Other posts related to security

Protected Posts

 | May 28, 2009 7:13 AM

You are most likely viewing this page because you tried to access a post that is protected.  To view that post you must be registered and logged in.  After doing this please try accessing the post again.

Restricted Content

Previously I was concerned about privacy, i.e. my blog posts showing up in unexpected places and being read by unintended guests.  I tried to address it by having everyone log in to view my blog but that proved to be a problem because RSS feeds no longer worked.  Recently I opened my blog to search engines and noticed a spike in traffic but I think that was mostly from Google.

I have searched for a solution for a while and I finally found a good compromise: the User Permissions Plugin. By using this plugin I can restrict certain posts to only be available to readers who are registered and logged in. Also, these restricted posts will not show up in RSS feeds. I modified the plugin to redirect to this post instead of “/”.

The downside is that my regular readers will have to be logged in to read these restricted posts.

Regular readers please register if you have not already and always log in if you want to read all the posts, especially posts about my kids.


Gmail and SSL

 | January 27, 2009 9:05 PM

Gmail

Previously I had reported on the Gmail Account Hacking Tool and how I thought the threat was overblown.  I said that I would not use SSL with Gmail as recommended because I thought it would affect the performance.

Well, soon after that article my security friend sent me an email and convinced me to always use SSL with Gmail. I have been using SSL with Gmail for several months and have not noticed a performance difference. I would recommend you do the same.

Packet sniffing is a real problem. Email harvesters are constantly searching sniffed packets for email addresses, session IDs, and other personally identifiable information (PII) for spamming purposes.

Even if you have secure Wi-Fi, that only secures the connection between your laptop and your home router. From the house to Google, it’s unencrypted. An SSL connection, on the other hand, would carry from your laptop to the server regardless of the communication medium.

So, what about SSL slowing down my network connection? It’s negligible. There’s only MAYBE a noticeable performance hit the first time you make an HTTPS connection between your browser and a webserver. This is noticeable because there’s key generation, certificate exchange, certificate verification, key exchange, etc. This only happens the first time. Every time your browser goes back, it just uses the same SSL encryption key. You don’t have to do this initial SSL handshake again unless you close your browser or go back a day later.

What about encryption algorithms eating up CPU cycles? Encrypting a packet of data is not the bottleneck. Current algorithms on 2-year-old CPUs can encrypt close to 7-10MB/second, far faster than any DSL or cable modem connection.

What about encryption algorithms eating up CPU cycles on the webserver? With advanced networking equipment, hardware-based SSL acceleration and load balancing keep server response times low, and are common practice.

How big a deal is packet sniffing? All proxy servers, firewalls, and network address translators (NATs) can look at network packets passing through them. There are probably 3 to 6 of them between you and Gmail. If the connection between you and a webserver is over SSL, these network junctions cannot view or tamper with your packets. They simply act as pass-through points. Some vendors build logging capability into these servers. For an attacker who is trying to sniff data, these are likely targets for hacking.


Gmail Account Hacking Tool

 | August 29, 2008 9:06 PM

Mike Perry is going to release a Gmail Account Hacking Tool which will allow hackers to get into anyone’s Gmail account.

After reading the article and another article I think the threat is overblown.  If you check your email in private on a wired or secure wireless network you are fine.  In public if you use https://gmail.com you will be fine.  Always using SSL for Gmail seems to be overdoing it and could slow the performance of Gmail.

I have one security friend who will probably disagree with me.  And maybe he can convince me because this article about someone who lost his domain because his Gmail account was hacked is quite sobering.
