Jul 20, 2020

Wait... Is Microsoft Azure Using VMware?

My company made the move to Microsoft Azure a couple of years ago. For the most part, we really like it. We've had the occasional hiccup, and their support is trash, but at least their platform is easy to learn and is relatively stable.

Well, an interesting thing happened today. I was in the process of upgrading some Ubuntu servers to 18.04, and during the upgrade process I noticed this:


It appears that their Linux VMs have VMware Tools installed, which raises the question: is Azure using VMware on the back end? One would think they were using Hyper-V.

Anyway, I thought that was interesting and should share it with you guys. If you know more about it, let me know in the comments!

Jun 30, 2020

Get Ready For An Epic SSL Certificate Maintenance Shitstorm


According to ZDNet, Apple made the executive decision back in February of this year to limit the default lifespan of SSL/TLS certificates to 398 days.
A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates.
Google has opted in to join Apple as well according to The SSL Store:
It’s no secret, Google has been championing shorter certificate validity within the CA/Browser Forum (CA/B Forum) for years. At the end of last week, a well-known voice within the forum posted on Twitter that the tech giant will be making the switch to a one year validity period of 398 days for SSL/TLS certificates starting Sept. 1. This might sound like a big move, but it doesn’t actually change anything because it was already happening.
Mozilla will be jumping on the bandwagon on August 31st according to a GitHub post.

What will this mean? Well, for one, if you host a website that has a two year SSL certificate, all major browsers are going to start displaying an error warning users that your certificate is valid for too long.

I actually agree; this will probably make things more secure. The more frequently you swap your encryption keys, the better the security. I'm already doing it with Let's Encrypt on my personal email server because Let's Encrypt makes you renew every 3 months! At least Let's Encrypt makes renewal easy with the help of automation scripts.

Swapping out certificates every year in other places can be a pain if you are using other third-party CAs and manually renew your certificates. It's even more of a pain when you have clients that use Java applications and manually trust the third-party keys for additional stringent security. That means we will probably have to swap our keys out every 200 days now at my day job so we can send the keys to clients ahead of time for testing and validation...
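Here is a small script, added to this post as an example rather than something from the original article, that takes the two lines `openssl x509 -in cert.pem -noout -dates` prints and tells you whether a certificate trips the 398-day limit for certificates issued on or after Sept 1, plus the date you would need to renew by on the 200-day cadence mentioned above. The two sample certificates, the ISO `today` parameter and the `rotation_days` default are constructed for the example.

```python
# Added example (not from the original post): parse the dates that
# `openssl x509 -in cert.pem -noout -dates` prints and flag a certificate
# that exceeds the 398-day limit browsers enforce for certificates issued
# on or after Sept 1, 2020. The sample outputs below are constructed.
import math
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 398
ENFORCEMENT_DATE = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed: a two-year certificate issued after the cut-off.
TWO_YEAR_CERT = """notBefore=Sep 15 00:00:00 2020 GMT
notAfter=Sep 15 23:59:59 2022 GMT
"""

# Constructed: a 90-day certificate of the kind Let's Encrypt issues.
NINETY_DAY_CERT = """notBefore=Jul  1 00:00:00 2020 GMT
notAfter=Sep 29 00:00:00 2020 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = value.strip().replace(" GMT", "")
        fields[key.strip()] = datetime.strptime(
            stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before, not_after):
    """Validity period in whole days, rounding a partial final day up."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def check_certificate(text, today, rotation_days=200):
    """Report lifetime, days left and whether the cert trips the 398-day rule.

    `today` is an ISO date such as "2020-10-01". `rotation_days` is the
    renewal cadence used in this example (the 200 days the post mentions).
    """
    not_before, not_after = parse_openssl_dates(text)
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    days = lifetime_days(not_before, not_after)
    subject_to_limit = not_before >= ENFORCEMENT_DATE
    return {
        "lifetime_days": days,
        "days_until_expiry": (not_after - now).days,
        "subject_to_limit": subject_to_limit,
        "too_long": subject_to_limit and days > MAX_LIFETIME_DAYS,
        "renew_by": (not_before + timedelta(days=rotation_days)).date().isoformat(),
    }


if __name__ == "__main__":
    for label, dates in (("two-year", TWO_YEAR_CERT), ("90-day", NINETY_DAY_CERT)):
        print(label, check_certificate(dates, "2020-10-01"))
```

Feed it the real `-dates` output from each of your certificates and anything with `too_long` set is a certificate browsers will start complaining about; `renew_by` is the date to put in the calendar so the new key reaches clients well before the old one expires.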

Basically an SSL Certificate Maintenance Shitstorm!

Do you manage SSL certificates in your environment? How are you handling it? Let us know in the comments!

Jun 12, 2020

An SSL Certificate is An SSL Certificate is An SSL Certificate

You are probably looking at the title of this post and scratching your head right about now. Allow me to try to explain my thought process here. Many moons ago I worked as a Systems Engineer for a SharePoint consulting company. It was the first place I started messing with SSL certificates for encryption. Granted, I didn't know as much about them as I do now, but I had the basics down.

One thing we did there was purchase GoDaddy SSL certificates because at the time, they were probably the cheapest third-party certificates out there. Shortly after I started buying them, I found the now defunct StartSSL which issued free third-party SSL certificates that were trusted by browsers.

It was around this time I realized that as long as a browser trusted a certificate, it really didn't matter which third-party certificate company you went with. I mean, the technology is the same. A certificate really is just a text file with random characters in it that is matched by another key file that is also just a text file with random characters in it. There is really nothing inherently special about a Verisign certificate vs a DigiCert certificate vs a Sectigo certificate... Basically an SSL certificate is an SSL certificate is an SSL certificate. Do you follow me?

One might have argued back then that an EV, or Extended Validation certificate is a little more special, but even then all certificate authorities offer those. Some cheaper than others, and again my point is proven.

Well, I just stumbled on an article that backs my original thought on this and goes a little bit further by arguing that even EV certificates are kind of unnecessary now, and you might as well just go with a free third-party certificate authority like Let's Encrypt!


...as of Autumn 2018 browsers are increasingly hiding the only information that distinguishes between these two types of certificates. It is fully possible some users will never know a site has an EV certificate in use. Google and Apple have already shown that they can and will stop showing the added benefits of higher cost security certificates, and most others will surely follow. Moreover, most users do not care or know the difference between a DV or EV certificate. To most people a site either has the padlock, or it does not, and if an EV certificate is visible, they often find the additional information confusing.

So then, why pay for these fancy certificates? Some certificate providers will offer a “warranty” on a certificate purchase. Cutting to the chase, it is not clear what value these warranties provide. There is no record of anyone using a certificate warranty, and there may not ever be. As the benefits of the higher end certificates continue to dwindle into irrelevance, all that remains is the normal, trusted, DV certificates that throw up the padlock and say it has a secure connection. This lock could be green, or grey, or whatever color the browser chooses to display. The fact of the matter is that the browser controls how the certificate displays to the user, not the certificate.

What do you think about this? Do you agree with Paradox Labs? Let us know what you think in the comments!


Jun 11, 2020

SSL Grades For The Top 6 Social Media Sites

I've been keenly aware of SSL/TLS settings on web servers for the past 9 years. Mainly because securing websites has been a big part of my job, and part of that is keeping up to date with the latest threats to SSL/TLS encryption in websites. Periodically PCI DSS standards change, which means I have to scramble to implement improved SSL/TLS standards for the websites owned by the company I work for. One of the tools I use to test my own servers is SSL Labs by Qualys.

Those of you that have been following my blog for years know about it since I write about it periodically.

Well, one of the things I like to do is check other websites and see how their SSL/TLS stands up. Are they secure enough? Should I trust them? You get the picture.

I decided to test 6 of the top social media sites out there to see if they cut the mustard! Here they are:

Twitter

Coming in at the best secured social media site with a beautiful A+ rating is Twitter! I can't complain about that at all. Well done!




LinkedIn

The social media site for professionals did fairly well with an A rating. They got dinged a little for not having DNS CAA settings, which in short tells browsers which SSL certificates are authorized for use by that particular domain. It is really easy to set up, so there isn't a good reason not to have that done. They also got dinged for weak ciphers. Still though, not a bad rating.
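Since CAA is the one ding here that takes five minutes to fix, here is an added example (mine, not part of the original post or anything from LinkedIn) showing what a CAA record looks like in zone-file form and how a certificate authority evaluates it before issuing under RFC 8659: walk from the requested name up towards the root, take the first non-empty CAA record set, and only issue if an `issue` (or, for wildcards, `issuewild`) entry names that CA. The zone data, the `example.com` records and the `CAA_ZONE` dictionary standing in for real DNS lookups are all constructed for the example.

```python
# Added example (not from the original post): how a CA evaluates DNS CAA
# records (RFC 8659) before issuing, using a constructed in-memory zone
# in place of real DNS queries.

# Constructed CAA data: owner name -> list of (flags, tag, value) records.
CAA_ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; validationmethods=dns-01"),
        (0, "issuewild", ";"),     # a bare ";" means nobody may issue wildcards
    ],
    "sub.example.com.": [],        # empty RRset: the CA keeps climbing
}


def relevant_caa_rrset(name, zone=CAA_ZONE):
    """Walk from the name up to the root; return (owner, first non-empty CAA RRset)."""
    if name.startswith("*."):
        name = name[2:]            # *.example.com is looked up as example.com
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_names(rrset, tag):
    """Issuer domains permitted by records with this tag (parameters after ';' dropped)."""
    return [rec[2].split(";")[0].strip() for rec in rrset if rec[1] == tag]


def caa_permits(name, issuer, zone=CAA_ZONE):
    """True if `issuer` may issue a certificate for `name` under the zone's CAA policy."""
    wildcard = name.startswith("*.")
    _owner, rrset = relevant_caa_rrset(name, zone)
    if not rrset:
        return True                # no CAA anywhere up the tree: no restriction
    tag = "issue"
    if wildcard and any(rec[1] == "issuewild" for rec in rrset):
        tag = "issuewild"          # issuewild overrides issue for wildcard names
    allowed = issuer_names(rrset, tag)
    if not allowed:
        return True                # CAA present but silent on this tag
    return issuer in allowed


def zone_file_lines(zone=CAA_ZONE):
    """Render the records in zone-file syntax, the form you would add to DNS."""
    lines = []
    for owner, rrset in zone.items():
        for flags, tag, value in rrset:
            lines.append(f'{owner} IN CAA {flags} {tag} "{value}"')
    return lines


if __name__ == "__main__":
    print("\n".join(zone_file_lines()))
    for host, ca in (("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "sectigo.com"),
                     ("*.example.com", "letsencrypt.org")):
        print(host, ca, "->", "permitted" if caa_permits(host, ca) else "refused")
```

The point of the walk-up is that one record on the apex covers every hostname beneath it, so a single `example.com. IN CAA 0 issue "letsencrypt.org"` line is all a site that only uses Let's Encrypt needs; anything else a CA is asked to issue for that domain gets refused.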




Facebook

Probably the king of social media, and often slammed for their draconian censorship, is Facebook with a trash rating of B! They were capped at a B because they still support TLS 1.0 and 1.1, which were deprecated by PCI DSS a couple of years ago. They also accept the RC4 cipher, which is garbage. More on that after the rest of the ratings.



Snapchat

The app used by teenage girls and basic bitches on Tinder! I've said it before, your animal Snapchat dating profile picture isn't cute! Knock that shit off! Anyway, they were capped at a B rating too! At least they turned off RC4...




Instagram

Instagram is a favorite of mine. I like what their filters can do for some of the pictures I take while out hiking, or spending time with friends and family. Still though, their encryption isn't great since they were capped at a B as well. That isn't very surprising since they were bought out by Facebook.




TikTok

Finally we have TikTok. My daughter has me addicted to this silly video social media app! I wasn't going to use it but she kept texting me various videos and I was tired of opening up the links in my phone's browser. Now I love it! Still though, their security sucks as bad as Facebook with a B rating. At least they don't support RC4!






Why SSL Labs hates TLS 1.0 and TLS 1.1

Per Qualys:

Best practices outlined in RFC-7525 give reasons why it is discouraged to use protocol TLS 1.0 and TLS 1.1. PCI-DSS recommends users to switch from protocol TLS 1.0 and adopt protocol TLS 1.2+.

Why RC4 Sucks

Again, from Qualys:

RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses. After the BEAST attack was disclosed in 2011, we—grudgingly—started using RC4 in order to avoid the vulnerable CBC suites in TLS 1.0 and earlier. This caused the usage of RC4 to increase, and some say that it now accounts for about 50% of all TLS traffic.

Last week, a group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) announced significant advancements in the attacks against RC4, unveiling new weaknesses as well as new methods to exploit them. Matthew Green has a great overview on his blog, and here are the slides from the talk where the new issues were announced.

The funniest part about some of these sites still supporting RC4 is that the above blog quote from Qualys was written in 2013! There is no good reason for anyone to still be using it at this point!
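To show how little effort it takes to avoid both dings, here is an added example of my own (not something from Qualys or any of the sites above) with two halves: a Python `ssl.SSLContext` for a server that refuses TLS 1.0/1.1 and RC4 outright, and a small audit over constructed scan summaries that applies just the two rules quoted above (legacy protocols or RC4 cap the grade at B) plus the CAA ding from the LinkedIn result. The audit is a simplified stand-in for those rules, not the SSL Labs grading engine, and the `SAMPLE_SCANS` data and the `certfile`/`keyfile` paths are constructed.

```python
# Added example (not from the original post): a hardened server-side
# ssl.SSLContext (TLS 1.2+, no RC4) and a simplified audit that applies the
# two rules the post cites from SSL Labs. The scan summaries are constructed.
import ssl

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2 and up only; forward-secret AEAD suites; RC4, NULL and MD5 excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # hypothetical paths for the example
    return ctx


def context_report(ctx):
    """What the context will actually negotiate, so you can verify the policy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "ciphers": names,
        "has_rc4": any("RC4" in n for n in names),
    }


# Constructed scan summaries in the shape a scanner might report them.
SAMPLE_SCANS = {
    "legacy_and_rc4": {
        "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
        "ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
        "caa": True,
    },
    "no_caa": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"],
        "caa": False,
    },
    "clean": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"],
        "caa": True,
    },
}


def audit_scan(scan):
    """Apply the post's rules: legacy protocols or RC4 cap at B; missing CAA is a ding."""
    findings, cap = [], None
    legacy = sorted(LEGACY_PROTOCOLS & set(scan["protocols"]))
    if legacy:
        findings.append(f"supports legacy protocol(s) {', '.join(legacy)}: grade capped at B")
        cap = "B"
    rc4 = [c for c in scan["ciphers"] if "RC4" in c.upper()]
    if rc4:
        findings.append(f"accepts RC4 suite(s) {', '.join(rc4)}: grade capped at B")
        cap = "B"
    if not scan.get("caa"):
        findings.append("no CAA record: minor deduction")
    return {"grade_cap": cap, "findings": findings}


if __name__ == "__main__":
    print(context_report(hardened_server_context()))
    for label, scan in SAMPLE_SCANS.items():
        print(label, audit_scan(scan))
```

The cipher string is OpenSSL syntax, which is what the Python `ssl` module passes through, so the same `ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4` line (and the TLS 1.2 floor) carries over to an nginx or Apache config; `context_report` is there so you check what the context really offers instead of trusting the string.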

Conclusion

So should you stop enjoying these social media sites because the ratings aren't all A+? Not really. Most of these servers support strong ciphers in preferred order. That means as long as you are using updated applications and modern browsers, you are most likely connecting using the strongest ciphers and TLS versions offered by the servers. You will be fine. On top of that, most of the info you put out on social media isn't that secure anyway.

This is more of an indictment of their security and systems engineers, and I'm calling them out to do better and try harder. It's not that difficult to get at least an A rating! It also pushes your customers to improve their security as well by not allowing them to keep using legacy systems! If they want to connect to your service, they need to use modern browsers!

Your thoughts?

What do you think about this? Let us know in the comments!

May 25, 2020

Becoming a better man: My top 10 list of audiobooks

I recently wrote an article about dating in small town Colorado, and in that I mention an ex-girlfriend of mine. One thing I am grateful for having dated her is the fact that she got me hooked on audio books. Not just any audio books, but books on self development. Listening to these, often multiple times, has really helped to make me a better man... I think.

Most of these books fall into one of three categories:
  1. Finance and investment
  2. Leadership
  3. Dating and relationships
Without further ado, here is my top 10 in no particular order:
These books are absolutely life changing in my opinion. They have completely changed my view on everything I have ever been taught about money, dealing with people, and dealing with relationships.

Out of all of these, the most eye opening is probably Atomic Attraction. I think everyone should read that book, men or women. It is really geared towards men understanding women's psychology, but it would help women understand why they always find themselves attracted to assholes!

Atomic Attraction has also changed how I view dating. I've been enjoying playing the field, meeting multiple women, and not taking things so seriously! It has been amazing. So far I've listened to it three times. I'm sure I'll listen to it many more!
 
What are some of your favorite books? Let us know in the comments!



May 12, 2020

What to Compare When Choosing an eCommerce Platform


For many people, owning and operating a successful eCommerce business equates to living the dream. Running an eCommerce company means that you can easily sell products and services online without face-to-face sales pitches, there’s no need to worry about factoring in the cost of renting an expensive storefront, and you can make money as you go about your daily life. For many eCommerce store owners, the option of dropshipping has even made it possible to make a living without having to spend a lot of money on inventory. Today, it’s relatively easy to get an eCommerce store up and running, but turning it into a successful business is a whole other story. If you’re considering starting an eCommerce business, here are some essential things to keep in mind when choosing a platform.

SEO Benefits:

If you want to succeed with an online business, you are going to need at least a surface level understanding of search engine optimization (SEO). This involves everything that goes into making sure that your site is visible to search engines, and with over 90% of online experiences beginning with search engines like Google, it’s safe to say that it’s fairly important. Use comparisons such as this one of WooCommerce vs Shopify to determine which has the best SEO tools for your needs. Check out PieSync’s blog to find more comparisons of eCommerce platforms and their features.

Payment Options:

Payment is the most critical part of the online shopping experience, and when you run an eCommerce business, you need to be prepared to accommodate a range of payment options. If you’ve ever had to look somewhere else because the store or restaurant you were trying to buy from only accepted cash and you didn’t have any on you, you’ll know how frustrating it can be. The more payment options you can offer on your eCommerce website, the better. If you only take a few types of credit cards, you’re going to end up turning potential customers away. Look for an eCommerce platform that allows you to offer a wide range of payment options to your customers.

User Experience:

You will want to choose an eCommerce platform that takes the user experience very seriously. How users perceive your website and the type of experience they have when using it can really make or break your business. If there’s poor navigation, a complicated checkout process and it’s difficult to find information on a product, your visitors are going to have no problem pressing the back button and trying somewhere else.

Support:

Finally, no matter how user-friendly a platform appears to be, bear in mind that there’s always the potential for things to go wrong, and the last thing that you want is to be left waiting around for answers while you lose business. If your site goes down, you want to get answers and a solution as quickly as possible. Opt for an eCommerce platform that provides large online support communities and tutorial libraries along with round-the-clock support from staff if needed.

Starting a successful eCommerce business is easier than ever when you choose the right platform for your online shop.


Apr 6, 2020

SEO Project Management Done Right

One of the biggest bottlenecks to getting a project started is planning. This involves establishing goals and laying out the vision for the project. But when it comes to execution, people resort to just getting things done. This is not a very efficient way of working, and the way you get things done will have a profound effect on the outcome. This is where proper project management procedures like Kanban come into play. If you want your SEO agency to work better and produce better results, you have to ensure that your workflow is both smooth and efficient. Below, we will look at what Kanban is and see how it can help optimize your workflow.

What Is Kanban?

Kanban is a management method for improving work processes that is getting more and more successfully applied to the world of project management. It advocates for doing just what is needed when it is needed and in just the amount needed. When working like this, companies are able to eliminate waste, unreasonable requirements (also known as scope creep), and inconsistencies in their results. Kanban is also able to make the production process smoother which makes teams more productive.

Kanban calls for transparency so that everyone on a team knows what is being worked on, what they have to work on, and what is left to be done. Because of this, your teammates can do just what is required and no more. For a more in-depth look at what exactly Kanban is, check the linked article from Kanbanize. Kanbanize is a leading Kanban platform, giving you clear visibility and control over your projects with their automated software.

Kanban and Project Management

One of the best ways to use Kanban to do project management is with a Kanban board. This can be a simple board that shows what is in the queue, what is being worked on, and what is completed. The board could also be customized to show the names of the team members beside the tasks they are currently working on or that they should work on in the future.

The board can also be customized so that the different tasks can be moved to their respective columns when their status changes, like when they are picked up or completed. Your teammates should also get an alert when a task is assigned to them so that there is no time wasted between assigning a task and letting a team member know they are responsible for it.

The biggest strength of this approach is that because everything is visual, it is easy to understand and navigate even to those who may be new to the company.

The Benefits of Using the Kanban Approach

When teams use Kanban for project management, everyone knows what they should be doing at any one time. This allows the teammates to focus on their tasks which makes them more efficient.

Kanban allows the collection of all information related to a task in one place. Teammates can see everything they need to know about a project in one glance. Kanban allows for the division of work into smaller tasks. Because of this, work can be completed faster, as many more people would be working on a single project.

The process of using Kanban for project management can be improved over time as a company learns how their employees work best. It can also be adjusted for the types of projects a company normally handles. Finally, Kanban can be used in different situations and arrangements.

Kanban Limits Multitasking for Higher Productivity

A lot of people think that when they multitask, they are being more productive. This is wrong. The Kanban project management principle states that employees should work on a single task at a time. This allows them to focus their efforts on one thing, and they can produce higher-quality work this way.

Multitasking opens up the possibility that your mind will wander as you hop between different tasks, and this can be detrimental to the end product. The best thing to do would be to work on just one job and pass it along to another teammate and then you can pick up another task. This chain continues until a project is complete.

Kanban Can Be Improved on Over Time

One of the best things about using the Kanban process is that there is always room to switch things up or improve on them. When trying to get your team to peak performance, start by identifying any holes in the way they work. It could be that they are multitasking or working on different parts of different projects at any one time.

Once you have identified these holes, it is time to plug them. Start by introducing small changes to the way your team works and ramp things up as you identify more areas that need improving. If you keep repeating this process, you will get your team to where you want it in a very short time.

Project management does not have to be complicated. If you run an SEO agency where there are a lot of things to handle and projects to complete, your team could always benefit from using the Kanban approach.


