Saturday, April 2, 2022

Why SSL(TLS) is a must for all websites.

What is SSL/TLS?

SSL is the original protocol and TLS its successor; the names are still used interchangeably. Together they are the difference between a web page served over plain HTTP, which anyone on the network path can read and ALTER, and a page served over HTTPS, which is encrypted and authenticated by a certificate chain of trust, making it extremely difficult to read in transit and even more difficult to alter in any way without the browser noticing. If you want to know more, you can read more here.

To answer the questions of:

 - Why are some browsers making so much noise about your un-SSL'd site being untrustworthy?

 - Why does your unsecured site rank so low in the search engines?

Reason #1, the big one.

If your website doesn't have proper TLS/SSL encryption in place, then anyone who can intercept a reader's browsing (on a shared Wi-Fi network, at an ISP, or anywhere else along the path) can rewrite your pages in transit and inject whatever hostile code they want. That could be as simple as changing what the page shows ("this site hacked!"), or as quiet as silently serving the latest ransomware, or worse.

You want your readers to get the message you so carefully crafted, not something else. You don't want them to equate you with putting malware on their system.

Reason #2
There is a constant pile of malicious scanning going on all the time, and simply forcing your site to HTTPS makes a good portion of what hits your site just go away. One of my sites was getting many dozens of links a month from very dubious sites before I forced a switch to SSL; afterwards they just went away.

Then there is the whole cyberwar side of it, where you can be caught in the middle of the big players' games, as was clearly happening as part of a real hot war with the Russian invasion of Ukraine, written up at the Internet Storm Center, where an entire block of IP addresses was redirected away from Twitter to another set of servers for a portion of the world. With TLS in place, a reader whose traffic is redirected like that still has a browser that refuses to talk to a server that cannot present a valid certificate for your name; without it, the impostor simply serves whatever it likes. There are just too many ways to mount man-in-the-middle attacks.

So assuming you:

 - Don't want your readers scared away by the browser warnings

 - Don't want your readers to get used to clicking past browser warnings, a bad security practice, because your site taught them to

 - Don't want your readers' devices to become part of a hostile bot-net and/or worse.  

 - Would like (love?) your content to be more readily found by having a higher position in the search engines.

To get there

This is done on the web server itself, where you either pay for a certificate or use a free certificate service such as Let's Encrypt. First you want to make sure your site works with the certificate, so that you get the lock in front of your URL (aka address) in the browser; then you want to set it so that every attempt to come in unencrypted (HTTP, port 80) is redirected, normally with a permanent (301) redirect, to the encrypted side (HTTPS, port 443).

If you built your server yourself, it is time to RTFM: this is well documented for all web servers, and many others have written up the process. Your favourite search engine can also point you to resources.

If you are using a more typical hosted service, there is a very good chance the ability is sitting in your control panel, just waiting to be turned on. Automatic free encryption has been part of cPanel for a couple of years now (my hosters turned it on automatically for me), and a quick search shows that many of the others have a similar feature. So take a look at your control panel, use the knowledge base most hosters set up, or even contact your support to see how good they are.

There will be attempts to up-sell you to a higher grade of certificate. The encryption is the same whatever the grade; the higher grades (organization- and extended-validation certificates) differ only in how much the issuer verifies about who you are. If you just have a basic, low-volume static site, then there is no real value in the "enhanced protections". If you are gathering anything beyond comments and email addresses, such as e-commerce orders, then an actual purchased certificate makes some sense. If you do go with a purchased certificate, make sure your hoster manages it and that the update/renewal process they should have is automated, as certificates only last a year or less (Let's Encrypt certificates last 90 days and are meant to be renewed automatically).
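As a check that the setup above actually took, here is an added example (mine, not part of the original post or of any hoster's tooling) in Python: it asks port 80 for the front page and verifies the answer is a redirect to https:// on the same host, then opens a TLS connection on port 443, lets Python's default context validate the certificate chain and hostname, and reports how many days are left before the certificate expires, which is the thing to alert on when renewal automation has quietly failed. The site name, the 14-day threshold and the exit-code convention are my assumptions.

```python
"""Check that a site enforces HTTPS: port 80 redirects to https:// and the
certificate on port 443 validates and is not about to expire.
Added example; hostnames and thresholds are assumptions, not from the post."""
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

# Redirect codes a browser follows; 301/308 are the usual choice for a
# permanent HTTP -> HTTPS move.
REDIRECT_CODES = {301, 302, 307, 308}


def _bare(hostname):
    """Strip a leading 'www.' so the www/bare-domain pair compares equal."""
    return hostname[4:] if hostname.startswith("www.") else hostname


def redirect_is_to_https(status, location, host):
    """Pure check on a port-80 response: it must be a redirect whose Location
    is an https:// URL for this host (www. vs bare domain is accepted)."""
    if status not in REDIRECT_CODES or not location:
        return False
    parts = urlsplit(location)
    if parts.scheme.lower() != "https":
        return False
    target = (parts.hostname or "").lower()
    return _bare(target) == _bare(host.lower())


def days_until_expiry(not_after, now_ts=None):
    """Whole days until a certificate's notAfter, given in the string form
    ssl.getpeercert() returns (e.g. 'Apr  2 12:00:00 2023 GMT'); negative
    once expired. now_ts is seconds since the epoch (UTC), default: now."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return int((expires - now_ts) // 86400)


def check_site(host, timeout=10):
    """Live check against host; returns a dict of findings."""
    findings = {}
    # 1. Plain HTTP must answer with a redirect to HTTPS.
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        findings["http_status"] = resp.status
        findings["redirects_to_https"] = redirect_is_to_https(
            resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()
    # 2. HTTPS must present a certificate that validates for this name.
    #    create_default_context() checks the chain against the system trust
    #    store and the hostname; a self-signed or expired cert fails here.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                findings["tls_version"] = tls.version()
                findings["days_until_expiry"] = days_until_expiry(cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        findings["cert_error"] = str(exc)
    return findings


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumption
    result = check_site(site)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit so a cron job or CI step can alert on a regression:
    # no redirect, a failed validation, or under 14 days left (assumed threshold).
    ok = result["redirects_to_https"] and result.get("days_until_expiry", -1) > 14
    sys.exit(0 if ok else 1)
```

Run it as `python check_https.py yourdomain.example` from a machine outside your hosting network and put it in a cron job; a self-signed or expired certificate shows up as `cert_error` rather than a crash, and an expiry under two weeks is the sign that the automated renewal the hoster promised is not happening.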

Do you require any assistance in securing your systems? Perhaps we can help.


Sunday, October 17, 2021

Where have we been?

You have probably noticed that we have been missing for the last while; we can sum it up as a dementia journey, Covid-19, and now a possible second dementia journey.

Covid-19 is something that we have all dealt with in the last 18 months and for us we added a dementia journey on top of it.  The dementia journey started in depth in January 2020 and for my dad it ended in January 2021.  Now we are thinking that we may be dealing with a similar journey with my mom. 

We have tried to be present as much as possible on social media but some of our blogs, etc., have suffered.  Hopefully now we can start this new path and get back to being present and create new content.

 

Friday, October 18, 2019

Firefox's DNS settings

Managing Firefox's DNS settings rather than them controlling you.

Firefox does a few things intended to make your browsing experience better, but this isn't without its own issues. This article is about the things Firefox does with DNS, some of the issues with them, and how to manage some of it. Some basic understanding of DNS is required.

For starters, Firefox adds its own DNS layer, and the mere fact that it exists makes problems harder to troubleshoot:
  • It has its own cache that, by default, remembers a given DNS lookup for 60 seconds. Clearing your host's DNS cache does not clear this one, and I've seen it remember failures, which is the straw that pushed me to learn all of this.
  • It prefetches DNS for all the links on a page as the page loads. So if a page has many links, like my bookmark pages or my client site admin pages, it actually slows things down, in addition to effectively advertising what page you were on to whoever might be watching DNS traffic. Never mind all the additional traffic/packets to sift through when troubleshooting.

More recently, Mozilla has added a feature that sends DNS queries over HTTPS to a resolver of its choosing, aka DoH (DNS over HTTPS). While that is good for protecting otherwise easy-to-read DNS traffic from prying eyes on the local network, it does mean that Mozilla's chosen provider gets to see all of your browsing DNS traffic. Cloudflare is the current provider of this service for Firefox, and it is a changeable setting. So the question becomes which you trust more: your local DNS path, or Mozilla/Cloudflare? Mozilla's stated intention is to have DoH on by default in the future; for now they say they are 'just testing', and given the push-back they are sending mixed messages about it. ZDNet article on the downsides of DoH. A way of blocking Firefox DoH (Mozilla publishes a canary domain, use-application-dns.net; if the network's resolver answers NXDOMAIN for it, Firefox will not enable DoH by default on that network).


To see and possibly edit the settings for these, we need to get under the hood, where we can do damage if we fumble-finger anything. So the first thing you want to do is back up your Firefox profile. You can (and should periodically) back up the entire profile as per Mozilla Support.
  • I make a point of clearing my Firefox cache beforehand to keep the backup size manageable.
  • The file that gets touched in the following is prefs.js, so making multiple copies of this as you edit your settings is a good thing.

Steps to see/edit Firefox DNS configuration:
  • Type "about:config" in Firefox's address bar and press the Enter key.  
  • Accept the warning/risk and be very careful here.
  • On older Firefox (or newer, after clicking "Show All"): scroll down to the network.dns... entries about 3/4 of the way down. Note that the list is ASCII-sorted rather than alphabetically sorted, so a capital 'I' sorts ahead of a lowercase 'd'.
  • On Firefox 71 and later you get a search box instead: enter 'dns' to find the first set of settings below, then replace it with 'trr' for the rest.

The settings of note are:
network.dns.disablePrefetch
   I set this to true, as it doesn't make much sense for my use to have FF go and look up everything on a page when I only follow one link at a time.

network.dnsCacheExpiration
network.dnsCacheEntries
network.dnsCacheExpirationGracePeriod
   Setting either expiration or entries to '0' (zero) stops Firefox from caching DNS entries, leaving that up to your OS and upstream DNS server(s). Setting all three to '0' (zero) makes sure Firefox's cache is not being used.

network.trr.mode 0
network.trr.uri https://mozilla.cloudflare-dns.com/dns-query
   These are for DNS over HTTPS. Mode 0 is the default (off, unless Mozilla's rollout turns it on for you) and 5 is off by choice; 2 and 3 turn it on, with and without fallback to normal DNS respectively. The URI is the resolver the queries go to. For more about this setting, or for the easier/safer way to set it, see the "Enable DNS over HTTPS" checkbox in Firefox's Network Settings dialog.


Any changes appear to take effect immediately, so just close your about:config tab and proceed as normal. Some browsing may be faster, some may be slower, but either way you are that much more in control of your surfing.
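Rather than clicking through about:config one setting at a time, the same changes can be written into prefs.js (the file the backup section above names) by script. This is an added example of mine, not something from the post or from Mozilla: it parses the user_pref(...) lines, rewrites the ones listed, appends any that are missing, leaves everything else alone, and takes a timestamped backup first. The sample prefs.js content is constructed for the demonstration and the profile path in the comment is an assumption; Firefox rewrites prefs.js on exit, so run it with Firefox closed.

```python
"""Apply the DNS settings from this post to a Firefox prefs.js by script.
Added example, not Mozilla's tooling. Run with Firefox closed: Firefox
writes prefs.js itself on exit and would overwrite the edit."""
import json
import re
import shutil
import time

# The settings the post discusses, with the values I use: no link prefetch,
# no in-browser DNS cache, DoH explicitly off (mode 5; mode 0 is "off by
# default", which a later Mozilla rollout may flip on).
DNS_PREFS = {
    "network.dns.disablePrefetch": True,
    "network.dnsCacheExpiration": 0,
    "network.dnsCacheEntries": 0,
    "network.dnsCacheExpirationGracePeriod": 0,
    "network.trr.mode": 5,
}

# One prefs.js line looks like:  user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.+)\);\s*$')


def to_js(value):
    """Python value -> the literal Firefox writes (true/false, number, "str")."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return json.dumps(value)


def from_js(literal):
    """Inverse of to_js; prefs.js literals are valid JSON (true, 5, "x")."""
    try:
        return json.loads(literal)
    except ValueError:
        return literal


def parse_prefs(text):
    """prefs.js text -> {name: value}, ignoring comments and blank lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = from_js(m.group(2))
    return prefs


def apply_prefs(text, wanted):
    """Return prefs.js text with each wanted pref set exactly once: existing
    lines are rewritten in place (duplicates dropped), missing ones appended,
    and every other line (comments, unrelated prefs) is left untouched."""
    out, seen = [], set()
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in wanted:
            name = m.group(1)
            if name in seen:
                continue  # stray duplicate; keep only the first, rewritten
            line = f'user_pref("{name}", {to_js(wanted[name])});'
            seen.add(name)
        out.append(line)
    for name in wanted:
        if name not in seen:
            out.append(f'user_pref("{name}", {to_js(wanted[name])});')
    return "\n".join(out) + "\n"


def update_prefs_file(path, wanted=DNS_PREFS):
    """Back up prefs.js beside itself, then rewrite it. Returns the backup path."""
    backup = f"{path}.bak-{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copy2(path, backup)
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(apply_prefs(text, wanted))
    return backup


# Constructed sample of a prefs.js fragment, used only to show the rewrite.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.dns.disablePrefetch", false);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
"""

if __name__ == "__main__":
    print(apply_prefs(SAMPLE_PREFS, DNS_PREFS))
    # For real use (Firefox closed), pass your own profile's prefs.js; the
    # path below is an assumed example, see about:support for yours:
    # update_prefs_file("/home/me/.mozilla/firefox/abcd1234.default/prefs.js")
```

The rewrite keeps the trr.uri line and every unrelated pref exactly as Firefox wrote them, so the only diff against the backup is the handful of lines you meant to change, which is what you want when comparing copies after a fumble.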

Update 2019-12-15: After first writing this, Firefox made some nice changes in version 71 to how the about:config page works, and this is now included above. Further reading on the (anti-)competitive and network neutrality aspects of DoH shows how, for most of us, DoH is more pain than gain without much of the touted benefit.

Monday, May 13, 2019

iTech


iTech is an IT conference held twice a year in Toronto. The spring show is held up near the airport, and the fall show is held in downtown Toronto. There are benefits to both shows, and there are different vendors at each. This year there was a change, and we feel it didn't go as well as it could have.

The spring show this year decided to charge people to attend, which is something they hadn't done in the past. An initial email was sent out to past attendees, and you didn't have to pay if you signed up by a given date, which didn't look too bad. After that date the cost was $20, which included lunch, prize draws, and a reception at the end of the event. After a certain time the price would go up to $40, with the final price being $50 at the door.

We didn't think $20 was a bad price, and even $40 or $50 wasn't too bad considering the show and what you could get out of it. What started to get frustrating was the number of discount offers that went out after the $40 tier was reached. Most of the time, if you were receiving emails from iTech, you'd get a discount code taking the price back down to $20. What got me was that even on the day of the show there was a discount coupon, so even if you decided at the last minute to go, it was still $20 at the door. If you were going to give the discount, why not just keep the price at $20 and not do the pricing roller coaster? For someone who had paid the higher price, it would have been extremely frustrating to know that someone walking up could have got a lower price simply by being on a mailing list. What would have made more sense was for iTech not to send the discounts itself, and instead offer them as an option for the vendors/sponsors to send to their lists.

There are still so many people who think being able to get into a show for free is a given. Getting into some shows for free is nice, but accepting that there might be some cost is part of being in business. For a lot of business owners and employees the real cost is the time away from the office, but the benefit is learning what products and services could solve their business problems, making some other connections, and perhaps getting other business out of the conference. Each conference has its cost, and you need to weigh the benefits to ensure you are getting what you want out of the event.

For iTech, the biggest benefit for us is seeing what is new in the industry and meeting up with some of the vendors we have seen in the past to hear what is new. There are sessions offered, and they vary in level from the very basic to the more technical, so you have to read the descriptions to make sure a session is what you want.

iTech can be a good day of networking, and that is something you need to understand when you go. Expecting a lot of take-aways is not realistic. We have found that some years we get a couple of good ideas and other years we may not get many details, but we have seen what is new in the industry and reconnected with people we know to maintain those connections.

Our overall review of iTech this spring is that the price roller coaster was a bit frustrating and may have affected how people registered for the event. The number of vendors/sponsors was lower this year as well, and that might have also affected attendance. A few people said they wouldn't pay $20 to attend the show, even with lunch included, after going for years without having to pay at all.

Wednesday, May 1, 2019

Why we are here

Konecny Consulting's purpose is to help bring out the best in our customers.

This blog is to explore and share some of our observations, findings and views about the industry.  We hope to be able to show some of what we see at the various events and the industry as a whole.

Our posts will come as things happen rather than on a fixed schedule, so please subscribe via the available options so you will be notified when there are new posts.