Started by Admin in Ski Chatter 19-Jun-2015 - 4 Replies
It's that time of year when we at J2Ski are hunkered down in the bat-cave, avoiding the scourge of sunshine and waiting for the days to get shorter again...
Being the fun people we are, we use this time to dive deep into the technicalities of our websites and we go poking around the Internet to see what we can do better. Yep, the evenings just fly by... but today we're looking at (your) security.
To get to the point - are the ski websites you use secure? And does it matter?
To answer the second question first...
If you ever login to a website, using a username and password, then yes, it matters. Your password goes from your browser to the website, but it doesn't go straight there. It bounces around the Internet, from one server to another, until it eventually gets where it should. A secure website will make your browser encrypt your password before sending it, but a non-secure site won't. If you use a public Wifi service then it's worse; your password is almost literally floating around in the air and can be very easily sniffed by anyone else using that Wifi.
So, who cares if someone nicks your password for dodgychat.com? Well, provided you use a different password for every website you use, then your risk is limited to someone accessing your account (reading everything you've saved there, and impersonating you) on that site and if you can live with that then fine. ...you do use a different password everywhere don't you?
Now, would you like that password encrypted or not?
Better check that your favourite website's secure then.
How to (start) seeing if the site's secure, step 1. This is easy :-
- if the address of the website starts with https: (note the 's' - for SECURE), then the data you send from your browser to the website is encrypted and difficult to intercept and tamper with (this is an SSL connection).
Almost all browsers use a padlock symbol to indicate an SSL connection, with many now highlighting the address bar in green to show a confirmed certificate.
- if the address of the site starts with plain old http:, then no encryption is used and your password is sent bouncing around the Internet in plain, clear text. So anyone with access to any of those servers between you and the final website, or sharing that public wifi with you, can "sniff" (read, copy and take home!) your password.
So, if it's just http: then it's not secure, BUT BUT BUT...
Some secure sites are more equal than others
Unfortunately, https: is just the first step. There are a range of "protocols" that can be used to secure connections, and many older ones are now compromised (vulnerable). There is much that can be done to secure a website... but, to be frank, many webmasters can't be bothered.
We ran a few tests and, honestly, there are some well-known ski sites out there that really should be better looked after. So we're going to name and shame!
One of the most comprehensive security tests available on the Internet is that available at SSL Labs - you can test any website using this link - https://www.ssllabs.com/ssltest/
SSL Labs check a huge range of protocols and potential vulnerabilities before spitting out an overall (and detailed) assessment.
Here are some results...
Top of the class is, yes, J2Ski.Com, with full-time SSL
SSL Labs wrote: Secure - Graded A+ - https://www.ssllabs.com/ssltest/analyze.html?d=j2ski.com
SkiClub.co.uk - mainly http, but https when logged in
SSL Labs wrote: "obsolete and insecure" - Graded C - https://www.ssllabs.com/ssltest/analyze.html?d=skiclub.co.uk
SnowForecast.Com - mainly http, but https when logged in
SSL Labs wrote: "vulnerable and exploitable" - Graded F - https://www.ssllabs.com/ssltest/analyze.html?d=snow-forecast.com
Crystalski.Com - http
SSL Labs wrote: Not Trusted - Graded M - https://www.ssllabs.com/ssltest/analyze.html?d=crystalski.com
SkiAndSnowboard.co.uk - http
SSL Labs wrote: Not Trusted - Graded M - https://www.ssllabs.com/ssltest/analyze.html?d=skiandsnowboard.co.uk
Snowheads.com - http
SSL Labs wrote: Not Trusted - Graded T - https://www.ssllabs.com/ssltest/analyze.html?d=snowheads.com
We'd obviously be pleased to hear from any of the above, and even more pleased to hear if they start putting things right...
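The post's two checks (does the address start with https, and does the site's TLS setup use a current protocol with a trusted certificate) can be reproduced in a few lines. The following is an added example, not J2Ski's code and not the SSL Labs scanner; it uses only Python's standard ssl module. The verdict labels ("obsolete", "modern") and the assess() result keys are this example's own naming, and the default context's CA store is the one installed on the machine running it.

```python
"""Minimal version of the checks the post describes: address scheme, negotiated
TLS protocol version, and certificate trust/hostname match. Added example only."""
import socket
import ssl
from urllib.parse import urlparse

# Protocol versions that SSL Labs and current browsers treat as obsolete or broken.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def scheme_verdict(url: str) -> str:
    """Step 1 from the post: only an https address encrypts the login in transit."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return "encrypted"
    if scheme == "http":
        return "clear text"
    return "unknown scheme"


def protocol_verdict(version: str) -> str:
    """Classify the protocol string reported by SSLSocket.version()."""
    if version in MODERN_PROTOCOLS:
        return "modern"
    if version in OBSOLETE_PROTOCOLS:
        return "obsolete"
    return "unknown"


def strict_context() -> ssl.SSLContext:
    """Client context that refuses obsolete protocols and insists on a trusted,
    hostname-matching certificate (the failure modes behind the C, T and M grades)."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context enforces all three properties strict_context() sets."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def assess(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the strict context and report what the handshake negotiated.
    Needs network access, so it is not exercised offline."""
    result = {"host": host, "trusted": False, "protocol": None,
              "verdict": None, "expires": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                # Reaching here means the chain verified and the hostname matched.
                result["trusted"] = True
                result["protocol"] = tls.version()
                result["verdict"] = protocol_verdict(result["protocol"])
                result["expires"] = tls.getpeercert().get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, expired certificate or wrong hostname (the "Not Trusted" cases).
        result["error"] = f"certificate not trusted: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Typically the server offers only protocols below TLS 1.2.
        result["error"] = f"handshake failed: {exc}"
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    for url in ("https://j2ski.com/", "http://example.invalid/login"):
        print(url, "->", scheme_verdict(url))
    # Hostname below is a placeholder; substitute the site you want to check.
    print(assess("example.invalid"))
```

A result with trusted=True and verdict="modern" is the rough equivalent of the A range in the post; an SSLCertVerificationError corresponds to the "Not Trusted" grades, and a handshake that only succeeds after loosening minimum_version corresponds to "obsolete". SSL Labs checks far more than this (cipher suites, known attacks, configuration details), so this is a first look, not a substitute for the linked test.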
Well, good and bad news; a couple of sites have shown that they can be bothered with your security, but there are still some that can't.
Props for improving their security go to :-
- The Ski Club, who now score a pretty secure A- (previously "obsolete and insecure") on the SSL Labs Test (links above).
- SkiAndSnowboard.Co.Uk, now scoring an A (previously "untrusted").
And loud boos, for no improvement, for :-
- Snow-Forecast, CrystalSki (who can't be bothered to use the right certificate!) and Snowheads.
To reiterate; when you login to a site without secure http (i.e. https), or with weak security, it's equivalent to writing your password on a postcard and sending it through the mail...
But how did you know about my subscription to dodgychat.com?
acarr wrote: But how did you know about my subscription to dodgychat.com?
Everybody knows about that...
- J2Ski have dropped a tick to A (from A+ last week!) - we'll get onto that!
- SkiClub still good at A-
- SnowForecast.com - still insecure at F*
- CrystalSki - get a T, potentially an A, but still have the wrong certificate setup AND have now let it expire. Bit slack there guys!*
- Skiandsnowboard.co.uk have improved to an A.
- Snowheads.com - still insecure.*
* If you ever login to any of the sites marked as insecure, you absolutely MUST NEVER use the same password that you use anywhere else (e.g. your online bank, your iCloud stash of celebrity pix etc.) AND you should change it regularly.
Reminder - How to tell if your connection is secure
Look at the address bar on your browser window; if there's a padlock then the connection is secure (using https) and if there isn't, or it has a strike through it then the connection is not secure.
When you login to a site using plain http, your password goes across the Internet in clear, unencrypted text and CAN easily be intercepted without you knowing.
Topic last updated on 07-October-2016 at 08:27