Why disabling Flash in Chrome is better than Click-to-Play

Chrome comes with its own Flash plugin and, if you’ve enabled “click-to-play plugins”, you might get the impression that Flash is still widely used (and required) on the internet. According to what I’ve read today, this might be misleading: even though you’ve enabled click-to-play, websites will still detect that your browser supports Flash and serve you the Flash-enabled version instead of the Flash-less alternative.

To disable Flash in Google Chrome, enter “chrome://plugins” and then click on “Disable”:
[Screenshot: Disable Flash in Google Chrome]
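The detection described above, as an added example that is not code from the original post: it models the plugin and MIME type lists a page can read before anything is clicked. The three navigator-like objects and all function names are constructed for illustration, and the click-to-play profile follows the post's description that Flash is still advertised in that mode.

```javascript
// Added illustration; the three navigator-like objects are constructed.
const FLASH_MIME = "application/x-shockwave-flash";

// Detection in the style many sites use: read the plugin and MIME type
// lists, which the browser fills in before any content is clicked.
function detectFlash(nav) {
  const mime = nav.mimeTypes ? nav.mimeTypes[FLASH_MIME] : undefined;
  if (mime && mime.enabledPlugin) return true;
  return Array.from(nav.plugins || []).some((p) => /shockwave flash/i.test(p.name));
}

// What the site decides to send, based only on that detection.
function chooseVariant(nav) {
  return detectFlash(nav) ? "flash" : "html5";
}

const flashPlugin = { name: "Shockwave Flash" };
const PROFILES = {
  // Plugin runs automatically.
  alwaysRun: { plugins: [flashPlugin], mimeTypes: { [FLASH_MIME]: { enabledPlugin: flashPlugin } } },
  // Click-to-play as the post describes it: still listed, only execution waits for a click.
  clickToPlay: { plugins: [flashPlugin], mimeTypes: { [FLASH_MIME]: { enabledPlugin: flashPlugin } } },
  // Disabled on chrome://plugins: nothing is advertised to the page.
  disabled: { plugins: [], mimeTypes: {} },
};

// Map each profile to the page variant the site would serve.
function variantsByProfile() {
  return Object.fromEntries(
    Object.entries(PROFILES).map(([name, nav]) => [name, chooseVariant(nav)])
  );
}

console.log(variantsByProfile());
```

The click-to-play and always-run profiles are indistinguishable to the page, which is why only the disabled profile receives the Flash-less variant.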

Unencrypted content: a threat to Google’s business model

Google’s recent announcement to give a (currently still small) ranking boost to websites using HTTPS is undoubtedly going to make the web safer for everyone.

Missing from the discussion is the fact that unencrypted content and unscrupulous ISPs present a small, but growing threat to Google’s business model. Google depends on ad revenue, and insecure connections allow third parties to tamper with data while in transit. ISPs can use this to their advantage by injecting their own ads. This is already happening: see here or here and this topic on reddit. It was also briefly mentioned in one of the comments under the original “ranking boost” announcement:

[Screenshot: HTTPS ads comment, Google]

HTTPS ensures data integrity and would make ad injection not only technically far more difficult, but also most certainly illegal. This also explains why Google says that even simple “content sites” should use HTTPS: they might not collect any user data, but they can still serve ads.

“Being a good citizen of the web” and making the web safer for everyone sounds nice and is certainly something many people working at Google have in mind. However, it would be naive to assume that Google isn’t also looking out for its own commercial interests.

eFax reviews and alternatives

eFax reviews make “Hotel California” look good

Before signing up with eFax, do yourself a favor and read the reviews on websites like epions.com, yelp.com or viewpoints.com.

From my own experience I can confirm that it is difficult to cancel your account with eFax. You also have to be careful if they offer you a more reasonable rate: In my case this rate reverted back to the original rate after 4 months. The customer service representative admitted that “he didn’t know about this” and offered to reactivate the cheaper rate for another four months. At this point I asked him to cancel my account instead, which he pretended to do after asking for my PIN. Unfortunately, eFax kept charging me and when I complained by email, I was told that my account had never been cancelled and that I had to call them again (which I just did). This time I had a witness listening to the conversation and wrote down the name of the person I talked to (she essentially refused to give me her last name, claiming there was only one person with her first name working there). If they still keep billing me I’ll simply ask my bank to do a chargeback.

I’d also like to point out that eFax sends you every received fax by email (as an attachment, in addition to letting you download it through the message center). While this is certainly convenient, it may be a serious security risk if a fax contains sensitive data. Unencrypted emails are about as secure as a postcard. Some people prefer to send a fax precisely because they do not want to send an (unencrypted) email. Having eFax transform faxes into emails is not a good practice.

eFax alternatives

There are a lot of companies offering similar (or even better) services for fax sending and receiving. I eventually signed up with PamFax not only because they were cheaper, but mostly because they make it very easy to cancel your account. They also never send the actual fax by email; you only get a notification and then download the fax over a secure connection (SSL). Your fax is now sent as an attachment, though you can change this under Account > Notifications [1]. PamFax allows you to integrate your account with Skype, Facebook, Salesforce, Box.net, Dropbox and Google Docs (to varying extents) and their modern website makes eFax look really dated.

Finding reviews for PamFax was a bit difficult. There are a few confusing reviews in the Skype apps shop. As the service is run by a German company, you can also find some user reviews in German on heise.de (currently 8 reviews with an average of 4 stars out of 6).

Personally, I’m very satisfied with PamFax so far.

Another online fax service I found was PopFax. If you know any other eFax alternatives, please leave a comment.

Here’s another option: If you own a Fritz!Box, that might be all you need to receive and send faxes. However, I found that the integrated Fritz!Box fax was clearly less reliable than an actual fax machine.

Update October 2nd, 2012: HelloFax.com is one more alternative I just found (didn’t try it out though, still very satisfied with PamFax).

Update January 16th, 2013: Simple-Fax.de is yet another service (apparently only available in German). [1] I’ve also updated the description for PamFax above.

Update August 17, 2016: InterFAX is not just another alternative to eFax, but also has a Fax API which could be very interesting for developers.

Do you want to view only the webpage content that was delivered securely?

Does Internet Explorer annoy you with this security warning?

[Screenshot of the warning: “Do you want to view only the webpage content that was delivered securely?”]

This message appears when you’re using a secure connection (https://) and the website is trying to load non-secure (http://) elements, too. The culprit was easy enough to find (using HttpWatch or similar tools):

[Screenshot: HttpWatch sniffer results]

What made this case unusual is that it wasn’t a server-side problem. Instead, the DivX HiQ plugin + Web Player Beta installed on the client’s machine was causing the issue on every single secure page. The warnings disappeared after uninstalling DivX HiQ (disabling the plugin should work, too):

[Screenshot: Uninstalling DivX Web Player Beta]

So, if Internet Explorer is suddenly giving you these warnings, check if you’ve recently installed DivX.
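One way to do the same triage from a traffic capture, as an added example that is not part of the original post: it lists plain-HTTP requests made for an HTTPS page and checks whether the served HTML references them at all. The HAR fragment, the HTML and all host names are constructed, and it assumes the capture tool exports HAR with the page URL in `pages[].title`.

```javascript
// Added example: constructed HAR fragment and page HTML, not data from the post.
const HAR = {
  log: {
    pages: [{ id: "page_1", title: "https://shop.example/checkout" }],
    entries: [
      { pageref: "page_1", request: { url: "https://shop.example/checkout" } },
      { pageref: "page_1", request: { url: "https://shop.example/css/main.css" } },
      { pageref: "page_1", request: { url: "http://plugin-vendor.example/beacon.gif" } },
      { pageref: "page_1", request: { url: "http://cdn.example/banner.png" } },
    ],
  },
};

// HTML as the server delivered it for that page (constructed).
const SERVED_HTML = `<html><head><link rel="stylesheet" href="/css/main.css"></head>
<body><img src="http://cdn.example/banner.png"></body></html>`;

// Return every plain-HTTP request made on behalf of an HTTPS page and say
// whether the served markup references it. "inMarkup: false" is a hint that
// something on the client (plugin, extension, proxy) added the request;
// it is not proof, because page scripts can also build URLs at runtime.
function findMixedContent(har, servedHtml) {
  const pages = new Map(har.log.pages.map((p) => [p.id, p.title]));
  const findings = [];
  for (const entry of har.log.entries) {
    const pageUrl = pages.get(entry.pageref) || "";
    const url = entry.request.url;
    if (!pageUrl.startsWith("https://") || !url.startsWith("http://")) continue;
    findings.push({ url, inMarkup: servedHtml.includes(url) });
  }
  return findings;
}

console.log(findMixedContent(HAR, SERVED_HTML));
```

A request flagged with `inMarkup: false` on every secure page, regardless of site, matches the pattern the post describes for the DivX plugin.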

How long would it take you to notice that your website has been compromised?

My last post concerning mass SQL hacks of websites shows what can happen if your website is distributing malware and you don’t act fast enough. In that post, I also mentioned it might be a good idea to have some sort of self-checking mechanism integrated in your CMS which would alert you if unauthorized changes were made. While I still think that’s a good idea, there’s a much easier and faster option when it comes to small, rather static websites: change detection services!

Here are a few I found through search engines, a blog post from 2005 by Marshall Kirkpatrick and an article in c’t magazine 4/2008 (page 170):

ChangeAlarm – free, typically checks for updates once per day

ChangeDetect – free and paid membership options

ChangeDetection – free, typically checks for updates once per day, does not detect changes in HTML tags

InfoMinder – no free membership, 30 day trial available

TheWebWatcher – free for personal use, monitoring intervals starting from 1h

TracerLock – no free membership, max 20 URLs, 4 US$/month

TrackEngine – free, 19,95 US$/year for 10 “bookmarks”, 4,95 US$/month for 50 “bookmarks”, possibly includes more frequent updates for paid services

WatchThatPage – free, priority accounts available for donation of US$ 20/year. Fastest update: once per day. There seems to be no limit on the number of pages you can watch. Pages can be organized in folders. Simple keyword filtering available. Refuses to watch pages with badly mangled HTML.

Yes, I know, most of these sites scream “web 1.0” at you and – ironically – seem to be averse to change themselves (the latest news on TrackEngine is from December 2001, Merry Christmas!). They won’t really help if you’re in charge of large websites with thousands of pages. However, they might be appropriate for small websites, like this one which has been displaying “OwNed By un alien …” for months on the “liens” and “evenements” pages.
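Why the “does not detect changes in HTML tags” limitation noted in the list matters for this use case, as an added example that is not from the original post or any of the listed services: a text-only comparison sees nothing when a script tag is added, while a markup comparison reports the new source. Both HTML snapshots, the host names and the function names are constructed, and the regex-based parsing is an approximation that is adequate for small static pages.

```javascript
// Added example: both snapshots below are constructed sample data.

// Reduce HTML to the text a text-only monitor would compare.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<[^>]*>/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// Collect URLs of elements that pull in external active content.
function activeSources(html) {
  const re = /<(script|iframe|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*["']?([^"'\s>]+)/gi;
  const found = new Set();
  for (const m of html.matchAll(re)) found.add(`${m[1].toLowerCase()}:${m[2]}`);
  return found;
}

// Compare a stored baseline with a fresh fetch of the same page.
function compareSnapshots(baseline, current) {
  const before = activeSources(baseline);
  return {
    textChanged: visibleText(baseline) !== visibleText(current),
    markupChanged: baseline !== current,
    addedSources: [...activeSources(current)].filter((s) => !before.has(s)),
  };
}

const BASELINE = `<html><body><h1>Events</h1><p>Next meeting: Friday.</p>
<script src="/js/site.js"></script></body></html>`;

// Same page with one extra script tag; the visible text is identical.
const TAMPERED = BASELINE.replace(
  "</body>",
  '<script src="http://injected.example/x.js"></script></body>'
);

console.log(compareSnapshots(BASELINE, TAMPERED));
```

For a page that should never change, alerting on `markupChanged` alone is enough; `addedSources` tells you where to look first.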

I’ll update this post after trying out some of these services (you can subscribe to my RSS feed here 😉 ). Please note there’s also tons of change detection software (running locally on your computer) which I’m not covering here.