Bob's Adventures in Wireless and Video Headline Animator

Tuesday, January 17, 2012

Securing Your Web Communications

I am sure we all have had it are surfing the web and you cruise to a site that looks like what you were looking for. All of a sudden it starts to happen: pop ups come from no where, new windows appear inviting you to click to "eliminate viruses" or "fix your pc". It happens to all of us. If you are unfortunately enough to accidentally click on a link, you enter web hell. Now your home page changes, java scripts start to run every time you open your browser, and you have to spend hours trying to remove all of the crap. Hopefully you did not get a virus.

Or we have all read about hackers intercepting WiFi data at coffee shops, stealing credit card numbers, social security numbers, etc.

Or what about privacy. Do you want Google, Akamai, Limelight, ATT, or other big corporations or government being able to intercept your personal data without your knowledge? It is very easy to do so. Most routers that carriers use have CALEA support (all HauteSpot routers support CALEA). This is a way to capture everything that passes through the router to a file that can later be read. Typically this is done with a warrant if you are the government, but sometimes without. Hackers can do the same thing.

As surveillance moves to VSaaS (video surveillance as a service), using appropriate measures to protect your communications is essential. Not only do you prevent a lot of headaches, but you may keep yourself from being sued for not taking adequate steps to safeguard your customers data and networks.

For what it is worth, here are a couple of suggestions that I have to implement good security practices while using the Web.

First a couple of definitions:
Authentication - (Skip this if you already know what authentication is) Authentication is the verification of the truth regarding a piece of information or an entity. In the Internet world this generally means either verifying the identity of a person or a computer (web server, data base server, email server, video server). There are a few ways to validate the identity of someone or something on the Internet. The most common way to authenticate is to exchange a complex key either directly (pre-shared key) or through a trusted third part (certificated).

In the pre-shared key model, two users basically create a long random key or pass phrase. This key or pass phrase is then sent to the other person. Then every message sent or connection made from that point forward requires the key to be exchanged and verified to what is already known. It is more complex than this, but in general this is how pre-shared keys work. The problem with this is that you have to know the person or machine first in order to get the key from them to start with. You can't know everyone.

The other method of Authentication is through a trusted third party. There are many commercial companies that provide these services which are known as certificate authorities (CA), but the biggies are VeriSign, GlobalSign, GeoTrust, and many others. These companies are well known and make it their business to verify the identity of many companies. The certificate authority will issue a CA Certificate, which is a complex key and identification data that can be stored on your computer. This certificate is used for you to verify the identity of the CA.

The certificate authority will also issue certificates to users. Basically the user creates a long key or certificate request on the server computer that he wants to authenticate. This is sent to the CA along with a whole bunch of verifying information like bank account information, business license data, D&B data etc. The CA then issues a certificate which is installed on the server computer by the user. Now every time someone wants to connect to that server computer, the client gets the certificate from the server, verifies the certificate from the CA, and then connects to the server knowing that is it really the server he wanted.

You can think of this as asking for an introduction from the CA to the server that you want to connect to. If you trust the CA, then you can trust the introduction. In a perfect world you would verify the identity of every server (link) that you connect to on the web. We are not there yet.

Encryption - (again, skip this if you know what encryption is). Encryption is basically scrambling your data using a key that is a reference to unscrambling. If you have the key, then you can open the message. The first thing that needs to happen for encryption is to authenticate who you are talking to. Then you send them a key to use for a short period of time to scramble and unscramble messages. Then you change keys regularly from there so it is harder to crack your key.

The level of complexity of encryption is generally measured in key length. A long key of 2048 bits is hard. A short key of 64 bits is not so hard. A key of 128 bits is enough for most generally needs. More is better. If encryption is available and relatively fast, why wouldn't you use it for everything?

Suggestion 1 - Use Firefox as your browser - Firefox is an open source browser that is not tied to any corporation, and therefore less likely to be used for sniffing of your personal data. You have to weigh this against performance and the potential risk that an open product represents. But Firefox has a very good track record. Also, it has lots of security plug ins available and an anonymous browsing mode.

Microsoft IE and Chrome are great browsers, but they were developed by companies who have a vested interest in intruding in your privacy. Can they be trusted? Not a great track record, in my opinion.

