SSL is one of the most important technologies in use on the modern web. It enables all kinds of business, collaboration, commerce, activism and communication to happen securely, and the Internet couldn't thrive without it. Yet for the average person, alongside domain name registration and management, obtaining and renewing SSL certificates has always been one of the least accessible and convenient parts of having a website.
So I was particularly proud when a year ago my employer Automattic became a sponsor of the Let's Encrypt initiative and even more proud earlier this month when we rolled out free SSL for all domains hosted on WordPress.com, using Let's Encrypt certificates. All of a sudden a huge portion of the world's websites were using SSL to make sure communications between site owners and users are encrypted and secure - amazing!
Let's Encrypt is itself pretty amazing. A bunch of industry experts got together and decided it was time to make the process of obtaining SSL certificates free, automatic, secure, transparent, open and cooperative. This is a long way from what it looked like in the late 1990s, when just a few "certificate authority" options existed, you could expect to pay $100 or more for a certificate, and the application process was painfully slow and analog (think faxing your corporate articles of organization and a photocopy of your driver's license to a call center somewhere), and that's all before you had to mess around with recompiling or reconfiguring Apache to use SSL on your site(s). Even with Let's Encrypt and other modern options some of the concepts and steps remain too technical for many site owners to tackle, but it's getting better all the time.
I'm used to paying around $10/year for SSL certificates on a few of my personal sites, and I actually haven't minded that price point given that the rest of the process has been pretty easy for me to manage. But I recently decided to try using a Let's Encrypt SSL certificate on a site that didn't have one yet, and I'm sharing the steps involved here.
Continue reading Let's Encrypt SSL certificates on cPanel hosted sites
You need to be using two-factor authentication (2FA) for your online accounts that matter.
In the past, 2FA was a kind of geeky thing that only the most security-conscious would bother with. Today, it's essential that anyone storing sensitive information online or using online services for anything remotely important uses 2FA.
It's an imperfect security mechanism and there are things about it that are inconvenient, but for now it's the best intermediate option for protecting against unauthorized access to your accounts and your information. Using it is much less inconvenient than trying to recover from having someone take your money, abuse your identity, or access your private data.
Continue reading Two-factor authentication
After ranting recently about the choices we make to give "big data" companies access to our private information in ways that might be abused or exploited by government eavesdroppers, I thought it would be worth sharing some of the options I've found for using "the cloud" while also retaining a reasonable level of control over access to the data stored there.
This post has information about tools and software you can deploy yourself to approximate some of the functionality that third-party services might provide, but that might also expose you to privacy and security vulnerabilities. It's based on my experiences designing and implementing solutions for my own company, so it's mostly applicable to the interests of businesses and organizations, but may also be useful for personal projects.
A few important disclaimers: any time you make your personal or corporate data available on Internet-connected devices, you're creating a potential privacy and security vulnerability; if you need to keep something truly protected from unauthorized access, think hard first about whether it belongs online at all. Also, the tools and services I'm listing here are harder to set up and configure than just signing up for one of the more well-known third-party services, and may require ongoing maintenance and updates that take time and specialized knowledge. In some cases, it requires advanced technical skills to deploy these tools at all, which is the reason most people don't or can't go this route. Hosting and maintaining your own tools can often have a higher initial and/or ongoing cost, depending on what financial value you assign to data privacy. Sometimes the privacy and security tradeoffs that come with using a third-party service are well worth it.
Still interested in options for using the cloud without giving up control over your data? Read on.
Email and Calendar Sharing
Need a powerful, free email account? Need robust calendar management and sharing capabilities? Everybody uses Gmail and Google Calendar, so just sign up for an account there, right? Unless you don't want Google having access to all of your email communications and usage patterns, and potentially sharing that information with advertisers, government agencies or other entities.
Continue reading Use the cloud, keep control of your data
As revelations continue about the US Government capturing and monitoring online activities and communications, I'm glad (and, ok, only a little bit smug) to see that more conversations are happening about just what privacy expectations we should give up by using modern Internet tools and services.
Most of the mainstream conversation has been focused on what information "big data" companies like Google, Twitter, Facebook and Apple do or don't hand over to the government and under what circumstances, and debating where those lines should be.
A certain amount of naiveté about the security and privacy implications of the tools we use is understandable here. When I've given presentations on email privacy and security issues, some attendees are legitimately gasping at the new understanding that their e-mail messages are traversing the open internet as plain text messages that can potentially be read by any number of parties involved in the management of those servers and networks. The average user probably assumes that the Internet was designed from the ground up to be a robust and secure way of conducting financial transactions and sending suggestive photos of themselves to amorous contacts.
Continue reading I have read and agree to the terms of service
I come to you today a recovering password management hypocrite.
I have over 190 accounts and logins for which a password or PIN is a part of my access: website tools, online banking, social media, email, internal company tools at Summersault, and so on. I used to pretend that I was maintaining the security of these accounts by having a reasonably strong set of passwords that I re-used across multiple sites, sometimes with variations that I thought made them less likely to be broken into if someone did happen to compromise one of my accounts.
But as I prepared to give a talk in December about email privacy and security issues, and really stepped back to look at my own password management scheme, I realized just how much pretending I'd been doing, and just how vulnerable I was making myself to the increasingly well-equipped and highly-automated attempts at compromising accounts, stealing identities and stealing funds that are being launched every day. I went and tested some of my passwords at the Password Strength Checker, and I was ashamed. The potential impact of this really hit home as I read Mat Honan's personal tale of woe and his follow-up piece Kill the Password in Wired magazine. Add in Passwords Under Assault from Ars Technica and you'll be shaking in your boots.
So I decided that I was not going to be that guy who goes around telling people about how vulnerable they are with their simplistic password schemes while quietly living a lie in my own password management scheme. I might still be hacked some day, but I would not be found giving some teary-eyed interview to Oprah where I whined about how the pressure of the 190 accounts to manage just got to be too much and how I knew using a simple dictionary word plus a series of sequential numbers was wrong but I still didn't do the right thing.
That's when I found 1Password from AgileBits, a password management tool that alleviates the horrors of password management.
Continue reading 1Password alleviates the horrors of password management
A number of mainstream magazines and newspapers have recently published reports on the increasing threat of "cyberwarfare," the significant resources being devoted to fighting that "war" and what we're doing to protect the critical national asset that is our digital infrastructure.
Unfortunately, most of the responses (and the ones favored by the Obama administration) are focused on paying insanely large amounts of money to private contractors to create and deploy complex technological solutions in hopes of addressing the threat.
What advocates of this approach fail to appreciate is that (A) most of the actual threat comes from uneducated human operators of the technology in question, and (B) deploying homogeneous, technologically complex solutions often makes us more vulnerable, not less.
Continue reading Unhelpful responses to cyberwarfare
As an employer, my company Summersault is required to withhold and then turn in federal taxes from our employee paychecks. In the past we've turned in those withheld funds by printing out a check, walking it a block down the street to the bank, and getting a receipt.
I recently took the IRS's advice and inquired into enrolling in "EFTPS" - Electronic Federal Tax Payment System. (It's too bad they didn't call it something really cool like "Maximum Velocity Pay" or "Blue Tiger," but I guess EFTPS is at least accurate.) The idea behind EFTPS is that it will save you time and simplify payment and filing of federal taxes. So far, here's what the process has involved:
Continue reading Super ultra mega-secure EFTPS enrollment