Website SSL (Security)

Just a quick update regarding the security of this site.

A few of you took the time to let me know that the site was misbehaving today. Thank you very much for doing so.

My SSL certificate had expired, so what was happening is that your web browsers were trying to connect to a website with an invalid (expired) SSL, which most web browsers identify as a potential threat.

Problem solved

I have now purchased and installed a new SSL and the site is secure once again ūüôā

Green lock = https = secured by SSL = no intermediary can see your login details.

Moreover I finally installed a plugin on the site which will auto redirect people visiting the http: version of the site to the https: version.

In other words, the site is even more secure now than it has been for the past twelve months. This is because if somebody attempts to visit the non-secure version of the site (http) they will be auto-redirected to the secure version (https). This means there should be no accidental use of the insecure version of the site.

SSL and HTTPS

For those of you who may be wondering, ‘what the hell is he talking about?’ it basically works like this:

The ‘s’ in https stands for ‘secure’, and it indicates that a website has an SSL certificate installed. The main benefit of SSL certification is that it encrypts the information being sent between your computer and the website you are using. This means that intermediaries (such as the router of the wifi connection you are using) cannot see/understand what info you are sending back and forth between the websites you use.

In other words, if you were to log in to http ://johnlebon.com at a cafe (for argument’s sake) then whoever operates the wifi at the cafe could access your username and password for this site. If they had even a basic knowledge of computer networking it would be a piece of cake for them to see your username and password in plain text.

They could NOT access your paypal details, because these are handled by PayPal i.e. offsite. I have no access to this information and neither does my website.

What they COULD access is your username and password for this website, which this website obviously does have access to (these details are used by the site to verify your login).

By using an SSL, your username and login are effectively scrambled between your computer and the server this site is hosted on. The router would only see a string of random numbers and letters.

Therefore if you tried to log in to this website during the few hours the SSL was expired, I recommend you change your password.

In fact if you have not done so for a while, it is probably worth updating your password anyway.

Contrast with insecure sites

I also recommend that you avoid using (or at least exercise caution with) websites which do not utilise SSL.

One pertinent example is Fakeologist.com

If you visit Ab’s site you will notice that there is no green lock in the address bar. That green lock (which you WILL see on my site and every other site with SSL) is a simple but effective indicator that any info you send between your computer and the website in question is encrypted i.e. scrambled i.e. secure.

This does not mean that Ab is up to anything nefarious and it does not mean that if you use his site you are in any danger of being ‘hacked’. What it does mean is that when you log in to his site, your username and password are available to any intermediaries (eg cafe wifi routers).

If you ever accessed his site while at your local cafe, for example, then whoever has access to the router at that cafe also has access to your username and password for fakeologist.com

I’m not trying to pick on Ab or his website. I’m just using Fakeologist.com as an example of an insecure website to illustrate the difference between those with SSL security and those without.

Thank you Lucas

I knew practically nothing about any of this until precisely one year ago, when I arrived at Lucas’ house in preparation for the first attempt at getting to Winton for the Dinoskeptic trip.

Lucas knows a thing or two about infotech and he asked me why I didn’t have SSL on my site. I told him honestly that I thought/think encryption was/is a load of crap and that TPWRTS could access any info they want from the internet since it is their creation (as is SHA-256 encryption technology).

He then explained that even if this were true, by not having an SSL on my site it meant that anybody could see my username and password if they could access intermediary routers. He then showed me my own username and password for this very website, which I had accessed via his home wifi. I still remember being taken aback by that. I had no idea that without SSL all of the information we access/share with a site was available to whoever controlled the router/network in plain text.

Right there on his laptop screen. My username and password. Which meant that every single home/cafe wifi I had used to log in to my site also had access to the administrator account of the website I had spent so much time building.

Lucas had instantly convinced me of the utility of SSL and helped me install a certificate within minutes. That SSL expired some time in the last few hours, which is what led to the problems some of you experienced accessing the site, which is why I have just installed a new SSL, and what led to this post in the first place.

In other words, the benefit of SSL (in my eyes) is not about avoiding TPWRTS accessing my info. I still believe they probably can access anything they want (even if Lucas thinks otherwise). SSL for me is about avoiding the admins of home/cafe wifi networks having access to my login details (and the login details of the users of this website).

Amazing to think that it has been a full year since I rocked up to Lucas’ place with a view to heading out to Winton. How time flies.

TL;DR

i) This website had usability issues earlier today due to an expired SSL certificate.

-> Thank you to those of you who took the time to let me know.

ii) I have since purchased and installed a new SSL so the website is secure once again.

-> This is evidenced by the green lock you should see on my homepage (and most importantly on the log-in page).

iii) Even if (as I suspect) nothing is really ‘secure’ on the internet, SSL does indeed at least scramble login details so intermediaries (i.e. house/cafe routers) cannot see them.

-> This means that the network admin of your local cafe cannot access your account on this website simply by viewing the data passed by the router.

iv) Even if this website did not have an SSL, your banking details are always safe because they are handled offsite by PayPal i.e. they never actually pass through this site.

-> All PayPal does is send my website a notification that [insert username] has signed up/cancelled. No banking details ever pass through my site/server.

v) If you were not previously aware of https vs http and the green lock next to the web address, I recommend you look into it and avoid (or at least practice caution when using) sites without SSL.

-> This 100% includes my own site, and if you ever fail to see the green lock next to johnlebon.com, I advise you to NOT log in.

–> You can troubleshoot by typing https://johnlebon.com into the address bar yourself (i.e. attempt to reach the secure site manually by using https rather than http), and if this fails, please notify me and I will address the problem ASAP.


Thanks again to those of you who were so quick to let me know. I would have figured it out pretty quickly myself — I’m at the cafe today, working on the operation, just like usual —¬† but the fact that you took a few moments out of your day to let me know just in case means a lot to me. Cheers.

 

Leave a Reply