Last Updated on
Website security. It’s a matter of vital importance to those of us who own websites, and yet a lot of people don’t really understand what makes a website secure or not secure.
Today we speak with our friend, Monzurul Haque, who owns the web hosting company Fifohost, for answers to this often misunderstood concept of how exactly your website becomes and then stays secure.
Use the following table of contents to navigate this post a little more efficiently, if you don’t feel like reading the full transcript of our conversation:
Table of Contents
- What makes a secure website, basically?
- SSL Certificates / HTTPS Protocol
- Toughening up your security protocols
- Brute force attacks
- Final thoughts on website security
Let’s dive right into things, here!
The Basics of Website Security (Intro)
YHSW: What makes a secure website, basically?
Monzurul: For starters, if a website has SSL, and the web server is configured properly, by maintaining standard security measures, then this denotes a secured website.
Another point to mention is that if the website is dynamic and has a good coding standard, this always helps. Otherwise, there will always be a risk of leaking data and compromising the whole site.
YHSW: What’s a good coding standard?
Monzurul: Maintaining code structure and logical implementation so that it never exposes things that’s not intend to be public. No outside database manipulation by MySQL injection as such.
SSL Certificates / HTTPS Protocol
YHSW: Let’s talk more about the SSL. This is a digital certificate?
Monzurul: Yes, and it’s known as Secure Sockets Layer, and it ensures that the transfer of data between server and browser is secure, allowing no middleman/bot to interfere and retrieve the data.
YHSW: How does it do this?
Monzurul: It is an underlying technology that works on the network level, while transferring data when user inputs any data into their browser, and then starts sending the data from the browser to the server. First, the data transfers from the browser which has been encrypted, and then the same thing happens from server to browser.
YHSW: This is related to the HTTPS protocol, right? As in, the SSL certificate?
Monzurul: Yes, exactly.
YHSW: So how does the SSL relate to the HTTPS protocol exactly? in my experience, I simply turn “on” the SSL in hosting and then HTTPS is active. Is it really that simple?
Monzurul: SSL indicates that the site/domain is using HTTPS protocol. And no, most of the time enabling the SSL certificate is a little more involved than you describe.
YHSW: What is needed to enable the SSL…and who controls its operation?
Monzurul: Basically, you need to buy a valid SSL certificate from well know SSL providers such as globalsign, comodo etc.
Then, you need to go though with some processes to generate the SSL certificate, at which point it will need some input from you and from the server.
Based on that interaction, you will get an SSL certificate, and then from there, you would need to install that certificate itself on the server.
YHSW: So is this another case of the re-seller phenomenon at work? I say this because with most web hosts that I know of, they use Let’s Encrypt or some handy tool as such.
In other words, some sort of all-in-one SSL solution, so that it simplifies the process to be either “turn on SSL” or “turn off SSL”, and all the SSL business is taken care of from there.
Monzurul: These days, you might have heard about “Let’s encrypt” certificate and the non profit organization who provides free SSL certs and some tools will make your life so much easier and clicking a button will do all the things I mentioned above.
YHSW: So is there a difference in quality with different SSL’s then? For example, free vs. purchased ones.
Monzurul: Yes, most known hosting companies / ssl sellers just resell certs from globalsign, comodo etc…So, then, yes there is.
YHSW: Oh, I see. Like what?
Monzurul: With paid and costly SSL certs you will see a greenbar with the designated company name which indicates more trust worthiness to both user and search engine.
YHSW: Ah, I see. But still I wonder, what makes that SSL better, though? Technically speaking, is there just better code behind it?
Monzurul: No. It’s just to point out to users and search engines that the SSL certificate user has gone through a longer and more complicated verification process, which then denotes better user data safety.
However, with the free SSL like Let’s encrypt, you will have almost same kind of security. Of course, nobody is there to back you up, if something bad happens.
YHSW: Hmm, I see. So, does that kind of freebie SSL really provide much security then for a website? I think most people who have websites are barely even aware of HTTPS protocol or SSL, and that’s why many people don’t have them integrated. Your average person just isn’t that aware of these things.
