome

For as far back as I can remember, browsers have always denoted HTTPS pages with a padlock icon, a tiny warning to let you know that anything you submit on the specific page will be securely encrypted. As with all never-changing warnings though, I imagine you’ve stopped noticing it as much as you used to years ago, and that effect combined with HTTPS usage reaching over half of all web pages and the popularity of extensions like HTTPS Everywhere, has spurred some changes in how Firefox and Chrome approach this.

Launched this week, Firefox 51 and Chrome 56 have reversed that age-old warning. Login forms over HTTP now display a “Not Secure” warning. This new warning should be enough to catch the attention of those of us who have begun to ignore the time-honored padlock, but I imagine site owners might be caught a bit off guard.
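For site owners who want to know which pages will trigger the new warning, here is a small audit sketch. It is an added example, not part of the original post: the function names and the blog.example pages are assumptions. It also goes one step beyond the warning described above by flagging HTTPS pages whose login form still posts to an http:// address.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFieldFinder(HTMLParser):
    """Records, for each password input, the action of its enclosing form."""

    def __init__(self):
        super().__init__()
        self.form_action = None   # None while no <form> is open
        self.actions = []         # one entry per password field found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.actions.append(self.form_action or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit_login_page(page_url, html):
    """Return findings for one page; an empty list means nothing was flagged."""
    finder = PasswordFieldFinder()
    finder.feed(html)
    findings = []
    for action in finder.actions:
        if urlsplit(page_url).scheme == "http":
            findings.append("password field on a page served over HTTP")
            continue
        # An empty action posts back to the page URL; relative ones inherit its scheme.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme == "http":
            findings.append("password form posts to " + target)
    return findings


# Constructed sample pages (hypothetical site blog.example), not real captures.
LOGIN_FORM = ('<form action="{0}" method="post"><input type="text" name="log">'
              '<input type="password" name="pwd"></form>')

if __name__ == "__main__":
    for url, action in [("http://blog.example/wp-login.php", "wp-login.php"),
                        ("https://blog.example/wp-login.php", "http://blog.example/wp-login.php"),
                        ("https://blog.example/wp-login.php", "/wp-login.php")]:
        print(url, action, audit_login_page(url, LOGIN_FORM.format(action)))
```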

If you own a site with a login form over HTTP, don’t worry (sort of), your login form isn’t suddenly not secure … it has never been secure. If you’re the only person who uses that login form, and you never use it over a public internet connection, you generally have nothing to worry about.

If other people are expected to log in to your site over HTTP, or you often log in over a public internet connection, it’s time to start moving your site over to HTTPS. You’ll need to acquire an SSL/TLS certificate from a certificate authority to begin with, and in the past those have been ridiculously expensive, but all of that changed when Let’s Encrypt premiered, offering free SSL/TLS certificates for everyone. Today, you’ll most likely find that your hosting provider either offers free or incredibly inexpensive certificates, like all of WordPress’s recommended hosting providers do. If your hosting provider still wants to charge you a ridiculous rate for a certificate, you might as well take this opportunity to check out the rapidly growing list of hosting providers who offer free Let’s Encrypt certificates.

Once you have your certificate, setting it up is generally just a matter of consulting the documentation from your hosting provider (though this is typically automated if you acquire the certificate from them) and your website’s software. If you use WordPress, the process is very simple.

As site owners, let’s do what we can to proliferate HTTPS and thus provide a more safe and secure web for everyone.

Categories
Technology World

Basic Privacy Tools

A few years ago, I wrote about security, privacy, and resetting the net. We’re still in very interesting times as far as that subject goes, and if you haven’t taken steps to protect your privacy, now might be a good time to reconsider that.

One of the easiest changes you can make is to use DuckDuckGo instead of a major search engine. DuckDuckGo doesn’t store your personal information and doesn’t track you, so using it instead of a major search engine is a great way to start cutting down on your digital footprint. Also, if you’re making the switch to DuckDuckGo, but still using Chrome (which is made by Google), now might be a great time to try Firefox instead.

While we’re talking about search engine tracking, you might as well put a stop to all of the other trackers too. If you’re already using Firefox, you can switch on already built-in tracking protection. Try uBlock Origin for most other browsers, or for more control in Firefox, and try Firefox Focus for iOS devices.

For the communication end of things, consider switching to Signal for your messaging needs. Signal is fully encrypted end-to-end, so the only two people who can read the messages are the sender and recipient. For email, consider switching to ProtonMail, which is also fully encrypted, and hosted in privacy-friendly Switzerland.

Additionally, you’ll probably want a VPN to keep you safe, at least when you’re on public Wi-Fi. This is where things get a bit tricky. You’ll want to choose a VPN that’s not based in The Fourteen Eyes, like these. You’ll also want to make sure that your chosen VPN supports both your desktop and mobile devices. For added security in extreme situations, keep a copy of Tor Browser around (use Onion Browser for iOS devices and Orfox for Android devices).

These are just some basic steps to protect your privacy online. They’ll provide some layer of protection, but if you want to lock things down even further, visit Privacy Tools and PRISM Break.

If you want to do even more, please consider supporting an organization that will fight for your privacy, like the Electronic Frontier Foundation and the American Civil Liberties Union.

Categories
Technology

WordPress Security and Auto-Updates

WordPress 4.3.1 was released six days ago and included three security fixes. If you haven’t done anything silly to disable auto-updates, you would have been automatically updated within an hour of the announcement (and in some cases even before the announcement). If you have disabled auto-updates, your site was publicly at risk until you manually updated, and if you still haven’t updated, you had better do so now.

Auto-updates are not only crucial, they are almost quite literally the least you can do to protect your site. When a security update is announced, along with the vulnerabilities being made public, you could trust your site to update itself quickly and efficiently with no effort on your part, or you could disable all of that and keep your site vulnerable until you got around to doing it yourself. Sure, there is a very slim possibility that a feature of a plugin on your site may momentarily break until its developer fixes it, but such a thing is insignificant compared to recovering a hacked site, or losing an unrecoverable hacked site, just because you decided to let it live with publicly known vulnerabilities.

This doesn’t just extend to WordPress core. Plugins and themes get occasional security updates too. While WordPress doesn’t automatically update those by default, you can make it do so by modifying wp-config.php, using a plugin, or a service like Jetpack Manage. Just like with WordPress core, the updates will be applied within an hour of the release. And, if you’re worried about losing theme modifications, make sure that you’re using a child theme or a plugin like Jetpack Custom CSS so that you can modify your theme in a way that still allows you to safely update the parent theme.

When it comes to securing WordPress, there’s a lot you can do, but allowing auto-updates to function is by far the best way to keep your site secure, and almost quite literally the least you can do. Enjoy the freedom and security that auto-updates afford to you and your site.
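To check whether a site has had its auto-updates switched off, the sketch below scans the text of a wp-config.php for the boolean constants WordPress consults before updating itself. It is an added example, not part of the original post: the function name and the sample file are constructed, and it only covers wp-config.php constants, not plugins or filters that can also disable updates.

```python
import re

# Matches  define( 'NAME', true );  or  define( 'NAME', false );  at the start of a
# line, so lines commented out with // or # are ignored. Block comments are not handled.
BOOL_DEFINE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE)

# Constant name -> (value that switches updates off, what that does).
UPDATE_KILL_SWITCHES = {
    "AUTOMATIC_UPDATER_DISABLED": ("true", "all automatic updates are disabled"),
    "WP_AUTO_UPDATE_CORE": ("false", "automatic core updates are disabled"),
    "DISALLOW_FILE_MODS": ("true", "file changes are blocked, including updates"),
}


def autoupdate_findings(wp_config_text):
    """Return one finding per constant that turns automatic updates off."""
    findings = []
    for name, value in BOOL_DEFINE.findall(wp_config_text):
        bad_value, effect = UPDATE_KILL_SWITCHES.get(name, (None, None))
        if value.lower() == bad_value:
            findings.append(f"{name} = {value.lower()}: {effect}")
    return findings


# Constructed sample file, not taken from a real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', false );
// define( 'WP_AUTO_UPDATE_CORE', false );
define('AUTOMATIC_UPDATER_DISABLED', TRUE);
"""

if __name__ == "__main__":
    for finding in autoupdate_findings(SAMPLE_WP_CONFIG):
        print(finding)
```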

Categories
Technology

WordPress 4.2.4 Released

WordPress 4.2.4 has been released. This is a critical security release, addressing 6 security vulnerabilities, as well as 4 bugs (including a few you may have run into during the last security fix).

A huge thanks to the folks who kept us all safe by responsibly disclosing the security vulnerabilities.

If you have not done anything silly to disable automatic updates, you were already updated hours ago. If you did do something silly to disable automatic updates, then your site has been vulnerable to 6 now publicly known security vulnerabilities for at least the past 10 hours, so you should really update manually right now, and then turn your automatic updates back on.

As always, if you run into any trouble, please let us know!

Categories
Technology World

Security, Privacy, and Resetting the Net

Accusations of online surveillance by government entities are rampant. By now, you have all seen or heard of at least one clandestine government program, like PRISM, designed to spy on citizens by circumventing what was once considered to be fundamental security.

The validity of these accusations and programs is in question, as would be expected. Is there really a threat? If so, is it really as bad as described? Are those spreading the accusations seeking only to undermine the stability of their governments? Are those defending their governments simply working for their governments or living in fear of them? I doubt we’ll ever know the truth, but why should we let that stop us from protecting ourselves regardless?

Today, over 12 thousand people joined together to reach over 12 million followers to Reset the Net by promoting security and privacy. Companies like WordPress.com are already promising better security by the end of the year, and you can protect yourself now by adopting the use of many security-focused apps and privacy-focused alternatives to popular web services, like using DuckDuckGo instead of Google. By making ourselves more secure users, we promote a more secure and private internet. Whether online surveillance by government entities truly exists or not, how could you say that a more secure and private internet is a bad thing?

Now, get out there and promote a more secure and private internet! Don’t underestimate the power of your voice online. Be the change you want to see in the world.