Translate:
Latest SEO Articles: Speaking At:
    Speaking at SMX London 2013
Follow Us:
Follow beanstalkseo on Twitter
Hear Us On:
Webmaster Radio
Blog Partner Of:
WebProNews Blog Partner
Helping Out:
Carbon balanced.
Archives
    • RSS

    XMLRSS

    Top Posts

    Beanstalk's SEO News Blog

    At Beanstalk Search Engine Optimization we know that knowledge is power. That's the reason we started this SEO blog. We know that the better informed our visitors are, the better the decisions they will make for their websites and their online businesses. We hope you enjoy your stay and find the SEO news contained within this blog useful.

    October 20, 2011

    Secure search service stirs SEOs slightly

    Every once in a while there’s an announcement that makes a huge kerfuffle online only to be yesterdays news the next week. Yesterday’s news is that Google made the move towards secure searches for Google account holders that are logged in while searching. It was actually announced on the 18th, and I didn’t see anything until Kyle mentioned it on the afternoon of the 19th, so it’s actually worse than yesterday’s news!

    Google secure search

    Anyone following search engine news would be perfectly normal to feel a bit of déjà vu since Google’s had secure search options way back in early 2010. The latest announcement that is stirring up responses is the fact that they are now dropping header info that would normally be passed along to the destination site which could then be tracked and analyzed for SEO purposes.

    Google has plenty of good reasons to make this move and only a few reasons against it. Here’s a quick breakdown of the pros/cons:

    • Most searchers are not logged in and won’t be effected
    • Estimates fall between %3-%7 of current search traffic is logged in
    • Tracking the “not provided” searches in Google Analytics will show the missing traffic
    • Mobile users connecting from public WiFi networks can search securely
    • Users of free internet services will have additional privacy
    • HTTPS Everywhere is crucial and backed by Google
    • Webmaster Central still provides search terms to registered owners

    Cons:

    • Mobile searchers tend to be logged in
    • Traffic projections for mobile search are growing
    • Google has to make the data accessible to it’s paid users
    • SSL is now becoming a much larger ranking factor

    Amy Chang over on the Google Analytics blog had the following point to make:

    “When a signed in user visits your site from an organic Google search, all web analytics services, including Google Analytics, will continue to recognize the visit as Google ‘organic’ search, but will no longer report the query terms that the user searched on to reach your site..”
    “Keep in mind that the change will affect only a minority of your traffic. You will continue to see aggregate query data with no change, including visits from users who aren’t signed in and visits from Google ‘cpc’.”

    Thom Craver, Web and Database specialist for the Saunders College at Rochester Institute of Technology (RIT) was quoted on Search Engine Watch as noting:

    “Analytics can already run over https if you tell it to in the JavaScript Code … There’s no reason why Google couldn’t make this work, if the site owners cooperated by offering their entire site via HTTPS.”

    Personally, as you can tell from my lead-in, I feel like this is much ado about nothing. Unless competing search engines are willing to risk user privacy/safety to cater to SEOs in a short term bid for popularity, this isn’t going to be repealed. I don’t like to see the trend of money = access, but in this case I don’t see much choice and I’ll stand behind Google’s move for now.

    SEO news blog post by @ 12:12 pm

    Categories: Analytics,Google,Google,internet security,Privacy,seo articles,SEO Tips
    Tags: , ,

     

    March 25, 2011

    Comodo SSL Cracker-gate

    On March 15th 2011, a Comodo affiliate RA was compromised resulting in the fraudulent issue of 9 SSL certificates to sites in 7 domains:

    • mail.google.com
    • www.google.com
    • login.live.com
    • addons.mozilla.org
    • login.skype.com
    • login.yahoo.com

    In the ongoing Comodo SSL Cert Scandal, Comodo claims they were infiltrated and that a computer cracker was able to bypass security with a valid username and password. This gave the unwanted user access to an affiliate of Comodo which issues SSL certificates through its UserTrust arm.

