By staff blogger Andrew Blyth
Many people claim that computer and online security is unnecessary and geeky. Yet these same people have locks on the doors of their house, locks on their windows, their garages, their mailbox, their car, and they have security features on their bank accounts. They even have curtains on their windows, fences around their property, and an expectation that their home privacy is respected. They will even call the police if some creep is seen peering through their windows at night. Online privacy has the same needs: curtains to obscure your activities, locks on personal information, locks on email access, and management of information.
There are a number of things everyone needs to do. In this series of articles, which will be published over the next twelve months or more, we will explore this topic and present some practical advice. This article will introduce SSL certificates. Future articles will explore secure passwords, VPNs, antivirus and anti-spyware software, online behaviour (including issues of social engineering attacks), trusted and public wifi, website security, trusted and unprotected web services, and more.
Secure Sockets Layer (SSL) certificates are a system to protect secure information. Let’s say you are sitting in your favourite classroom, using wifi with your favourite laptop or tablet in hand, and you sign on. It could be any website: your own, your email, a social networking site, a cloud storage site, whatever. Without SSL, a hacker with very minimal skills (let’s say, a student of yours) can easily see your password. Let’s say your password is “fluffykittens001”; that student will first giggle, but then keep his/her mouth shut.
Later that night, you get a phone call from a friend saying that they saw “those photos” on Facebook, how disgusting! Then you check your phone messages, and see similar responses. You turn on your computer at home and find a bunch of emails from friends and family expressing a range of shock, disgust, and perhaps unusual delight. You finally sign in to Facebook and see a whole bunch of offensive photos plastered across your wall. “How could this happen?!”
There are perhaps two issues here. Firstly, you use one password for everything. The student probably guessed that your Facebook and other websites use the same password. Secondly, the password sent to the website you signed on to during class was not encrypted, and so it was in plain sight. Nowadays, web browsers like Mozilla Firefox and Google Chrome show whether or not the website uses an SSL certificate. If the website has an SSL certificate, even a basic one, the browser will show this with a green lock in the address bar (see the image above). Look at the top left of this window: HelloSpace.Me relies on SSL, and so should your own website. If a website doesn’t have a green lock, change the address prefix from http:// to https:// and see if the green lock appears. Adding the ‘s’ sends the traffic through the secure port of the site.
There are many other simple explanation videos like this on YouTube.
SSL certificates do not encrypt all the traffic, but what they encrypt should include important secure information like usernames, passwords, credit card numbers, and even the contents of the website, so that eavesdroppers cannot see what you are reading. SSL certificates are also a confirmation that you are connected directly to the website, and not to some intermediary posing as that website and monitoring its traffic. That way, when you buy a poster at FluffyKittens.Com, you are really connected to only that website, and not ScamArtist.Com/FluffyImposter.
The Wikileaks Vault7 release was important and interesting (see here). It showed that not all SSL systems are the same. Firstly, the world’s most popular SSL system, Verisign, turned out to be the most hackable. Recently, it was revealed that Symantec employees even sold copies of Verisign SSL certificates to criminals so they could pose as intermediaries to legitimate websites. This means that you might have thought you were updating your subscription to The Fluffy Kitten Magazine, when in fact you were signed on to an imposter website, and they got your credit card information. Secondly, the CIA described Comodo as a “pain in the posterior”, in other words, the most secure. Consequently, we do not sell Verisign any more, and we prefer and promote even the cheapest and simplest Comodo SSL.
We don’t have our own video yet, but we will soon. This link shows you a variety of ways to install a Comodo Certificate in cPanel, so you can protect your own website and sign-in credentials. Soon, we hope to add an auto-installation feature to make things easier for you.