Security

Cloudflare and this website?


If you scroll to the very bottom of this page, or any page for that matter, you’ll see a new icon in my footer. It mentions Cloudflare. This should go under the lessons of server management, particularly website management.

Every so often you may run into the problem of getting “Dugg” or “Slashdotted”. Well, maybe not that often, but if you have a small home server like mine, it won’t handle that kind of traffic if it does happen. That’s a crucial point as a webmaster: your stuff is being read, and that’s a great feeling for anyone on the internet.

Cloudflare steps in where you might fail. Cloudflare caches everything on your website, and if your site goes down it serves the cached copy for you. No additional software installation and, more importantly, no hardware. All I had to do to set it up was change where my DNS was pointing. The only downfall to this method is that people on a subdomain won’t be able to take advantage. Sorry “mybestwebsite.hopto.org” or whoever. You have to own your own domain from GoDaddy or 1&1, or my favorite these days, Domain.com.

If the event does happen, here’s what the theory tells me. My server goes down. Cloudflare recognizes that and serves cached copies of my pages, seeing as it’s receiving all the traffic first. Then the server comes back online, and Cloudflare works with my server to get everything updated and good to go.

Let’s talk setup. What did it REALLY take to get it set up completely?

1. I signed up for a Cloudflare account. Easy and free.
2. I told it I wanted it to protect dethlefsmoreno.com.
3. It copied my existing DNS records into its system.
4. I went to my registrar and changed my nameservers to point to the Cloudflare DNS (provided at the appropriate time by Cloudflare).
5. Wait about an hour (times will vary depending on your DNS provider, registrar, etc). I got an email when it detected the DNS change, and there was no interruption in service.

What else does it do? It’s also supposed to stop bad people from getting to my website: Viagra spammers and so on. It also inserts my Google Analytics code into each page, regardless of what my website actually serves up, and tracks my visitors more accurately. Because I’m having them control the DNS settings (but not the registration or the hosting), they have the ability to do a lot more than the simple stuff that plugins for WordPress, Joomla, SMF, etc attempt to do.

I suggest giving this a try. Mileage will vary, as this is a low traffic website (for now), so I’d be interested to hear how it helps (or hurts) your website.


Protect yourself from phishing


Some ask, “What exactly is phishing? Isn’t that just sitting in a boat and drinking beer?” Sadly, no. In a perfect world, we wouldn’t need to know about phishing, nor protect ourselves against it. Phishing is an attempt to STEAL your password. Most phishing attempts are websites designed to look just like another site. Your bank’s login page, for instance, may be imitated by a phishing site. eBay and PayPal are common as well. They look just like the real thing, but instead of signing you into your account after you put your password in, they give you an error message like “Due to technical difficulties, we cannot sign you in.” or simply a white page. In the background, however, your password has been stored for someone to access and use against you for their own personal gain. Here’s a typical phishing attempt:

I receive an email from eBay saying I won a bid for an item, let’s say an Xbox 360, for 20 bucks. Great deal, right? I click the link in the email and am presented with a page in my browser asking for my username and password. I try to sign in, and it says that I have a bad password. Try again? Sure, I could have mistyped it. Nope… still not letting me in. Well, dang. Did I use a different password? I try all my normal passwords. Nothing. I click the reset password link, and it says “Sorry! Due to technical difficulties we cannot reset your password. Try again later.” Fine. I push it to the back of my mind, to be dealt with later.

Let’s think about this and derive how to protect ourselves from this attack.

1. I received an email, for an auction I did not partake in. RED FLAG. This is my first clue.
2. It’s a great item that I could easily get, but for much less than normal. RED FLAG #2. Xbox 360 for 20 bucks? Way too good to be true.
3. I clicked the link from the email, taking me to a page that looks like eBay.
4. I inserted my username and password, came back invalid multiple times.
5. I tried my other passwords that I may have used, thinking I was remembering the wrong one. The rest is pretty obvious.

Now, how to protect yourself from it. First, take everything in email with a grain of salt; don’t assume it’s true. Secondly, if it seems too good to be true, IT IS. Third, never click a link that was emailed to you. If the email is genuine, just go to the site it claims to be from by entering its address in your browser yourself. Go directly to ebay.com and sign in there. If it’s important enough, the site will tell you on first login. If you feel there still might be a chance of a problem, most websites protect themselves with security certificates signed by Certificate Authorities that the big browser vendors recognize. For instance, look at the following screenshots from Google Chrome:

Address bar: notice the green lock with the verified company’s name in it.
[screenshot: addressbarcert]

Clicking that lock provides something to this effect. It tells us the details and some technical information. Note this certificate is signed by VeriSign, a reputable Certificate Authority.

[screenshot: detailedcertchrome]

Clicking Certificate information on the bottom left of the above screen gives the below screen. Note it restates that the certificate was issued to signin.ebay.com and by VeriSign.
[screenshot: signdetails]

This proves that the page is unmodified and is what eBay intended. Keep in mind that the lock only vouches for the name shown in the certificate: a lookalike site can have a perfectly valid lock for its own name, so what matters is that the “issued to” name is the site you meant to visit. The only way for this to still result in identity theft is if an attacker got into eBay itself, which is outside of your control and highly unlikely (so I’d hope). That’s for another article.
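The two checks the browser makes before it shows that lock, written out as an added example (this is not code from the post): does the certificate name the host you meant to visit, and was it issued by a CA you recognize? The certificate dicts are constructed samples in the shape Python’s `ssl.SSLSocket.getpeercert()` returns; VeriSign is the CA from the screenshots above, while the lookalike domain is made up.

```python
# Added example, not from the post. Certificate dicts are constructed samples in
# the shape ssl.SSLSocket.getpeercert() returns; VeriSign is the CA named in the
# post, the lookalike domain is made up.
EBAY_CERT = {  # constructed: what eBay's sign-in page might present
    "subject": ((("commonName", "signin.ebay.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "subjectAltName": (("DNS", "signin.ebay.com"), ("DNS", "*.ebay.com")),
}
LOOKALIKE_CERT = {  # constructed: a lookalike site's own, CA-issued certificate
    "subject": ((("commonName", "signin.ebay.com.example-lookalike.net"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "subjectAltName": (("DNS", "signin.ebay.com.example-lookalike.net"),),
}
TRUSTED_CAS = {"VeriSign, Inc."}  # stand-in for the browser's root store

def name_matches(pattern, host):
    """RFC 6125-style match: one leading '*' stands for exactly one label,
    so '*.ebay.com' matches 'signin.ebay.com' but not 'ebay.com',
    'a.b.ebay.com' or 'signin.ebay.com.example-lookalike.net'."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    if pl[0] != "*" or "*" in p[1:] or len(pl) < 3:
        return False  # only '*.' as the left-most label, and never '*.com'
    return len(pl) == len(hl) and hl[0] != "" and pl[1:] == hl[1:]

def cert_names(cert):
    """Hosts the certificate is issued to: SAN DNS entries, else subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def issuer_org(cert):
    return next((v for rdn in cert.get("issuer", ())
                 for k, v in rdn if k == "organizationName"), None)

def check_site(intended_host, cert, trusted=TRUSTED_CAS):
    """(ok, reason): ok only when the cert names the host you meant to visit
    AND a recognised CA issued it. A valid cert for the wrong name is
    exactly what a lookalike site with its own certificate shows you."""
    names = cert_names(cert)
    if not any(name_matches(n, intended_host) for n in names):
        return False, f"issued to {names}, not {intended_host}"
    org = issuer_org(cert)
    if org not in trusted:
        return False, f"issuer {org!r} is not a recognised CA"
    return True, f"{intended_host} verified; issued by {org}"
```

Note that the lookalike certificate passes the issuer check; only comparing the “issued to” name against the host you typed yourself catches it, which is why the post tells you to read that field.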

Lastly, NEVER send your username and password to people through email. I can be your bank’s CEO if I word it just right in an email.

I hope that this helps someone in understanding how phishing works and how to avoid it. Please comment with any other tips or feedback.
