Newsletter Archive from January 26, 2007
I've gone on and on about personal computer security in my newsletters (anti-virus, firewall, backups), and now I'll go into website security.
Website security is important for any website that collects personal data. It inspires trust in your site's users and encourages them to contact you and/or make a purchase.
Obviously, if your site collects credit card information, then security is more of a concern than if all your site does is ask for people's names and favorite colors.
Many shoppers now look for the little lock symbol in the border of their browser as a way of determining whether the data they are submitting through a website form is secure.
This lock symbol denotes that "Secure Socket Layer" (SSL) encryption is active. Basically, it means that if a hacker were to intercept a person's internet connection while they were typing in their credit card number, the data would be encrypted and therefore look like gibberish to the hacker.
There are a number of different SSL providers out there, and they range in cost from free to over a thousand dollars a year. In general, the more well known the SSL provider, the more they charge.
SELF-SIGNED (FREE)
Your website's host server administrator can generate a "self-signed" SSL certificate for you for free. These will pop up warnings in many browsers, however, so they are only useful for securing parts of your site that are not public, such as admin pages.
MEDIUM ASSURANCE ($20 - $400 PER YEAR)
These are what you typically get when you purchase an SSL certificate. When you buy one, the certificate provider will email you to confirm your identity. Not much assurance, is it?
Godaddy charges $20 per year and you get a goofy looking logo to slap on your website, while Verisign charges $400 a year for its much more businesslike and recognized logo. However, the underlying technology is exactly the same.
HIGH ASSURANCE ($80 - $1000 PER YEAR)
These are pretty much the same certificate as the medium assurance, but you go through a more rigorous vetting process when you apply for one. Instead of the SSL provider just emailing you, you also get a phone call.
As with the medium assurance certificate, you can pay Verisign a huge premium per year for their more recognized logo, or get one from Godaddy for $80 a year.
EXTENDED VALIDATION ($400 - $1300 PER YEAR)
With the release of Internet Explorer 7, there's a new SSL certificate in town. When you have an extended validation SSL certificate, not only will your browser (currently only IE7) display the lock symbol, it will also display a green bar. It's too early to tell if this green bar is influencing any additional sales for anyone, but it may well in the future, especially if other browser makers adopt the green bar as a standard.
Microsoft realized that the vetting process involved in self, medium, and "high" assurance SSL certificates wasn't very strict, so they created their browser to work with this new kind of SSL. Currently it's only available to corporations and government entities, and it requires a letter from an attorney or accountant.
Godaddy charges $400 a year and Verisign charges $1300 a year.
In summary, it's up to you to decide whether appearances are worth it. Note that these costs don't include any fees for having someone install the certificates for you. Also, you can usually get a better deal if you buy more than one year at a time.
Perhaps you have a personal firewall on your desktop/laptop computer? The idea is to keep all unauthorized internet traffic from interacting with your computer. The same applies to a web server (the computer that holds your website's files).
Some of the ways someone can try to 'talk' to a web server include HTTP (aka a web browser), FTP, SSH, SAMBA, Telnet, and many more. With a firewall, you can configure which of these protocols people are allowed to use to connect to your server, and how easily.
For example, most web servers don't need SAMBA or Telnet, so these are commonly blocked by firewalls.
Firewalls come as software and/or hardware. The software is generally inexpensive or free, and the hardware consists of a whole new computer (which is generally not cheap). They both do basically the same thing. Hardware firewalls are generally used by large companies and/or sites with lots of traffic.
No doubt you've read in the news or otherwise heard about how hackers are constantly finding flaws in Microsoft products, which consequently require Microsoft to offer security updates (aka patches) for their software.
There are companies out there who specialize in finding security flaws in other people's software. The most enterprising of these will even charge you an arm and a leg for the privilege. Some of the better known ones include HackerSafe and Verisign.
They charge up to $2000 a year to continually try to break into your website, and if they succeed, they tell you how they did it so you can try to fix it.
In practice, "they" is usually just a computer program, not someone with an MS in computer science.
If you've got a big store, the HackerSafe logo can reassure potential buyers that your store isn't full of security holes through which their credit card numbers might slip.
The best thing you can do to help keep your website secure is change your administrative passwords on a regular basis (once a month is great, but try for at least once a year). It's simple and generally free.
Don't use English words; rather, use confusing strings such as xUL32eExaSS8, which could never be guessed. I read somewhere that the best passwords are strings of random letters and numbers that are at least 15 characters long.
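As an added illustration (not from the newsletter), here is a short Python script that generates admin passwords meeting the "random letters and numbers, at least 15 characters" advice above, shows how much guessing work such a password represents, and checks a candidate against the same rules; the word list is a constructed stand-in for a real dictionary.

```python
import math
import secrets
import string

# Letters and digits, as the newsletter recommends: 62 possible symbols per position.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 15

# Constructed, tiny stand-in for an English word list; a real check would load a full one.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "secret"}


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw each character from the OS cryptographic RNG (secrets), never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet size).

    15 random alphanumerics give about 89 bits, far beyond any dictionary attack.
    """
    return len(password) * math.log2(alphabet_size)


def check_password(password: str) -> list[str]:
    """Return the reasons a candidate password fails the newsletter's advice (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common English word")
    return problems


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, f"({entropy_bits(candidate):.0f} bits)", check_password(candidate))
    print("xUL32eExaSS8 ->", check_password("xUL32eExaSS8"))
```

Note that the newsletter's own sample, xUL32eExaSS8, is only 12 characters and so falls short of the 15-character rule the check enforces.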
In summary, web security is a multi-layered and continuous process.
Request a free estimate today, and work can start within a few days.