Monzurul: Premium SSL certificates are a better choice for websites in which their reputation and revenue are a primary concern. Premium certificates ask for greater proof of ownership and that is reflected in their organized and extended validation. And, yes, lots of people are not aware of https/SSL.
YHSW: I may be repeating myself, but once again, who controls the certificate ultimately? I’d always assumed hosting was in charge of it, but I guess the people who offer them are, and you say, providing the hosts, who then pay for this service to then re-sell to users, which is then absorbed into your hosting fees?
Monzurul: Yes, the certificate is owned by the company you get it from. Not the host, but the company, even if you don’t know which company.
These days most people just know you can get free SSL using Let’s encrypt, and that’s good enough. But for serious ecommerce sites, people go with premium SSL certs because more is at stake.
YHSW: So, if you have HTTPS active, even if it’s lower quality, it still can do the job of having no hackers jump onto your data stream. Is this true?
Monzurul: Yes, if there is no HTTPS, then people can intercept your communication with different sites, which is obviously not good.
YHSW: For instance, you mean that if I go to a café, and everyone is using their shared wifi, your data will be protected as long as you are visiting an HTTPS site. Otherwise, someone can hack you? Hackers love cafés!
Monzurul: Yes, exactly.
YHSW: Otherwise, hackers have to do things like parking their white van in front of my house and wait for me to surf the web.
Monzurul: The point is, if you log in to a non SSL/https site, they might get your login access, if they are within range.
YHSW: How exactly would they do that? I mean, how can a guy sitting across the room in a café use his computer to suddenly jump onto my data stream and see what i’m doing on my computer?
Monzurul: Just because there’s no HTTPS on a website, and that gives a hacker the chance to do it. Because in that case, you will just be sending plain data and there are some tools that can interpret data while you are transferring it.
YHSW: Are these tools legal? Or illegal and specific to hackers only?
Monzurul: They are illegal and used by hackers mostly.
YHSW: Hmm, I see. So, if i’m on a host who offers Let’s Encrypt, but I want premium, can I just go to someone who offers premium and install it myself rather than go through my host?
Monzurul: Yes, you can. You have that freedom even if you are in a shared hosting situation.
YHSW: Ok, one more thing about SSL. I understand the “secure” part, but what’s a socket layer?
Monzurul: Well, it’s very technical actually, but basically it just denotes a type of core data transportation.
YHSW: Alright. So then, what else helps with security for a website besides adding the SSL?
Toughening Up Your Security Protocols
Monzurul: The second major point worth mentioning about website security is that your hosting environment should follow good security protocols.
Although, if you are in a shared hosting environment, you sometimes don’t have access to these things. That said, I’d say that most shared hosting providers actually do have good security practices on their servers.
But, for vps/cloud/dedicated hosting you should best toughen up your security configuration.
This means, with regards to your SSH protocol, close unnecessary ports using a firewall, and also block bots trying to brute force login attempts. You can also apply security patches, and there’s many more options as well.
YHSW: SSH? What does SSH protocol mean exactly?
Monzurul: It’s a way to login to Linux servers, and you need to have some restrictions in place, otherwise it can and will get compromised.
YHSW: SSH means?
Monzurul: Secure Shell.
YHSW: What kind of restrictions?
Monzurul: For example, changing default SSH port to something else, and restrict the number of times user can try to login, etc.
YHSW: And by “compromised”, you mean basically hacking in?
YHSW: I wonder – Is it more likely for a bot to try to hack in, or a person? For instance, I would assume it’s mainly bots trying to hack a website, not people.. is this true?
Monzurul: Yes, it’s most likely bots 99.9% of the time. A person doesn’t have that kind of patience, to try so many login attempts.
YHSW: To be clear, the internet is full of bots, correct? Many millions or even billions. And so I would assume that all websites are under threat of bots at one time or another, right?
Monzurul: Yes, they are. Bots are always out there, and they are always getting smarter when it comes to hacking and also spamming.
YHSW: For instance, say you left your website completely unguarded. No protection at all. Would a bot come to that website because a) somehow it knows it’s unguarded, or b) it was coming for you anyway and you happen to be unguarded. Basically, can bots detect unguarded sites?
