Just In Time, the Brave Browser Becomes My Default

Last night I saw a respected security professional I follow on Twitter mention the Brave web browser, and how good he thought the mobile version is. Brave was started by the Mozilla Project co-founder Brandon Eich, and is based on Chromium, the open-source base that Google Chrome is constructed upon.

Today, I caught wind that Chrome is soon going to prevent you from doing things such as disabling its DRM management feature called Widevine. The problem with this is summarized here:

…a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.

In short, because of the closed nature of the DMCA, we end users are at risk unnecessarily, and we will soon have no ability to disable this plugin should we wish to do so.

Enter The Brave

Brave offers a browser that works on all platforms (Windows, Mac, Linux) and on mobile. It blocks ads by default, blocks malware, and is lean and fast. Putting user privacy and security at the forefront, along with speed, this thing is a powerhouse as it forces https on websites and prevents malware-serving advertisement networks from invading your workspace.

But the difference is the paradigm shift in supporting advertisers, as opposed to simply blocking them out completely:

Brave intends to keep 15% of ad revenue for itself, pay content publishers 55%, ad partners 15% and also give 15% to the browser users, who can in turn donate to bloggers and other providers of web content through micropayments.

I have yet to figure out how or if that will work, exactly, and it doesn’t seem to be fully impemented in the browser yet, but it seems like a great way to solve the elephant-in-the-room problem the Internet faces today: how to earn money and keep users safe at the same time, so that they don’t need to run ad blockers and anti-tracking plugins?

Stay tuned for more info as I learn it, and as I figure out Brave.

Let’s Encrypt The World

lets-encrypt-logoI have been a big fan of free SSL certificate authority LetsEncrypt.org since it was in Private Beta. Now in Public Beta, and now being a Certificate Authority recognized by every major web browser, it’s time for you to start using it on your website!

The great thing about Let’s Encrypt is that it is free. Why? Because the sponsors behind it believe encryption is for the public good. And they are correct. No more do you need to pay $80/year or more for an SSL certificate through some company like GoDaddy. This all may sound too good to be true, but it isn’t.

Wait, what?

In case you are unfamiliar with what I’m talking about here, LetsEncrypt.org offers you free SSL (Secure Socket Layer) certificates for your website. This make your website secure and encrypted for your visitors, just like your bank does, by changing your site’s address from using http://  to https://.

Being a user of the WHM/CPanel web hosting tools for the handful of websites I run, I found a great set of instructions and scripts you can use to get this set up and running in that environment. Just follow the instructions in the WHM forum here. Be sure to set up the cron job so that your cert(s) get renewed automatically. If you forget, it’s very easy to do it by hand from the command line, but the cron job makes it so that you don’t need to remember.

Encrypt WordPress

If you are a WordPress website owner, you can configure it to use the SSL certificate by editing your site’s URL in Settings > General. I especially recommend this for WordPress admin area logins, but there’s not reason you shouldn’t be using SSL on your whole site anymore. This is especially true considering Google favoring SSL-enabled sites over non-SSL sites.

Redirect Traffic to HTTPS

Using an .htaccess file, you can set it up so that any traffic going to your http:// website is automatically redirected to your https:// version. This is the snippet I use in my .htaccess file for that:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Go forth and encrypt all the things!

Responsive Design and WordPress

This year we have seen the dawning of the responsive design craze amongst web designers and developers. I remained skeptical about the trend, primarily because I was raised in the world of good usability and accessibility, and breakpoints and adaptive images seemed incongruous and presumptuous with the foundations of those schools of thought. While responsive design proponents like to say that multi-device adaptation is providing good usability, I disagree.

Relating to my favorite CMS, WordPress, the whole responsive design trend has rubbed me in even more wrong ways. I’ve watched designer after designer dive into responsive WordPress themes, and I’ve even tried using a few myself, only to leave me wondering…why?

This article has some great analyses on this exact topic, and it provides some good food for thought in regards to responsive design and WordPress. From the article:

My biggest issue with responsive design is that it is a reactive client-side approach which, in the context of a server-side content management system like WordPress, seems completely unnecessary.

What are your thoughts on responsive design and WordPress?

Tips, Tricks, Enhancements

I love the things that make my job easier, make a task simpler, or help protect me in the event of a problem. I collect lists of these things so that I can share them with you, my dear blog readers. Enjoy!

