Website - Secure Content

myPinballs (Jim):
Hello,

A general question for all pinheads. I am planning the next upgrades for my website and haven't in the past thought much about this for a while, but some recent discussions have made me think about this again.

How many people are put off from accessing websites with non-secure general HTTP content (information pages, images etc.) as opposed to HTTPS-secured content, regardless of whether the checkout part is secure?

Also how many people use google chrome as their standard browser these days?

Thanks
 
I don't care about non-secure general content so long as checkout parts are secure. I use Firefox for most things but also use IE and Chrome as some websites/web apps work better in different browsers.
 
May as well go https all the way in this day and age. You can get free certs from letsencrypt.org
 
HTTPS for it all but also don’t forget to encrypt the credentials on your database too.


 
Go HTTPS all the way. There's no speed penalty for doing so, in fact quite the opposite. Google gives a minor ranking boost for doing it. If you put your whole site under HTTPS you don't have to faff about with making certain parts secure - e.g. contact forms, other forms with personal data - with the rest insecure.

Modern browsers, particularly Chrome, are moving towards an expectation that entire websites will be secured, and already warn about any non-HTTPS page that asks for passwords, etc.

As said above you can get free SSL certificates from Lets Encrypt that are every bit as effective as ones you have to pay for.

Basically dooooo ittttt
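The post above argues for putting the whole site under HTTPS rather than mixing secure and insecure parts, and notes that browsers now warn about non-HTTPS pages that ask for passwords. As an added example (not from the thread, and not code from mypinballs.com), the following Python script audits a page's HTML for exactly the two problems a half-converted site produces: subresources still loaded over http:// on an https:// page (mixed content, which browsers block or flag), and forms with a password field that are served over or submit to plain HTTP. The URLs, HTML and function names are constructed sample input and this example's own choices.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),      # only counted for rel=stylesheet / rel=icon, see below
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class _Collector(HTMLParser):
    """Collects absolute subresource URLs and <form> targets from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []            # (tag, attr, absolute_url)
        self.forms = []           # (absolute_action_url, has_password_field)
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel and "icon" not in rel:
                return            # canonical/alternate links are not fetched by the page
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                # urljoin resolves relative and protocol-relative (//host/x) URLs
                # against the page URL, so "//cdn/x.js" inherits the page scheme.
                self.refs.append((tag, attr, urljoin(self.page_url, value)))
        if tag == "form":
            # An empty action submits back to the page URL itself.
            self._open_form = [urljoin(self.page_url, attrs.get("action") or ""), False]
        elif tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open_form is not None:
            self.forms.append(tuple(self._open_form))
            self._open_form = None


def audit(page_url, html):
    """Return mixed-content and insecure-password-form findings for one page.

    page_url is the URL the browser loaded the page from; html is its body.
    """
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    page_secure = urlsplit(page_url).scheme == "https"
    # Mixed content only exists on a secure page: an http:// subresource there
    # can be tampered with even though the padlock is showing.
    mixed = [
        f"{tag}[{attr}]={url}"
        for tag, attr, url in collector.refs
        if page_secure and urlsplit(url).scheme == "http"
    ]
    # A password form is insecure if the page itself is plain HTTP (the form can
    # be rewritten in transit) or if it posts the password to an http:// action.
    insecure_forms = [
        action for action, has_password in collector.forms
        if has_password and (not page_secure or urlsplit(action).scheme == "http")
    ]
    return {"mixed_content": mixed, "insecure_password_forms": insecure_forms}


# Constructed sample: a checkout page on an HTTPS site that still pulls a
# stylesheet and an image over plain HTTP and posts its login form to HTTP.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://shop.example/images/board.jpg">
<img src="/images/logo.png">
<form action="http://shop.example/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="/newsletter"><input type="email" name="e"></form>
</body></html>
"""

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_URL, SAMPLE_HTML).items():
        print(key)
        for finding in findings:
            print("  ", finding)
```

Run against the sample, the script reports the stylesheet and the board image as mixed content (the protocol-relative script and the root-relative logo resolve to https and pass) and flags the login form because it posts to http://. Pointing it at the pages of a site you are converting is a quick way to find the references that still need changing to https:// or to protocol-relative paths.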
 
> HTTPS for it all but also don't forget to encrypt the credentials on your database too.

I know you know, and I expect Jim knows too... but I have a pet peeve when people use the word 'encrypt' which has a very specific and fairly narrow meaning when talking about security. For password credentials we really mean 'securely salted hash'. For other personal data (worth looking at GDPR), sure - encryption.

I see so many people on Stack Overflow and in other places asking how to encrypt passwords :tut:
We really have to start educating these people
 
Any personal details these days really need to be encrypted. Mad not to, and GDPR is pretty much non-optional. Although I could buy almost 5000 NIB machines with the amount of money I'm spending to implement GDPR, just in time for us to leave the EU!

Neil.
 
> I know you know, and I expect Jim knows too... but I have a pet peeve when people use the word 'encrypt' which has a very specific and fairly narrow meaning when talking about security. For password credentials we really mean 'securely salted hash'. For other personal data (worth looking at GDPR), sure - encryption.
>
> I see so many people on Stack Overflow and in other places asking how to encrypt passwords :tut:
> We really have to start educating these people
Unfortunately this is one of those things where I think you have to accept that in layman vernacular "encrypt" means "make secure", otherwise you're going to end up annoyed pretty much 24/7 :)
 
> ...in layman vernacular "encrypt" means "make secure"

Yeah it is a pretty clumsy association though, and people in the spotlight (ahem, not pointing fingers) have the ability to change this :)

Whenever there is a security breach, you'll typically see someone from the company say 'oh it's ok, all our passwords were encrypted' and I think, well.. were they? Encrypted implies decrypting is possible. And that should NEVER be the case with passwords. In the rare cases they say the passwords were hashed, I still want more information: With MD5, SHA256, or what? With unique salts per hash? All of this drastically changes how we should react to a password leak, and does nothing to (further) damage the information that has been leaked.

And like I say - it causes new/inexperienced developers to think 'I need to encrypt these passwords', so they start looking at encryption methods, and that jumbles them up and makes them look secure right?

Security is a staggeringly hard thing for people to get right. It's also not obvious when it has gone wrong, and the consequences of doing it wrong can be disastrous. I went through a real learning curve updating an old payment system I had written to be PCI-DSS compliant. On the back of that I'm really dreading how people will tackle the implementation of GDPR, because encryption done properly is much more difficult than 'apply 256bit AES routine', which will be the path that a lot of inexperienced developers tread down. It's really all about key management, which is a whole different problem.
 
What the hell are you guys talking about???
I need so much educating on stuff like this. Let me know once sorted and then help me out by explaining it all in terms I can understand. :confused:
 
GDPR is going to make all this stuff so much more fun.

And by fun I mean a total pain in the ****.

We're prepping for it now but we know it's going to have the potential to cause a lot of pain. Unfortunately a lot will be down to the interpretation of the various governing bodies but the general ethos seems to be that you'll be ok so long as you're making efforts to secure customers and personnel data.
 
Wiredworm is right - with GDPR customer data is suddenly a hot potato - you should only collect what you absolutely need to, and delete anything you don’t need, as soon as you no longer need it. Whatever you do store, should be stored securely.

For small businesses who stick to those rules and can demonstrate that they’ve done what they can to keep information secure there should be no problems.

A couple of emails to your providers to get in writing that they will store your customer data securely would be wise.

If you haven’t already, register with the ICO as a data controller - that is the governing body you need to stay on the right side of.


 
Going back to the site improvements - how many people use chrome? I’d ask how many still use a laptop. I’ve not yet used my laptop to buy any pinball products - but spent hundreds on my mobile already and only had the game for a month.

Design for mobile users first, and then think about desktop users second. If you're using Wordpress or similar just look for a 'responsive' theme - this will mean it works nicely on a mobile.


 
I personally do not care but many people do, and Google does, so those are two excellent reasons to make the effort to get HTTPS working. I can afford to take calculated risks with my computer hardware + info because it is my trade and I know what I'm doing, so even my dissent does not represent a good use case.

I use Chrome primarily but I use all major browsers on occasion.
 
Well, we could get into a big discussion about the craziness of having to have a secure request for anything these days, including a picture of an 80s pinball electronics board, but I don't think I will, it's just not worth it...

I'll summarise and say I've created a new CSR request and am now waiting for the certificate approval. HTTPS for mypinballs.com here we come, bye bye HTTP.
 
Man-in-the-middle attacks got easier over time, mostly due to advanced browser hijackers, cross-site scripting attacks and other means of trying to sneak payment details. That your site is about what it is, is just a distraction from the point that it does deal with money payments and therefore there is something to steal from people using it.

The hard push on HTTPS is because historically, the software industry has proven itself too incompetent to guarantee security without it. And now we all have to faff about with it. It sucks but that's life.
 
I use Chrome as my browser of choice, but also have to use Firefox and IE depending on what random sites I've found that don't like Chrome.
 
The only downside in everything being HTTPS, I feel, is that it will and probably already does make people believe that the websites they're on are safe, just because that padlock is there.

HTTPS doesn't guarantee anything beyond the network connection to the web server. How that server stores your data is up to the webmaster, and is not something an end user would have any clue about (save for a site being compromised and this data being revealed to be insecurely stored, etc.). I used to work for an ISP and one of the websites (one that sold expensive jewellery) stored people's full credit card numbers, CVV, etc. in an Access database...

From a technical point of view though there is no reason nowadays not to put the whole website under HTTPS. It will perform faster than HTTP, is easier to maintain than a mixed content site, etc.
 
> Going back to the site improvements - how many people use chrome? I'd ask how many still use a laptop. I've not yet used my laptop to buy any pinball products - but spent hundreds on my mobile already and only had the game for a month.
>
> Design for mobile users first, and then think about desktop users second. If you're using Wordpress or similar just look for a 'responsive' theme - this will mean it works nicely on a mobile.

Traffic on our network is 5:1 laptop to Mobile - so I’d think quite a lot! But I agree in having a website that works well in all devices.

Neil.
 
> Traffic on our network is 5:1 laptop to Mobile - so I'd think quite a lot! But I agree in having a website that works well in all devices.
>
> Neil.

Hi Neil, is the 'network' a corporate network or are you referring to the forum? Consumer mobile web traffic is now well above desktop in the U.K., but corporate scenarios and ones where there is only a desktop site will always skew figures. If it is referring to the forum, is that accounting for traffic via the app? I would expect not, but there are always surprises!


 
> Hi Neil, is the 'network' a corporate network or are you referring to the forum? Consumer web traffic is now well above desktop in the U.K., but corporate scenarios and ones where there is only a desktop site will always skew figures. If it is referring to the forum, is that accounting for traffic via the app? I would expect not, but there are always surprises! :)

Where do you get your numbers from? I strongly disagree!

I run technology at BT and between our U.K. network, global network and mobile network I have a very good view.

I’m using MAC addresses to determine what is a laptop.

Cheers
Neil.


 
http://www.telegraph.co.uk/technology/2016/11/01/mobile-web-usage-overtakes-desktop-for-first-time/ (and several others reporting the same data) will tell you that global traffic is now higher on mobile. But it will also say that in the U.K. it's still less than 50%, but that's because the stats don't include app usage and do include the 9-5 Mon-Fri corporate traffic. Factor that in, as we are predominantly interested in consumer traffic, and it's a foregone conclusion that a consumer-facing website will receive more hits from mobile than desktop (I worked agency-side for the last 7 years so saw this change slowly happening; even corporate FTSE250s saw more mobile traffic at weekends). But you are also correct: total unfiltered U.K. traffic is still higher on desktop (as the article also proves).


 
Sadly doesn’t correlate with what the network tells me and I know what I’d believe!

Neil
 
It depends how you measure it as well.

I would wager a small sum that there are more *numbers* of mobile users, but the desktop users are business and power users, and they all suck up WAY more bandwidth than the mobile users, as mobile users are metered and apps and websites are conscious of this, while for desktop usage there is no concern at all for excess size.

Plus, then consider there are no mobile BitTorrent users...
 
> Plus, then consider there are no mobile BitTorrent users...

Could I be the only one? Highly doubtful. In fact, placing uTorrent on my better half's phone has now stopped the constant requests for Grey's Anatomy every Thursday.
 