    Essentially SSL certificates are used to prove that a site is legitimate. Stolen certificates can be used by unscrupulous admins to fool end users into thinking that they are accessing a registered site when in reality they are not.

    Comodo has stated that their site was hacked from an Iranian IP address, which usually indicates that the source was anything but Iranian, however one of the bogus certs was used on an Iranian site for a short period of time.

    CEO of Comodo: Melih Abdulhayoglu, stated on his company’s blog:

    Why do we think these are state driven/funded?

    "Well, one of the origin of the attack that we experienced is from Iran, what is being obtained would enable the perpetrator to intercept web based email/communication and the only way this could be done is if the perpetrator had access to the Country’s DNS infrastructure (and we believe it might be the case here). Of course this is our interpretation of the situation.
    First time we are seeing a "state funded" attack against the "authentication" infrastructure. The Threat Model is changing and Comodo had already initiated a proposal for new standards in 2010 which would help mitigate some of these attacks. We will make sure to double our efforts in getting industry wide acceptance to these much needed standards so that we can continue to defend our security and freedom."

    Comodo’s security blog went in to more detail regarding the Iranian connection and claimed that at least two Iranian IP addresses and one ISP were involved.

    The question I keep wondering is; how did someone get a username and password from Comodo with sufficient privileges to issue the SSL certificates in the first place and who is monitoring the issuance of certificates?

    How could Comodo issue an SSL certificates for google.com, live.com, yahoo.com, mozilla.org, and skype.com without somebody noticing or raising an alarm? Are there no watch lists in place to ensure that the issuance and distribution of SSL certificates to critical domain names is monitored? It seems to me that there is room for improvement withing the trusted certification system and it’s oversight.

    Because each and every browser treats SSL certification revocation differently, and because there is no standardized methodology between them all to do so, Comodo would have had to remove anywhere from 85,000 to 205,000 perfectly legitimate certificates.

    In a perfect internet, where all users have OCSP enabled, Google, Microsoft, Mozilla, and others, would be able to simply update their list of revoked certificates so that when each of their browsers checked to verify the certificate, an alarm would go off and the site would then be flagged for investigation or simply removed from the list of trusted sites.

    Why are browser updates necessary in order to revoke the SSL certificates? Because OCSP is not mandatory, browser manufacturers are pushing the updates to the browsers themselves creating a delay in the updating of trusted certificates.

    As increasingly more and more sites are moving towards using HTTPS, more efficiency and trust within the signing authority needs to be considered. Clearly we should also consider the need to monitor the issuance and distribution of trusted SSL certificates.
    Even though the certificates have now been revoked, users should be sure to update their browsers immediately, and make sure OCSP is enabled, in order to verify that they have the latest list of trusted sites.

    Peter Eckersley, from the Electronic Frontier Foundation, states the obvious by saying:

    "What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time."

    The press was quick to label the offending perpetrators as originating from Iran. It is simply far too easy to spoof your IP address to hide your tracks and make it seem that you are coming from a different part of the word or from a different IP address. Claims that the attackers IP originated from Iran, are still ambiguous at best.

    Comodo states:

    "It does not escape [our] notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the [Persian] Gulf region are facing popular protests."

    IMO, Comodo’s statement smacks of a conspiracy theory to me…or is it a convert attempt to divert us from seeing the truthfulness of the possibility of it being an inside job?

    I think the bigger issue is not who was able to hack in and issue the bogus SSL certificates, security is always going to be a concern in any business. The fact that we do not have a single distinct authority monitoring all and issuing SSL certificates needs to be strongly examined.

    SEO news blog post by @ 10:50 pm

    Categories: internet security,Uncategorized
    Tags: , ,

     

    Level Triple-A conformance icon, W3C-WAI Web Content Accessibility Guidelines 1.0 Valid XHTML 1.0! Valid CSS!
    Copyright© 2004-2013
    Beanstalk Search Engine Optimization, Inc.
    All rights reserved.