My company reads my secure web traffic

We’ve all been told that we should use websites that encrypt their traffic. We should look for the https:// at the start of the address to make sure the site is secure and give us peace of mind. But what if your company was still monitoring your web use, even though it was secure?

If you work in a medium to large sized organisation, then there’s a fair chance that you access the internet through a proxy service. This is a server that routes (and often restricts) web traffic in such a way as to protect the corporate network – and maybe minimise staff wasting half their day on Facebook!

But with encrypted sites (where the URL begins with https://) a lot of people assume that their employer can see which site they are visiting, but not what they are reading, writing or downloading. That isn’t necessarily the case.

Increasingly companies are implementing a feature called SSL Interception (also known as TLS interception or HTTPS inspection).

When you visit a site – for example https://securesite.com/ – you would normally assume that the owner of securesite.com is the one holding the SSL certificate (and its private key) that is used to encrypt the traffic between your browser and the web server.

However, with SSL Interception the company’s proxy server generates its own certificate for each site that its employees visit, signed by a certificate authority (CA) that the company controls. So when someone accesses https://securesite.com/ at work, their browser’s encrypted connection actually ends at the proxy, using the proxy-generated certificate – and as such, the proxy server can decrypt, examine and log what’s going back and forth. The proxy then opens its own separate encrypted connection to the real website and passes the traffic on. The browser accepts the substitute certificate without complaint only because the company has installed its CA certificate in the trusted root store of the computers it manages, which is why this generally works on a work laptop and not on a device the company doesn’t control.

Most of the time employees don’t even notice the difference because the site still looks secure in their browser. They only find out that it’s happening if a problem occurs with the proxy server’s certificate – either that the company lets it go out of date or it’s wrongly configured – and people start seeing errors in their browser.

The only sure way to tell if SSL Interception is happening is to examine the certificate and see who issued it. You can do this in Chrome by clicking on the padlock symbol to the left of the address bar, and then click on ‘certificate’ on the popup screen.

Look at the ‘Issued by’ field rather than ‘Issued to’: even an intercepted certificate will say it is issued to securesite.com, because the proxy copies the site’s name into the certificate it generates. If ‘Issued by’ names a public certificate authority (the kind a site would buy a certificate from, or get free from a provider like Let’s Encrypt), your traffic isn’t being intercepted in this way. But if it names your employer, or your employer’s proxy product, then they are decrypting and can read your web traffic. A useful cross-check is to look at the same site from a device on your home network and compare the two ‘Issued by’ values.

And as long as your employer mentions in a computer usage policy or similar that they reserve the right to monitor all web traffic, this is perfectly legal in most parts of the world.
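The ‘Issued by’ check above can also be scripted, which is handy if you want to test a list of sites or keep a record of what your work machine sees. The script below is an added example written for this post, not a tool from the page; it uses only the Python standard library. The two sample certificates are constructed dictionaries in the shape that ssl.SSLSocket.getpeercert() returns, and the site, CA and employer names in them (securesite.com, Example CA Ltd, Acme Corp) are made up, as is the idea that you know what your employer’s CA calls itself.

```python
"""Check who issued the certificate your browser is actually seeing.

Added example for this post; it is not a tool from the page. The live
check uses only the Python standard library. The two sample certificates
are constructed dictionaries in the shape returned by
ssl.SSLSocket.getpeercert(); the site, CA and employer names in them are
made up.
"""
import socket
import ssl

# Constructed sample: what a normal, unintercepted connection would show.
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "securesite.com"),),),
    "issuer": (
        (("countryName", "IE"),),
        (("organizationName", "Example CA Ltd"),),
        (("commonName", "Example Public CA R1"),),
    ),
}

# Constructed sample: the same site seen through an intercepting proxy.
# The subject is still securesite.com; only the issuer gives it away.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "securesite.com"),),),
    "issuer": (
        (("organizationName", "Acme Corp"),),
        (("commonName", "Acme Corp Web Proxy CA"),),
    ),
}


def _field(name, key):
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuples
    that getpeercert() uses for the 'subject' and 'issuer' entries."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarise(cert):
    """Return (issued_to, issued_by) the way a browser's viewer labels them."""
    issued_to = _field(cert["subject"], "commonName")
    issued_by = _field(cert["issuer"], "commonName") or _field(cert["issuer"], "organizationName")
    return issued_to, issued_by


def looks_intercepted(cert, employer_keywords):
    """True when any employer/proxy keyword appears anywhere in the issuer name.
    employer_keywords is supplied by the user (e.g. ["Acme Corp"]); this
    example assumes you know what your employer's CA calls itself."""
    issuer_text = " ".join(value for rdn in cert["issuer"] for _, value in rdn).lower()
    return any(k.lower() in issuer_text for k in employer_keywords)


def issuer_differs(cert, reference_issuer_cn):
    """Compare the issuer with the one recorded for the same site from a
    network you trust (e.g. home). CAs do rotate intermediates, so treat a
    difference as a prompt to look closer rather than proof on its own."""
    return _field(cert["issuer"], "commonName") != reference_issuer_cn


def fetch_cert(host, port=443, timeout=5):
    """Live check: fetch the certificate this machine would accept for host.
    If the employer's root CA is installed in the OS trust store, validation
    succeeds silently here just as it does in the browser, which is exactly
    why the issuer is the only reliable tell."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:                   # e.g. python check_issuer.py securesite.com
        cert = fetch_cert(sys.argv[1])
    else:                                   # offline demo on the constructed sample
        cert = INTERCEPTED_CERT
    to, by = summarise(cert)
    print(f"Issued to: {to}\nIssued by: {by}")
    if looks_intercepted(cert, ["Acme Corp"]):
        print("Issuer matches your employer's CA: traffic is being intercepted.")
```

Run it with a hostname on the work machine and again at home; if the ‘Issued by’ line changes between the two networks, the work network is substituting its own certificate. The fetch_cert function deliberately uses the default trust store rather than disabling validation, because the point is to see exactly what the browser on that machine would accept.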

SiteGround web hosting Black Friday sale

I got a notification today that SiteGround, the web hosting company that I use to host all my sites, are having a Black Friday sale with discounts of up to 75% off their hosting plans.

The discounts apply to their shared hosting plans, and are available from Friday 23rd to Monday 26th November 2018 inclusive, and might be worth looking at if you’re in the market for new web hosting.

I’ve been with them since February this year and have been very happy with their service – in particular the way they optimise performance of WordPress websites. My sites load so much more quickly than they did with my old host, and the integration with free SSL cert provider Let’s Encrypt is also welcome.

As a caveat, I would say that SiteGround already heavily discount their hosting plans all year round. Their standard discounts tend to be around the 65% mark, and so this Black Friday sale has to be seen in that context.

To make the most of this discount you need to consider if you can afford to prepay for your hosting for a number of years. If you are willing to pay for 2 or 3 years in advance, you will pay the discounted price for the whole of that period. But at the end of the discount period you go back to paying full price, which can be a big price jump.

For example, the GrowBig plan at present is charged at £14.95 per month. It’s currently discounted by 66% to £4.95 per month. Presumably during the Black Friday sale, that price after the 75% discount will be even lower such as around £3.75 per month. If you signed up for 1 year, you’d be paying 12 x 3.75 plus VAT (at 23% in Ireland) which is a total of £55.35 (approx €64).

However after the discount period, to stay on the same plan would cost you £220.66 (approx €253) at full price for the next year. That’s quite a hike, so it’s worth bearing this in mind before you sign up – particularly if you don’t relish the prospect of moving hosting providers again next year.

This isn’t the greatest sales pitch, but I prefer to be honest and up-front with people so that they are going into something with their eyes open. And along those lines I’d also like to declare that clicking on any link to SiteGround in this post has the potential to earn me referral income.

Mobile first design

When designing a blog it’s easy to think only about how the site looks on the big monitor attached to your desktop computer. After all, that’s the tool we use to maintain our blogs.

But if ever you needed evidence that you need to prioritise mobile devices, take a look at these statistics from another site of mine:

The table shows:

  • 78% of pages are viewed using smartphones
  • 14% of pages are viewed via desktop computers
  • 8% of pages are viewed using tablets

Almost 4 in 5 of all visitors are coming to my site using a smartphone. That could mean that they’re viewing my site in a completely different way than I am on my desktop computer.

For instance, all the links to other pages and advertising that shows as a column on the right of the page on the desktop are instead at the bottom of the page on mobile – and so it’s a lot less prominent to those visitors.

In order to address this we need to adopt a mobile-first attitude to design. We need to think about how a site looks on a smartphone ahead of the desktop.

A good responsive design will help – but we also need to check how the design moves content around once the screen size shrinks. That’s why I’m beginning to check everything on my smartphone just as often as I use the laptop.

6 Ways to Improve the Performance of your WordPress Blog

How fast does your WordPress blog load? Have you tested performance on mobile as well as desktop? Did you know that performance is one of the metrics that Google uses to rank sites?

When talking about performance it’s important to remember that around half of all traffic these days comes from mobile devices, and these devices can often be on limited data connections. So when you look at site performance (as with web design these days) you should adopt a mobile-first strategy.

I used a tool https://testmysite.withgoogle.com/ to check on the performance of my WordPress blog, and it reported that my site takes 7 seconds to load over a 3G connection – which apparently results in me losing a quarter of visitors that simply give up before the site ever loads!

Google has a goal that its sites should all load within half a second. That level of performance might not be achievable for everyone, but we can all do better.

So how do you optimise your WordPress site to load more quickly?

1. Keep pages small

A testing tool like GTmetrix can tell you how fast your page loads, and how big your page is. If you are loading lots of images, videos and scripts, then the size of your site could be huge – and therefore slow – without you realising it.

My site comes in at just over 1MB which is actually pretty good. If yours is more in the range of 3-5MB (or even more!) then you need to start thinking about page size.

Reduce the number of posts displayed on your page. Do you really need to show 10 posts at a time? I have my site set to only show 5 posts at a time, and by halving the number of posts I also halve the page size!

Also think about whether you need all the content served from 3rd-party sites, such as Facebook or Twitter, that could be slowing down your site. Every such script is also code you don’t control running in your visitors’ browsers, so it’s worth knowing exactly what your pages pull in.
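One way to find out what a page actually pulls in is to save its HTML and count the resources by host. The script below is an added example written for this post, not a tool from the page or from GTmetrix; it uses only the Python standard library. The HTML it parses is constructed for the demo, and the hosts in it (myblog.example, cdn.example-ads.net and so on) are made up.

```python
"""Inventory the resources a page loads, grouped by host.

Added example for this post, not a tool from the page. It parses saved
HTML with the standard library and reports every script, stylesheet,
image, iframe and video source, flagging the ones served from somewhere
other than your own site. The HTML below is constructed for the demo;
the hosts in it are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: three own-site resources, three third-party ones.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="https://platform.example-social.com/widgets.js"></script>
<script src="/wp-includes/js/jquery.js"></script>
</head><body>
<img src="/wp-content/uploads/2018/11/hero.jpg">
<img src="https://cdn.example-ads.net/banner.png">
<iframe src="https://www.example-video.com/embed/abc"></iframe>
<a href="https://example-host.com/">not a resource</a>
</body></html>"""

# Tag -> attribute that names the thing the browser will download.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "video": "src", "source": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every downloadable resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only <link> tags that fetch something count (stylesheets, preloads).
        if tag == "link" and attrs.get("rel") not in ("stylesheet", "preload"):
            return
        url = attrs.get(attr)
        if url:
            self.resources.append((tag, urljoin(self.base_url, url)))


def inventory(html, base_url):
    """Return {host: [(tag, url), ...]} for every resource the page loads."""
    parser = ResourceCollector(base_url)
    parser.feed(html)
    by_host = {}
    for tag, url in parser.resources:
        by_host.setdefault(urlparse(url).netloc, []).append((tag, url))
    return by_host


def third_party_hosts(html, base_url):
    """Hosts other than the page's own: each one is a performance cost and
    code you do not control running in your visitors' browsers."""
    own = urlparse(base_url).netloc
    return sorted(h for h in inventory(html, base_url) if h != own)


if __name__ == "__main__":
    base = "https://myblog.example/"
    for host, items in inventory(SAMPLE_HTML, base).items():
        marker = "" if host == urlparse(base).netloc else "  <-- third party"
        print(f"{host}{marker}")
        for tag, url in items:
            print(f"    {tag:7} {url}")
```

Point it at the saved HTML of your own home page (with your real base URL) and every host that isn’t yours is a candidate for removal, or at least for asking whether the feature it provides is worth the extra requests.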

2. Minify your code

Use code minifying plugins such as Autoptimize to reduce the size of your HTML, JavaScript and CSS files by removing unnecessary whitespace and comments from the source code. It won’t have any effect on the way your page looks, but it will reduce the size of the files being served.

3. Optimise images

A picture paints a thousand words, but it can also slow you down!

Loading lots of large images can be one of the primary causes of poor site performance. So consider the number and size of any images you display. Obviously for a photographer’s portfolio site you’re going to need to show large high-quality images – but you don’t need to show them all on one page.

Use a plugin such as Smush to automatically optimise images as you upload them to your site. It will reduce the file size of your images without losing any of the quality.

4. Eliminate unnecessary plugins

It’s tempting to keep installing more and more plugins to help add new features to a site – but every time you add a new plugin, it’s more code for WordPress to have to run before it can render your site. So have a clear out and get rid of any plugins you don’t need.

It’s also a good idea to minimise the number of plugins and themes you have installed for site security. Each one is third-party code running with the same privileges as the rest of your site, and each one from a different author is another potential source of vulnerabilities that needs keeping up to date. Delete unused plugins and themes rather than just deactivating them: a deactivated plugin’s files remain on the web server and can still be reached directly, so a flaw in them can still be exploited.

5. Select your hosting account carefully

Not all hosting providers are the same, and although most will allow you to run WordPress from your account the performance of sites can vary wildly from one host to another.

If you’re shopping around, look at hosts that have specific WordPress optimised hosting. I like SiteGround as they have optimised their hosting to serve WordPress sites as fast as possible.

And if you’re getting a lot of traffic to your site, then ditch the shared hosting and get your own virtual or cloud server. It will give you a lot more resources to serve a lot more people at once.

6. Upgrade PHP

PHP is the programming language that WordPress is written in, and many hosting providers still use an older version of it by default. However, if your host allows you to switch to a newer version (or they can do it for you) then your site will get a good performance boost, and you will keep receiving security fixes: PHP 5.6 stops receiving security updates at the end of 2018.

According to Zend’s benchmarks, WordPress performance roughly doubles when upgrading from PHP 5.6 to version 7!

Source: http://www.zend.com/en/resources/php7_infographic

Password length for my eir

While many online portals are embracing two-factor authentication and other security best practice, our telecoms utility eir seems determined to stop us using good quality passwords.

As you can see from the screenshot below, the self-service portal my.eir.ie doesn’t allow users to set passwords longer than 10 characters.

The error message on screen also tells anyone (including potential attackers) that every password on the system is between 6 and 10 characters. That is a real help to anyone attempting a brute-force or offline cracking attack, because they can skip every candidate outside that range – and the hard cap of 10 is the bigger problem, since it rules out long passphrases entirely and keeps the total search space small.

This is a shocking example of bad security by design, carried over from the old Meteor self-service portal. Someone at some time in the past chose to limit password length, which forces people to use short, insecure passwords. There is no good technical reason for such a cap: a properly hashed password takes the same amount of storage whatever its length.
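To put numbers on the two points above, here is an added example written for this post (not code from the eir portal, whose internals I know nothing about). It computes how much search space a known ‘6 to 10 characters’ rule leaves an attacker, assuming a 94-character printable-ASCII alphabet, and shows a password policy that enforces a minimum only and hashes with a fixed-output KDF so storage never needs to cap the length. The 12-character minimum and the 256-character upper bound are assumptions for the example, not anything the portal uses.

```python
"""What a '6 to 10 characters' rule costs, and what a sane policy looks like.

Added example for this post, not code from the portal described. Two
things are shown: how much search space a known length range hands an
attacker (assuming a 94-character printable-ASCII alphabet), and a policy
that enforces a minimum length only and hashes with a fixed-size KDF so
storage never needs to cap the length. The 12-character minimum and the
256-character bound are assumptions, not anything the portal uses.
"""
import hashlib
import hmac
import math
import os

PRINTABLE_ASCII = 94  # assumption: printable ASCII without the space character
PBKDF2_ROUNDS = 100_000


def keyspace(min_len, max_len, alphabet=PRINTABLE_ASCII):
    """Number of candidates an attacker must try once the length range is known."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def keyspace_bits(min_len, max_len, alphabet=PRINTABLE_ASCII):
    """The same search space expressed in bits, for comparison with key sizes."""
    return math.log2(keyspace(min_len, max_len, alphabet))


def check_policy(password, min_len=12, max_len=256):
    """Minimum length only. The generous max_len exists to bound how much
    work the KDF below can be made to do per login attempt, not to save
    storage. Returns (ok, reason)."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(password) > max_len:
        return False, f"longer than {max_len} characters"
    return True, "ok"


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 from the standard library. The digest is always 32
    bytes, whether the password is 6 characters or 200, so there is no
    storage reason to cap the length."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    print(f"6-10 chars, range known:  {keyspace_bits(6, 10):.1f} bits")
    print(f"12-64 chars, range known: {keyspace_bits(12, 64):.1f} bits")
    for pw in ("short1", "correct horse battery staple", "x" * 300):
        print(pw[:20].ljust(20), check_policy(pw))
    salt, digest = hash_password("correct horse battery staple")
    print("digest length:", len(digest), "bytes")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

The whole 6-to-10 range amounts to a little under 66 bits of search space even if every character were chosen at random, which real passwords never are; allowing up to 64 characters takes the ceiling past 400 bits. Meanwhile the stored digest is 32 bytes in every case, which is the point: the cap protects nothing on the server side.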