Monzurul: The answer is B. Bots/hackers will try to find a way in, and they are always circulating around, looking for any unguarded site on the web that they can find.
YHSW: Do you know how many bots on average are coming to any given website in a given period of time?
Monzurul: To be honest, I don’t have a good idea about that, as it generally varies based on the website’s own popularity at any given time.
YHSW: I see. Is repeated logins the only way for a bot to break in?
Monzurul: No, there are lot of ways for bots to gain access. Such as, a MySQL injection in order to get to the main database.
YHSW: When a hack attempt is made, does a secure website know there is an attempt being made, or it simply prevents that attempt from being made?
Monzurul: It simply tries to block the attempts when they are being made.
YHSW: So, then, does the security system for a website somehow keep a record of these attempts somewhere?
Monzurul: Yes, there will be logs about each and every attempt.
YHSW: Can you define a firewall when it comes to website security?
Monzurul: A firewall prevents unusual activities by blocking ports, and also the IP address from the attacker.
YHSW: Is there software to create a firewall or does the host or web developer need to code it themselves?
Monzurul: There are various softwares on the OS level of things.
YHSW: Does every host offer a firewall? Can a webmaster make their own firewall?
Monzurul: Every host offers a software firewall, but there are some advanced types of firewalls that get installed directly into an internet gateway/router. A webmaster can only manage an OS based firewall if he/she has admin access, it should be said.
YHSW: What are some of the good firewall software names?
Monzurul: iptables and Firewalld are the core OS-based firewall softwares. There are some third party softwares too, such as Config Server Firewall, which basically uses iptables to create the firewall rules.
YHSW: Which do you use over on your own web hosting service?
Brute Force Attacks
YHSW: What is a brute force attack on a website?
Monzurul: A bot/hacker tries to guess the password by using computer generated passwords is known as a brute force attack.
YHSW: Would the bot just keep guessing forever, unless it is stopped?
Monzurul: Yes. That’s where the firewall restriction comes effective.
YHSW: You were mentioning before closing “ports”.. what is a port exactly?
Monzurul: In this context of a website, a port is like a door. You enter into the website through ports, same as you enter into your home through a door.
We should note that every website use port 80 by default in the server to serve the website content to the visitor. When you put a domain name in url bar it goes to the server and looks into port 80 for the website content.
YHSW: Why port 80?
Monzurul: It’s a standard. I mean that’s the port number everyone agreed upon while setting the protocol.
YHSW: What do the other ports do?
Monzurul: They have their designated work, and there are a lot of ports, for the record.
YHSW: So, if i have 5 visitors, they all enter via port 80?
Monzurul: Yes, and unless you don’t take any security measures for that port then hackers will exploit that port.
YHSW: Hm, so the difference between a hacker and a normal user is just that a hacker tries to log in, right?
Monzurul: Yes, hackers are always trying to exploit while normal users just visiting the site, browsing content generally.
YHSW: Ok then. So, overall, port 80 is the most important port of them all?
YHSW: Ok then. Hackers can’t enter via port 79?
Monzurul: No, it’s not a open port by default.
YHSW: Oh, I see.
Monzurul: If you open that port and don’t take any security measure for that port then hackers will exploit that port too.
YHSW: So, if I am making my own server and website, can I go against the rules and choose a different port?
Monzurul: No, you can’t. All browsers are set to look for port 80. You can’t do anything about that.
YHSW: Do you think it’s more the responsibility of the host to provide a secure connection and protect webmasters, or is it more the responsibility of webmasters to make sure they have done everything to make sure their websites are secure?
Monzurul: It’s both. Both should do their part right to prevent any wrong doing.
YHSW: I’d say webmasters are more naive than hosts, wouldn’t you? Less experienced with matters of security.
YHSW: What do you think about comment spam? Is it dangerous?
Monzurul: No, they are not. It’s just useless and creates inconvience for the webmaster. However, if you approve a lot of spam comments, that can be dangerous if you do it a lot. It creates bad connections to other bad IP’s from bad websites.
YHSW: Is there anything else we should talk about regarding making your website more secure?
Monzurul: I think we’ve covered a lot for now!
YHSW: Ok, thanks Monzurul.
Monzurul: Thank you.