Keep Your Data Safe With Secure Email

Are you using secure email?

This post is focused on secure email but some aspects like SSL and encryption apply equally to data in general.

  • With all the breaches in the headlines, it behooves us to secure our email.
  • Breaches expose client data that can be used to access your accounts.
  • Even if a hacker has your email account credentials, he may be unable to read encrypted email.
  • Email can be accessed by the unscrupulous in a number of ways.
  • Sending email without SSL is like sending your mail on postcards.

Think your data is safe?

Our focus is finding solutions that work for our clients with minimal intervention and/or setup.

Recent Breaches?

These high profile breaches are a reminder that our data is not as secure as we would like.

Anything shared on the Internet is vulnerable to various types of snooping and hacks.

Email is no exception.

With the information gleaned from breaches, hackers may have direct access to your accounts if they uncovered passwords that you use elsewhere.

That’s why we suggest unique strong passwords  for every account.

Let’s investigate methods to secure our email.

How Difficult is it for Someone to Hack Your Data?

With folks getting email on their mobile devices via Wi-Fi, it’s more important than ever to use secure email.

The best defense is to use encryption but that is not as convenient as we would like.

SSL email helps in most cases.

Otherwise your email is open to anyone that can sniff it out of the air.

That’s easier than you may think using attacks like Man in the Middle.

Hacking Methods Used

Once hackers have your information there are a number of ways to access your accounts.

With enough information, a determined hacker can gain access to your accounts.

  • Phishing – acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication
  • Man-in-the-middle attack (MITM) – attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
  • Session stealing (cookie hijacking) – exploitation of a valid computer session (session key) to gain unauthorized access to information or services in a computer system. … theft of a magic cookie used to authenticate a user to a remote server.
  • Keylogging (Keystroke logging/keyboard capturing) – recording (logging) the keys struck on a keyboard, typically covertly.
  • Social Engineering – psychological manipulation of people into performing actions or divulging confidential information
  • Hacking your computer – malware planted on your computer allows hackers complete access to your data
    • If a hacker has access to your computer you need to have it cleaned.

Doesn’t SSL Secure My Email?

Using SSL for your email provides security between you and your email host.

Prior to SSL (Secure Socket Layer) emails were sent in plain text from your email client like Outlook to the host server.

Google’s chart below shows that most email to and from Gmail in the America’s uses SSL.

Volume of email to and from Gmail

SSL is helpful but it doesn’t keep anyone with access to the server from reading your email or necessarily guarantee that it will be transported to the recipient via SSL.

Client-side SSL is a step in the right direction but encrypting your email is much more secure.

Using SSL and SSL Email Setup?

If you want to check whether you are using SSL you can use Comcast’s guide to interrogate various email clients.

If you need to setup an email account to use SSL you can contact your provider or Google setup “Provider Name” email.

“Provider Name” is the provider who sends you a bill each month.
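Beyond the client settings, you can confirm from the command line that the host you send through actually offers TLS and that the certificate it presents checks out. The two functions below are an added example (not part of this post): the first reads a server’s EHLO reply and says whether STARTTLS is advertised, the second reads an `openssl s_client -brief` summary and accepts only a session with a verified certificate on TLS 1.2 or 1.3. The EHLO replies and session summaries are constructed samples, and mail.example.invalid is a placeholder host name.

```shell
starttls_offered() {
    # Reads an SMTP EHLO reply on stdin. Extension lines look like "250-NAME"
    # (more lines follow) or "250 NAME" (last line). STARTTLS among them means
    # the server can upgrade the connection to TLS. Returns 0 if offered, 1 if not.
    grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

tls_session_ok() {
    # Reads `openssl s_client -brief` output on stdin and accepts only a session
    # that verified the server certificate and negotiated TLS 1.2 or 1.3. A
    # certificate the client cannot validate is exactly what a man-in-the-middle
    # relay presents, so "Verification: OK" is the line that matters.
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Verification: OK' || return 1
    printf '%s\n' "$out" | grep -Eq '^Protocol version: TLSv1\.[23]'
}

# Constructed EHLO replies, standing in for what a real host would return.
EHLO_WITH_TLS='250-mail.example.invalid Hello client.example.invalid
250-SIZE 52428800
250-STARTTLS
250 HELP'

EHLO_WITHOUT_TLS='250-mail.example.invalid Hello client.example.invalid
250-SIZE 52428800
250 HELP'

# Constructed `-brief` session summaries: one verified, one with a certificate
# the client could not validate.
SESSION_GOOD='CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = mail.example.invalid
Verification: OK'

SESSION_BAD='CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: CN = mail.example.invalid
Verification error: unable to get local issuer certificate'

# Live use (needs network), here against the submission port 587:
#   openssl s_client -starttls smtp -connect mail.example.invalid:587 -brief </dev/null | tls_session_ok
```

The live command prints the EHLO exchange and the session summary; pipe it through `tls_session_ok` and a non-zero exit tells you the client-to-host leg is either unencrypted or presenting a certificate your machine does not trust.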

Implementing Secure Email

We encrypted email for our clients back in the late 1980s but it was tedious to setup and use.

Consequently, secure email was not considered a priority and seldom used.

We need encryption to ensure that sensitive email is not compromised.

This requires some inconvenience on the clients but it’s the best way to secure our email.

HIPAA Compliant Email

With the advent of the HIPAA (Health Insurance Portability and Accountability Act) companies have become more security aware.

If you send sensitive email or work in the medical industry you may be required to secure your email or face penalties.

The Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data. Any organization dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

Paubox article on HIPAA compliance

Is HIPAA Email Encrypted?

Some HIPAA email providers like GoDaddy do not necessarily encrypt email in transit.

There is some debate on whether or not HIPAA requires email to be encrypted.

GoDaddy encryption has an add-on for HIPAA email. It’s an all or nothing scenario so all your mailboxes either get encryption or they don’t.

Likewise encrypted email isn’t necessarily HIPAA compliant.

HIPAA compliance requires partners to sign a Business Associate Agreement (BAA).

HIPAA Compliant Hosts

GoDaddy and other hosts offer HIPAA compliant email.

GoDaddy was the least expensive of the providers we found using Exchange email.

HIPAA COMPLIANT EMAIL

HIPAA requires health care providers to ensure that their business associates will safeguard Protected Health Information (PHI). If you are interested in emailing with your patients, or sending any patient data through email, you need to be sure that your email is protected in a HIPAA-compliant manner.

OFFICE 365 FROM GODADDY HELP

Exchange

Some vendors offer HIPAA compliant email with Exchange like features.

In some ways, these email services may surpass Exchange by encrypting email.

On the other hand, why not get a service that is like Exchange when you can have Exchange even if it isn’t encrypted.

Encryption

You need encryption if you want to secure your email while in transit.

HIPAA email providers using Exchange email do not necessarily encrypt in transit.

There are, however, encryption add-ons.

Encryption uses PGP key pairs.

One key is shared with the public and the other is private.

Without the private key, your message is safe from prying eyes.

Generating Keys

Part of the challenge of setting up and using PGP encryption is generating and keeping track of keys.

The nomenclature is a bit confusing.

Key generators typically import private keys and export public keys.

Some key generators will export both public and private keys simultaneously.

Kleopatra

GPG4Win’s Kleopatra Interface is a bit clunky but works fine once set up.

We did have issues with some public certificates generated in Kleopatra not working with Gravity Form PGP Extension.

Interestingly the Kleopatra generated public key did not work with Kleopatra but did work with Gmail Mailvelope extension.

Importing the Kleopatra public key into Mailvelope and exporting produced a working certificate for our server.

Mailvelope

The Mailvelope Chrome extension is easy to install and use.

After running into issues with Kleopatra generated public certificates, we tried generating keys via Mailvelope.

Unfortunately, the certificates didn’t install well on Gravity Form PGP Extension.

Gravity Form PGP Extension requires a matching email address for a notification email and the Mailvelope public certificates displayed none.

Symantec Desktop Email Encryption

Symantec Desktop Email Encryption was the easiest solution to work with but expensive.

It works with Macs & Windows but not Linux.

Once set up, Outlook emails are decrypted automatically with no intervention from the user.

Secure Email

ProtonMail and Gmail send encrypted email these days but you lose that feature when you send to an outside account.

Gmail is not HIPAA compliant.

Google Apps business email is HIPAA compliant.

Web Forms

If your website asks for sensitive information you should use SSL and encryption to protect that data.

Installation instructions for Gravity Forms PGP Encryption plugin

Gravity Forms and their PGP Extension make it easy to set up an encrypted form.

Gravity Form PGP Extension requires public keys and a matching email address for notifications to be sent.

Decryption

When you are sent encrypted email you must decrypt it to read it.

The following table lists software that handles encryption/decryption.

Recommended Software

Gpg4win

Gpg4win is a free solution for Windows Outlook users.

  1. Import private key
  2. Certify
  3. You will be able to decrypt messages
    1. Open message
    2. Click decrypt

Mailvelope

Mailvelope is a free and easy solution to implement for Gmail and Chrome.

This is the easiest solution if you are using Gmail and Chrome.

  1. Install extension
  2. Import private key
  3. Emails are automatically decrypted
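The Encryption, Generating Keys, Web Forms and Decryption sections above all come down to the same handful of GnuPG operations that Kleopatra, Gpg4win and Mailvelope wrap in a GUI. The script below is an added example, not code from this post or from any of those projects: it generates a key pair in a throwaway keyring, exports only the public half, imports that into a second keyring standing in for a correspondent (or a form plugin), checks that the public key carries the notification email address the plugin matches on, encrypts a constructed message to it, and decrypts it with the private key. It assumes GnuPG 2.1 or later is installed; alice@example.invalid is a placeholder address and the empty passphrase is only so the demo runs unattended.

```shell
pgp_roundtrip() {
    alice=$(mktemp -d) || return 1   # recipient's keyring: holds the private key
    bob=$(mktemp -d) || return 1     # sender's keyring: receives the public key only
    chmod 700 "$alice" "$bob"
    addr='alice@example.invalid'     # placeholder address

    # 1. Recipient generates the key pair. The empty passphrase is for the demo
    #    only; a real private key should be passphrase protected.
    gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Alice Example <$addr>" default default never 2>/dev/null || return 1

    # 2. Export only the PUBLIC key. This file is what a correspondent or a web
    #    form plugin gets; the private key never leaves the recipient's keyring.
    gpg --homedir "$alice" --batch --quiet --armor --export "$addr" \
        > "$alice/alice.pub.asc" || return 1

    # 3. Sender imports the public key into their own keyring.
    gpg --homedir "$bob" --batch --quiet --import "$alice/alice.pub.asc" 2>/dev/null || return 1

    # 4. A form plugin that matches the notification address needs a user ID with
    #    that address on the public key; confirm it before uploading the key.
    gpg --homedir "$bob" --batch --quiet --with-colons --list-keys 2>/dev/null \
        | grep '^uid:' | grep -q "<$addr>" || return 1

    # 5. Sender encrypts with the public key. Nobody without the private key can
    #    read msg.asc, including whoever operates the mail server in between.
    printf 'Constructed sample: appointment details for review\n' > "$bob/msg.txt"
    gpg --homedir "$bob" --batch --quiet --trust-model always --armor \
        --recipient "$addr" --output "$bob/msg.asc" --encrypt "$bob/msg.txt" || return 1
    grep -q 'BEGIN PGP MESSAGE' "$bob/msg.asc" || return 1

    # 6. Recipient decrypts with the private key (the "import private key, open
    #    message, decrypt" steps that Gpg4win and Mailvelope automate).
    gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$alice/out.txt" --decrypt "$bob/msg.asc" 2>/dev/null || return 1
    cmp -s "$bob/msg.txt" "$alice/out.txt"
    rc=$?
    rm -rf "$alice" "$bob"
    return $rc
}

# Usage: pgp_roundtrip && echo "round trip OK"
```

The two separate keyrings are the point of the exercise: the sender only ever holds alice.pub.asc, which is the file you would hand to the Gravity Forms extension or a correspondent, and step 4 is the check that would have caught the missing email address the post describes.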

Conclusion

  • Use SSL Email at the very least.
  • Make sure your computer doesn’t have malware.
  • Encrypt email if you and your correspondents want the most security.
  • Use HIPAA email if you deal with Protected Health Information (PHI).

Speedup My Website With HTTP/2

Speedup My Website. Is it possible on a budget? We explore the options available for those on a budget.

Every second a website takes to load is a potential loss of a customer.

Is it possible to get new HTTP/2 protocol and SPDY with my hosting?

How about a CDN (Content Delivery Network)?

What Tools are Available to Measure Speed?

Downs Consulting uses multiple tools to Speedup My Website and give us a composite picture of the design changes we need.

It’s best to resolve the issues flagged at the top of the list if possible.

  • DotCom Monitor – checks your website from all 23 of their locations simultaneously if they are available.

The performance report gives a detailed accounting of the fastest and slowest elements. You can email the performance report in .csv or .pdf.

  • Google PageSpeed is the gold standard since we want to please Google Search Engines. This test measures both mobile & desktop performance.
  • GTmetrix has an excellent tool to measure website issues and optimize images.

Tip: Open optimized images in a separate window and save them to use in your website.

GTmetrix incorporates PageSpeed and YSlow into their analysis.

GTmetrix is a Downs Consulting favorite speed tool.

  • MONITIS simultaneously tests 3 regions of the world.
  • Page Scoring – is a simple test but runs quickly. If your site is slow you need to use a more comprehensive test.
  • Pingdom offers a good tool to test speed from various locations. They will also monitor your site for a fee.

Pingdom is a Downs Consulting favorite speed tool for Speedup My Website.

  • UPTRENDS WEBSITE SPEED TEST – Uptrends has robots that scan your page from one of their 35 locations.
  • WebPagetest is another test supported by Google. It has a lot of information in their reports.

WebPagetest suggests progressive JPEGs in their results. Progressive JPEGs are similar to the interlaced GIFs. The images appear line by line in Venetian blind fashion.

We use Progressive JPEGs in this post to Speedup My Website but you may not notice on a fast connection.

  • Website Optimization also provides quick analysis and recommendations. Some of the report are a little dated referring to 56K downloads but it’s best to minimize downloads for our cellular connections anyway.
  • Yahoo’s YSlow is another good choice. It uses JavaScript to initiate a test on the page that you have loaded.

How Do I Speedup My Website?

Review the speed test tools and follow up on their advice. The speed test tools may suggest optimized images, compressed files, cache, and CDN among other things.

In general, the results listed 1st are the ones that will have the most impact on the speed of your site.

What is HTTP/2 Speedup My Website

HTTP/2 is the new protocol for the web. It’s based on Google’s SPDY.

HTTP/2 allows multiplexing and sends out files all at once even before they are requested.

Compare that to HTTP sending out files one at a time as they are requested.

Here’s a demo.

Who Supports HTTP/2?

The problem is that many hosts do not offer HTTP/2 and it requires https for most browsers.

Can I use shows the browsers that support HTTP/2. Currently that’s over 80% of the browsers in the U.S. and 71% of the world.

Major CDNs are also supporting HTTP/2.

There are some caveats though.

Chrome & Firefox require HTTPS (SSL) for the protocol. Fortunately Let’s Encrypt provides free certificates if your host supports it.

Internet Explorer 11 requires Windows 10 for HTTP/2.
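Whether your host or CDN actually serves HTTP/2, and whether plain-HTTP visitors are sent to the HTTPS site where browsers will use it, is something you can check with curl. The functions below are an added example (not from this post): they read the headers curl prints and report the protocol on the status line and whether an HTTP request is redirected to https. The header captures are constructed, and www.example.invalid is a placeholder.

```shell
negotiated_protocol() {
    # Reads the headers from `curl -sI --http2 https://host/` on stdin and prints
    # the protocol from the status line: "HTTP/2" or "HTTP/1.1".
    head -n 1 | tr -d '\r' | cut -d ' ' -f 1
}

http2_served() {
    # 0 if the response came over HTTP/2, 1 otherwise.
    [ "$(negotiated_protocol)" = "HTTP/2" ]
}

redirects_to_https() {
    # Reads the headers from `curl -sI http://host/` on stdin and checks that the
    # plain-HTTP request is answered with a redirect whose Location is https://,
    # so visitors land on the encrypted site (browsers only use HTTP/2 over TLS).
    hdrs=$(tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[1278]' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq '^location: *https://'
}

# Constructed header captures, not from a real site.
HEADERS_H2='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html; charset=UTF-8
server: cloudflare
strict-transport-security: max-age=31536000'

HEADERS_H1='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Server: Apache'

HEADERS_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://www.example.invalid/
Content-Length: 0'

# Live use (needs network):
#   curl -sI --http2 https://www.example.invalid/ | http2_served && echo "HTTP/2 on"
#   curl -sI http://www.example.invalid/ | redirects_to_https && echo "HTTP redirects to HTTPS"
```

A site that passes the first check but fails the second still serves HTTP/1.1 to anyone who types the bare domain, so fix the redirect (or the CDN’s "always use HTTPS" setting) as well as the certificate.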

My Host Doesn’t Support HTTP/2

Perhaps you have prepaid hosting that isn’t going to expire anytime soon. Alternatively, you may not want to pay for SSL.

You may want to use a basic CDN plan like CloudFlare.

CloudFlare’s free plan will get you started without changing hosts. They provide SSL and options to minify your js, css, and html.

Tip: Purge the cache when changing settings.

Basically Cloudflare handles your traffic once you point DNS at them.

Tip: Don’t enable DNSSEC unless you are certain your host supports it.

As a bonus your site will have SSL without having to install a certificate on your host.

No SSL for WordPress Installed via Application.

One caveat is CMS applications like WordPress that are installed behind the scenes via an application.

Our Experience:

GoDaddy site without WordPress – SSL worked via https fine.

GoDaddy WordPress site worked but the styling was lost.

Tip: Switching your site to https inside WordPress could make your site unavailable on some hosting plans (e.g., GoDaddy).

Lost My Site Switching WordPress to HTTPS – SSL

If you used an application to install WordPress rather than creating a MySQL database and installing via the WordPress 5 minute install, then it’s likely that you won’t be able to use SSL on the WordPress portion of your site.

Fix Unavailable WordPress Site by Moving

It may be possible to fix an unavailable site by moving it. GoDaddy hosting makes it easy to move WordPress sites. Other hosting plans may not be so friendly.

Conclusion

Speedup My Website via HTTP/2 via a CDN like Cloudflare works fine and costs nothing but time.

The CDN caches your files, optimizes, provides HTTP/2 and SSL.

Downs Consulting would prefer a host supply these features but that’s likely to be expensive.

Easy Small Business Website with WordPress

Easy Small Business Website

There are some simple ways to build nice WordPress websites if you use a host like GoDaddy. There are a lot of advantages to using a WordPress site but there is also a drain on host resources. I recommend that you put each WordPress site on its own hosting plan. Conventional websites can be stacked on hosting plans.

The nice thing about a WordPress site is that you won’t have to deal with moving files around like on a conventional website. Once you establish hosting you just install the application. This is much less complicated than setting up a database, and configuration file.

If you have issues setting up the website you can always call their support for help. Most likely they will set it up for you.

From there on out you need to come up with content for your Easy Small Business Website and you can upload the media (i.e., pictures, video) from the WordPress control Panel.

If you want a new look you just upload a new theme. The nicer ones have a modest cost but many nice ones are available for free.

GoDaddy’s installation procedure can be found here – https://www.godaddy.com/help/install-wordpress-834. Don’t forget to keep your WordPress site software current. Malicious users take advantage of vulnerabilities and upload content to your site for nefarious purposes. The application can be set to update automatically on some hosts. Downs Consulting recommends updating your plugins too.

There may be other hosts that offer a similar setup but many are nearly as versatile to move the site if the need arises.

I have an article here about the components necessary to get started. Think of websites as being composed of the rights to the domain, the actual code and a physical place to host the code.

Confused? Downs Consulting can get you started and/or build the website for you.

SSL Certificate – New or Renewal

Periodically we have to update or add an SSL certificate for customers. Depending upon your hosting plan you may be responsible for the installation and/or key generation.

We will concentrate on single domain certificates in this post but there are wildcard certificates available for companies that use lots of sub-domains.

It’s easier if your email is on the Admin Email contact of the domain. My recommendation is to get this done 1st or you will be waiting on emails to someone else at various stages of the process. Here’s GoDaddy’s guide for updating domain contact information.

Buying SSL Certificate or Renewal

If you need a new SSL you can find them on the Internet for as little as $5/year. Be sure to check with your host to ensure the cheap SSLs can be installed on your host.

If your SSL is up for renewal you need to renew the SSL or go through the entire procedure for new SSL. It’s easier to renew.

Certificate Signing Request (CSR)

Once you have purchased an SSL or renewal you will need to generate a Certificate Signing Request (CSR) from your server or utilize an existing one if the server has not changed. Here’s a link to GoDaddy’s CSR generation & SSL Installation page. This request has to be approved by the domain Admin Email contact so this goes much faster if that’s you.

Download & Install the SSL Certificate

Once your CSR is approved you will be able to download the SSL certificate. If you have access to the server you may install yourself. Otherwise you will need to send the certificate to the host & let them install.

Here’s GoDaddy’s SSL installation procedure for Plesk as an example. Your installation procedure will depend on the server and your access. Likewise the hosting plan (managed or unmanaged) will determine the amount of assistance you will receive.
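If you do have server access, the CSR and installation steps above are a few OpenSSL commands, which is also what a control panel runs for you behind the scenes. The script below is an added example, not from this post or from GoDaddy’s guides: it creates a private key that stays on the server, builds a CSR for a single domain, verifies the CSR before it goes to the certificate vendor, and shows the check to run when the signed certificate comes back, namely that it wraps the same public key as the CSR. Because no CA is involved here, a self-signed certificate stands in for the issued one. It assumes OpenSSL 1.1.1 or later is installed; www.example.invalid is a placeholder domain.

```shell
make_csr() {
    dir=$1; domain=$2
    # 2048-bit RSA private key, unencrypted so the web server can start unattended;
    # the umask keeps the file readable by its owner only. This key never leaves the server.
    (umask 077; openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null) || return 1
    # CSR for one domain: the name goes in the CN and, as CAs now expect, in a SAN.
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null || return 1
    # Check the request before submitting it: self-signature valid, CN as intended.
    openssl req -in "$dir/$domain.csr" -noout -verify 2>/dev/null || return 1
    openssl req -in "$dir/$domain.csr" -noout -subject | grep -q "CN *= *$domain"
}

cert_matches_key() {
    # The downloaded certificate must contain the same public key as the CSR's
    # private key. Compare SHA-256 digests of the DER public keys rather than
    # eyeballing the modulus; a mismatch means the wrong key or the wrong cert.
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo_csr_flow() {
    dir=$(mktemp -d) || return 1
    domain='www.example.invalid'   # placeholder domain
    make_csr "$dir" "$domain" || return 1
    # Stand-in for the vendor step: self-sign the CSR. In real life you upload
    # $domain.csr to the certificate vendor and download $domain.crt from them.
    openssl x509 -req -in "$dir/$domain.csr" -signkey "$dir/$domain.key" \
        -days 30 -out "$dir/$domain.crt" 2>/dev/null || return 1
    # Install-time check: the certificate belongs to the key on this server.
    cert_matches_key "$dir/$domain.key" "$dir/$domain.crt" || return 1
    # Negative check: a different key (e.g. one regenerated after a server move)
    # must be rejected, which is the usual cause of a failed installation.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null || return 1
    if cert_matches_key "$dir/other.key" "$dir/$domain.crt"; then return 1; fi
    rm -rf "$dir"
}

# Usage: demo_csr_flow && echo "CSR generated, verified, and certificate matches key"
```

The `cert_matches_key` check is worth running before you send a certificate to a host for installation: if the server was rebuilt since the CSR was generated, the key it has no longer matches and the install will fail with an unhelpful error.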

Managed Hosting

In managed hosting you get a lot of help in these matters. They may do the installation for you or guide you through the process.

Unmanaged Hosting

Unmanaged hosting is the cheapest but it typically means you are on your own when installing certificates or troubleshooting. If you have a virtual private server (VPS) or physical server then you have the ability to install certificates via a control panel or SSH. For this sort of hosting you can purchase certificates wherever you like and install yourself. Most of these hosts offer little support but you may find videos that apply to your specific needs. There will be instructions that come with the certificate but you will need to know what sort of control panel you use and/or your web server software.

If you don’t have access to the server certificates then it’s up to your host to install them and they may require you to buy directly from them. This may seem expensive but you won’t have to do much of the work.

Control Panels

Two common control panels are cPanel & Parallels Plesk Panel.

Web Servers

Most web servers run a version of Linux and use Apache as the web server. These servers support PHP, Perl, Python, CGI scripting and a MySQL database. Typically these hosts use a cPanel control panel.

Windows Servers use Windows Server operating systems and IIS. Windows web servers support ASP & ASP.NET. Typically these servers run Plesk control panels.