Archive for the ‘web apps’ Category

How technology is changing phones

Posted by Eric on September 9, 2011  |   No Comments »

Recently I sat down with my associate Craig Crook and we talked again about how technology is changing business.

This time we focused on phones. Phones have evolved into complex systems for communication and the lines continue to blur between virtual and hardware solutions. Together we explore communication platforms for organizations with growing and changing needs.

In this episode, we feature:

Need more help? Still have questions? Connect with us and let us review your needs!

Stealing Passwords at Starbucks?

Posted by Eric on November 11, 2010  |   14 Comments »

As a web development company, we get asked quite a few technical questions (obviously). Some of those questions fall outside the scope of what we do – we design and develop great websites, we don’t fix your brother’s Windows XP machine.

But, one typical question that we get a lot relates to security. Specifically, how can I (or my company) be safe online?

Well, this really is a complicated question. But recently, I was at a local Starbucks and just had to try out a new Firefox plugin.

Recently a Firefox plugin was released called FIRESHEEP. This simple little plugin takes just seconds to install, is incredibly simple to use, but can wreak amazing havoc!

Just what exactly does FIRESHEEP do?  After installation, it adds a sidebar to your Firefox browser.  This sidebar has one simple button labeled “Start Capturing”.  When enabled (meaning you click the button) it captures anyone’s (yes, anyone) login credentials!  What does this mean?  Well, take a look at what I grabbed in just a few minutes at Starbucks:

[Image: Firesheep screenshot]

I’ve blurred out all the names and replaced all the images with the blank people. But, in just 5 – 10 minutes at a local Starbucks, I was able to log into 3 different Facebook accounts, 1 Twitter account, 1 WordPress web site, 1 Amazon account, and 1 GitHub account (it’s a code storage service for programmers). Amazing. Or Terrifying… All this without ANY special knowledge on my part. All I had to do was start the plugin. Then when I clicked on the top Facebook icon, I was instantly logged into Facebook AS THAT USER. I can change things, update things, delete things – do anything I wanted.

So, how does this work? Well, first of all, I did not ever have access to the user’s password. We’ll use Facebook for our example here. I never had the user’s Facebook password. When you log into Facebook, typing in your username and password, you are on a secured web site – your browser has HTTPS at the start of the web address. What this means is that all the communications between you and the server (Facebook) are totally encrypted and can’t be read by anyone who happens to “capture” them. So, this is good. But, once you are logged into Facebook, the pages go back to HTTP – meaning the communication is NOT encrypted and if someone just happens to capture the communication, they can read it.

Now, it gets a bit complicated, but the next step in the process involves how Facebook knows you are already logged in. Obviously, as you navigate your way around Facebook, you don’t want to type your password in every single time. So, how does Facebook know you are indeed you? Well, the answer is your cookie. Websites you visit regularly store bits of information on your computer called cookies. These cookies contain various bits of information. One bit of information is typically a session ID. This session ID is a unique number or ID that proves to Facebook that you are who you say you are. So, when you click on a link on Facebook, the web site asks for this session ID to verify it is you who really did this. Without the session ID, you would have to log in again.

But, the problem is that this session ID is sent unencrypted to the server. So, anyone who is listening can get this session ID. And, once someone has your session ID, they can “pretend” to be you until you log out (which essentially kills your session ID).

Sound scary? It should. This means that at a public wi-fi hotspot (like Starbucks) anyone can log into your Facebook, Twitter, Google, Amazon and other accounts (by the way – Firesheep only works on 30 or so sites – but it includes all the big ones). They could post updates, send tweets, send messages, and more. All without your knowledge.

So, what can we do to prevent this? Well, here are a few simple (and a couple not so simple) solutions:

  1. Avoid unsecured wireless – the simplest solution is to use wi-fi security. If the coffee house would simply turn on WPA encryption, most of the problems would be solved. They could freely advertise the password, or just make the password “password”. Just by simply using WPA, they would fix most issues.
  2. Realize that this is limited to certain sites. Sites such as your bank always use HTTPS. And, by its very nature, HTTPS isn’t vulnerable to this problem. But, it’s still not a good idea to do banking on unsecured wi-fi networks (for many reasons).
  3. If you use Firefox, consider using the HTTPS EVERYWHERE plugin (http://www.eff.org/https-everywhere). This plugin will attempt to convert HTTP connections to HTTPS connections. Again, this would solve the problem. The best solution is just to make Facebook, Google, et al. use HTTPS. But, realizing that they probably won’t change soon, this plugin does it for them. It works on Amazon, Facebook, Twitter, Google Search, Paypal and others. This is a good solution requiring very little work.
  4. Use a VPN solution – a VPN is a Virtual Private Network. Basically, a VPN creates a private and secure line from your computer to another server. Then the connection goes out to the internet. This method virtually guarantees that you are secure. It definitely solves the Firesheep problem. However, VPNs can be a bit complicated and sometimes cost money. A decent free solution is provided by HotSpot Shield. This free option does have advertisements and is limited to approx. 2 GB a month. But, it is a really good solution when at a public wi-fi access point.
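
For site owners, the same problem can be checked from the server side. The following is an added example, not code from the original post: it audits a response's headers for a session cookie that the browser is allowed to send over plain HTTP, which is the condition described above. The header values are constructed samples and the cookie name `session_id` is an assumption; the check for a `Strict-Transport-Security` header goes slightly beyond what the post covers.

```python
# Added example (not from the original post): audit response headers for the
# condition Firesheep relies on, a session cookie that may travel over HTTP.
# Header values below are constructed samples; cookie names are assumptions.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_headers(headers, session_cookie_names):
    """Return a sorted list of findings for a list of (header, value) pairs."""
    findings = []
    has_hsts = False
    for header, value in headers:
        h = header.lower()
        if h == "strict-transport-security":
            has_hsts = True
        elif h == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if name not in session_cookie_names:
                continue  # only session cookies grant access to the account
            if "secure" not in attrs:
                findings.append(f"{name}: no Secure flag, sent on plain-HTTP requests")
            if "httponly" not in attrs:
                findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, HTTP requests still possible")
    return sorted(findings)

# Constructed: login happened over HTTPS, but the session cookie is unrestricted.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
# Constructed: the same site with the cookie limited to HTTPS.
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs, {"session_id"}))
```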

What about you?  Any ideas?  What do you do to be secure when out in public?

Steps of Developing a Web App

Posted by Eric on October 12, 2010  |   2 Comments »

One of my favorite companies to watch, listen to, learn from, and use products by is 37 Signals.

I find their cloud products awesome to use (I’m an avid user of Highrise, for example). Their books are equally inspiring.

Just recently, one of the designers for 37 Signals spoke at the Future of Web Apps conference in London.

In this talk, he described a five step process for creating a real-world web app:

  1. Model
  2. Screens
  3. Designs
  4. HTML/CSS
  5. Live Code

While I would have to admit that nothing is really super unique, the way Ryan and 37 Signals work is a great study in getting things done.

Hope you enjoy the talk as much as I did:

Ryan Singer at Future of Web Apps, London 2010 from Ryan Singer on Vimeo.

It’s Called HTML 5 and You Should Care!

Posted by Eric on April 13, 2010  |   No Comments »

There’s a new buzz word going on around the web. It’s called HTML 5. And, unless you are a web designer, you probably haven’t heard anything about it. But, it is rapidly promising to be an amazing way to bring new and exciting things to the web.

Need some proof?  Check out this link that showcases some of the coolest new features of HTML 5, created by the boys at 9Elements Design Studio: HTML 5 DEMO!

Now for many of you – about 32% of you to be exact (according to my Google Analytics) – you saw nothing except the “OH NO” warning.

Wonder why that is?  Well, the simple answer is that Internet Explorer doesn’t yet support HTML 5 elements.

There’s a simple test out that tries to tell us how well any particular browser does at implementing the new HTML 5 standards.  You can find this test at http://www.html5test.com.  I recently went through the test with 6 browsers – 3 Mac and 3 PC.  Here’s the results, starting with the best:

  1. GOOGLE CHROME for the Mac
    As you can see, Google Chrome for the Mac scored 137 points out of a possible 160. A pretty good score.
  2. GOOGLE CHROME for the PC
    Now the real question here is why Google Chrome for the Mac scored 137 but Google Chrome for the PC only scored 118? But, 118 was still good enough to snag second place.
  3. SAFARI for Mac
    Coming in just 5 points behind Google Chrome for the PC is Safari – Apple’s built in browser for the Mac. Still a pretty nice score!
  4. FIREFOX for PC and for MAC
    Here we have a tie (the way I think we should). Both Firefox for the PC and Firefox for the Mac scored exactly the same score – 101.

    Now, before I move on to last place, notice the above score.  All of them are above 100.  In the grand scheme of things, this is a pretty good result for modern standards such as HTML 5.

    But, now we have last place:

  5. Internet Explorer 8 for PC
    A whopping 19!!!! You have got to be kidding me. This is the best that Microsoft could do? All the other browsers score over 100 and Internet Explorer – the most recent up to date version – scores only 19? Obviously something is very wrong here.

So, with all this information about browser scores and HTML 5 comes the obvious question – WHY SHOULD YOU CARE? Well, the answer is that HTML 5 is going to be the future of the internet and whether you are choosing a browser or, even more important, choosing a web developer, you want someone who is familiar with HTML 5 and can leverage all of its power for your site. You don’t want someone stuck with old, out-dated technologies designing your site using the same tools, the same tricks that were popular ten or even twenty years ago.

Got questions, want to make a comment? Comment below or CONTACT US today to talk more!