Website security is one of the most important topics in today’s tech landscape. For years, the Internet was a Wild Wild West and, outside of banking, website security was probably the last thing on a web developer’s or online business owner’s mind.
However, in recent years and after a few major leaks affecting companies like Sony or Yahoo, consumers and companies alike started feeling the need to know their data is safe and protected. While the whole industry is now abuzz with solutions designed to protect the data of people visiting websites, from credit card info to browsing habits, incidents still do happen.
The first 2 months of 2017 were marked, in the tech news area at least, by the aftermath of Yahoo’s handling of the 2014 incident, in which 500 million user accounts were compromised. The Yahoo board of directors decided that Marissa Mayer, the CEO, would not receive a bonus in 2017, a measure designed to reflect Mayer’s poor handling of the crisis. Mayer herself decided to forgo her equity grant, writing the following statement on Tumblr:
“I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”
For those who don’t remember the exact details, a Yahoo team discovered that a hack had affected 26 user accounts and proceeded to inform the company’s legal department. Little did they know this hack would come to affect up to 500 million accounts. The lack of investigation and analysis of this incident led to an unprecedented website security crisis and opened an important dialogue between consumers, developers and online businesses.
Without Yahoo and this storm, what happened just a few weeks ago could have gone much, much worse.
On February 23rd, Cloudflare revealed a serious bug that affected more than 5 million websites using its services: passwords, authentication tokens, cookies and other sensitive data leaked in plaintext. Anyone who noticed the error could have collected a variety of users’ personal information, information that would normally be encrypted or obscured.
The bug appeared in an HTML parser used by Cloudflare to increase website performance and to upgrade HTTP links to HTTPS. Three features offered by Cloudflare, namely server-side excludes, email obfuscation and automatic HTTPS rewrites, were not correctly integrated with the parser, and the result was that random chunks of memory were exposed in the pages it returned. Even worse, this error also affected Cloudflare itself, leaking a private key used to secure connections between Cloudflare machines.
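The class of defect described above, a parser that runs past the end of its input into whatever memory happens to sit next to it, is shown below as a constructed C illustration added here. It is not Cloudflare’s code, and the page does not describe the actual defect, so the buffer layout, the made-up session cookie, and the function names are assumptions. The unbounded scan shows how an HTML rewrite ends up copying bytes it was never meant to touch into its output; the bounded version checks against the end of the input and rejects a tag that does not close.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: an HTML fragment whose final tag is unterminated,
 * placed in one buffer directly in front of unrelated data (a made-up
 * session cookie) so the two are adjacent in memory, as they could be
 * in a server process handling many requests at once. */
static const char PAGE[]      = "<a href=\"http://example.com\">link</a><img src=\"x\"";
static const char NEIGHBOUR[] = "session=CONSTRUCTED-SECRET-TOKEN;";

static char arena[512];
static size_t page_len;

static void build_arena(void) {
    memset(arena, 0, sizeof arena);
    page_len = sizeof PAGE - 1;
    memcpy(arena, PAGE, page_len);
    memcpy(arena + page_len, NEIGHBOUR, sizeof NEIGHBOUR - 1);
}

/* Vulnerable form: scans for the closing '>' with no idea where the
 * input ends. On a truncated tag it walks straight past the page into
 * whatever memory follows and copies it into the output. */
static size_t copy_tag_unbounded(const char *p, char *out, size_t outsz) {
    size_t n = 0;
    while (*p != '>' && n < outsz - 1)   /* the outsz cap only keeps this demo well-defined */
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Hardened form: the scan is bounded by the end of the input, and a tag
 * that does not terminate inside the input is rejected, not guessed at. */
static int copy_tag_bounded(const char *p, const char *end, char *out, size_t outsz) {
    size_t n = 0;
    while (p < end && *p != '>') {
        if (n + 1 >= outsz) return -1;   /* output too small: refuse rather than truncate silently */
        out[n++] = *p++;
    }
    if (p == end) return -1;             /* input ran out before '>': malformed tag */
    out[n] = '\0';
    return (int)n;
}

/* Start of the last tag in the page, i.e. the one that is not closed. */
static const char *last_tag_start(void) {
    for (const char *p = arena + page_len; p > arena; p--)
        if (p[-1] == '<') return p - 1;
    return NULL;
}

/* Returns 1 when the unbounded parser's output contains the neighbouring
 * secret, i.e. data from outside the page leaked into the rewritten HTML. */
int unbounded_leaks(void) {
    char out[256];
    build_arena();
    copy_tag_unbounded(last_tag_start(), out, sizeof out);
    return strstr(out, "CONSTRUCTED-SECRET-TOKEN") != NULL;
}

/* Returns 1 when the bounded parser rejects the truncated tag and its
 * output buffer never receives a byte from beyond the page. */
int bounded_rejects(void) {
    char out[256] = {0};
    build_arena();
    int rc = copy_tag_bounded(last_tag_start(), arena + page_len, out, sizeof out);
    return rc == -1 && strstr(out, "CONSTRUCTED") == NULL;
}

int main(void) {
    printf("unbounded parser leaks adjacent memory: %s\n", unbounded_leaks() ? "yes" : "no");
    printf("bounded parser rejects truncated tag:   %s\n", bounded_rejects() ? "yes" : "no");
    return 0;
}
```

The point a defender should take from the two functions is that the fix is not a bigger output buffer but an explicit end-of-input pointer carried through every scanning loop, plus a hard failure on malformed input instead of a best-effort continuation.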
Fortunately, this bug was discovered by Tavis Ormandy, an engineer at Google. He first thought the bug was in his own project but, once he realized its scope, he contacted Cloudflare via Twitter. In less than a few hours, Cloudflare assembled a team of engineers who then worked around the clock, in shifts, to fix the bug. The most severe leak was stopped in less than 12 hours but, even then, the team had to work for another six days to eliminate the bug and to work with search engines to make sure the leaked data was not indexed and cached.
While the incident posed major security risks to companies like Uber and OkCupid, just a few of Cloudflare’s big-name clients, the company recognised the crisis in its early stage and managed to deescalate the situation.
What can you learn from it, whether you work as a web developer, you own an online business or are simply a consumer of other services?
There is no way to be fully protected. Website security has come a long way, and data protection is one of the most important and most explored aspects of the online experience, but you also need to stay vigilant. No company or service can protect you 100%, so you need to implement additional protective measures of your own.
Where do you start?
We explore here the first 3 steps you can take to make your website safer. They’re simple, intuitive steps that will ensure your project is as protected as it can be while leaving you the freedom to explore the best options for your business.