Suggestion 2 - Use SSL as much as possible in your web browser. SSL (Secure Sockets Layer) is a network communication protocol developed by Netscape for authentication and encryption of web traffic. SSL authenticates a servers identity using a certificate and then encrypts all of the data exchanged with that server.

By using SSL you assure that you know that the server that you are communicating with is whom you think it is. And you also encrypt your communications to that server so that hackers and others cannot see what you are sending.

If you use Firefox, then the Electronic Freedom Foundation offers a tool that makes your browser first check to see if SSL is available before reverting to unsecure mode. HTTPS Everywhere makes it easy to at least try to secure your connections. This is a zero effort step to improve your safety.

Suggestion 3 - Enable SSL in your email client to connect to your mail server. This is a complex topic and I won't provide details on configuring your client. But if you use Outlook, Thunderbird, or other similar clients, you should make sure that your SMTP server and your IMAP or POP3 server connections use SSL. Many ISPs still use unencrypted connections for email. Definitely not good.

Just because you send and receive through your server using SSL, that does not mean that your mail goes out or comes into the server using SSL. Without certificated, authenticated and encrypted email, there is no way to know what happens once your email leaves your server or where it has been before reaching you.

Suggestion 4 - Use certificates in your email. This step sometimes can create problems. Not everyone has a mail client that can read encrypted and authenticated mail. Some mail servers will bounce your mail. But in general, it works pretty well. You can get a free certificate to install in your mail client from a number of sources: Comodo, StartCom, Secorio, TCTrustCenter and others.

Suggestion 5 - Use private browsing where possible. Firefox has a mode called Private Browsing which can be reached under the tools menu. Chrome has a mode called Incognito which can be reached under the toolbar. IE has InPrivate browsing which can be found under safety. All of these modes do basically the same thing, they hide all cookies, temp files, cache, and other identifying information during the time that you have them turned on. When you exit the mode, all your regular information is returned.

If you are going to be surfing the Internet with no particular destination in mind private browsing is a good idea. Then when you go to your bank or check your stocks, flip back to normal mode. You will lose all of your cookies at the end of session along with form data, etc, so if you planning on going back to a site later, maybe you want to use normal mode with SSL.

Suggestion 6 - Use a VPN. A virtual private network encrypts your network connection from end to end. There are lots of VPN solutions out in the market. I would suggest either setting up your own gateway at your office using something like a HauteSpot WRAPNXi router. Then you can run PPTP, L2TP or OpenVPN to dial in. There are also many different service providers that give you a cloud to VPN over. This is a more complex topic, but basically a VPN will secure your connections when connecting to remote sites or from your laptop or PDA to your office.

Suggestion 7 - Use TOR. (From their web site) "Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. 
Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers.

Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints.

Tor makes it very difficult to sniff your data over the network.

Suggestion 7 - Use NoScript to selectively enable/disable javascript in your browser. This plugin for Firefox is a a mixed blessing. Javascript, Flash and Java are the programming languages used to manipulate web browser behavior. Without NoScript these programs are free to run on your browser. With NoScript you have to allow them. This is a great tool for preventing these programs from taking over your browser. The downside is that you have to explicitly enable each site. I think it is worth the hassle.

Suggestion 8 - Use an external password vault. Up until recently I used the saved password feature of my web browser to save my web site passwords. I should know better. I am sure that soon, if not already, someone will have figured out how to hack this. So I started using LastPass, which is a secure password vault. You have to make the leap of faith that LastPass can be trusted, but the reviews seem pretty good.

LastPass moves all of your passwords off site. You create an account and then secure it with a really good, long password. A plug in for your browser then grabs passwords from your vault when you visit sites.

Why do this? Well with a password vault you can then type in really long, random passwords that are difficult to break for all of your web sites. Save these really hard passwords in your vault. Then rely on your one password to protect all the others. Also, the passwords are available on other systems like your smartphone. Again, takes a leap of faith, but I think it is better than the alternatives of short, easy passwords stored in your web browser.

Suggestion 9 - Do the obvious. Have a good virus scanner, use a firewall, don't visit hacker sites and don't install pirate software.

Hope this helps protect you and your customers.


  1. Yes, Bob we all have fall victim to a phishing site. And considering the number of ways we now have to protect ourselves, you have to agree with some corporations policy of no surfing or using Social media sites.

  2. Does this need any software to use?

    safety Technology