Tuesday, December 26, 2017

Mapping out a tentative plan to make all my sites https (if realistic)

In early January 2018, I will look into the possibility of making my remaining sites https.
Bluehost now has a link on the issue.  What I don’t know yet is whether this can be applied to more than one domain on one account (with addons).  In the past only one account could be https.   Here is a clue to how it might work that I found.  It sounds like this would have to be planned carefully (dealing with possible internal server errors), and would take time and labor. 

Electronic Frontier Foundation has a link on this issue, but I have not yet looked into how it would apply in my situation. 
Electronic Frontier Foundation has a product with the trade name “HTTPS Everywhere” which you can install in some browsers, link. But I don’t know how this affects access to all sites.

Google would need to weigh in on the issue of https for “Blogger” blogs linked to domain names. 

Google however has weighed in on the desirability of making all sites (not just those requiring log-in or doing transactions and passing or storing PII) https.   So I would expect to see progress on this question soon. 
Search engines are starting to prefer https. I can tell that now by noticing results on searches I do often. 

I’ve had some issues on my old legacy flat-html site doaskdotell.com with IIS permissions leading to 503 errors.  I don’t see a direct connection to https, but the errors could come as an automated way for IIS to shut down a DDoS attack within an application pool at a shared hosting provider (story). I will look into whether to get SSL for this in January.
Furthermore, in an era without net neutrality, we could face a day when telecom providers will screen out domains that don’t have https.  That would at least make economic sense, to me.
One interesting issue for me is that my two providers (BlueHost and Verio) now belong to Esurance, the same owner (check Wikipedia).  Maybe there could be some savings by consolidating onto one of them. But again, could mean a lot of work. 

Monday, December 18, 2017

Be careful about the mechanics of how Twitter private messages work on your iPhone

I had an occasion tonight where someone sent me a direct message on Twitter.  I was in a McDonald’s and tried to reply on the iPhone.  Twitter converted it into a public tweet and chopped it at 140 characters.   I had to delete the tweet and send the message again when I could get to a regular laptop.
If you leave your normal tweets public, be wary of how it works on an iPhone (6 in my case) if you want to respond to a private message.  It may not remain private.  The Twitter direct message is supposed to be more like email than a public post (not quite like Snapchat).

At least my account survived the supposed “Twitter Purge” today.

Wednesday, December 13, 2017

Travelers need to beware leaks in RFID security

IBM has an article warning travelers to beware of their security in hotels with magnetic key locks using RFID technology (radio frequency ID).

There are a number of dark web tools which can break them or hack components on mobile phones.
High-profile people are more likely to be targeted.

I sometimes simply put laptop computers away and out of sight in hotel rooms when traveling.  If I have a rental car for the day, I tend to take them with me.  I may want them to blog anyway.

The article mentions Faraday cage technology to protect access cards and credit cards (a microcosm of the EMP threat). 

Recently, my own car access key triggered the alarm of the next car in a garage.  While I’m at it, I’ll note how easy it is to get in the wrong car that looks like yours on the road.  One time I did this by accident in a sudden summer thunderstorm. The unlocked car had the same newspapers, road atlas, and clutter on the front seat, amazing coincidence.  I didn’t notice the apartment tag for a whole minute. 

You play on the road, you can't get a walk-off win.  You need your bullpen. 

Saturday, December 09, 2017

Will telecom providers (without net neutrality) buy their own anti-virus companies and enforce their own standards for sites that can connect?

I wanted to note that I’ve noticed that occasionally Trend Micro ratings of websites slip back from green to untested.  This has happened to one of my WordPress sites, and to other reputable sites belonging to individuals whom I know.

Sometimes this may happen after sites undergo major restructuring, with elimination of old links and adding many new ones.

I also wanted to mention that I’ve been keeping an eye on the “https everywhere” issue.  On Nov. 13 I discussed Blogtyrant’s long-winded advice on this issue, which appeared rather suddenly (I had prodded Ramsay on this matter several times).

In the short run, I don’t think that sites that don’t take personal information, do financial transactions, or require login present a risk without SSL.  But remember Ramsay encourages webmasters to seek out customers and offer email sign-on, which is going to require more confidence from subscribers.

Other observers encourage SSL because in many parts of the world people cannot visit the web without being spied upon by governments.  That is one reason why Electronic Frontier Foundation has pushed “https everywhere”.

I bring this up again today a bit speculatively in conjunction with the ending of “net neutrality as we know it” after a Dec. 14 vote.  Actually, the issue will probably be litigated for a long time (as far as the most doomsday predictions go, of how telecom companies would milk small business, for which I don't see a genuine economic incentive).  But one development that looks pretty likely (economically, even) to me is that telecom providers will buy their own web security companies and offer their own anti-virus, and courts will almost certainly say that this is OK.  They already offer their own home security (I use Cox), which probably sounds like a good thing for consumers, but requires a lighter touch from regulators to be available.

This sounds important to web publishers because telecom companies would then probably offer to block sites that don’t have green ratings from their own anti-virus providers.  As I noted before, these ratings are often fickle.  The companies might have to be more transparent on how they assign ratings (which in turn could invite subversion or compromise by overseas criminals).  They might have to review new sites sooner, but this could open up the idea of standards that a site needs to meet to be viewed as “legitimate”, a potential problem for small business.

The other requirement, of course, is that a telecom company could refuse connection (or offer to refuse it) to any site not “professional” enough to offer https.  (Although until relatively recently many newspapers didn’t offer https on ordinary stories:  it was paywalls that got them into doing this.)

That’s a problem for someone with multiple domains, if the hosting provider allows only one addon (per account) to do https.  This has been the case for BlueHost, but I see now that BlueHost has a link for activating it (even “free”).  I will check whether this works for multiple addons (Bluehost links them to a master domain through an internal A-record structure) and report soon (by early 2018 at the latest).
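Whether each add-on domain really ends up on https is something you can verify from outside rather than take on faith from the hosting panel. The script below is an added example, not the blog author's code and not anything from Bluehost; it knows nothing about any provider's add-on mechanics. For each host name it checks three things a migration has to get right for every domain, not just the primary one: the TLS handshake succeeds with a certificate that validates for that exact name, plain http redirects to https, and the https response sets a Strict-Transport-Security header. The judgement is a pure function separate from the network probe, so it can be tested on constructed observations.

```python
"""Check which of several hosts are actually ready to be served over HTTPS.

Added example; not the blog author's code and independent of any hosting
provider. observe() probes one host over the network; judge() turns the
observation into findings without network access.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Observation:
    tls_ok: bool                        # handshake + certificate validation succeeded
    tls_error: str = ""                 # why not, if it failed
    http_status: Optional[int] = None   # status code of plain-http GET /
    http_location: str = ""             # its Location header, if any
    hsts: str = ""                      # Strict-Transport-Security header over https


def judge(host: str, obs: Observation) -> dict:
    """Turn one host's observation into findings (pure; no network access)."""
    host = host.lower()
    target = urlsplit(obs.http_location)
    redirects = (
        obs.http_status in (301, 302, 307, 308)
        and target.scheme == "https"
        and (target.hostname or "") in (host, "www." + host)
    )
    return {
        "host": host,
        "https_available": obs.tls_ok,
        "http_redirects_to_https": redirects,
        "hsts": bool(obs.hsts),
        # "ready": a visitor typing the bare name lands on a validly secured page
        "ready": obs.tls_ok and redirects,
        "note": obs.tls_error,
    }


def observe(host: str, timeout: float = 5.0) -> Observation:
    """Network probe for one host (not exercised by the offline test)."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    obs = Observation(tls_ok=False)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                obs.tls_ok = True
    except (OSError, ssl.SSLError) as exc:
        obs.tls_error = f"{type(exc).__name__}: {exc}"

    try:  # plain http, without following redirects, to see where it sends visitors
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        obs.http_status = resp.status
        obs.http_location = resp.getheader("Location", "") or ""
        conn.close()
    except OSError:
        pass

    if obs.tls_ok:
        try:
            conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
            conn.request("GET", "/")
            obs.hsts = conn.getresponse().getheader("Strict-Transport-Security", "") or ""
            conn.close()
        except OSError:
            pass
    return obs


def report(hosts):
    """Probe each host and return one findings dict per host."""
    return [judge(h, observe(h)) for h in hosts]


if __name__ == "__main__":
    import sys
    for finding in report(sys.argv[1:] or ["example.com"]):
        print(finding)
```

Run it with the primary domain and every add-on domain as arguments; a host that reports `https_available` true but `ready` false is serving a certificate yet still leaves plain-http visitors on http, and a certificate issued only for the master domain shows up as a hostname validation error in `note` for each add-on.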

Sunday, December 03, 2017

Phishing emails now threaten Apple account suspension

I continue to get a lot of phishing emails claiming to be from Apple and saying that I purchased services and games in third world countries, never showing up on a credit card statement.  I don’t know if it hurts me if somebody impersonates me in Indonesia or Kazakhstan.

But today I got one claiming my Apple account was about to be suspended.   The domain had a .nl TLD.  Many of the emails come from “my.com”. 

I forwarded these to reportphishing@apple.com.
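The tells in messages like these are mostly in the headers: a display name or subject that names Apple while the sending address, Return-Path and links point at unrelated domains or a bare IP address. The script below is an added example, not the blog author's code and not anything from Apple; it parses a raw message and reports those header-level mismatches, which is what a recipient or mail admin would note before forwarding to an abuse mailbox. The sample message, the brand-to-domain table and the domains in it are constructed for the demo.

```python
"""Header-level triage of a suspected brand-impersonation email.

Added example, not the blog author's code. The sample message and the
BRAND_DOMAINS table are constructed for the demo.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed (hypothetical) table: brand keyword -> registrable domains it sends from.
BRAND_DOMAINS = {"apple": {"apple.com"}}

# Constructed sample modelled on the pattern the post describes.
SAMPLE = b"""\
Return-Path: <bounce@example-bulk.com>
From: "Apple Support" <no-reply@example-mailer.nl>
Reply-To: verify@example-mailer.nl
To: recipient@example.net
Subject: Your Apple ID will be suspended
Content-Type: text/plain; charset="utf-8"

Your account will be suspended unless you verify it at
http://203.0.113.10/verify within 24 hours.
"""

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable(domain: str) -> str:
    """Last two labels of a host name. Deliberately naive: it does not consult
    the Public Suffix List, so two-level public suffixes (co.uk) are misjudged."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw: bytes) -> dict:
    """Parse one raw message and return the brand it claims plus mismatch flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))

    # Which brand does the message claim to be? Look in display name and subject.
    haystack = f"{display} {subject}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in haystack), None)

    flags = []
    if brand and registrable(from_dom) not in BRAND_DOMAINS[brand]:
        flags.append("from-not-brand-domain")

    # Bounce and reply addresses that go somewhere other than the From domain.
    for header, flag in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        addr = parseaddr(str(msg.get(header, "")))[1]
        dom = addr.rpartition("@")[2].lower()
        if dom and registrable(dom) != registrable(from_dom):
            flags.append(flag)

    # Links in the plain-text body: bare IP hosts or hosts off the brand's domain.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for link_host in re.findall(r"https?://([^/\s]+)", body):
        link_host = link_host.split("@")[-1].split(":")[0]  # drop userinfo and port
        if IP_LITERAL.match(link_host):
            flags.append("ip-literal-link")
        elif brand and registrable(link_host) not in BRAND_DOMAINS[brand]:
            flags.append("off-brand-link")

    return {"claimed_brand": brand, "from_domain": from_dom, "flags": sorted(set(flags))}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with no flags is not proof of legitimacy (a sender can forge a From address unless the receiving server checks SPF, DKIM and DMARC), but a message that names a brand and fails several of these checks at once is exactly the kind worth forwarding to the brand's reporting address rather than answering.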

I do note that Apple now enforces two-step verification to sign on to iCloud on a laptop or desktop.  For some reason, my photos haven’t backed up since Oct. 1, even though I have separate WiFi from Cox on my phone when at home.