posted in web on 19 June 2013
We all know that Johnny can't encrypt. And we know that since the end of the last century, since 1999 precisely.
Why is it that Johnny still can't encrypt in the year 2013?
Is it, because Johnny doesn't have enough money to buy good encryption software? Is it, because nobody did explain how email encryption works in terms Johnny can comprehend? Does Johnny lack the ability to use a computer or is it his ignorance? When using the internet, does he not wish to protect his privacy?
Well, there must be some very different reason that keeps Johnny from not using encryption, because open source, high quality encryption software is available for free for decades. Numerous experts have scrutinized this software extensively by now. The fear to use the wrong software, something with a nasty backdoor in it, is (provably) unfounded.
For decades people have explained the basics of encryption. Numerous times users like Johnny have been told that encrypting an email is not like locking your door. Surely, the matter is complex, but Johnny does not lack the ability to make informed decisions in other areas like his financial and tax affairs, his health and lifestyle, the education of his kids and similar complex parts of life.
And if Johnny happens to run a business he is taking responsibility for a huge pile of complex matters. Why is privacy so different for him?
Why is it that the moment he uses his computer, he turns into a helpless, uniformed and disorientated digital user, that is so utterly dependent on what other people do for him? Of course, Google, Apple, Microsoft, they all tell him that he is an unimportant digital native that has to dance to the tune they decide to choose.
But why does Johnny follow suit?
posted in web on 5 May 2013
Not every server is secure. If you provide a meaningful service for your customers online you'll need a reliable server environment. No business can afford to host their online services on a server that can easily be hacked or is insecure in some way.
The problem is, though, you cannot buy a secure server. There is no such thing on the market. What makes a server secure, is not a single property, but a process of constant, vigilant monitoring and proactive minimizing of possible risks. Something that cannot come with the cheapest option.
Some businesses tend to believe they can operate on shared hosting. For a brochure-like website, this option may be adequate, but once you offer any service that requires - or is meant to build - trust, you'll run into problems. Today, it's a common misconception that people think they may use encryption and miraculously everything is going to get secure.
posted in web on 18 April 2013
ownCloud has been around for a while, offering a file-sharing solution to users who insist on regaining control over their data in the cloud. As an enterprise-controlled web application the user's files are stored inside the organisation and not "somewhere in the cloud". But the most important benefit for users is the ability to sync these files to all kinds of devices, from smartphones to laptops and home computers. Files are easy to access and stored securely, that's the promise.
Now with the new version of the Web Encryption Extension you can take a great step forward by locking files in the cloud using the standard encryption tool GPG with the push of a button.
posted in web on 2 March 2012
Using the internet we all surrender our information (both sensitive and unimportant) to online applications that eventually dump them in a database.
If you think your information is safe in the database, think again.
Obviously there is a general problem with access to these databases that can render information resting there insecure. The problem arising with most online applications is that most of them use passwords to access the database that are stored unencrypted on the server.
Even for commercial online applications it is quite common to store the crucial password that grants access to all data resting in a database in a simple configuration file, in clear text. For example, Magento, the well known online shop software, stores the database password in the file "app/etc/local.xml" where it shines in all its glaring plain text glory.
Of course you can start to secure these files. It's the most natural thing to do. And you have to do it, fast. Because under normal circumstances, these config files are readable for everyone on the server when the default installation has finished. Most online applications seem to rely on the fact that the administrator knows that there is work left to be done. Following the principle of least privilege is a good guide to make those sensitive files as secure as possible on the server. But let's be honest, relying on the assumption that no unauthorized person will ever see the content of such a file may not be prudent.
It's a little bit like putting the key under the doormat.
posted in web on 30 Jan. 2012
Contact forms are omnipresent. They often substitute an email message and as such it's hard to imagine a business website without it.
Being nothing more than unprotected emails, contact forms lose one important quality that would make them even more useful on a website, confidentiality. For customers there is no way to convey a message to a business owner securely by using the contact form, because eventually it'll end up as an ordinary email, unprotected.
With the Web Encryption Extension there is an alternative available now.
posted in web on 15 June 2011
Certainly not, if you store credit card information or passwords in clear text on the servers. Recent data theft disasters have shown, that it is not enough to operate a "secure server" and leave all customer's information unencrypted on this server.
Because if you think your secure server is invincible, all your customer's data is at risk, the moment it turns out that the secure server is not as secure as you thought.
What's even worse, your customers have entrusted you with their data believing that operating a secure data center will be sufficient to protect their personal data from falling into the wrong hands. It's time to destroy this false belief.