    Beanstalk's SEO News Blog

    At Beanstalk Search Engine Optimization we know that knowledge is power. That's the reason we started this SEO blog. We know that the better informed our visitors are, the better the decisions they will make for their websites and their online businesses. We hope you enjoy your stay and find the SEO news contained within this blog useful.


    January 23, 2013

    Forget Your Password…it’s ok.

    The days of trying to remember passwords and worrying about hacked accounts may be limited. Passwords have been somewhat effective in the past and are an easy way to authenticate web users, but they fall tragically short in security on today’s internet, and they always will.


    According to a research paper from Google regarding the future of authentication on the web, the password problem could be solved with the aid of a USB-based Yubico log-on device. Google envisions a future where you only need to authenticate one device (with your smartphone, Yubico key, or perhaps wirelessly) and then use that similar to a car key to open up your webmail and other online accounts.

    “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” state Google’s Eric Grosse and Mayank Upadhyay.

    This small cryptographic device will automatically log in a user to Google using a new protocol (patent pending) for device-based authentication that will be independent of Google and will also prevent web sites from tracking users.

    Other than a browser that supports the technology, no additional software is required, and it could be as easy to use as tapping or swiping your card or key device on the device you want to authenticate. In order for this new security standard to take hold, Google will need many other websites to get on board.

    Two years ago, Google launched a two-step authentication option as part of its attempt to increase security for its users. The story of Mat Honan’s encounter with hackers helped to inspire a quarter-million people to adopt the two-step process. Google has not given any idea as to when we may see the new technology released.

    SEO news blog post by @ 11:30 am


     

    March 22, 2011

    One Does Not Simply HTTPS into Mordor!


    Every time you go to a web site that requires you to log in over an unencrypted HTTP connection, you are displaying your username and password for the world to see.

    HTTPS was introduced very early on in the development of the internet, but it was initially intended to make financial transactions more secure, such as on your bank’s website. Most of the sites that currently use the HTTPS protocol use it only on select portions of their site that require extra security, such as shopping carts or account pages.

    Last year the Firesheep network sniffing tool made it easy to capture a person’s current session cookie on an insecure network, such as when you are at a local public Wi-Fi hotspot like the library or coffee shop. As a result, many sites began to take the threat seriously and began implementing the added security of HTTPS.

    More recently, social sites such as Twitter, which are almost entirely run with public data, have begun to add the extra security to their connections. While the end user may be okay with someone intercepting their messages to Twitter in midstream and reading them, they probably don’t want others gaining access to their username and password for their account.

    Google has recently announced it will be adding HTTPS as standard to many of the company’s APIs. Firefox users can use the HTTPS Everywhere add-on to force HTTPS connections to several dozen websites that offer HTTPS but don’t use it by default.

    There are some practical reasons as to why HTTPS has not been widely implemented besides the high cost of secure certificates. A large problem is that HTTPS does not allow you to cache sites locally which is an issue when servers and clients are not in the same region (such as in Australia, New Zealand and Mordor).

    The initial SSL key exchange adds to the latency. Although servers are faster and implementations of SSL more optimized, it still costs more than doing plain HTTP. While this is less of a concern for smaller sites with little traffic, HTTPS can add up if your site suddenly becomes very popular.

    Another, bigger problem is that it doesn’t work with virtual servers. Most ISPs use virtual hosts as a way to serve many (sometimes hundreds of) websites from a single IP address, which does not work with HTTPS. However, virtual hosting and HTTPS can be merged by using the TLS Extensions protocol. Unfortunately it has only been partially implemented.

    For those sites that do not have a reason to encrypt data or have a need to protect your username and password, adopting HTTPS is not practical. However, like all technologies, once the standard is widely implemented by major players like Facebook, Google Apps and Twitter, and the infrastructure is in place, it will become more cost effective to adopt HTTPS en masse.

    There are several practical reasons why the HTTPS protocol cannot work in the current internet environment, but as available broadband speeds increase for the average user, more and more users will begin demanding its implementation. Many sites are now implementing HTTPS, which shows that the desire for extra security is there. Most users are okay with the slight reduction in speed if it gives them peace of mind while online.

    SEO news blog post by @ 7:05 pm

    Categories: internet security

     

    February 17, 2011

    Blacklisting for National Security?

    Blacklists sound like a racial slur, but they are simply a list of known bad offenders. Email spam is effectively kept in check to some degree by maintaining blacklists of known bad offenders. If your mail server isn’t accepting mail from a domain because the security is notably ‘not acceptable’ and ‘likely compromised’ why would you let that same domain access your login systems?


    I’ll keep my rant short and to the point, but the details of the attack are a bit like a drunken man explaining how his cat ‘escaped’ after he left the door open and his music playing really loud for hours.

    Today there was news of another major hack on the Canadian Federal government in top level systems. Part of the news revealed that “Defence Research and Development Canada”, a civilian agency of the DND, was compromised. I personally read that as “hackers will be enjoying the fruits of our federal research money/time before we are”.

    This hack also took major segments of the federal government offline, likely as a necessity to facilitate cleanup and containment of the situation. So this wasn’t a ‘scare’ or an ‘annoyance’; it’s clearly costing us money, taxpayer money.

    The source of the attacks came from China, as they always seem to be. Admittedly, if one wanted to hide their identity, the best place to start would be an insecure network in China, and then work out from there. If this is a no-brainer for myself, a tech-savvy SEO, what’s going on with the professional security services we’re paying for?

    Do we really have a lot of Canadian federal employees in China making it far too difficult to block logins to sensitive networks from that entire country save a few exceptions?

    SEO news blog post by @ 7:50 pm


     

    Copyright© 2004-2013
    Beanstalk Search Engine Optimization, Inc.
    All rights reserved.