Canadian Web Hosting Blog and News
7 Nov 2014

Time to go secure

Have you been working on your SEO and hoping to get your website to the top of the search engine?

Google is pushing for HTTPS

On August 6th, 2014, Google tested out using HTTPS as a Ranking Signal. They reported that their test showed positive results when they used encrypted connections as a signal in their ranking algorithm. HTTPS has since become a permanent search ranking signal on Google.

Google stated that HTTPS is a very lightweight signal that affects fewer than 1% of global queries, and there have been no reports of ranking changes. So if two pages were otherwise identical, the page using HTTPS may rank above the unsecured page. The boost is URL-specific, not site-wide.

Watch Google’s video on why HTTPS matters: http://bit.ly/1tmM5z5

High quality content on a webpage will still outweigh the HTTPS signal but it looks like Google is pushing for the switch and hinting that the HTTPS signal will become a bigger part of their ranking algorithm in the future.

Even if you run a non-commercial website, it may be wise to switch to a secure server anyway. For one thing, HTTPS keeps your content from being altered on its way to the visitor, e.g. by having unexpected ads added. It also allows your website to look more authentic, an important factor if the content on your website is intended to provide advice, e.g. financial or medical information.

Google may be pushing for HTTPS because it helps identify site ownership and therefore eliminate spam. It could also make it harder for the NSA to track the content users are consuming if we browse HTTPS sites.

Migration nightmare?

No, migration to HTTPS doesn’t have to be complicated. It’s relatively easy to purchase the security certificate from your web hosting company. But sometimes you may run into problems with the 301 redirect, the permanent redirect that sends visitors from your HTTP domain to your HTTPS one, when it is set up incorrectly. This can happen when there is a potential for duplicated content, along with several other technical issues during the transition.

To avoid potential problems during migration, site owners should avoid redirect chains, similar to this one:

  1. I click on your website at http://iloveyoyos.com
  2. You redirect me to http://www.iloveyoyos.com
  3. Then you redirect me to https://www.iloveyoyos.com
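An added example, not from the original post: a small Python checker that walks a redirect sequence hop by hop and flags the chain listed above, including the extra cleartext request its middle step causes. The response tables are constructed for illustration and the function names are this example's own.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def trace_redirects(start_url, fetch, max_hops=10):
    """Follow redirects hop by hop and return [(url, status), ...].

    fetch(url) returns (status, Location or None) and must not follow
    redirects itself.
    """
    hops, seen, url = [], set(), start_url
    while True:
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        if len(hops) >= max_hops:
            raise ValueError(f"more than {max_hops} hops from {start_url}")
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative

def audit_chain(hops):
    """Return findings for a traced chain; an empty list means clean."""
    findings = []
    redirects = [(u, s) for u, s in hops if s in REDIRECT_CODES]
    final_url, final_status = hops[-1]
    if len(redirects) > 1:
        findings.append(f"redirect chain: {len(redirects)} redirects, expected 1")
    # A hop after the first that is still http:// is one more cleartext request.
    for url, _ in hops[1:]:
        if urlsplit(url).scheme != "https":
            findings.append(f"hop over plain HTTP: {url}")
    for url, status in redirects:
        if status != 301:
            findings.append(f"non-permanent redirect {status} at {url}")
    if urlsplit(final_url).scheme != "https" or final_status != 200:
        findings.append(f"ends on {final_url} ({final_status}), not an HTTPS 200")
    return findings

# Constructed responses reproducing the three-step chain from the post.
CHAINED = {
    "http://iloveyoyos.com": (301, "http://www.iloveyoyos.com"),
    "http://www.iloveyoyos.com": (301, "https://www.iloveyoyos.com"),
    "https://www.iloveyoyos.com": (200, None),
}
# Constructed responses after the fix: every variant goes straight to HTTPS.
DIRECT = {
    "http://iloveyoyos.com": (301, "https://www.iloveyoyos.com"),
    "http://www.iloveyoyos.com": (301, "https://www.iloveyoyos.com"),
    "https://iloveyoyos.com": (301, "https://www.iloveyoyos.com"),
    "https://www.iloveyoyos.com": (200, None),
}

def audit_site(table, start_urls):
    """Audit each start URL against an offline {url: (status, location)} table."""
    fetch = lambda url: table.get(url, (404, None))
    return {u: audit_chain(trace_redirects(u, fetch)) for u in start_urls}

if __name__ == "__main__":
    for name, table in (("chained", CHAINED), ("direct", DIRECT)):
        for url, findings in audit_site(table, list(table)).items():
            print(name, url, findings or "OK")
```

To check a live site, pass `trace_redirects` a `fetch` function that issues the request with redirect following turned off and returns the status code and `Location` header.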

If you’re building a new site, changing domain names or making a change to your URL structure (e.g. platform changes) then you won’t be experiencing the redirect issues.

It is estimated that we have two years to move to HTTPS before a non-secured website becomes a critical SEO problem. So you can take your time, but we are starting to see warnings on websites that tell visitors they are connecting to a non-secured website:

Example of website warning/Canadian Web Hosting

So for a low annual sum, it may really be worth it to make the move now and avoid these privacy warnings that kill site traffic.

The different kinds of security certificates

These are the different types of secured/non-secured URLs you will come across:

On Google Chrome:

- Non-Secured Connection
- DV/OV Certificate Valid
- EV Certificate Valid
- DV/OV Certificate Error (cert invalid)
- DV/OV Certificate Error (mixed content)

 

So which one should we choose for our website?

Google won’t factor the different kinds of certificates into site rankings at this time, but they do affect user trust and conversion rates, so it is good to understand how to choose from the variety of security certificates available.

- Shared Certificates are commonly offered by web hosts. You use their certificate but the security certificate isn’t connected to your domain name. www.iloveyoyos.com will contain your non-secure content while your shopping cart will go on www.iloveyoyos.cartprovider.com. This is less costly but takes away from your brand name and user confidence.

- Free Certificates are sometimes used for personal websites or forums. Companies may offer these free security certificates for specific reasons, e.g. if you are part of a qualified Open Source project. These certificates will not be valid for businesses but may be applicable for non-profit projects.

- Domain Validated (DV) Certificates are the most common SSL certificates. They are often used by small businesses and cover a single subdomain, e.g. www.iloveyoyos.com but not iloveyoyos.com. Visitors to such a website will see a security icon by the domain.

- An Organization Validated (OV) Certificate requires both the organization and the domain registry to verify information. The OV certificate will check to make sure the business is legitimate and is therefore more expensive to get than the DV certificate. Users can only tell the difference between the two if they click the padlock icon.

- The Extended Validation (EV) Certificate is the most expensive and the hardest SSL certificate to get. It requires a business to provide domain ownership and organization information, as well as show the legal existence of the organization. The EV Certificate takes more time to process and is more expensive. Users of EV certified websites will see a green bar on their browser and will likely be more confident in their shopping experience.

Hopefully by now you have learned more about security on websites and how to improve your business online.

Still confused or need help with getting a SSL certificate? Contact Canadian Web Hosting today by emailing sales@canadianwebhosting.com.

 

Sheila W.
@CAWebHosting
@CWHUpdates

17 Oct 2014

Canada’s unique privacy laws provide protection for personal information

The European Union (EU) and Canada supervise the private sector’s use of personal data, while the US has minimal regulation of its private sector. Canada’s privacy laws focus on “individual autonomy through personal control of information” (Techvibes). The US focuses more on protection from the government, while Europe tends to protect dignity and public image (Identity Bureau Trulioo).

In addition to two federal laws in Canada that protect personal information, there are also provincial laws in Alberta, British Columbia and Quebec that are similar to PIPEDA (Personal Information Protection and Electronic Documents Act). These laws set out ground rules for how private-sector organizations may collect, use, or disclose personal information in a commercial setting. Unlike the US, Canada’s strict privacy laws are recognized by the EU, and privacy compliance is overseen by privacy commissioners and ombudsmen at both the federal and provincial levels (Techvibes).

So what does this mean for businesses in Canada?

In today's business market, service organizations are looking for a partner who can help them deploy IT infrastructure services and have the necessary controls and measures that comply with their local and corporate requirements. One of Canadian Web Hosting's core missions is to help businesses meet their SSAE 16 certification requirements (formerly the SAS70), which meets the new international service organizations standards for Type I and Type II reporting.

The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues the SSAE 16 Type II (formerly SAS 70) to service organizations that typically offer outsourced services. An auditor's report details a service provider's ability to offer adequate controls and safeguards when they host or process data belonging to their customers.

The CSAE 3416 certification is issued under Canadian Institute of Chartered Accountants (CICA), Canadian Standard on Assurance Engagements (CSAE) 3416 to service organizations that typically offer outsourced services. An auditor's report details a service provider's ability to offer adequate controls and safeguards when they host or process data belonging to their customers.

Okay... then what does this mean for our customers?

Customers can now outsource web-hosting services including Dedicated Servers, virtual servers (VPS), CA Cloud Servers and/or Shared Hosting to a provider that already meets SSAE 16 requirements. In doing so, you can focus your company's time, money, and manpower on core functions that will drive additional revenue to your business. Here are some examples of Canadian Web Hosting's SSAE 16 compliance controls and physical security that our hosting environment supplements:

  • Facilities and asset management
  • Logical access and access control
  • Network and information security
  • Computer operations
  • Backup and recovery
  • Change and incident management
  • Organizational and administrative controls
  • Security policies, reporting, and monitoring
  • Physical and logical security

Canadian Web Hosting is the industry leader in delivering 100% Canadian web hosting solutions for businesses requiring a SSAE 16 certification with their web hosting environment. When combined with our enterprise-grade web hosting hardware and a secure hosting environment that features many leading technologies, including our Unified Security Services, Canadian Web Hosting will help you achieve compliance.

  • SSL capability
  • Enterprise-level, application level protection
  • Hardware/Software firewall
  • IP-Restricted FTP
  • Managed backups with guaranteed retention
  • Advanced 24/7 monitoring
  • Multi-level intrusion prevention (IPS/IDS)
  • Anti-Spam, Anti-Malware, Anti-Virus
  • Log Management
Have more questions? Contact us at 1-888-821-7888 or email sales@canadianwebhosting.com.
Sheila W.
@CAWebHosting
@CWHUpdates

26 Sep 2014

Improve your business with a better digital infrastructure

With an increase in online business trends, a company’s digital infrastructure should benefit the business, not interfere with its growth. A strong framework is therefore essential to a business’s performance.

Learn the qualities of a good digital infrastructure:

1. Have options.
Your employees should have multiple ways of accessing business applications. With a soaring number of portable electronics being used, employees should have the ability to access their work applications on their phones, tablets, laptops, etc. This increases the rate of communication internally and with customers.

2. Have multi-media applications.
Business applications should be able to handle any type of communication, not just text-based. Think of videos, voice, and other data that could be easily passed between employees and with other businesses and clients.

3. Allow for collaboration.
Increase productivity by using applications that allow for collaboration in real time. Employees that can view and edit projects together save time and get better results.

Understand your current digital infrastructure:

1. Know what your current infrastructure can and cannot do.
Do you know what components you have and whether they are necessary?

2. Employees need to know how to use it.
Your employees should have a clear understanding of how to use your digital infrastructure.

3. Think about your physical limitations.
The digital infrastructure needs to be able to handle the environment it is in, such as extreme weather conditions. And when problems arise and employees can’t physically get to work, they need to be able to access your digital infrastructure remotely. Customers also need to be able to get in touch for support.

How to improve your digital infrastructure:

1. Ask your employees and customers.
Find out what they think is missing. Employees and clients are the ones using your infrastructure and providing business.

2. Modify applications and come up with your own if necessary.
Find what’s right for your company and tweak it to make it perfect.

3. Virtualize it.
Use business applications that are accessible outside of your office. Store these systems on a remote server. Virtualizing also helps save you money by lowering support cost.

4. Be up to date.
Consult IT professionals and stay on top of your game. Don’t spend money and time on developing applications that are soon out of date.

 

 Sheila W.

@CAWebHosting
@CWHUpdates

3 Jun 2013

Protecting Your Website From Malware

When you search for your business online and see this:

 

Your website and business are in trouble.  You’ve been hacked.  What should you do?

Every day, malicious users, hackers and cybercriminals attempt to compromise thousands of websites. Hacks are often invisible to users, yet remain harmful to anyone viewing the page, including the site owner and/or business. Every day, we see customers who, unbeknownst to them, have been hacked; their site has become infected with harmful code, which in turn can record keystrokes on visitors’ computers, stealing login credentials for online banking or financial transactions.

You may ask yourself, isn’t it my web host’s job to protect my server? The answer is both yes and no. Your web host, like Canadian Web Hosting, has most likely implemented strong network security mechanisms and other security features that ensure your service works properly, including hosting your website. However, the most common misconception is about control: your web host does not control your server or the code for your website unless you are utilizing managed services. In an unmanaged environment, each customer is responsible for updating their applications and website code and for implementing services to protect their business. We’ve seen some recent vulnerabilities with popular applications like WordPress that have severely impacted customer websites because the customers did not keep their applications up to date, even after receiving notifications that their code needed to be patched due to emergency vulnerabilities that had been identified. These attacks include server configuration problems, SQL injection, code injection, error templates and many more. It is also interesting to note that many customers fall into heavily targeted areas without even knowing that they are in a high-risk geography. Trustwave recently released a graphic that shows the most common areas of attack based on country.

So, if you’ve been hacked, what should you do? Here is where you ask yourself: do I want to handle it myself, or get help? Here at Canadian Web Hosting we follow a very rigid methodology to quickly identify malware/hacks on a customer’s site, and have built a rigorous process to eliminate the hack as soon as possible. Typically, we will look at the following steps:

1) Scanning your site
2) Quarantining the site
3) Validating backup files
4) Assessing the damage (hacked with spam or malware)
5) Identify the vulnerability
6) Clean and maintain the website
7) 24/7 Monitoring

Now, depending on your own expertise, these steps range from basic to advanced and may require a security professional to analyze the hack, remove it from your site/code and validate that your site is clean. In the next article, we will spend more time talking about each step and identifying some best practices to minimize any impact on your business and your customers. However, some simple steps can go a long way in the event that an issue has occurred. Check your user accounts and make sure you have unique passwords that follow secure password principles, update your web applications and operating systems whenever a patch is released, and utilize low-cost 3rd party security providers that can monitor your site 24/7 and will notify you of any potential vulnerabilities or malware attacks on your site.

There are a few services like this available today, such as StopTheHacker and Sucuri, that offer basic month-to-month or yearly plans to monitor your site and your reputation and notify you in real time when an issue occurs. Recently, Canadian Web Hosting, the leading provider of web hosting and cloud-based Infrastructure as a Service (IaaS) solutions in Canada, partnered with Sucuri, the leader in malware prevention, to deliver a cost-effective solution that is focused on malware detection and removal. The reasons for this come down to several key principles: 1) extremely effective at identifying issues, 2) low cost threshold, 3) continuous updates to their database and security threats and 4) use of security professionals who review your site code and implement fixes. This last point has been a key benefit for Canadian Web Hosting customers, as it avoids common issues that we see with “automated” malware removal, where the system just carves out the code without recognizing possible scenarios that will cause a site to crash or become unworkable.

Sucuri works by actively scanning all pages of customers’ websites for viruses and possible web malware threats to see if malicious users have injected harmful code into them. Additionally, Sucuri continually monitors potential new versions of malware and protects online businesses from any emerging threats. Because of potential complexities identified in the process list above, Canadian Web Hosting security experts take a very proactive approach, work with our customers and actively manage any malware notifications or possible attacks. In the event that an issue is identified, Canadian Web Hosting’s security teams take all necessary actions to rectify the situation, including validation of clean backups and files, malware removal, and continuous communication with the customer. Here are some of the features of Sucuri:

  • Standard Malware Detection
  • Advanced Malware Detection with Artificial Intelligence
  • Server-side Scanning including .htaccess Hack Detection
  • Webpage Defacement Detection
  • Phishing Page Detection and many more
  • Malware Cleanup
  • Blacklist and Reputation Monitoring
  • Vulnerability Assessment
  • Server Side Scanning
  • Speed Monitoring & Up-time Monitoring
  • WordPress Plugin

Working in combination with Canadian Web Hosting’s Secure IT platform, customers will benefit from Canadian Web Hosting’s advanced Defense Network layer approach, which both protects against and monitors botnets, malware and the IP reputation of a customer’s website to protect their users and networks from possible malware attacks. This includes malware prevention scanning that blocks inbound and outbound traffic by tracking malicious activities to their firewall gateways to enforce pre-determined security policies, as well as server side and website scanning that when combined are 85% more effective in preventing malware and malicious attacks when compared to traditional malware services.

31 Jan 2013

How WhatsApp Violated Canadian Privacy Law? Unencrypted messages.

Canadians know that we have much stricter online privacy laws than most of our counterparts around the world. With that said, as a company, Canadian Web Hosting always follows and keeps track of stories about breaches of our Canadian laws. Why? Because Canadian people and Canadian businesses care very much about where their data is stored, which is right here on Canadian soil. Our two data centres are located in Vancouver, BC, and Toronto, ON, and as you can imagine, we take protecting our customers' data, your online data, very seriously.

WhatsApp
Photo © abulhussain on Flickr

Now, if you are the kind of user who enjoys apps and texting, you are probably familiar with WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS since the app uses your data plan instead of your texting plan. The app is readily available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

A few days ago, the media reported that privacy commissioner Jennifer Stoddart said that the mobile chat app WhatsApp violated Canadian privacy law and needed to be updated to comply with all her concerns. The article states:

Investigators found messages were being transmitted unencrypted, which left them vulnerable to being intercepted by hackers, particularly on public WiFi hotspots. The company did begin encrypting messages in September in response to the privacy agencies. But Stoddart says WhatsApp still has work to do to resolve all its identified issues. She was unhappy that users were not getting adequate disclosure about how their status messages could be seen by people not on their contact list. The company says it will address the complaint in a new release expected in the fall.

If you're a heavy app user, you might want to think twice about the purpose of the apps that you are using and how one company is utilizing your personal contact information. We often blog about privacy and you can keep up by following our "privacy" tag. Recently, we wrote about data centre physical security, our deployment of SecureIT Botnet and Malware Prevention, and the roles of StopTheHacker and prevention.

If you're looking for additional information on this topic, you may email us at sales@canadianwebhosting.com, or call us at 1-877-871-7888. You may also contact us through social media on Twitter at @cawebhosting, through our Facebook Page or leave us a comment below.

Kevin Liang
CTO / SEO Guru