Lazarus
A web browser add-on that auto-saves any web form you are filling out. Never again will you lose that perfect Facebook political argument reply you’d been working on for an hour until your browser crashed. It be free. It be cool.

Feedly
This is what has replaced my Google Reader account now that Google has announced it will be shutting down Reader this summer. It’s simple, though it takes a little getting used to, and it will import all your feeds from Google Reader automatically.

Mailplane
My favorite way to use GMail and Google Calendar on my Mac(s). It lets me keep multiple accounts open at once in a tabbed interface, seamlessly switching back and forth to get things done. It also works with Google tasks.

So long, old friend.

After 10 years, I am quitting Firefox and moving to Chrome. This is a big change for me. I’ve used Firefox since it was called Phoenix. I’ve written magazine articles about how much I loved it. I’ve rubbed elbows with its developers and championed its cause.

But I gotta move. Chrome has evolved and has surpassed my old friend. I do not feel great about having to depart from my allegiance with the browser that began the death of Internet Explorer, but I really can’t justify clinging onto it anymore.

Since becoming a full-time Mac user last year, I’ve noticed the flaws of Firefox. The locking up, the memory leaks, the slowness. It has become quite annoying.

Now that I’m a full-time user of Google Apps at work and at home, it just makes sense.

Now that my favorite plugins for Firefox are all available for Chrome, and even some new ones that are awesome, it just makes sense.

So after I gave Chrome a decent trial this week (something I’ve done in the past just for kicks), I have decided it is time.

Practical Security : Using Email on Public Wifi

In my revised capacity at my current job, I’ve been handling a lot of
security issues: hardening of systems, software, and processes. I’ve
also been studying for the Security+ certification, so needless to say,
security has been at the top of my mind the last 5 months, and I wish it
would be at least a little closer to the tops of the general public’s
mind.

I’m going to start a new series of blog posts here called Practical
Security in which I will pass on some of the more relevant best
practices relating to the typical internet user, in hopes of helping to
raise awareness amongst anyone who happens to read this blog. (Yes, all
4 of you).

Using Email on Public Wifi (and the high level of risks
therein)

Question:
How often do you stop at a coffee shop to check your email with your
laptop, or leech that open ‘linksys’ network while sitting at a traffic
light with your PDA to shoot off a quick note to your boss? OK, maybe
I’m the only one who does that at traffic lights, but you get my point.

If you have a portable device that can access the Internet, my guess is
that your answer is “quite often”.

Question:
How many of you have configured your email to use some sort of
encryption? (Cue the crickets chirping).

As this excellent StopDesign
article explains:

What you may not realize is how easy these low security settings
allow someone else on the same network to spy on the data passing around
on that network. Just because you’re the only person who can see your
laptop screen, doesn’t necessarily mean you’re the only one who can see
the email message you just got from a friend. Just as easily as someone
could sit near you in a quiet cafe or library and overhear your entire
verbal conversation with another person, so could they “listen in” on
all the usernames, passwords, and messages passing to and from your
computer. (And everyone else’s computer for that matter.)

Kinda scary, huh? If you think about it, once they have your email
account password, it’s not too hard to go to your bank and generate a
“lost password” request, which will get sent to your email address,
which they now have control of. Or they might simply decide to send a
breakup letter to your boyfriend on your behalf if they are not feeling
so malicious. Or maybe they thought it would be funny to email your
boss and tell him how good he looks when he gets out of the shower.

By default, email is not secure!

Yes, this includes you, Mac user. Yes, this includes you,
Gmail/Yahoo/Hotmail/AOL user.

Make sure your email is on a secure connection!

The Lowdown
If you use a webmail service such as Hotmail, Yahoo Mail, Gmail, or the
like, make sure your web browser (Internet Explorer, Safari, Firefox,
etc) is in “secure” mode by looking for the lock icon. Alternately (or
additionally), look at the address bar of your web browser to make sure
the address showing starts with https and not just http.

If you use Outlook, Outlook Express, Thunderbird, Mac Mail, or any other
‘program’ on your computer to manage your email, there are ways to set
up these applications to run only on secure connections using SSL, TLS,
SSH, and other methods. You may need to consult your local IT guru or
read the rest of the StopDesign
article, or this well-written article entitled “5 Steps to Make Your Email Secure“.

Whatever you do, stop checking your email at Starbucks unless you know
it is secure!