Category Archives: Security Tips

Migrating To HTTPS: FAQ and Common Concerns

My site uses HTTP, and everything is fine. Why do I need HTTPS?

Search engines treat transport security as a ranking signal. More than 50% of the sites in the top 10 results already use HTTPS (over 60% for high-frequency queries), and in a year or two this proportion will be close to 100%. To avoid falling behind competitors, migrate to HTTPS sooner rather than later.

I understand that HTTPS is crucial for online shops and services that use personal data. But I have an ordinary online business card – what data do I need to encrypt?

Which pages a visitor reads is sensitive information in itself, and over plain HTTP anyone on the path between the visitor and your server (a Wi-Fi hotspot operator, an ISP) can read every request and can also modify the page in transit, for example by injecting ads or malicious scripts. Browsers also flag HTTP pages as "Not secure", which affects your position in search results even if the site is just a business card.

Does migration to HTTPS lead to traffic drop?

Yes, it can happen. But if the migration is done according to the instructions, the drop is minimal; as a rule, traffic grows a little after migration. It is best to migrate during the off-season so that rankings fully recover by the time demand increases.

Can I transfer to HTTPS just some part of the site (e.g. personal account and payment pages)?

Yes, you can, and webmasters often did so a few years ago. But the pages left on HTTP can still be read and modified in transit: an attacker there can rewrite the links that lead to the HTTPS pages, and any cookie set without the Secure flag is sent in the clear with every HTTP request. To protect all connections and gain in search rankings, move the whole site to HTTPS.
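Once the whole site is on HTTPS, the remaining problem is mixed content: pages served over HTTPS that still reference scripts, stylesheets or images over http://, which browsers block or flag. The scanner below is an added example, not code from the original article. It parses a page with the standard library and reports every subresource that would actually load over plain HTTP after relative and protocol-relative URLs are resolved against the page URL. The sample page and the hostnames in it (shop.example, cdn.example, img.example) are constructed for the example.

```python
"""Find mixed content: subresources loaded over http:// on an https:// page.
Added example; assumes the page HTML has already been fetched."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch another resource. Scripts,
# stylesheets and frames are "active" mixed content and are blocked outright
# by modern browsers; images and media are "passive" and trigger a warning.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "img": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
}
# <link> only fetches for some rel values; canonical/alternate links do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, value exactly as written in the page)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "link":
            rels = set((attr_map.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(attr)
            if not value:
                continue
            # Resolve "/js/app.js" and "//cdn.example/x.js" against the page
            # URL so that only references that really load over http:// count.
            if urlsplit(urljoin(self.page_url, value)).scheme == "http":
                self.findings.append((tag, attr, value))


def find_mixed_content(html, page_url):
    """Return [(tag, attribute, url)] for references that would load over
    plain HTTP when the page is served from page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not taken from a real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="//cdn.example/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="https://img.example/hero.png">
<a href="http://partner.example/">a plain link is not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://shop.example/"):
        print(f'mixed content: <{tag} {attr}="{url}">')
```

Run it against the HTML of each template of the site; the two findings for the sample page are the stylesheet and the logo, while the protocol-relative script, the local script and the canonical link are correctly left alone.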

Does HTTPS protect the site from hacking?

No. HTTPS protects data in transit: it keeps traffic between the browser and the server confidential, prevents it from being altered on the way, and proves to the browser that it is talking to your server. It does nothing against weaknesses in the site itself (vulnerable code, weak passwords, unpatched software); the database and site files need their own protection.

SSL Types: What Certificate to Choose?

HTTPS makes the Internet safer, and HTTPS support improves a site's chances of ranking higher in search results. To add HTTPS to your site you need an SSL/TLS certificate issued by a certificate authority (CA) that has verified your control of the domain. Before you start the migration, choose the type of certificate that suits you best. Depending on the level of verification, certificates come in three types:

EFAIL: Main Things to Know About Critical Vulnerability

A group of academic security researchers found a critical vulnerability in the popular e-mail encryption systems PGP (and its free implementation GPG) and S/MIME, or more precisely in how mail clients handle encrypted messages. The EFAIL attacks can be used to recover the plaintext of encrypted messages, including messages intercepted earlier. Sebastian Schinzel, professor at Münster University of Applied Sciences, reported the problem.

EFAIL lets an attacker decrypt messages without possessing the private key: the victim's own mail client decrypts the manipulated message and leaks the plaintext. Researchers and

What Is HTTPoxy And How to Fix It?

On July 18, 2016, a vulnerability named HTTPoxy was disclosed. It affects applications running in CGI or CGI-like environments: the CGI specification exposes every request header as an environment variable named HTTP_<HEADER>, so a client-supplied Proxy header arrives in the application as HTTP_PROXY, the variable most HTTP client libraries read as their outgoing proxy setting. An attacker who sends a Proxy header with the request can therefore route the application's requests to backend services through a server they control, and from there steal credentials, alter the responses the application receives, gain access to confidential data, and so on.
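As an added example (not code from the original post), the Python below models the CGI mapping of request headers to environment variables and shows the three halves of the problem: a client that reads HTTP_PROXY blindly picks up the attacker's value; Python's own urllib, since the 2016 HTTPoxy fix in the standard library, ignores HTTP_PROXY whenever REQUEST_METHOD is set (i.e. when running under CGI); and stripping the Proxy header at the web server, which is what the Apache directive `RequestHeader unset Proxy early` and the nginx `fastcgi_param HTTP_PROXY "";` setting do, removes the variable before any application code can see it. The request headers and the attacker.example address are constructed for the example.

```python
"""HTTPoxy: how a client-supplied Proxy header becomes HTTP_PROXY under CGI.
Added example; the request below is constructed, not a captured one."""
import os
import urllib.request
from unittest import mock

# Constructed attacker request. "Proxy" is not a defined HTTP header, but it is
# a syntactically valid header name, so the web server passes it through.
ATTACKER_HEADERS = {
    "Host": "shop.example",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://attacker.example:8080",  # hypothetical attacker-controlled proxy
}


def cgi_environ_from_request(headers, method="GET"):
    """Model of the CGI meta-variable mapping (RFC 3875): each request header
    becomes HTTP_<NAME>, upper-cased, with '-' replaced by '_'. A Proxy header
    therefore lands in HTTP_PROXY."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_seen_by_naive_client(env):
    """Vulnerable pattern: take the outbound proxy straight from HTTP_PROXY,
    as many client libraries did before the HTTPoxy fixes."""
    return env.get("HTTP_PROXY")


def proxy_seen_by_urllib(env):
    """What urllib would use with the same environment. getproxies_environment()
    drops HTTP_PROXY when REQUEST_METHOD is present, because under CGI that
    variable may have come from the client. The environment is swapped in and
    restored around the call so the check runs in isolation."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment().get("http")


def strip_proxy_header(headers):
    """Web-server side mitigation: drop the Proxy header before the request
    reaches the CGI/FastCGI environment."""
    return {name: value for name, value in headers.items() if name.lower() != "proxy"}


if __name__ == "__main__":
    env = cgi_environ_from_request(ATTACKER_HEADERS)
    print("naive client would use proxy:", proxy_seen_by_naive_client(env))
    print("patched urllib would use proxy:", proxy_seen_by_urllib(env))
    safe_env = cgi_environ_from_request(strip_proxy_header(ATTACKER_HEADERS))
    print("after stripping the header:", proxy_seen_by_naive_client(safe_env))
```

The library-side check only helps for code that goes through the patched library; a PHP application using Guzzle or a Go program reading the variable itself is protected only by the web-server fix, which is why the header should be dropped at the edge regardless of the language behind it.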

How to Secure LAMP Stack

The LAMP stack is a widely used combination of software: the Linux operating system, the Apache web server, the MySQL or MariaDB database management system, and the PHP server-side scripting language. Server-side protection is a vast topic that cannot be covered fully in a single article; this one covers only the basics of protecting the LAMP components.

To protect Linux:

  • Use key-based authentication for SSH instead of passwords whenever possible, and disable password authentication in sshd_config once the keys are in place.
  • Consider changing the port sshd listens on; this mainly cuts the log noise from automated scanners. If you choose a port above 1024, keep in mind that unprivileged local users can bind such ports, so a non-root process could take the port over if sshd is ever stopped.
  • Use a host firewall (iptables) and fail2ban, which watches the logs and temporarily blocks addresses that repeatedly fail to authenticate.
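The first two points are settings in sshd_config, and the mistakes that undo them are usually a duplicate keyword lower in the file (sshd honours the first occurrence) or a setting placed inside a Match block that does not apply globally. The auditor below is an added example, not code from the original article: it parses the global section of an sshd_config with the rules sshd uses, fills in OpenSSH's defaults for anything not set, and reports which of the recommendations above are not met. The two configuration samples are constructed; the port number in the hardened one is arbitrary.

```python
"""Audit the global section of an sshd_config for the recommendations above.
Added example (not from the original article); sample configs are constructed."""

# Values sshd assumes when a keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}.
    sshd rules modelled here: keywords are case-insensitive, the FIRST
    occurrence of a keyword wins, comment lines start with '#', 'Keyword=value'
    is accepted as well as 'Keyword value', and everything after a 'Match'
    line is conditional and therefore ignored for the global audit."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    effective = dict(DEFAULTS)
    effective.update(parse_sshd_config(text))
    findings = []
    if effective["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; key-based login will not work")
    if effective["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled; set it to 'no' once keys are deployed")
    if effective["permitemptypasswords"].lower() != "no":
        findings.append("PermitEmptyPasswords is enabled")
    if effective["permitrootlogin"].lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password login for root")
    if effective["port"] == "22":
        findings.append("sshd listens on the default port 22 (expect constant automated scanning)")
    return findings


# Constructed: a typical distribution default with a well-meant but ineffective
# second PasswordAuthentication line and a Match block that is not global.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# ignored by sshd: the earlier occurrence wins
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or ['no findings']}")
```

After editing the real file, `sshd -t` validates the syntax and `sshd -T` prints the effective configuration, which is the authoritative answer when this simple parser and the daemon disagree.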

How to Prevent DoS/DDoS Attacks

In simple terms, a DoS (Denial of Service) attack is malicious activity aimed at making a computer system unable to serve its users or perform its functions. A denial-of-service state is usually caused by software errors or by excessive network or system load, leaving the service or the whole host unresponsive, which means downtime and lost visitors. Remote DoS attacks fall into two types:

  1. Remote exploitation of software bugs to make a program crash or hang.
  2. Flooding: the victim receives a huge volume of meaningless packets, which lets the attacker saturate the network link or exhaust the machine's resources (CPU, memory, connection tables).

As a result of such attacks, the server spends all of its resources processing the attacker's requests and legitimate users have to wait.