Category Archives: Security

Unencrypted content: a threat to Google’s business model

Google’s recent announcement to give a (currently still small) ranking boost to websites using HTTPS is undoubtedly going to make the web safer for everyone.

Missing from the discussion is the fact that unencrypted content and unscrupulous ISPs present a small, but growing threat to Google’s business model. Google depends on ad revenue, and insecure connections allow third parties to tamper with data while in transit. ISPs can use this to their advantage by injecting their own ads. This is already happening: see here or here and this topic on reddit. It was also briefly mentioned in one of the comments under the original “ranking boost” announcement:

[Screenshot: comment under the HTTPS ranking announcement mentioning ads]

HTTPS ensures data integrity and would make ad injection not only technically far more difficult, but also most certainly illegal. This also explains why Google says that even simple “content sites” should use HTTPS: they might not collect any user data, but they can still serve ads.

“Being a good citizen of the web” and making the web safer for everyone sounds nice and is certainly something many people working at Google have in mind. However, it would be naive to assume that Google isn’t also looking out for its own commercial interests.

eFax reviews and alternatives

eFax reviews make “Hotel California” look good

Before signing up with eFax, do yourself a favor and read the reviews on websites like, or

From my own experience I can confirm that it is difficult to cancel your account with eFax. You also have to be careful if they offer you a more reasonable rate: In my case this rate reverted back to the original rate after 4 months. The customer service representative admitted that “he didn’t know about this” and offered to reactivate the cheaper rate for another four months. At this point I asked him to cancel my account instead, which he pretended to do after asking for my PIN. Unfortunately, eFax kept charging me and when I complained by email, I was told that my account had never been cancelled and that I had to call them again (which I just did). This time I had a witness listening to the conversation and wrote down the name of the person I talked to (she essentially refused to give me her last name, claiming there was only one person with her first name working there). If they still keep billing me I’ll simply ask my bank to do a chargeback.

I’d also like to point out that eFax sends you every received fax by email (as an attachment, in addition to letting you download it through the message center). While this is certainly convenient, it may be a serious security risk if a fax contains sensitive data. Unencrypted emails are about as secure as a postcard. Some people prefer to send a fax precisely because they do not want to send an (unencrypted) email. Having eFax transform faxes into emails is not a good practice.

eFax alternatives

There are a lot of companies offering similar (or even better) services for fax sending and receiving. I eventually signed up with PamFax not only because they were cheaper, but mostly because they make it very easy to cancel your account. They also never send the actual fax by email, you only get a notification and then download the fax over a secure connection (SSL). Your fax is now sent as an attachment, though you can change this under Account > Notifications [1]. PamFax allows you to integrate your account with Skype, Facebook, Salesforce,, Dropbox and Google Docs (to varying extents) and their modern website makes eFax look really dated.

Finding reviews for PamFax was a bit difficult. There are a few confusing reviews in the Skype apps shop. As the service is run by a German company, you can also find some user reviews in German on (currently 8 reviews with an average of 4 stars out of 6).

Personally, I’m very satisfied with PamFax so far.

Another online fax service I found was PopFax. If you know any other eFax alternatives, please leave a comment.

Here’s another option: If you own a Fritz!Box, that might be all you need to receive and send faxes. However, I found that the integrated Fritz!Box fax was clearly less reliable than an actual fax machine.

Update October 2nd, 2012: is one more alternative I just found (didn’t try it out though, still very satisfied with PamFax).

Update January 16th, 2013: is yet another service (apparently only available in German).

[1] I’ve also updated the description for PamFax above.

Do you want to view only the webpage content that was delivered securely?

Does Internet Explorer annoy you with this security warning?

Do you want to view only the webpage content that was delivered securely?

This message appears when you’re using a secure connection (https://) and the website is trying to load non-secure (http://) elements, too. The culprit was easy enough to find (using HttpWatch or similar tools):

[Screenshot: HttpWatch sniffer results]

What made this case unusual is that it wasn’t a server-side problem. Instead, the DivX HiQ plugin + Web Player Beta installed on the client’s machine was causing the issue on every single secure page. The warnings disappeared after uninstalling DivX HiQ (disabling the plugin should work, too):

[Screenshot: uninstalling DivX Web Player Beta]

So, if Internet Explorer is suddenly giving you these warnings, check if you’ve recently installed DivX.

How long would it take you to notice that your website has been compromised?

My last post concerning mass SQL hacks of websites shows what can happen if your website is distributing malware and you don’t act fast enough. In that post, I also mentioned it might be a good idea to have some sort of self-checking mechanism integrated in your CMS which would alert you if unauthorized changes were made. While I still think that’s a good idea, there’s a much easier and faster option when it comes to small, rather static websites: change detection services!

Here are a few I found through search engines, a blog post from 2005 by Marshall Kirkpatrick and an article in c’t magazine 4/2008 (page 170):

ChangeAlarm – free, typically checks for updates once per day

ChangeDetect – free and paid membership options

ChangeDetection – free, typically checks for updates once per day, does not detect changes in HTML tags

InfoMinder – no free membership, 30 day trial available

TheWebWatcher – free for personal use, monitoring intervals starting from 1h

TracerLock – no free membership, max 20 URLs, 4 US$/month

TrackEngine – free, US$19.95/year for 10 “bookmarks”, US$4.95/month for 50 “bookmarks”, possibly includes more frequent updates for paid services

WatchThatPage – free, priority accounts available for donation of US$ 20/year. Fastest update: once per day. There seems to be no limit on the number of pages you can watch. Pages can be organized in folders. Simple keyword filtering available. Refuses to watch pages with badly mangled HTML.

Yes, I know, most of these sites scream “web 1.0” at you and – ironically – seem to be averse to change themselves (the latest news on TrackEngine are from December 2001, Merry Christmas!). They won’t really help if you’re in charge of large websites with thousands of pages. However, they might be appropriate for small websites, like this one which has been displaying “OwNed By un alien …” for months on the “liens” and “evenements” pages.

I’ll update this post after trying out some of these services (you can subscribe to my RSS feed here ;) ). Please note there’s also tons of change detection software (running locally on your computer) which I’m not covering here.

SQL Injections – why companies should care (and users, too)

While I had read reports about successful mass SQL attacks on hundreds of thousands – by some estimates even millions – of websites months ago, I didn’t really care much, assuming that this issue would only concern outdated, irrelevant and poorly coded websites.

I realized I was wrong (partially wrong) about a week ago when I was looking for recipes for my newest toy, a blender from a brand every YouTube user knows. Unfortunately, the manufacturer’s website contained not only recipes, but also references to a malicious external script:

For a moment, I thought about making a stupid video showing some JavaScript that does not blend but then decided on contacting the company first. Indeed, only one day later the site had been cleaned.

Normally, I wouldn’t even mention this on my blog, since I believe “public shaming” is only justified if a company or webmaster does not react within a reasonable time or if the case at hand is particularly outrageous (before you disagree, please consider that my entire blog is about not being perfect and still having a lot to learn). However, when I visited the website again on Sunday (in order to show the company’s products to a friend and restaurant owner), NoScript showed the site had been compromised once more and was trying to distribute malware again (this time, the evil domain was instead of When I tried to send another message over the contact form this morning, Firefox 3 wouldn’t even let me visit the page without a very clear warning:

The reason Firefox is showing this warning is that Google now “officially” considers this site (possibly) harmful:

Aside from the obvious “make sure your code is not vulnerable to SQL injections” (and don’t forGET it’s not only about POST parameters*), what can be learned here?

If your site has been compromised, you should react quickly and make sure it can’t happen again. Otherwise Google will sooner or later list your website as “suspicious” and you’ll certainly lose visitors and business. A compromised website also reflects poorly on your company and your brand. I would be particularly concerned about the negative effects in the case of companies relying heavily on the internet for business (including internet marketing). Furthermore, one has to wonder if you might be held liable for exposing your visitors to malware.

Don’t rely on expensive third party scanning tools. Did you notice the “Hacker safe” logo in the first screen shot above where my virus scanner was already showing a warning? Instead, I suggest hiring a capable programmer (you’ll need one to fix the vulnerabilities anyway) and having him customize a monitoring solution which issues a warning anytime your website or database has been “illegally” modified (I might pick this idea up in a later post). This would make sure you’re the first to realize when something is wrong, not your visitors or Google.
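The customized monitoring idea from this paragraph, and the self-checking mechanism suggested in the change detection post above, as an added example (not the author’s code): a Python script that records SHA-256 digests of a static site’s files, reports added, removed and modified files on the next run, and flags script references to hosts other than the site’s own, which is the symptom described in this post. The file names, hosts and the tampering step are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# <script ... src="..."> in any attribute order; pattern constructed for this example.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)

def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 digest of its bytes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return (added, removed, modified) path lists between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def foreign_scripts(html, own_hosts):
    """Return script src URLs whose host is not one of the site's own hosts."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        m = re.match(r"^(?:https?:)?//([^/:]+)", src)  # only absolute URLs name a host
        if m and m.group(1).lower() not in own_hosts:
            hits.append(src)
    return hits

def demo():
    """One monitoring cycle on a constructed one-page site: baseline, tamper, compare."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "recipes.html")
        with open(page, "w") as fh:
            fh.write('<html><script src="/js/menu.js"></script><p>Blend it!</p></html>')
        baseline = build_manifest(root)
        with open(page, "a") as fh:  # constructed tampering: an external script is appended
            fh.write('<script src="http://evil.example/x.js"></script>')
        added, removed, modified = diff_manifests(baseline, build_manifest(root))
        with open(page) as fh:
            foreign = foreign_scripts(fh.read(), {"example.com"})
    return added, removed, modified, foreign
```

In practice the baseline manifest is stored outside the web root (or signed) so that whoever alters the site cannot also update it, and the script runs from cron with its report mailed to you.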

If I were a capable programmer familiar with ASP and MSSQL and had some free time, I’d think about spending a few hours searching for affected websites, somehow ranking them (e.g. “best known”, “in my area”, etc.) and then contacting them with an offer to remove the malicious code and the vulnerabilities (or maybe redesign the entire website). Think about it, there might be millions of affected websites out there, this seriously screams “business opportunity” (BTW, I’m not a… er, not familiar with ASP and MSSQL and I’m busy, so please don’t contact me). Of course, sooner or later someone’s bound to misunderstand your offer (“this guy hacked our website and now he’s asking for money”). ;-)

As a user, don’t follow my bad example in the first screenshot. Instead, disable JavaScript by default and enable it only for sites you can trust. This can be done best by using the excellent NoScript plugin for Firefox. Don’t think that Firefox + Google alone can always protect you, you won’t get the big red warning above unless the site in question has been compromised for some time.

*technical details can be found in Michael Zino’s article ASCII Encoded/Binary String Automated SQL Injection Attack and by following some of the links I posted before.
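The “make sure your code is not vulnerable to SQL injections” lesson, including the point that GET parameters count too, as an added example that is not from the post or the article it cites. Python’s sqlite3 stands in for the ASP/MSSQL stack the post mentions; the query shape is the same, the table and rows are constructed, and the `recipe_id` argument plays the role of a value taken straight from the query string.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the site's recipe database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO recipes VALUES (?, ?, ?)",
                     [(1, "Banana smoothie", 1), (2, "Green juice", 1), (3, "Draft: secret sauce", 0)])
    return conn

def recipe_vulnerable(conn, recipe_id):
    """Concatenates the raw request parameter into the SQL text: injectable."""
    sql = ("SELECT title FROM recipes WHERE published = 1 AND id = " + recipe_id
           + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def recipe_safe(conn, recipe_id):
    """Validates the parameter and binds it, so it can only ever be data, never SQL."""
    try:
        rid = int(recipe_id)  # an id is numeric by contract; anything else is rejected
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT title FROM recipes WHERE published = 1 AND id = ? ORDER BY id", (rid,))]

def demo():
    """Same two inputs through both versions; the second input is a constructed tamper."""
    conn = make_db()
    normal, tampered = "2", "2 OR 1=1"
    return (recipe_vulnerable(conn, normal), recipe_vulnerable(conn, tampered),
            recipe_safe(conn, normal), recipe_safe(conn, tampered))
```

The vulnerable version lets the tampered value rewrite the WHERE clause (the unpublished draft leaks), while the bound version either returns the single published row or rejects the input outright.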