Wednesday, April 18, 2018

Russian router hacks could even target home and small business users


Dan Goodin, of Ars Technica, has a somewhat detailed account of the recent reports from DHS and FBI and the UK’s National Cyber Security Centre, noting that the reported Russian hacking of corporate routers may well include small business and even some home office routers.
  
The story was released April 16 and was reported on WJLA (a Sinclair station) local news early Tuesday.
  
The Ars Technica story emphasizes homeowners having older firmware and not always maintaining routers properly.  Some security experts say that cable company routers should be restarted once a month to reinstall any firmware, but I find that cable companies usually force maintenance in the early AM hours (leading to brief outages).
  
  
But some observers see this report as sinister.  Compromised routers could facilitate “man in the middle” attacks, and could provide some of the push for all websites (even those that do not require login or sell anything) to use https.  They could provide ways for hackers to steal financial data or trade secrets or to stage novel kinds of terror-like attacks targeting ordinary people, although this doesn’t seem to have happened.  But the North Korea attack on Sony in 2014 might be a paradigm to follow.

Tuesday, April 17, 2018

More on fixing legacy webpages for https everywhere



Here is some more information on the progress to enabling https, at least on my domains.

On Blogger, the three custom domains automatically convert to https if you enter http.  The thirteen other blogs as “blogspot” simply accept https.  I suspect that Google will force these to redirect before July for the Chrome 68 implementation.

My four Wordpress custom domains through Wordpress all accept https.  They can be accessed with http, but will work with “Let’s Encrypt”.  Bluehost offers pingbacks when you make hyperlink references among these domains.  Pingbacks generated after the https certificates were implemented and propagated (as positive SSL) become https.  Older pingbacks right now are still http.  If you want to review the pinged site you have to enter https yourself in the browser, then you can see it under SSL (I just tested it).  This is not ideologically perfect, but I suspect this will be OK in July.

I haven’t gone through the Wordpress blogs and converted all the internals to https, although there really aren’t that many, fortunately.  Right now the user can insert the https on older links.
   
Google’s link (mentioned April 1) recommends that users deploy an Open Source tool called Lighthouse  to “clean up” their web pages.  This might take a long time for bloggers with a huge inventory of legacy pages, as I have.  Ramsay Tamplin (“Blogtyrant”) made similar recommendations with a different technique that I linked to here on November 13.

I have purchased a positive SSL certificate for my verio legacy doaskdotell.com domain.  So far it has not been propagated.  There is a massive number of hardcoded links within this very old site.  They could be changed by gang edits to relative links (as here).  I don’t think I will get to this right away, however.  I’ll keep everyone posted.

It is also worthy of note that Google Blogger no longer will publish posts with video embeds that include http (as opposed to https) code. 
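
The gang edit described above, as an added example that is not part of the original post: a Python sketch that rewrites hard-coded http:// links to the page's own site as root-relative links and upgrades http:// embeds and other subresources to https. The function name, the example.com hostnames and the sample HTML are constructed for illustration, and the upgrade assumes each third-party host actually serves HTTPS.

```python
import re
from urllib.parse import urlsplit

# Opening tags, and src/href attributes holding a hard-coded http:// URL.
TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)\b([^<>]*)>")
ATTR_RE = re.compile(r"""(?<![\w-])(src|href)(\s*=\s*)(["'])http://([^"']*)\3""", re.I)

# Constructed sample page (example.com names are placeholders).
SAMPLE = '''<p><a href="http://www.example.com/movies/review1.htm#top">Review</a>
<img src="http://www.example.com/images/cover.jpg">
<iframe width="560" src="http://video.example.net/embed/abc123"></iframe>
<a href="http://news.example.org/story">Outside story</a></p>'''

def migrate_html(html, site_hosts):
    """Return (rewritten_html, findings); site_hosts = hostnames serving this page."""
    findings = []

    def fix_attr(tag, m):
        attr, eq, quote, rest = m.groups()
        old = "http://" + rest
        parts = urlsplit(old)
        if (parts.hostname or "").lower() in site_hosts:
            # Same site: a root-relative link inherits the scheme the page was loaded with.
            new = parts.path or "/"
            new += "?" + parts.query if parts.query else ""
            new += "#" + parts.fragment if parts.fragment else ""
            kind = "same-site"
        elif attr.lower() == "src" or tag == "link":
            # Third-party subresource (image, script, iframe embed, stylesheet):
            # loading it over http from an https page is mixed content.
            new, kind = "https://" + rest, "mixed-content"
        else:
            return m.group(0)  # plain outbound <a href>: navigation, not mixed content
        findings.append((kind, tag, old, new))
        return f"{attr}{eq}{quote}{new}{quote}"

    def fix_tag(m):
        tag = m.group(1).lower()
        attrs = ATTR_RE.sub(lambda a: fix_attr(tag, a), m.group(2))
        return f"<{m.group(1)}{attrs}>"

    return TAG_RE.sub(fix_tag, html), findings

if __name__ == "__main__":
    out, found = migrate_html(SAMPLE, {"example.com", "www.example.com"})
    for kind, tag, old, new in found:
        print(f"{kind:13} <{tag}> {old} -> {new}")
    print(out)
```

Review the findings list before writing files back: every "mixed-content" entry is a third-party URL whose https version should be loaded once to confirm it works.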

Friday, April 13, 2018

All my blog custom domains (Wordpress and Blogger) now have https enabled



I have updated all four (the three remaining) Wordpress blog domains and the three Google custom domains.
  
The Google domains were easy. You just check a box in settings for each corresponding Blog, wait about an hour for propagation, and then check a second box to autoconvert all accesses to https.
   
For Bluehost Wordpress hosting, now you can do multiple domains within one cPanel.
  
One of the domains had minimal SiteLock protection, and that one took the free SSL certificate. Two others, that are newer, have SiteLock CDN (similar to Cloudflare). For these, you have to pay for Positive SSL (about $5 a month) and assign a new IP address for the domain (or remember to ask the support technician to do so – not everyone knows this yet).  You then wait for the new IP to propagate. You can check the progress of the propagation on “whatsmydns.net”.  It helps to reload it a few times;  that seems to prompt progress.  The site will go to your BlueHost panel as a redirect or give database errors on https until the entire propagation all over the world is done.  During the propagation, it is possible for foreign servers, especially, to reject your IP address, but this will not prevent the rest of the locations from working.  There seems to be at least one server for every telecom company around the world.  There are many server sites in non-democratic countries.

I hope later that SiteLock will cause the automatic conversion to https to happen.  I am told it is supposed to.   
  
China blocked one of my domains (the movie reviews).  Maybe that’s retaliation for Trump’s tariffs, or maybe that’s because I had reviewed some films about dissidents (Weiwei).  I don’t think I threaten Xi Jinping’s being god-king for life.

I've noticed that Trend Micro, at least, does not automatically mark https versions of green http sites as green; it seems to view them as new domains.  This seems illogical. 

Sunday, April 01, 2018

Google Chrome orders publishers to get SSL on all their sites by July 2018, "or else"



Google is now advising web publishers that its browser Chrome will start marking sites as “unsafe” (so to speak) if they do not have security certificates accessed with https, in July 2018, as in this story.   Google's own link is here.
  
The Search Engine Journal offers analysis on Chrome use compared to other browsers.  But it would sound reasonable to wonder if other browsers intend to do the same.

The story (with a sublink) offers a guide for migrating a Wordpress site.  This looks like a time consuming process, but many blog sites probably don’t use a lot of the features of concern. 
  
Google says that the conversion is important even for sites that don’t do ecommerce or require user login.  This seems debatable.  But one problem is that sometimes unencrypted sites allow actors to insert ads (or even scareware) or possibly illegal content into the stream sent by a user, and this may not be picked up by an antivirus product.  It would be a good question whether Microsoft Windows 10, for example, could come up with other ways to disallow man-in-the-middle attacks.
Google first started talking about this in 2014, but the concern has really picked up since about the end of 2016.
  

There is a product called the Unified Communications Certificate (UCC) which GoDaddy, for example, explains here, for multiple domain names.  But Comodo systems explains other concepts such as Multi-Domain SSL and Wildcard SSL here.  It appears as of this writing that such a product on BlueHost would still require separate cPanels for each domain, but I will check further into this.
I usually announce my own plans on a secured Wordpress “doaskdotellnotes” blog (it has https).  I would anticipate trying to have my other three wordpress domains secured by the end of June, 2018. 

There is a lingering question on Blogger why Google custom domains (when equated to Blogspot blogs) cannot have these certificates.  Will Google change this before its new Chrome policy goes into effect?
  
See the notes at the end of the Jan. 8, 2018 post here