Posts Tagged ‘security’

Mobile Devices and SSL

Thursday, September 10th, 2009

I really do learn something new every day. I’ve been handling eCommerce sites for a while now (as well as some other types of secure sites) and I knew that Secure Sockets Layer (SSL) certificates came in many flavors (and styles!), but I always thought of it like car insurance: if you want better coverage, pay more. If you just need to be covered to drive, get 1-800-Safe-Auto.

Well, today I learned something new, but it took some doing, so I’m hoping I can save someone else time and effort through the magic of Google search. Here’s the backstory: Mad Science Department got brought in a few months ago to help patch up and update an existing eCommerce site. We added true credit card processing, helped the client through the Labyrinth that is Authorize.net (which is a whole separate post, provided there’s enough Run in my beaker), and patched some security holes. In the process, we had the host apply a stock SSL. All smooth and cool, right?

This morning we got a note from the client’s local folk, saying that the client cannot access the site admin (under SSL) from a mobile device! Oh no! So after recreating the issue on my handy dandy iPhone, I contacted the host, who assured me that the SSL was working properly. Well, that’s a weight off my shoulders, but why isn’t it working for mobile? Host’s support didn’t know, suggested it had something to do with the phone. Hrumph.

So I checked the cert and tracked down the issuer. This is where a nice young man called Jeff comes in. He explained to me that the various SSLs actually use different types of encryption, and therefore some certificates which are perfectly good for web use simply cannot encrypt data over mobile networks (GSM, G3, etc.). In order to add this level of encryption, my client would have to upgrade to a higher premium, which would allow for more diverse and stronger coverage. Now I know.

I don’t usually give shout outs in my Lab Notes, but Jeff from Comodo was very helpful, so thanks.

When “bleeding edge” stops the bleeding

Saturday, September 5th, 2009

I’m the first to admit that I can be a bit lazy when it comes to minor upgrades on packages. In fact, sometimes I intentionally wait, as new “features” often mean new bugs, and I prefer to see those bugs all shook out before I update my projects. But security updates, now that’s another story.

Which is why I freaked out a little when I received this message in my Facebook stream. Then I followed through to some of the other posts on the subject and realized that this was the self-same bug that had been identified August 12 and patched with WordPress version 2.8.4.

We Mad Scientists are a competitive bunch. We don’t like other Mad Scientists hacking into our stuff and messing with it, so as a rule, we apply security patches as soon as we are aware of them! If you or your agency is a maintained client of Mad Science Department, you probably have little to worry about. If you do see a “security upgrade” warning in your admin panel, it’s probably a good idea to let us know, but nine times out of ten, we’re already upgrading all the installations we maintain.

This kind of attack brings up other issues as well. It’s important to make sure that you are backing up your databases and file system regularly, so that you don’t lose too much in the event of a successful attack. Your host may even provide tools to automate this on a cPanel. If you are a user (not a developer) handling your own WordPress installation, be vigilant and make sure you update as needed! Those warnings and messages in the backend are there for a reason! If you have a developer helping you, they’ll know the difference between feature updates (nice to have, but sometimes buggy) and critical security updates. Don’t be afraid to ask how necessary a given update is!